Tag Archives: DNS over TLS

Now (Some) (Important) Meta Data Can Be Encrypted

Worried about the NSA capturing all that metadata about you?  That is the stuff about you that the government says it can collect without a warrant (and courtesy of the Patriot Act) because you send it unencrypted over the Internet and so you have no expectation of privacy.

A big part of the data (besides the Internet address that identifies you) is the DNS queries that you make.

DNS is the phone book that the Internet uses to map that friendly name like www,foxnews.com to an IP address  like 23.36.10.215 that the Internet can route.

This week Google announced that it’s DNS service (the one at 8.8.8.8) can now handle DNS over TLS (meaning that your queries are encrypted) blinding not only the NSA but also making it more difficult for your ISP to sell your data as well.

Since DNS is used so much, there was a lot of work done to make sure that DNS over TLS was fast, including using TCP fast open, pipelining and supporting out of order responses.

You can use DNS over TLS in one of two ways and the distinction is important.  The first is opportunistic, meaning it will encrypt your data if it can.  The other is called strict, which means that if the receiving server won’t accept encryption, the transmission will fail.

Google made support for it available for Android 9 (Pie) users Yesterday.  Android 9 users will have to make some settings changes to use it.  Users of older phones will have to upgrade.

Cloudflare also supports DNS over TLS and also DNS over HTTPS, an older variant of it, but until the phones support it, it is unimportant what services support.

Apparently iPhone users can do this to, but Apple does not support it natively; you have to do some significant shenanigans to get it to work.

Information for this post came from the Hacker News.

 

 

 

Facebooktwitterredditlinkedinmailby feather