Why your DNS traffic is a privacy leak and how to fix it once and for all


Worried about your privacy? Worried about your ISP collecting your data? DNS queries are one way snoopers can profile you, and encrypted DNS is the answer. However, not all encrypted DNS setups are equal, and I have a solution that can really protect your anonymity.

Problem and solution

Your DNS queries leak every web request you make

DNS (Domain Name System) is a tool for mapping domain names (such as example.com) to IP addresses. When you send a web request, your system sends a DNS packet to a DNS server (called a recursive resolver) on the Internet. That server then sends a series of follow-up requests to resolve your query. The entire process takes place over a clear-text protocol, which means that any snooper on the network (such as an ISP) can create a detailed profile of your browsing habits. I have covered this extensively in another article I wrote, and I recommend you read it first.

So what can we do about it? The first step is to encrypt DNS queries. While not a perfect solution, it offers the best protection we have and certainly makes profiling more difficult.

DNSCrypt Proxy is one such option. It is a software program (service) that runs on any computer, such as your desktop or laptop. You then update your operating system’s DNS configuration to forward requests through it – more on that later.

Install DNSCrypt Proxy

A local service that accepts and encrypts DNS queries

This is a program you run on your computer that accepts and encrypts DNS requests. In the configuration file we tell it where to send them.

The rest of the guide will focus on Linux, but you can refer to the official guides for Linux, Windows, macOS and several other platforms. The configuration section below is universal for all of them, and so are the explanations, so it’s useful to continue regardless of which one you use.

Any of the methods in those guides will install and set up the service.

Configure DNSCrypt Proxy

Universal configuration format on all platforms

The configuration is the hard part and I will share with you my experience of what works.

Refer to the official instructions to find the configuration file for your platform; on Linux the location is /etc/dnscrypt-proxy/dnscrypt-proxy.toml.

We will edit the configuration file (TOML) so that DNS queries pass through a relay.

First set the listen addresses so the service listens on your local computer using the standard DNS port (53):

listen_addresses = [ "127.0.0.1:53", "[::1]:53" ]

This allows applications to easily find and use DNSCrypt Proxy. “127.0.0.1” and “::1” are the local computer (aka localhost), for IPv4 and IPv6 respectively.

Next come the server names. DNSCrypt Proxy downloads resolver lists that contain the remote configurations, called stamps, and the server names select entries from those lists:

server_names = [ "server-name-1", "server-name-2" ]

A stamp is an encoded, public configuration string: it contains the server's public address and encryption information. For example, this is one of Quad9's stamps, for the server named “quad9-dnscrypt-ip4-filter-ecs-pri”:

sdns://AQMAAAAAAAAAADTkuOS45LjExOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm

Decoded, it looks like this:

A terminal window displays a decoded DNSCrypt stamp, revealing an IP address and certificate name.

This just illustrates what a stamp contains and what it is for.
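To make the stamp format concrete, here is a small encoder and decoder added for this article (it is not code from dnscrypt-proxy or Quad9). It follows the public DNS Stamps layout for DNSCrypt (0x01) and relay (0x85) stamps; the key, address and provider name used with it are constructed placeholders, and the decoder reports a stamp that has been cut short instead of returning garbage.

```python
import base64
import struct

PROTO_DNSCRYPT = 0x01   # DNSCrypt resolver stamp (DNS Stamps specification)
PROTO_RELAY = 0x85      # Anonymized DNSCrypt relay stamp
FLAGS = {1: "DNSSEC", 2: "No logs", 4: "No filter"}  # bits of the 64-bit LE "props"

def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte followed by the bytes."""
    if len(data) > 255:
        raise ValueError("field too long for a stamp")
    return bytes([len(data)]) + data

def _read_lp(buf: bytes, pos: int):
    """Read the length-prefixed field at pos and return (value, next_pos)."""
    end = pos + 1 + buf[pos] if pos < len(buf) else len(buf) + 1
    if end > len(buf):
        raise ValueError("truncated stamp")
    return buf[pos + 1:end], end

def _wrap(raw: bytes) -> str:
    # sdns:// prefix plus unpadded base64url of the binary stamp
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")

def encode_dnscrypt_stamp(addr: str, pubkey: bytes, provider: str, props: int) -> str:
    """DNSCrypt stamp layout: 0x01 || props || LP(addr) || LP(pk) || LP(provider)."""
    if len(pubkey) != 32:
        raise ValueError("the provider key is a 32-byte Ed25519 public key")
    raw = bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props)
    return _wrap(raw + _lp(addr.encode()) + _lp(pubkey) + _lp(provider.encode()))

def encode_relay_stamp(addr: str) -> str:
    """Relay stamp layout: 0x85 || LP(addr)."""
    return _wrap(bytes([PROTO_RELAY]) + _lp(addr.encode()))

def decode_stamp(stamp: str) -> dict:
    """Decode a DNSCrypt or relay stamp into its fields; raises ValueError if malformed."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if raw[:1] == bytes([PROTO_RELAY]):
        return {"protocol": "relay", "addr": _read_lp(raw, 1)[0].decode()}
    if raw[:1] != bytes([PROTO_DNSCRYPT]) or len(raw) < 9:
        raise ValueError("unsupported or truncated stamp")
    (props,) = struct.unpack("<Q", raw[1:9])
    addr, pos = _read_lp(raw, 9)
    pubkey, pos = _read_lp(raw, pos)
    provider, _ = _read_lp(raw, pos)
    return {"protocol": "dnscrypt", "addr": addr.decode(), "provider": provider.decode(),
            "pubkey_hex": pubkey.hex(), "flags": [n for b, n in FLAGS.items() if props & b]}
```

Feeding it a stamp from the public resolver list shows exactly which address, provider key and properties DNSCrypt Proxy trusts when you name that server.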

As a side note, the first half of this video introduces Quad9. It is separate from DNSCrypt, so don’t confuse the two. You can use Quad9 without DNSCrypt, which is explained in the second half of the video. However, you don’t get encrypted requests that way, so be careful. It’s best to use them together via Quad9’s DNSCrypt service.

Back to DNSCrypt. By specifying a server name you tell DNSCrypt Proxy which public servers (stamps) to use. To use the stamp above you would set:

server_names = [ "quad9-dnscrypt-ip4-filter-ecs-pri" ]

You choose servers from the DNSCrypt public server list.

To select a suitable server, first sort the list (“1”) by the “DNSCrypt” protocol (“2”), then use the name on the left (“3”). The second image shows additional server information, including the stamp; this is what DNSCrypt Proxy loads when you give it a server name.

Next, relays are privacy-respecting proxy servers that anonymize your requests. If you want to use them (and you should), you need to set the “routes” option in the “anonymized_dns” section. The easiest approach is to forward all requests through a randomly chosen relay:

[anonymized_dns]
routes = [
  { server_name = "*", via = ["*"] }
]

Note that the above approach may take a while to work initially because it needs to find a working relay.

Alternatively, you can select specific relays:

[anonymized_dns]
routes = [
    { server_name = "*", via = [ "relay-example-1", "relay-example-2" ] },
]

This will send all requests bound for any server through the relays named “relay-example-1” and “relay-example-2”.

You can get a complete list of relays from the DNSCrypt public server list.

If you click on the column header (annotation “1”), you can sort the list to show the relays (“2”). The name of the relay server is on the left (“3”).

Many of these relay servers are community owned, so be careful in your selection. But remember that they cannot read your queries. Finally, to protect your anonymity, make sure that your relay and servers are not owned by the same people.

You can also route specific servers through specific relays:

[anonymized_dns]
routes = [
    { server_name = "example-server-1", via = [ "relay-example-1", "relay-example-2" ] },
    { server_name = "example-server-2", via = [ "relay-example-1", "relay-example-2" ] },
]

Now you need to change your DNS settings. We have guides for doing just that on Windows 10, Windows 11 and macOS. On Linux, you only need to update one file:

su  # Become root first.
printf 'nameserver 127.0.0.1\nnameserver ::1\n' > /etc/resolv.conf  # printf, because echo does not expand \n in every shell.
chattr +i /etc/resolv.conf  # Make the file immutable.

Making a file immutable means that even root cannot change it until the attribute is removed again with sudo chattr -i /etc/resolv.conf. Use lsattr /etc/resolv.conf to view the file’s current attributes.

Making resolv.conf immutable on Linux is sometimes necessary because some programs (such as NetworkManager) like to overwrite it when they start. Consider it a nuclear option and prefer another method if one is available.

There are some additional settings that provide a clean, anonymized, DNSCrypt-only connection. Some of them act as filters on the downloaded server list.

# Caching queries makes repeated lookups faster.
cache = true
cache_size = 4_096

# Use servers reachable over IPv4.
ipv4_servers = true

# Use servers reachable over IPv6.
ipv6_servers = true

# Use servers implementing the DNSCrypt protocol.
dnscrypt_servers = true

# We do not want to use DNS over HTTPS.
doh_servers = false

# We do not want to use servers implementing the Oblivious DNS over HTTPS protocol.
odoh_servers = false

# DNSSEC is optional here, but it limits your options.
require_dnssec = false

# Include only servers that do not log queries.
require_nolog = true

# Do not insist on unfiltered servers; filtering servers (for example, malware filters) are allowed.
require_nofilter = false

Additionally, in the “anonymized_dns” section, specify:

[anonymized_dns]
# Skip resolvers incompatible with anonymization (relays).
skip_incompatible = true

If a server you named does not connect, it is usually because one of these filters removed it from the final selection list. Double-check your target server and settings.
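As an added illustration of how these switches whittle the list down (this is not part of the original article or of dnscrypt-proxy), the script below applies the same filter options to a few constructed server records and reports which option knocks each one out. The record fields are what a decoded stamp gives you, the addresses are documentation placeholders, and the `skip_incompatible` rule assumes, as the comment in the file says, that only DNSCrypt servers can be reached through relays.

```python
# Constructed settings mirroring the filter options above; a server record holds what a
# decoded stamp tells you: protocol, "host:port" address and property flags.
DEFAULT_CONFIG = {
    "dnscrypt_servers": True, "doh_servers": False, "odoh_servers": False,
    "ipv4_servers": True, "ipv6_servers": True,
    "require_dnssec": False, "require_nolog": True, "require_nofilter": False,
    "skip_incompatible": True,   # [anonymized_dns]: drop servers that cannot use relays
}
# Which "*_servers" switch gates each stamp protocol.
PROTOCOL_SWITCH = {"dnscrypt": "dnscrypt_servers", "doh": "doh_servers", "odoh": "odoh_servers"}
# Which "require_*" switch demands which stamp property flag.
REQUIRED_FLAG = {"require_dnssec": "DNSSEC", "require_nolog": "No logs",
                 "require_nofilter": "No filter"}

def is_ipv6(addr: str) -> bool:
    """Stamp addresses are 'host:port'; IPv6 hosts are written in square brackets."""
    return addr.startswith("[")

def rejection_reasons(server: dict, config: dict = DEFAULT_CONFIG) -> list:
    """Return the options that would remove this server from the final selection list."""
    reasons = []
    switch = PROTOCOL_SWITCH.get(server["protocol"])
    if not (switch and config[switch]):
        reasons.append(f"{switch or server['protocol']} not enabled")
    family = "ipv6_servers" if is_ipv6(server["addr"]) else "ipv4_servers"
    if not config[family]:
        reasons.append(f"{family} = false")
    for option, flag in REQUIRED_FLAG.items():
        if config[option] and flag not in server["flags"]:
            reasons.append(f"{option} = true but stamp lacks '{flag}'")
    # Assumption: only plain DNSCrypt servers can be reached through anonymized DNS relays.
    if config["skip_incompatible"] and server["protocol"] != "dnscrypt":
        reasons.append("skip_incompatible = true (not relay-capable)")
    return reasons

def usable_servers(servers: dict, config: dict = DEFAULT_CONFIG) -> list:
    """Names of the servers that survive every filter, in list order."""
    return [name for name, s in servers.items() if not rejection_reasons(s, config)]

# Constructed sample entries using documentation addresses, not real resolvers.
SAMPLE_SERVERS = {
    "good-dnscrypt": {"protocol": "dnscrypt", "addr": "192.0.2.10:8443", "flags": ["DNSSEC", "No logs"]},
    "logging-dnscrypt": {"protocol": "dnscrypt", "addr": "192.0.2.11:8443", "flags": ["DNSSEC"]},
    "good-doh": {"protocol": "doh", "addr": "192.0.2.12:443", "flags": ["No logs", "No filter"]},
    "good-v6": {"protocol": "dnscrypt", "addr": "[2001:db8::1]:8443", "flags": ["No logs"]},
}

if __name__ == "__main__":
    for name, server in SAMPLE_SERVERS.items():
        print(f"{name}: {rejection_reasons(server) or 'OK'}")
```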

Start the service and test it

It’s different for each platform

After configuration, you need to start and test the service. For platforms other than Linux, see the relevant guide linked earlier.

For Linux, the service is usually called “dnscrypt-proxy”:

sudo systemctl enable dnscrypt-proxy
sudo systemctl start dnscrypt-proxy

To test:

cd /etc/dnscrypt-proxy
dnscrypt-proxy -resolve example.com

Alternatively, if you have dig installed, you can run:

dig example.com

You should see the answer coming from the local server:

A terminal window shows the output of the drill query for example.com. The server line is highlighted, indicating the request resolved via localhost.


I have prepared a complete, working configuration file for you. It uses Quad9’s filtered DNSCrypt service, which filters malware domains. It also relays connections through Austria and Sweden. You can add or remove relays as you deem necessary or use the information covered to customize your setup.

The options covered in this article are marked “CUSTOM!” in the file. For everything else, refer to the example configuration file.

######################################################################
#                 GLOBAL SETTINGS (WITHOUT SECTIONS)                 #
######################################################################

# CUSTOM!
listen_addresses = [ "127.0.0.1:53", "[::1]:53" ]

# CUSTOM!
server_names = [ "quad9-dnscrypt-ip4-filter-pri" ]

# CUSTOM! These options are either changed from their defaults or significant
# for the proper functioning of a pure DNSCrypt connection.
# I explained these previously.
cache = true
cache_size = 4_096
dnscrypt_servers = true
doh_servers = false
ipv4_servers = true
ipv6_servers = true
odoh_servers = false
require_dnssec = false
require_nofilter = false  # quad9-dnscrypt-ip4-filter-pri filters malware domains.
require_nolog = true

######################################################################
#                         SECTIONED SETTINGS                         #
######################################################################

[anonymized_dns]
skip_incompatible = true  # Only use servers that support relays.

# CUSTOM!
routes = [
  { server_name = "*", via = [ "anon-cs-austria", "anon-cs-swe" ] },
]

[sources.public-resolvers]
# This is where DNSCrypt resolves server names to stamps.
# The lists are authenticated using cryptography (minisign).
urls = [
  "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md",
  "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
]
cache_file = "public-resolvers.md"
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"
refresh_delay = 73
prefix = ""

[sources.relays]
# A list of relays.
urls = [
  "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/relays.md",
  "https://download.dnscrypt.info/resolvers-list/v3/relays.md"
]
cache_file = "relays.md"
minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3"
refresh_delay = 73
prefix = ""

[broken_implementations]
# These are lists of server names with problematic implementations.
fragments_blocked = [
  "cisco",
  "cisco-ipv6",
  "cisco-familyshield",
  "cisco-familyshield-ipv6",
  "cisco-sandbox",
  "cleanbrowsing-adult",
  "cleanbrowsing-adult-ipv6",
  "cleanbrowsing-family",
  "cleanbrowsing-family-ipv6",
  "cleanbrowsing-security",
  "cleanbrowsing-security-ipv6"
]

You can run dnscrypt-proxy -check (while in the same directory as the configuration file) to ensure that your requests are routed through Austria or Sweden. Once you’ve done that, it’s just a matter of starting the service and running DNS queries.

While an encrypted DNS does a lot for your privacy, a VPN does a lot more. With encrypted DNS it’s like closing your curtains, but with a VPN it’s like locking all your doors too. If you’re serious about privacy, I recommend ProtonVPN, which I personally use and love.



