Securing DNS

Most people don’t know what DNS is, but it is almost as old as the Internet and you use it hundreds of times a day, probably thousands of times a day.

Every time you check for new email on your phone or browse to a web site, you are using DNS.  The Internet uses numeric addresses called IP addresses to route requests, but you use names like ESPN.Com, and  DNS is what translates to (IPv4) or 2a03:2880:f003:c07:face:b00c::2 (IPv6).

Virtually all of your communications on the Internet these days are encrypted.  Except for DNS.  That means that anyone listening on your connection can see what web sites you are visiting and, if they are  malicious, route you to an alternative, malicious site.  That is because DNS traffic is not encrypted.

Until now.

There was an experiment called DNSCrypt that encrypted your DNS traffic, but it required that you install and configure software.  It never gained any traction.

After that came (of course) two competing standards, one called DNS over TLS and the other called DNS over HTTPS.    It looks like DNS over HTTPS won.

It does require that you turn it on in your browser, but beyond that, nothing is required.  That will probably change in the future to be the default.

In England, the Internet Service Provider Association named Firefox and Google villains of the year for encrypting your DNS traffic and GCHQ (their version of NSA) wasn’t thrilled either.  Probably a great reason to do it all by itself.

Firefox is the first to do it.  In Firefox, it is a bit confusing, but here is a ZDNet article on how to do it.

1. Type about:preferences in the address bar

2. scroll down to network settings and click on settings

3. click on enable DNS over HTTPS

4. Click OK.

You can change the default provider, but you don’t have to.

That’s pretty simple.  That is all it takes.

Now all of your DNS requests are private and cannot be spoofed by your local coffee shop WiFi.

Chrome is a little behind, but it should be there in a couple of months and since Microsoft Edge is really Chrome with a different decal, it will likely show up there too.

Having someone listen in on your browsing is maybe a problem if you care about your privacy.

Having someone redirect your browser to a malicious version of the web site you want to go to and steal your password or install malware.  That is a legitimate problem.

One more security/privacy thing that you should enable and it doesn’t cost anything.


Leave a Reply

Your email address will not be published.