It's probably pretty safe to say that almost everyone has at least a basic understanding that not every website available on the internet is "safe" or "secure", but most people don't think too hard about what security means in relation to the websites they use every day. On the most basic level, security could be understood as whether you trust that the website you're visiting is safe and won't leave your computer riddled with viruses. Beyond that, website security to some might mean that you have to log in to access the content. For those who shop online, a website being secure usually means that the shopping cart or credit card screen is protected by a browser-trusted SSL certificate. And finally, for those who are a bit more savvy (or just paranoid), being secure might mean always using a browser in incognito mode, clearing their website history, or otherwise ensuring that nobody can easily look through their recent internet activities. But even for the generally wary, there's one area of normal website browsing that most people don't think about, and that most other types of users barely even recognize as existing: the DNS queries that allow you to reach the website you requested.
Why would you want to encrypt DNS traffic?
DNS is not new, and in general terms it's not even that complicated. DNS, or the Domain Name System, is like a giant phone book matching all of the "phone numbers" of the internet to the websites people wish to visit. It is a system designed to match the unique human-friendly website hostname (e.g. www.cozaq.com) to the unique computer-friendly IP address assigned to the server(s) that make that website available. Ignoring for a moment that there are a few technical ways of explicitly doing otherwise, when you open up a browser and navigate to any website by hostname, the request for the IP address where the website by that hostname can be found is passed along from your computer to a number of different DNS servers until a match is found. We'll save the larger discussion on How DNS Works for another time, but it suffices to say that for any hostname you've not visited recently, that request leaves your home or office in plain text and at a minimum passes through your ISP. That means that without doing anything else, and with no negative intent, your ISP can, and increasingly does, track the internet activity of your home, business, or even individual devices. DNS can also be spoofed by introducing corrupt DNS records into your local DNS cache (cache poisoning), which redirects you to another location, often for the purpose of introducing additional malware or viruses to your computer or network.
For some parts of the world, this scenario can be taken even further when an ISP, local government, or even federal government wishes to monitor, restrict, or even shut down internet access for the purpose of influencing or controlling the information available to others. Russia, for example, has just recently passed laws intended to make its internet independent of the rest of the world. The stated intention is to safeguard Russia from being cut off by the rest of the world, but that situation could be turned around very easily to deny Russian citizens access to any website, or to redirect traffic for any website to an alternate location, as the government deems appropriate.
What can be done about this?
It is for situations like these that technology experts worldwide want to accelerate the adoption of secure, encrypted DNS protocols such as DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNSCrypt.
Note: There are many, many very heated discussions, which can be found easily enough if you are inclined to join them, over which of these options is better than the others; this will not be one of those discussions. Plainly speaking, the decision to implement secure, encrypted DNS on your personal computer or network should be an informed and calculated one, and this article is intended to provide supporting information for making it (in addition to the explanation of what and why you've read so far).
Until secure DNS becomes an easily toggled option in traditional operating systems, the options for implementing secure DNS on your own are still rather limited. Generally speaking, doing so requires choosing one or more DNS providers who currently support one or more secure DNS protocols and either running a local client application on your computer, or configuring a network proxy to forward DNS requests to that provider. Using a proxy is significantly more technical, but has the advantage of being completely seamless to the end user, so this is the method larger businesses or more highly technical users are likely to employ. Use of a client application is much more user-friendly and, in the case of some DNS providers, still the only supported option. Browser compatibility is also a consideration that should be weighed, as browser developers are only beginning to integrate secure DNS directly.
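To make the two points above concrete, here is an added example (not code from the original article or from any DNS provider) that builds a classic DNS query in wire format, shows that the hostname is readable by anyone on the path when the query goes out unencrypted, and then wraps the very same message the way a DoH client does (RFC 8484: base64url in the `dns` parameter of an HTTPS GET, or a POST body with `Content-Type: application/dns-message`). Nothing is sent over the network; the `DOH_ENDPOINT` URL is a placeholder, and the "response" is constructed by hand so the parser can be exercised offline.

```python
"""Added example: DNS wire format vs. the DoH (RFC 8484) envelope. Offline only."""
import base64
import struct

# Placeholder (assumption): real resolvers publish their own /dns-query URL.
DOH_ENDPOINT = "https://dns.example/dns-query"


def encode_name(hostname):
    """Wire-format name: length-prefixed ASCII labels, terminated by a zero byte."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(hostname, txid=0):
    """Standard A query with Recursion Desired set. RFC 8484 recommends ID=0 for
    DoH GET so that identical questions yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(hostname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def hostname_visible(packet, hostname):
    """True if every label of the hostname appears verbatim in the packet: this is
    what an on-path observer such as an ISP sees with unencrypted UDP/53 DNS."""
    return all(label.encode("ascii") in packet for label in hostname.split("."))


def doh_get_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter.
    Over TLS only the endpoint hostname is exposed; the query is in the ciphertext."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                      # 2-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_a_answers(msg):
    """Return the IPv4 addresses found in the answer section of a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000):
        raise ValueError("QR bit clear: not a response")
    if (flags & 0x000F) != 0:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qd):                                  # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                                      # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                    # A record
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def build_sample_response(hostname, ip, ttl=300):
    """Constructed sample response (not captured traffic): echoes the question and
    answers with one A record whose owner name is a pointer back to offset 12."""
    question = build_query(hostname)[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, RCODE=0
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    q = build_query("www.cozaq.com")
    print("plain query hex :", q.hex())
    print("hostname visible:", hostname_visible(q, "www.cozaq.com"))
    print("DoH GET URL     :", doh_get_url(q))
    print("answers         :", parse_a_answers(build_sample_response("www.cozaq.com", "203.0.113.10")))
```

The same bytes that `hostname_visible` finds in the clear are, under DoH, only ever transmitted inside the TLS session to the resolver. That is the entire privacy gain: the ISP still sees that you talked to a DoH endpoint, but not which names you asked about. The parser deliberately rejects non-responses and non-zero RCODEs rather than silently returning an empty list, which is the failure mode that makes spoofed or truncated replies easy to miss.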
For your convenience, here is a quick reference table for some of the most common browsers and DNS providers, along with links to supporting information you may find useful. If you notice any errors or updates to this information, we encourage you to contact us and we'll be happy to update this document with new information as it becomes available.
| Browser | DoH Supported? | DoT Supported? | DNSCrypt Supported? |
|---|---|---|---|
| Google Chrome | Tentative plan to implement DoH starting in version 78 | No information found | Not directly supported |
| Mozilla Firefox | DoH is currently supported | No information found | No information found |
| Safari | No information found | No information found | No information found |
| Opera | No information found, but since Opera is a Chromium-based browser, some functionality may be inherited eventually. | | |
|DNS Provider Support|
| Provider | DoH Supported? | DoT Supported? | DNSCrypt Supported? |
|---|---|---|---|
| CloudFlare Resolver 220.127.116.11 | Available since launch - April 1st, 2018 | Supported | Supported according to DNSCrypt public server list |
| Google Public DNS | Supported | Supported | Supported according to DNSCrypt public server list |
| Quadrant | Supported | Supported | No information found |
| OpenDNS | Not Supported | Not Supported | Supported |
Test your browsing security
- Cloudflare Browsing Experience Security Check - https://www.cloudflare.com/ssl/encrypted-sni/