You Need To Stop DNS Leaks

Posted by on 11th Jan 2019

My mind has been on the Domain Name System (DNS) for about a week now. I've been mulling over whether VPNs are necessary and how much trust should be placed in a DNS provider. It's clear you should not trust your ISP's DNS, since some companies have been caught manipulating the data or selling your DNS metadata to other companies.

Both of which suck.

This collection of data via DNS still happens even when a user connects to a VPN. The traffic between the user and the site is encrypted, but the lookup that maps the requested domain name to an IP address is not. Worst of all, the user is almost always using their ISP's default DNS servers, which the ISP controls.

Change the DNS settings

This can be done at the router level for most routers on the market. I have never used one that blocks this ability. Once you find the section within your router to set a custom DNS server, you need to find one to use. Some options include:

Of course, you still have to rely on a third party here so make sure you do your due diligence when using a DNS service.

Cloudflare DNS

Cloudflare is the newest one I have come across with their 1.1.1.1 service. I'm a bit skeptical about using them since they did kick that one Nazi guy's site offline. It's not that being a neo-Nazi is a right, but freedom of speech is, and recently they have been speaking out against that action as well as supporting Gab in their fight to protect freedom of speech.

Cloudflare, which protects websites from denial of service attacks, is best known for dropping neo-Nazi website the Daily Stormer as a customer, effectively exiling the Stormer from the internet, following the white supremacist rally in Charlottesville, Virginia, in August 2017. Immediately, though, Cloudflare CEO Matthew Prince said he regretted his decision, and would in the future not arbitrate acceptable speech. “Literally, I woke up in a bad mood and decided someone shouldn’t be allowed on the internet. No one should have that power,” Prince wrote in a staff memo. Now, in one of the first tests of that approach, Cloudflare is among the few web firms continuing to provide service to Gab. - Wired.com

Cloudflare's DNS service is 1.1.1.1 and has the goal of being the fastest DNS service on the internet. I am using it now and it is really fast compared to other DNS services I have used in the past. This quote from the Cloudflare blog got me very interested. Time to learn some new tech!

1.1.1.1, supports both emerging DNS privacy standards - DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep your DNS queries private and free from tampering.
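To make the leak described earlier concrete, here is an added example (my own code, not from the post or from Cloudflare) that builds a standard DNS query, shows that the queried name sits unencrypted in the raw UDP/53 payload, parses a constructed reply, and sends the identical message as DNS-over-HTTPS instead. The DoH URL is assumed to be Cloudflare's `https://cloudflare-dns.com/dns-query` endpoint (RFC 8484 `application/dns-message`); the sample reply is constructed, not captured.

```python
import random, socket, struct, urllib.request

def encode_name(name):  # RFC 1035 labels: the queried name is literally these bytes, unencrypted
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=None):
    """Standard query, RD=1, one question; the same bytes go over UDP/53 or inside DoH."""
    txid = random.randrange(65536) if txid is None else txid
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    """Read a possibly compressed name; returns (name, offset just past it)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the suffix
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def parse_a_records(msg):
    """Skip the question section, then collect IPv4 addresses from A records in the answers."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, ips = 12, []
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4  # name, then QTYPE + QCLASS
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def name_visible_on_wire(packet, name):  # True if an on-path observer (the ISP) can read the name
    return encode_name(name) in packet

def query_doh(name, url="https://cloudflare-dns.com/dns-query"):
    """Same message POSTed inside TLS as RFC 8484 application/dns-message (needs network)."""
    hdrs = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    req = urllib.request.Request(url, data=build_query(name, txid=0), headers=hdrs)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_a_records(resp.read())

# Constructed reply (not a capture): example.com A 192.0.2.1, answer name compressed to offset 12
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
```

On a connected machine, `query_doh("example.com")` performs the same lookup with nothing but an HTTPS connection to the resolver visible on the path, while `name_visible_on_wire(build_query("example.com"), "example.com")` is what the plain UDP version hands to anyone watching port 53.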

Do we even need a VPN?

The reason I ask this is that the majority of our web traffic is encrypted with HTTPS/TLS anyway, and once we set up a custom DNS, what is left for the ISPs to spy on? They could still see the IP addresses you are connecting to and, with minimal effort, figure out what is what. With a VPN, the only IP they see us connecting to is the VPN's IP. So maybe a VPN still matters when trying to keep your data private from your ISP, and it's a good idea to use one on open WiFi because I'm sure a Man In The Middle attack could still happen with popular DNS services like Cloudflare's.

But this is all speculation, and I still need to test some theories.

If you want to use a custom DNS and a VPN at the same time on your Android device, update to Android 9. There is a new feature under the "WiFi & Internet" settings called "Private DNS". You will need to enter an actual domain name rather than an IP address.

For Cloudflare it's 1dot1dot1dot1.cloudflare-dns.com; the reason for a hostname is so the DNS provider can relay IPv4, IPv6, or both to your device based on your internet connection. Once you do this, your apps will start acting funny (at least they did for me). Wait about five minutes, then restart your device and everything should be back to normal.

Let me know what you think, shoot me a message in the Fediverse at jrswab(at)mastodon.xyz or hit me up on XMPP at jrswab(at)kode.im.


Ways to support the blog.

If you are an email kind of nerd you can sign up for mine here. You can donate to this site from my Liberapay account if you so choose. If you want a more passive way to support this site, use this link when shopping on Amazon; it kicks some of Amazon's profit to me at no extra cost to you.