In our last article, The Dangers Of Using Public Wi-Fi Hotspots, we discussed the undeniable benefits of HTTPS for your data privacy.
As a reminder, HTTPS serves two purposes:
First, HTTPS creates an encrypted channel between your computer and the server you are connecting to, using the TLS protocol (the successor of SSL). All the data exchanged over this connection is encrypted, so an attacker sitting somewhere on the path between you and the server cannot read it.
Second, it guarantees that the server you are talking to is the legitimate one and not a fake portal set up to capture your personal information. To achieve that, HTTPS relies on certificate authorities (CAs). A list of CAs is pre-loaded into your browser and operating system; these are the organisations trusted to issue certificates for domain names.
If you own a website and ask a certificate authority to issue a certificate for your domain, the authority will first validate that you really control that domain (for instance by checking a DNS record or a file you publish on the web server) before issuing the certificate that vouches for you.
For instance, our website https://invisibleman.tech has a certificate issued by Let’s Encrypt. You can inspect the certificate by clicking on the small padlock or “i” icon (in Chrome or Firefox) on the left side of the address bar.
If the certificate is not signed by a trusted certificate authority, your browser will display a warning like the following:
HTTPS is definitely great for protecting your data privacy, and it is good news to see such wide adoption of the protocol. Special thanks to Let’s Encrypt, a free, automated and open certificate authority that has done a lot to drive this adoption.
No matter how good HTTPS is, keep in mind that the encryption only covers the application data carried inside the TLS session. Everything HTTP puts on the wire is encrypted: the URL path, query parameters, headers, cookies and the page content itself. What is not encrypted is everything below: the TCP and IP headers belong to the transport and Internet layers, so source and destination IP addresses and ports remain visible. One more thing usually travels in clear: the server name in the TLS handshake (SNI), which tells an observer which hostname you asked for before any HTTP data is exchanged.
Nowadays an IP address alone does not say much about what a user is doing. With the proliferation of Content Delivery Networks, many websites sit behind providers such as Cloudflare and Akamai, so unrelated sites share the same addresses. Looking at a user’s traffic at the transport layer only, you would have little idea which site they are trying to access.
Good news: as long as I am using HTTPS, my online privacy is safe!
Hold on a minute. Let’s retrace our steps and make sure we are not missing anything there.
Let’s assume you would like to visit our website: https://invisibleman.tech
Open your browser, type in the address and press enter.
The first thing your browser has to do is to look up our domain name, invisibleman.tech, and turn it into an IP address. For that it uses the DNS protocol. Once the lookup has completed, the browser knows where to send the request and opens a TCP connection to the destination IP.
SYN, SYN-ACK, ACK, you know the drill. A few milliseconds later your TCP session is established, the TLS handshake runs, and your data is encrypted end to end.
So the step that people tend to forget is the DNS lookup. Plain DNS (UDP or TCP on port 53) is not encrypted. Anyone who can sniff your DNS traffic knows which websites you are visiting, at least by fully qualified domain name (FQDN).
That means a man-in-the-middle would know that you are visiting invisibleman.tech, but not which post you are reading, because the path is carried inside the encrypted HTTPS connection.
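To make this concrete, here is a small decoder, added for this article and not part of the original post, that reads a plain DNS message exactly the way a passive sniffer on port 53 would. The query and response bytes below are constructed for the example (the transaction ID, TTL and the 192.168.1.10 answer are made up); only the RFC 1035 wire format is real. Note how the FQDN sits in the packet as plain ASCII labels.

```python
"""Decode a plain DNS message (UDP/53) the way a passive sniffer would.

Only the question and answer sections matter here: the question leaks the
FQDN you are visiting, the answer is the IP you are about to connect to.
"""
import struct

# Constructed sample (not a real capture): query for invisibleman.tech, type A.
SAMPLE_QUERY = (
    b"\x12\x34"                      # transaction ID (made up)
    b"\x01\x00"                      # flags: standard query, recursion desired
    b"\x00\x01"                      # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"      # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x0cinvisibleman\x04tech\x00"  # QNAME as length-prefixed labels
    b"\x00\x01"                      # QTYPE = A
    b"\x00\x01"                      # QCLASS = IN
)

# Constructed sample response: same question, one A record whose name is a
# compression pointer (0xC00C) back to the question name at offset 12.
# The address 192.168.1.10 is made up for the example.
SAMPLE_RESPONSE = (
    b"\x12\x34" b"\x81\x80"          # same ID; flags: response, RD, RA
    b"\x00\x01" b"\x00\x01"          # QDCOUNT = 1, ANCOUNT = 1
    b"\x00\x00" b"\x00\x00"          # NSCOUNT, ARCOUNT = 0
    b"\x0cinvisibleman\x04tech\x00" b"\x00\x01" b"\x00\x01"
    b"\xc0\x0c"                      # NAME: pointer to offset 12
    b"\x00\x01" b"\x00\x01"          # TYPE A, CLASS IN
    b"\x00\x00\x0e\x10"              # TTL 3600
    b"\x00\x04"                      # RDLENGTH 4
    b"\xc0\xa8\x01\x0a"              # RDATA 192.168.1.10
)

RECORD_TYPES = {1: "A", 28: "AAAA", 5: "CNAME", 15: "MX", 16: "TXT"}


def read_name(msg, offset):
    """Decode an RFC 1035 name starting at offset, following compression
    pointers. Returns (name, offset just past the name's original location)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # Two-byte pointer: the 14 low bits are an offset into the message.
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns(msg):
    """Return the fields a sniffer cares about: ID, direction, questions, answers."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": RECORD_TYPES.get(qtype, qtype), "class": qclass})
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        record = {"name": name, "type": RECORD_TYPES.get(rtype, rtype), "ttl": ttl}
        if rtype == 1 and rdlength == 4:
            record["address"] = ".".join(str(b) for b in rdata)
        else:
            record["rdata"] = rdata.hex()   # other record types left undecoded
        answers.append(record)
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def sniffer_line(msg):
    """One-line summary, the kind of entry a passive observer would log."""
    parsed = parse_dns(msg)
    kind = "RESPONSE" if parsed["is_response"] else "QUERY"
    names = ", ".join(f"{q['name']} {q['type']}" for q in parsed["questions"])
    addrs = ", ".join(str(a.get("address", a["type"])) for a in parsed["answers"])
    return f"{kind} id=0x{parsed['id']:04x} {names}" + (f" -> {addrs}" if addrs else "")


if __name__ == "__main__":
    print(sniffer_line(SAMPLE_QUERY))
    print(sniffer_line(SAMPLE_RESPONSE))
```

Feed it the payload of any UDP/53 datagram from a capture and you get the same one-line view an ISP or a rogue hotspot gets: the name you asked for and the address you were given, with no decryption involved.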
In a nutshell, you are leaking all your DNS queries to anyone sitting in the middle. Even setting cyber-crime aside, your DNS traffic is a valuable source of information for third parties: it reveals a lot of juicy details about your browsing habits, and therefore your areas of interest. Your ISP has an obvious interest in collecting this data, and it does not have to sweat much to do so, since it usually provides the DNS servers you use.
Every device in your home gets its network settings from your home gateway via DHCP, and the gateway usually acts as the DNS forwarder for all your requests. If that gateway was supplied by your ISP, it will most likely point to the ISP’s own DNS servers, so all your queries are resolved (and probably cached) by your ISP.
Those DNS servers can log every query and possibly resell the data to third parties.
By tracking customer browsing activity, Internet Service Providers gain access to a lot of useful information. For instance, a customer unhappy with his ISP tends to look online for a better alternative. With this information in hand, ISPs can put an anti-churn strategy in place to retain their customers.
Switching your DNS servers is definitely a good start to make it a bit harder for your ISP to track your moves.
Which Public DNS should I use?
There are two things to consider when choosing a public DNS service: privacy and performance.
Privacy first. The reason you are changing your DNS servers is to improve your online privacy, so make sure the new provider does not log your queries or resell them to third parties (read its privacy policy, not just its marketing).
Performance second. Let’s face it: your ISP’s local DNS service is usually the fastest one you can find. Sad but true, and the main reason is simply that it is the closest to you and therefore offers the lowest latency.
That said, one tool can help you find the fastest provider after your own ISP. Domain Name Speed Benchmark is a free tool that tests the most popular DNS providers from your computer and ranks them, so you just have to pick the fastest.
With that in mind, here are a few public DNS providers you could choose:
- Google Public DNS: 8.8.8.8 and 8.8.4.4. Both are anycast addresses and completely unfiltered. That being said, it is still Google…
- Cloudflare: 1.1.1.1 and 1.0.0.1. Cloudflare is not new to security but is a recent entrant as a public DNS provider (the service launched in April 2018); anycast and completely unfiltered. I would give it my preference.
- Quad9: 9.9.9.9. Quad9 is a non-profit backed by IBM, Packet Clearing House and the Global Cyber Alliance. It is anycast, but note that 9.9.9.9 is not unfiltered: it blocks domains known to be malicious, and the unfiltered service is at 9.9.9.10. It does not log the user’s IP address but does record coarse geo-location (city, state, country) and uses this information for malicious campaign and actor analysis.
Changing your DNS settings is one of the first steps towards getting your online privacy back. But even though you are no longer handing your queries to your ISP’s servers, nothing stops the ISP from intercepting and logging them on the way out, since they still cross its network in clear. Remember that DNS, by default, is not secure.
If you want to encrypt your DNS queries, several options are available, although not every public DNS provider supports all of them.
Encrypt your DNS traffic with DNS over HTTPS (DoH)
DNS over HTTPS was standardized in RFC 8484, published in October 2018 and written by two experts from ICANN and Mozilla respectively.
Mozilla being the company behind Firefox, no wonder the foxy browser was the first to adopt DoH.
If you like to use DoH in Firefox, you can follow this excellent guide.
Most of the largest DNS providers, such as Cloudflare, Google and Quad9, already support DoH natively. You can find a list of DoH providers on GitHub.
Unfortunately, beyond Firefox it is still hard to find a browser, let alone a router, that supports DoH out of the box.
Encrypt your DNS traffic with DNSCrypt
DNSCrypt predates DoH by several years: the protocol was originally released by OpenDNS in 2011. It runs over either TCP or UDP and is typically offered on port 443, although the protocol is completely different from HTTPS, which shares that port.
The protocol is implemented on the client side by a local proxy, dnscrypt-proxy, which is widely available: you will find a DNSCrypt client for Windows, Linux, Android and even for your OpenWrt router.
A list of supported implementations for DNSCrypt can be found there.
Using DNSCrypt on a Windows laptop can be super simple: download Simple DNSCrypt and install it. The tool ships with a list of DNSCrypt servers, so you will be all set in less than two minutes.
Unfortunately, there is no option to configure your own DNSCrypt servers from the UI. This is a bit frustrating, all the more so as the DNSCrypt protocol itself was developed by OpenDNS, well known for logging user DNS queries.
If you want a fully customized setup, roll up your sleeves and install dnscrypt-proxy from the command line. Fortunately there is a guide for this on GitHub.
If you wish to use DNSCrypt on Android, it is a bit trickier, as your smartphone needs to be rooted. If it already is, DNS Manager will let you enable DNSCrypt in a few minutes.
DNSCrypt definitely has my preference because it is better supported on the client side than DoH. But DoH is surely a more elegant solution and seems to be popular across DNS providers. As soon as DoH becomes widely supported on most devices, I would definitely consider it a viable option.
On the server side, DNSCrypt is supported by Cloudflare and Quad9; Google Public DNS does not offer it (it supports DoH and DoT instead). A complete list is available here.
DNS over TLS
There is a third protocol we haven’t talked about yet: DNS over TLS (DoT, RFC 7858). We are not going to elaborate on it, because it is nearly impossible to find a client for it besides Android 9 (Pie), where it is exposed as the Private DNS setting. But Google is seriously looking into it. If your smartphone runs Android Pie, you may give it a shot by using this guide.
On the server side, DNS over TLS is supported by Cloudflare, Quad9 and Google DNS.
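The following is an added example that covers both the DoH section above and the DNS over TLS section just before this point; it is illustration code written for this article, not software from any of the providers mentioned. It builds the same DNS query in wire format, wraps it the way RFC 8484 specifies for DoH (a GET with a base64url `dns` parameter, or a POST whose body is typed application/dns-message), and frames it with the two-byte length prefix RFC 7858 uses for DoT on port 853. The endpoints https://cloudflare-dns.com/dns-query and one.one.one.one:853 are Cloudflare’s public ones; the two live send functions need network access and are only called, commented out, under the main guard.

```python
"""Build a DNS query and carry it over DoH (RFC 8484) or DoT (RFC 7858).

Illustration code for this article, not a provider's client library.
"""
import base64
import socket
import ssl
import struct
import urllib.request

# Cloudflare's public endpoints; any RFC 8484 / RFC 7858 resolver would do.
DOH_URL = "https://cloudflare-dns.com/dns-query"
DOT_HOST = "one.one.one.one"


def encode_name(name):
    """RFC 1035 wire form: each label prefixed by its length, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Standard query, recursion desired. RFC 8484 recommends a zero ID for
    DoH so identical questions yield byte-identical, cacheable messages."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(name, qtype=1, resolver=DOH_URL):
    """GET form: the message base64url-encoded, padding stripped, in ?dns=."""
    wire = build_query(name, qtype)
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={param}"


def decode_doh_param(param):
    """What the resolver does with the GET parameter: re-pad and decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(name, qtype=1, resolver=DOH_URL):
    """POST form: raw wire message as the body, typed application/dns-message."""
    return urllib.request.Request(
        resolver, data=build_query(name, qtype), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def dot_frame(name, qtype=1):
    """DoT reuses DNS-over-TCP framing: 2-byte big-endian length, then the message."""
    wire = build_query(name, qtype)
    return struct.pack("!H", len(wire)) + wire


def send_doh(name, resolver=DOH_URL):
    """Live DoH POST (needs network). Returns the raw DNS response message."""
    with urllib.request.urlopen(doh_post_request(name, resolver=resolver), timeout=5) as resp:
        return resp.read()


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def send_dot(name, host=DOT_HOST, port=853):
    """Live DoT query (needs network): TLS to port 853 with the certificate
    validated against the resolver's hostname, then length-prefixed DNS."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(dot_frame(name))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


if __name__ == "__main__":
    print(doh_get_url("invisibleman.tech"))
    print(dot_frame("invisibleman.tech").hex())
    # Live queries (network required); the replies are ordinary DNS messages:
    # print(send_doh("invisibleman.tech").hex())
    # print(send_dot("invisibleman.tech").hex())
```

In both transports the DNS message itself is unchanged; what differs is what an observer on your ISP’s network sees: a TLS session to the resolver (on 443 for DoH, 853 for DoT) instead of a cleartext question on port 53. DoH has the extra property of being indistinguishable from ordinary HTTPS traffic to that host, whereas the dedicated port 853 makes DoT easy to identify and block.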
So today we have learnt that even with HTTPS, other protocols can leak personal data, and DNS is definitely one of them.
So the first step is to change your DNS servers right now. I personally recommend Cloudflare 1.1.1.1 for performance and privacy purposes.
The second step, to bring your online privacy to the next level, is to encrypt your DNS traffic. DNS over HTTPS (DoH) is a promising protocol but its compatibility is still limited as of today. DNSCrypt is a viable alternative but requires spending some time on the command line to make it work across all of your devices.