Check Your DNS
DNS, or Domain Name System, is one of those less talked-about technologies that everyone uses, but very few outside IT communities are aware of. The actual implementation is complicated, but the concept is simple, and it is yet another cyber attack surface you can cover with a little effort.
TL;DR: Just get a VPN.
What is DNS?
Computers talk in numbers. People talk in words. DNS servers translate the words into numbers; specifically, from domain names to IP addresses (and vice-versa). For example, "google.com" translates to "126.96.36.199"; if you type "188.8.131.52" into your address bar, you'll go directly to the Google homepage without needing to ask your DNS server to translate.
What do I need to check?
Your default DNS server at your house is probably either owned by your Internet Service Provider (ISP) or Google. Naturally, since your DNS server is translating the addresses that you are visiting, they can see the addresses you are visiting.
Many DNS servers keep logs. At the end of the day, they're probably not logging to track the activity of individual users, but that doesn't mean the data that they do log won't be traceable back to you if it needed to be. This isn't necessarily a bad thing if it doesn't bother you, but there are other no-logging options if it does.
DNS was invented in the 1980s. Like most things invented in the 20th century that we still use today, this protocol is unencrypted and unsecured. This means that a hacker sniffing your traffic could see what websites you're visiting, or execute various DNS attacks to lead you to malicious sites.
Diagram courtesy of BlueCat
How do I check it?
Your DNS server can be set in multiple places, such as your router, your computer, or your VPN server. If you aren't connected to a VPN, you are more than likely using the DNS configured on your computer's network adapter (your WiFi or ethernet adapter). An easy way to check which server you're actually using is to run the test at DNSleaktest.com; there might be many servers or just one, but what you need to pay attention to is the "ISP": the entity that owns the servers.
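The online leak test shows which resolver your queries actually reach. A complementary local check, added here as an example and not part of the original post, is to read the resolvers your operating system is configured with and sort them by who is likely behind each one. On Linux and macOS that configuration lives in /etc/resolv.conf; the resolv.conf text in the script is constructed sample input so it runs offline (127.0.0.53 is the stub address systemd-resolved uses, 192.168.1.1 is a typical home router, 8.8.8.8 is one of Google's public resolvers). To check a real machine, pass the contents of your own /etc/resolv.conf to report().

```python
"""Added example (not from the original post): list the resolvers a Linux/macOS
system is configured to use and give a coarse guess of who operates each one.
SAMPLE_RESOLV_CONF is constructed sample input so the script runs offline."""
import ipaddress

SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample, not a real file)
search home.lan
nameserver 127.0.0.53
nameserver 192.168.1.1
nameserver 8.8.8.8
options edns0 trust-ad
"""


def parse_nameservers(text: str) -> list:
    """Return the 'nameserver' entries from resolv.conf-style text, in order.

    Comments start with '#' or ';'.  Note that glibc only uses the first three
    nameserver lines, so order matters."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def classify(server: str) -> str:
    """Coarse origin guess for one resolver address.

    loopback  -> a local stub (systemd-resolved, dnscrypt-proxy, ...); the real
                 question is what *its* upstream is
    private   -> your home router, which usually forwards to the ISP's resolver
    otherwise -> a public resolver; its operator sees every name you look up"""
    try:
        # IPv6 entries may carry a scope id such as fe80::1%eth0; drop it.
        ip = ipaddress.ip_address(server.split("%", 1)[0])
    except ValueError:
        return "unparseable address"
    if ip.is_loopback:
        return "local stub resolver: check what upstream it forwards to"
    if ip.is_private or ip.is_link_local:
        return "LAN address (home router): usually forwards to your ISP's resolver"
    return "public resolver: its operator can log the names you look up"


def report(text: str = SAMPLE_RESOLV_CONF) -> dict:
    """Map each configured resolver to its classification."""
    return {server: classify(server) for server in parse_nameservers(text)}


if __name__ == "__main__":
    for server, verdict in report().items():
        print(f"{server:>16}  {verdict}")
```

A loopback entry is the case to pay attention to: it tells you only that a local forwarder is in use, and you still need to look at that forwarder's own configuration (for example, the upstream set in systemd-resolved or dnscrypt-proxy) to know which "ISP" the leak test will report.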
There are three parts to DNS security:
Encryption: Concealing the traffic between your client and the DNS server. This prevents hackers from sniffing your traffic to see what websites you are visiting.
Authentication: Authenticating DNS requests to verify the data is coming from a legitimate source (and not, for example, a hacker executing a DNS spoofing attack)
Integrity: Ensuring the contents of the data was not altered in transit between your client and the DNS server.
Head over to Cloudflare to check your DNS security. (NOTE: If you are using a VPN, they might not be able to detect your secure DNS status, and Server Name Indication (SNI) isn't a concern because your traffic is already encrypted. Also, SNI is not a function of DNS, so we'll cover that another day.)
Since DNS is an unsecure protocol by default, you may not have all the security measures implemented if you are asking how to check it. The exception to this is if you are using a VPN service; in this case, you are using your VPN's DNS servers which likely have DNS security implemented. This is another aspect to research before choosing a VPN service.
How do I fix it?
This one's easy! Just pick a DNS server and configure your client to point to that server. You can also set this on your home router for all devices on your home network, but you may have to do some extra configuring to force all clients to use the DNS server specified on your router. Check out instructions for all OS's here (but you can obviously substitute Google's servers for the servers you chose).
The easiest option is to use a VPN service. Many VPN services host their own DNS servers. When properly configured, these DNS servers are accessed through their secure VPN tunnel and protected from malicious hackers.
However, this will not necessarily be the case if you are hosting your own VPN; in this case, you would have to ensure you are implementing DNS security measures on your server.
Whether you're implementing DNS security on your home network or on your own VPN server, here are the protocols available to secure your DNS traffic:
DNS over TLS (DoT): Uses TLS encryption to secure your traffic on TCP port 843. This encryption is done at the operating system layer, but this implementation is limited in availability.
DNS over HTTPS (DoH): Uses HTTPS encryption to secure your traffic on TCP port 443. This protocol is application-level and is often available as a browser setting.
DNSCrypt: Also uses port 443, but can function on both UDP and TCP. Encryption on UDP means that this option will generally be faster than the TCP protocols. DNSCrypt-Proxy is an accessible implementation that is available to download as a client on most OS's. It will also encrypt all of your internet traffic, even outside of a browser. Learn more and install the client here.
If you enable secure DNS from a browser, keep in mind only your browser traffic will be encrypted. If you use other applications that connect to the internet, these will not be covered. DoT encrypts at the OS level, but unfortunately, there are not many DoT implementations available for you to install.
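To make concrete both what a sniffer sees on plain port 53 and how DoT and DoH wrap the very same message, here is an added example (not code from the original post). It builds a standard DNS query for a name in wire format, parses it back the way a passive observer would, and then shows the two encapsulations: DoT's 2-byte length prefix on a TLS connection to TCP port 853 (the port registered in RFC 7858), and DoH's GET form, where the message rides in the dns= query parameter as unpadded base64url (RFC 8484). The name example.com, the transaction id and the hostname doh.example are constructed for the demo; nothing is sent over the network.

```python
"""Added example (not from the original post): build and parse a plaintext DNS
query, then show how DoT and DoH carry that identical message.  example.com,
the transaction id 0x1234 and the DoH host 'doh.example' are constructed."""
import base64
import struct

DOT_PORT = 853            # DNS over TLS listens here (RFC 7858), over TCP
DOH_PATH = "/dns-query"   # conventional DoH endpoint path (RFC 8484)


def encode_name(name: str) -> bytes:
    """Wire-format name: each label prefixed by its length, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """12-byte header plus one question; qtype 1 = A record, class 1 = IN.
    Flags 0x0100 sets RD (recursion desired), a normal client query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question


def decode_name(msg: bytes, offset: int):
    """Read a non-compressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def sniff_query(msg: bytes) -> dict:
    """What an on-path observer recovers from a classic UDP/53 query: all of it."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    name, offset = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"txid": txid, "recursion_desired": bool(flags & 0x0100),
            "questions": qdcount, "name": name, "qtype": qtype, "qclass": qclass}


def dot_frame(msg: bytes) -> bytes:
    """DoT: same bytes, inside TLS on TCP, prefixed with a 2-byte big-endian
    length (the TCP framing from RFC 1035 that RFC 7858 reuses)."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, host: str = "doh.example") -> str:
    """DoH GET: the wire message goes in ?dns= as base64url with padding removed.
    RFC 8484 recommends txid 0 in DoH so responses can be cached by the HTTP layer."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"https://{host}{DOH_PATH}?dns={b64}"


def doh_message_from_url(url: str) -> bytes:
    """Reverse of doh_get_url: restore padding and decode the dns= parameter."""
    b64 = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


if __name__ == "__main__":
    q = build_query("example.com")
    print("plaintext query bytes:", q.hex())
    print("what a sniffer sees   :", sniff_query(q))
    print("DoT frame (TCP/%d)    :" % DOT_PORT, dot_frame(q).hex())
    print("DoH GET               :", doh_get_url(q))
```

The point of the three encapsulations side by side: the question section, including the name you are looking up, is byte-for-byte identical in all of them. Only the outer TLS (DoT) or HTTPS (DoH) layer hides it from someone on the path, which is why the resolver you hand the query to still sees everything.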
Other places you can check for secure DNS options:
Your operating system
Authentication and Integrity:
DNS Security Extensions (DNSSEC)
DNSSEC uses public key cryptography to encrypt the data. This, according to ICANN, adds two security measures to the DNS protocol:
Data origin authentication allows a resolver to cryptographically verify that the data it received actually came from where it believes the data originated.
Data integrity protection allows the resolver to know that the data hasn't been modified in transit since it was originally signed by the original owner with the owner's private key.
This will be implemented by your DNS server, so choose a good DNS server!
DNS security is still a developing field. There isn't a single, universal standard at this point, so implementing DNS security may not be as straightforward as it should be. I try to keep things short and simple, but if this seems like too much of a headache to worry about, GET A VPN SERVICE!