Securing the Domain Name Service

One of the most important systems that make the Internet easy to use has absolutely no security in its current form. This means that your Internet service provider (and some others) can easily see every website that you visit. (Since you have “nothing to hide” this should not be a problem, right?)

DNS, or the Domain Name System, is the networking protocol that finds websites and resources on the Internet using familiar names such as Google.com, Amazon.com, and WyzGuysCybersecurity.com. It does that by converting the domain name in a typical website request to the IP address of the server where the website is installed. Google is 172.217.6.14. Amazon is 176.32.103.205. WyzGuys is 74.208.236.136. You can see this in action by opening a CMD window (type cmd in the Start menu search box), typing nslookup google.com, and pressing Enter.

DNS, like other early Internet protocols such as email, was invented in a time when the thought of keeping this information secure from prying eyes was not considered an issue.  These days spying and surveillance are out of hand, with everyone from the government and your ISP to Internet marketing firms and e-commerce sites, to the corner coffee bar keeping tabs on your Internet travels.

If you are like me, you have nothing to hide but you still would like to keep your business to yourself. You use one of our recommended private browsing options and have your browser delete your browsing history. But since all of your DNS queries are unencrypted, it is not difficult for someone with access to that traffic to reconstruct your path through the Internet.

Maybe you are wondering about DNSSEC. Isn’t that some type of DNS security? DNSSEC was designed to protect applications from using forged or manipulated DNS data. DNSSEC responses are authenticated but not encrypted; this prevents DNS spoofing and website redirection. DNSSEC doesn’t provide any privacy or confidentiality. So no help for us there.

There are recent developments that will allow us to encrypt our DNS requests and recover a bit more of our lost privacy. In the last couple of days I read an article by Dennis Anon on Privacy.net about using Cloudflare DNS to secure your DNS queries, and another article on Sophos Naked Security about Mozilla’s beta test of Cloudflare’s DNS-over-HTTPS service to do the same thing in the Firefox browser. If this is something you want to pursue, you have a couple of options:

  • Use the Cloudflare public DNS server (1.1.1.1 and 1.0.0.1) in your computer’s network configuration.  There is a great illustrated tutorial in Dennis’ article that shows you how.
  • Use Firefox DoH Shield beta test as your web browser.  This will be released in final form in Firefox 62.
  • Use a VPN any time you are on the Internet.  This serves to encrypt everything, including DNS queries, and may be your best overall solution.

In the last 30 years as computers and the Internet have developed,  we have, as a species, really given up nearly all of our privacy.  Our information is everywhere, and we have no control over who has it or what they do with it.  But there is a movement back in the direction of recovering at least some of our privacy.  Efforts such as the European GDPR standards are an example.  DNS over HTTPS is another.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com