Methods of DNS Encryption

The "end-to-end" encryption wave is a great thing - securing the data moving between you and the websites you visit is important. However, one issue that presents itself - whether the actor is a company keeping track of what you are doing in order to sell you things more efficiently (surveillance capitalism), a government conducting surveillance, or a government or ISP engaged in censorship - is that even when your web traffic is encrypted, your requests to DNS are not. So the actor interested in what you are doing might not know what data is moving back and forth between you and a particular website, but it does know which website you are visiting - and can track or block that activity.

So how do we fix this, besides moving everything whole-hog to Tor? One very promising avenue is to encrypt DNS requests. A DNS request goes in plaintext from your browser to an external DNS server, generally your ISP's, and that server returns the record you need to reach the website you want to visit. Both the request to the external DNS server and its response are in plaintext. What a surveillance actor can see is the IP address(es) of the external DNS server(s), the domain name being requested, and the IP address in the result.

That's a lot of information! An obvious step would be to encrypt DNS queries, hiding all of this information under a layer of encryption. There are three specific methods of encrypting DNS traffic: DNS over TLS (DoT), DNS over HTTPS (DoH), and DNSCrypt. DNSCrypt was the earliest kid on the block, hasn't become a standard, and is not widely supported. TLS (Transport Layer Security) is what already secures a lot of internet traffic, including HTTPS - it's an IETF standard, and DoT is pretty widely supported. DoH is basically DNS over HTTPS, which is in turn HTTP over TLS. It's a bit hacky, but it uses the same port as HTTPS, and basically gets the job done.
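To make the two paragraphs above concrete, here is an added example (written for this post, not code from any resolver project or RFC) that builds the plaintext DNS wire-format query a surveillance actor would otherwise see, wraps that same message the way DoT does (a two-byte length prefix in front of the message inside the TLS stream) and the way DoH does (the message base64url-encoded into a `?dns=` GET parameter, or sent as the body of a POST), and then parses a response. The resolver name `dns.example.invalid`, the queried name `example.com`, and the answer address `192.0.2.1` are constructed placeholders, and the response is built locally rather than fetched, so everything runs offline; the transport-specific parts are exactly what would be sent over a real TLS or HTTPS connection.

```python
import base64
import struct

DOH_ENDPOINT = "https://dns.example.invalid/dns-query"   # placeholder resolver, not a real one
DOH_HEADERS = {"Accept": "application/dns-message",
               "Content-Type": "application/dns-message"}  # used for a DoH POST body


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Return a DNS wire-format query (RFC 1035). This is the plaintext that
    travels over UDP/53; DoT and DoH carry these same bytes inside TLS.
    txid defaults to 0 because DoH GET requests should use ID 0 for cacheability."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def dot_frame(msg: bytes) -> bytes:
    """DoT: the DNS message is prefixed with its 2-byte big-endian length,
    and that framed record is what is written into the TLS stream."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """DoH GET: base64url-encode the message with padding stripped and put it
    in the 'dns' query parameter; the URL itself is inside HTTPS, so the name
    being looked up is hidden from a passive observer."""
    param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={param}"


def decode_doh_param(param: str) -> bytes:
    """What the DoH server does with the 'dns' parameter: restore padding and decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse a DNS response and return the transaction id, rcode and answers."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, "A" if rtype == 1 else rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def build_sample_response(query: bytes) -> bytes:
    """Construct the response a resolver would return for the query (offline stand-in):
    same id, flags QR/RD/RA set, the question echoed, and one A record whose owner
    name is a compression pointer back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext query bytes:", q.hex())
    print("DoT record:", dot_frame(q).hex())
    print("DoH GET URL:", doh_get_url(q))
    print("parsed answer:", parse_response(build_sample_response(q)))
```

Running the module prints the raw query, the DoT-framed record and the DoH URL side by side, which makes the point of the post visible: the message is identical in all three cases, and only the wrapper decides whether an on-path observer can read the name. The question the resolver echoes back and the compression pointer in the answer are also why a DoT or DoH client must still validate the response it gets (matching transaction id, parsing bounds), since the encryption only protects the channel, not the resolver's content.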

Any of these, of course, require that browsers (or web clients of whatever sort) and DNS servers can handle these requests. On the server side, both Cloudflare's and Google's DNS servers handle both DoT and DoH. There is also a list of resolvers here, and a DoH-only list here. Most ISPs do not handle either.

On the client side, web browsers like Chrome, Firefox and Opera have implemented DoH. You can choose to use any DNS resolver via custom settings. Mozilla Firefox uses Cloudflare as a default, and has a DoH resolver policy which limits data retention and use. You can use any DNS service you'd like with Chrome, though getting it to work is not quite as straightforward as with Firefox.

The one challenge is that you have to trust the service provider - because they have your data. If they are willing to abide by Mozilla's strict data policy (only two have so far), that's a good thing (data can only be retained for 24 hours). But that still requires trust. So far, there have not been that many community-driven DoH (or DoT) servers with community accountability.

I found this tutorial on setting up DoH and some good tools. Probably adding that to my project to-do list.
