Securing the Domain Name Service

One of the most important systems that makes the Internet easy to use offers no confidentiality in its original form. This means that your Internet service provider (and some others) can easily see every website that you visit. (Since you have “nothing to hide” this should not be a problem, right?)

DNS, or the Domain Name System, is the networking protocol that finds websites and resources on the Internet using familiar names such as Google.com, Amazon.com, and WyzGuysCybersecurity.com. It does that by converting the domain name in a typical website request to the IP address of the server where the website is installed. Google is 172.217.6.14. Amazon is 176.32.103.205. WyzGuys is 74.208.236.136. You can see this in action by opening a CMD window (type cmd in the Start menu search box), entering nslookup google.com, and pressing Enter.

DNS, like other early Internet protocols such as email, was invented at a time when keeping this information secure from prying eyes was not considered an issue. These days spying and surveillance are out of hand, with everyone from the government and your ISP, to Internet marketing firms and e-commerce sites, to the corner coffee bar keeping tabs on your Internet travels.

If you are like me, you have nothing to hide but you would still like to keep your business to yourself. You use one of our recommended private browsing options and have your browser delete your browsing history. But since all of your DNS queries are sent unencrypted, it is not difficult for someone with access to the network path to reconstruct your travels through the Internet from them.

Maybe you are wondering about DNSSEC. Isn’t that some type of DNS security? DNSSEC was designed to protect applications from using forged or manipulated DNS data. DNSSEC responses are digitally signed so they can be authenticated, which prevents DNS spoofing and website redirection, but they are not encrypted. DNSSEC doesn’t provide any privacy or confidentiality, so no help for us there.

There are recent developments that will allow us to encrypt our DNS requests and recover a bit more of our lost privacy. In the last couple of days I read an article by Dennis Anon on Privacy.net about using Cloudflare DNS to secure your DNS queries, and another article on Sophos Naked Security about Mozilla’s beta test of Cloudflare’s DNS-over-HTTPS service to do the same thing in the Firefox browser. If this is something you want to pursue, you have a couple of options:

  • Use the Cloudflare public DNS servers (1.1.1.1 and 1.0.0.1) in your computer’s network configuration. There is a great illustrated tutorial in Dennis’ article that shows you how.
  • Use Firefox with the DoH Shield beta test as your web browser. This will be released in final form in Firefox 62.
  • Use a VPN any time you are on the Internet. This encrypts everything, including DNS queries, and may be your best overall solution.
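To make the privacy point concrete, here is an added example (my own illustration, not code from the original post, from Cloudflare, or from Mozilla). It builds the same wire-format query that nslookup or your operating system sends for google.com over plain UDP port 53, shows that the queried name can be read straight out of that datagram by anyone on the path, and then shows how DNS-over-HTTPS (RFC 8484) carries the identical message inside an HTTPS request to a resolver such as Cloudflare’s. The resolver URL cloudflare-dns.com/dns-query is Cloudflare’s published DoH endpoint; nothing here is actually sent over the network.

```python
"""Plain DNS versus DNS-over-HTTPS framing (added example, not from the post).

Builds an RFC 1035 query packet, extracts the question name the way an on-path
observer would, and wraps the same packet in the RFC 8484 GET and POST forms.
"""
import base64
import struct

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # Cloudflare's published DoH URL


def encode_name(name: str) -> bytes:
    """RFC 1035 wire format: each label prefixed by its length, ended by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0, qtype: int = 1) -> bytes:
    """A standard recursive query for one question (QTYPE 1 = A record, QCLASS 1 = IN).

    Header fields: ID, FLAGS (0x0100 = recursion desired), QDCOUNT=1, ANCOUNT,
    NSCOUNT, ARCOUNT.  RFC 8484 recommends ID 0 for the GET form so that the
    encoded URL is cache friendly, hence the default.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def extract_qname(packet: bytes) -> str:
    """What a passive observer of UDP/53 traffic does: read the name out of the question."""
    pos = 12  # the fixed 12-byte header precedes the question section
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def doh_get_url(packet: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the wire message, base64url without padding, in the query string."""
    dns = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={dns}"


def doh_post_request(packet: bytes, endpoint: str = DOH_ENDPOINT) -> dict:
    """RFC 8484 POST form: the raw wire message is the body, typed application/dns-message."""
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
        "body": packet,
    }


if __name__ == "__main__":
    query = build_query("google.com")
    print("UDP/53 payload:", query.hex())
    print("readable by anyone on the path:", extract_qname(query))
    print("DoH GET:", doh_get_url(query))
    print("DoH POST body bytes:", len(doh_post_request(query)["body"]))
```

The point the two framings make: DoH does not change the DNS message at all, it only moves it from a cleartext datagram into a TLS-protected HTTPS exchange with the resolver you chose. An observer on your local network or at your ISP then sees a connection to the resolver, not the names you asked it for. The resolver itself still sees every query, which is why the choice of resolver (and its logging policy) is the trust decision that replaces trusting your ISP.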

In the last 30 years, as computers and the Internet have developed, we have, as a species, given up nearly all of our privacy. Our information is everywhere, and we have no control over who has it or what they do with it. But there is a movement back in the direction of recovering at least some of our privacy. Efforts such as the European GDPR standards are one example. DNS over HTTPS is another.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.