
DNS and Your Privacy: Should you use encrypted DNS?
DNS enables the easy navigation from website to website as you currently know it. However, the system wasn’t exactly designed with your privacy and security in mind.
Many DNS resolvers - such as your internet service provider's (ISP) - do not encrypt queries and may log data and metadata surrounding your queries. Additionally, unencrypted queries can be captured, viewed, and otherwise "consumed" (used) by eavesdropping third parties since data is exchanged in clear text.
Fortunately, using an encrypted DNS server provider can be a viable option for some users out there. This post aims to explore how and why - and doesn't leave out the limitations of encrypted DNS.
DNS and your privacy
Assuming you know the basics of DNS and how the system works, privacy issues surrounding DNS frequently involve the potential capture and “snooping” of DNS queries made by a device and the sending of unnecessary information (typical in the absence of QNAME minimization) to DNS servers performing the resolution.
DNS servers can log data about the device making the query, the times queries were made, and of course the query itself (for example, avoidthehack.com). Naturally, the amount of logging, or even the presence of logging, depends on the DNS service itself; for example, ISPs often log DNS queries and share them with a variety of third parties. Users often get no "say" or may not even be aware of this.
With unencrypted queries - which is the default for most resolvers - third parties to the transaction between the device and the DNS resolver can "eavesdrop" on queries made by devices. Such eavesdropping has been performed by public and private organizations alike to surveil DNS traffic (and potentially hijack it).
With HTTPS, a third party snooping on the connection can't see the data exchanged between the client device and the web server - but with unencrypted DNS queries, it can still see that a query for that site was made. Collected over time, those DNS requests allow browsing habits to be inferred.
What data is sent to DNS Servers?
Internet connections to visited websites and web apps start out as a DNS request. Assuming the absence of the requested website in a DNS cache - which can be in the browser and/or on the device itself - a query is sent to the DNS resolver.
The DNS resolver can be a machine local to the network or a service managed by a DNS service provider. The latter is generally more common (especially for most users out there); though, it is worth mentioning that local resolvers often pass queries to "upstream" DNS servers.
Again, many users use the ISP's DNS resolvers simply because they are the "default", and most do not know these can be changed in the browser or on the device/network (hardware/firmware permitting). Of the minority who do know how to change DNS settings, we can safely assume most aren't running a local recursive resolver.
Exact data sent to DNS resolvers varies, but a query typically carries or reveals:
- The domain name requested (the full query name, for example avoidthehack.com or a subdomain of it, not just the top-level domain). This includes links clicked/domains typed into the browser address bar as well as background connections initiated by apps/services and resources called by websites.
- Timestamp the request was made
- IP address of the client device (from the packet itself, not the query)
- Protocol (UDP or TCP)
- Record type (A, AAAA, etc)
Note that a DNS query never includes the path or query string of a URL, regardless of whether HTTP or HTTPS is used. Paths are sent to the web server, and are exposed to eavesdroppers only when a site is still served over plain HTTP, which the commonality of HTTPS has made increasingly rare.
Data sent with the queries themselves can also be logged by DNS resolvers, but as mentioned previously, the details of logged data and the action of logging itself ultimately depends on the DNS service provider.
Depending on the resolver and the equipment in between, additional information may be attached to queries as EDNS(0) options. EDNS Client Subnet (ECS) forwards part of the client network's address to upstream servers, and some ISP resolvers or routers attach device identifiers (such as MAC addresses), essentially fingerprinting users or their networks.
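To make the list above concrete, here is an added example (not code from the original post) that builds a plain DNS query in wire format and then parses it back the way any on-path observer or logging resolver would. The query name, record type and transaction ID are readable as-is; the optional EDNS Client Subnet option shows how a resolver that attaches ECS leaks part of the client's network to upstream servers. The name avoidthehack.com is taken from the post; the 203.0.113.0/24 subnet is a constructed documentation-range address.

```python
"""Added example (not part of the original post): build a clear-text DNS
query and parse it the way an on-path eavesdropper or a logging resolver
would see it. Everything below is readable without any key."""
import struct
import ipaddress

QTYPE_NAMES = {1: "A", 28: "AAAA"}
OPT_RR_TYPE = 41          # EDNS(0) pseudo-record type
EDNS_CLIENT_SUBNET = 8    # ECS option code (RFC 7871)


def _encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, 0-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(data, offset):
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, qtype=1, txid=0x1234, ecs=None):
    """Wire-format DNS query. ecs=(ip, prefix_len) appends an EDNS Client
    Subnet option, as a resolver forwarding to authoritatives might do."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if ecs else 0)
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    additional = b""
    if ecs:
        ip, prefix_len = ecs
        addr = ipaddress.ip_address(ip)
        family = 1 if addr.version == 4 else 2
        # only the significant prefix bytes are sent (RFC 7871 section 6)
        body = struct.pack("!HBB", family, prefix_len, 0) + addr.packed[:(prefix_len + 7) // 8]
        rdata = struct.pack("!HH", EDNS_CLIENT_SUBNET, len(body)) + body
        # OPT RR: root name, type 41, UDP payload size in the class field, flags in TTL
        additional = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + additional


def parse_query(packet):
    """What an observer learns from a clear-text query packet."""
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    qname, offset = _decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    seen = {"txid": txid, "qname": qname,
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "client_subnet": None}
    for _ in range(arcount):
        _name, offset = _decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype != OPT_RR_TYPE:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDNS_CLIENT_SUBNET:
                family, src_prefix, _scope = struct.unpack("!HBB", body[:4])
                width = 4 if family == 1 else 16
                addr = ipaddress.ip_address(body[4:].ljust(width, b"\x00"))
                seen["client_subnet"] = f"{addr}/{src_prefix}"
    return seen


if __name__ == "__main__":
    # 203.0.113.0/24 is a constructed documentation-range subnet
    pkt = build_query("avoidthehack.com", ecs=("203.0.113.0", 24))
    print(parse_query(pkt))
```

Run the module to see the parsed view; the point is that nothing in the packet is hidden from anyone who can capture it, and that an ECS-adding resolver extends that exposure to every authoritative server it talks to.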
Who can see DNS information?
Ultimately, it depends.
As mentioned, DNS queries are typically unencrypted and thus clear text and readily available for anyone willing to listen.
Even with encrypted DNS, your device and the DNS provider can see the queries, and so can your router if it is the device doing the encrypted forwarding on behalf of the network (if each device encrypts its own queries, the router sees only encrypted traffic to the provider). If you are using your ISP's DNS servers - which are usually the default - then the ISP sees your DNS requests as well.
Your ISP may log this information and potentially use it for their own endeavors and/or share this data with third parties - which can include advertisers or government agencies.
Unless you are using a virtual private network (VPN) or an onion routing service like the Tor network, your ISP can still see connections to IP addresses.
Benefits of using encrypted (and privacy-friendly) DNS services
Benefits of using encrypted DNS services include preventing third-party DNS query sniffing, keeping DNS traffic private from ISPs, and blocking ads on a network.
Eliminate third-party sniffing of DNS queries
The primary benefit of using any encrypted DNS server is preventing third parties from sniffing traffic and seeing what DNS queries users' devices make. This is true even if the encrypted DNS provider is capturing device information or otherwise logging DNS query data and metadata (though this is far from ideal.)
However, it's worth mentioning that if the encrypted DNS server is indeed logging information, it may share this information with third parties - this is a different threat vector than a third party listening to or capturing the queries themselves. This can be mitigated by using a "trusted" encrypted DNS provider.
Filtered (and encrypted) DNS servers can block ads/malicious domains on the network level
Some encrypted DNS providers also offer domain filtering. Depending on the provider, they may filter domains known to serve malware, ads, and/or trackers - or any combination of these.
For example, if you set your router to use such a resolver, it provides blocking for every device connected to your home network. This offloads the work from the devices themselves (they no longer need their own blocklists or filtering extensions) and gives some level of adblocking protection to devices that can't run one at all.
Some DNS providers give users customization options for what is blocked or filtered. Others run specific blocklists on their servers and do not allow the user to customize what is blocked. In either case, devices/networks using DNS providers with filtering services will not connect to domains meeting the criteria for blocking - which can be useful in reducing security risks of connecting to malicious domains, reducing privacy risks associated with ads and trackers, and implementing other rules or measures such as parental controls.
Avoid feeding DNS queries straight to ISPs
Encrypted DNS cannot "hide" your internet traffic from your ISP; users should instead consider using a VPN or the Tor network to accomplish this.
Internet service providers (ISPs) can and do spy on users - especially in the US, given that ISPs have the legal ability to sell your browsing history. Since the internet connection for your network passes through your ISP, they are privy to a lot of information - not just your DNS queries.
Any device or app on a device connecting to the internet generates DNS queries - many background processes on operating systems do just that. These background processes can be keeping logged in sessions alive, querying for software updates, sending telemetry, and other functions. Various software programs or apps on your device may make their own queries to check for updates or for sending diagnostic data to developer’s servers.
Most ISPs do not offer encrypted DNS services, leaving queries to be performed in clear text and available for capture/sniffing by third parties. Even of those that do, you are still using their DNS service, so the ISP will receive your DNS queries directly and could collect that data at will.
As this post keeps reiterating: using a separate, encrypted DNS resolver allows users to reduce the amount of information available for third-party capture and reduce browsing-related information being fed directly to the ISP. Ideally, the encrypted DNS service provider would be "trusted" to not turn around and capture the queries themselves; though, even in this case, encrypted queries are shielded from snooping third parties, as explained previously. It's important to note the ISP can still "see" the IP addresses you establish connections to in the end.
Additionally, ISPs can pick up on a well-known "leak" in the transport layer security (TLS) handshake: the Server Name Indication (SNI) extension, which the connecting client (your device) normally sends to the web server in plaintext, can be used to track users' browsing histories. This occurs before the client and server have agreed on an encryption key; the client sends the hostname of the site it wants in clear text so that the server knows which certificate to present.
This is why if your primary concern is keeping your browsing traffic private from your ISP, your best bet is using a VPN or an onion-routed network. When connected to a VPN network, generally speaking, the ISP would be able to see that you're connected to the VPN, but not be privy to your browsing history - including DNS or ClientHello messages.
Encrypted ClientHello (ECH) encrypts the ClientHello, SNI included, so an observer sees only a public "outer" name rather than the real hostname; it is not widely deployed as of writing. ECH also relies on the client fetching the server's ECH configuration from DNS (the HTTPS resource record), which is one more reason DNS queries themselves should be encrypted.
However, since ISPs may embed identifying information such as MAC addresses and other user IDs when resolving queries made by users - which can make it easier to tie users and their browsing histories together - it's probably worth not using your ISP DNS resolvers.
We can also assume that most ISP resolvers do not perform DNSSEC validation or QNAME minimization, so information that is unnecessary for the transaction may be forwarded to other DNS servers (such as the root servers).
For example, a root server does not need to know that you are looking up www.avoidthehack.com to do its part of the resolution. A root server is the "first step" in the name resolution chain; it only points your resolver to the servers for the appropriate top-level domain (TLD), in this case .com, so the only label it needs is "com". Likewise, the .com servers only need "avoidthehack.com" to refer your resolver onward to the authoritative servers for that zone.
However, a resolver that does not use QNAME minimization (like most ISP resolvers) sends the full query name to every server in the chain, root servers included. That leaks unnecessary information to servers that could never answer the query anyway, since root servers do not hold the address records for avoidthehack.com. (Note that this is the full domain name, never the URL path; pages within a site are not part of DNS at all.)
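The following added example (not from the original post) makes the difference concrete by listing the query each server on the delegation chain receives, with and without QNAME minimization, and how many labels beyond the one it needs each server learns. The delegation chain (root, .com, avoidthehack.com) is fixed here as an assumption so the code runs offline; a real resolver learns it from referrals. The query type used for the intermediate minimized queries is an implementation detail (the original RFC 7816 algorithm used NS, later practice differs) and is not the point; what matters is the name sent.

```python
"""Added example (not part of the original post): which query name each
server on the delegation chain sees, with and without QNAME minimisation."""

# Assumed delegation chain for names under avoidthehack.com, fixed so the
# example runs offline. A real resolver discovers it from referrals.
DELEGATION_CHAIN = [".", "com.", "avoidthehack.com."]


def _labels(name):
    return [label for label in name.lower().split(".") if label]


def queries_sent(qname, qtype="A", minimize=False):
    """Return (zone_asked, qname_sent, qtype_sent) for every name server
    contacted while resolving `qname` iteratively."""
    want = _labels(qname)
    full = ".".join(want) + "."
    sent = []
    for zone in DELEGATION_CHAIN:
        zone_labels = _labels(zone)
        # only zones that are ancestors of the name take part in its resolution
        if zone_labels and want[-len(zone_labels):] != zone_labels:
            continue
        if not minimize:
            # classic behaviour: every server gets the full name and type
            sent.append((zone, full, qtype))
            continue
        # minimised: reveal only one label below the zone being asked;
        # the original type is used once the full name is reached
        depth = min(len(zone_labels) + 1, len(want))
        partial = ".".join(want[-depth:]) + "."
        sent.append((zone, partial, qtype if partial == full else "NS"))
    return sent


def excess_labels(qname, minimize=False):
    """Labels each server learns beyond the one it needs to hand out a referral."""
    want = _labels(qname)
    report = {}
    for zone, name_sent, _ in queries_sent(qname, minimize=minimize):
        needed = min(len(_labels(zone)) + 1, len(want))
        report[zone] = len(_labels(name_sent)) - needed
    return report


if __name__ == "__main__":
    for flag in (False, True):
        print("minimise =", flag)
        for step in queries_sent("www.avoidthehack.com", minimize=flag):
            print("  ", step)
        print("  excess labels:", excess_labels("www.avoidthehack.com", minimize=flag))
```

Without minimization the root servers see all three labels of www.avoidthehack.com although they only need "com"; with it, every server sees exactly what it needs to produce a referral.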
Let's not forget, whether you agree with it or are aware of it or not, that even without collecting additional data on your browsing history, your ISP already knows who you are. ISPs in the US have notable personally identifiable information (PII) on file just to render services, such as:
- Your full name
- Your current address
- Past address history (in some cases)
- Payment information
- Device information (especially if using ISP equipment)
- Network information (especially if using ISP equipment)
All this data can be "packaged" and "anonymized" together with your browsing history and shared/sold for profit by your ISP. The "anonymization" of such data may bring peace to users, but it shouldn't, as most users can be "de-anonymized" with just three points of data.
Keep DNS traffic directly out of Big Tech’s hands
Google provides a public DNS service as an alternative to using your ISP’s DNS servers. While Google’s DNS service provides encryption via the DoH and DoT protocols, Google isn’t exactly known for explicitly protecting the privacy of its users.
Google's DNS service engages in both temporary and permanent logging. Temporary logging includes the IP address of the device sending the query. Permanent logging includes the requested domain name and the user's approximate geolocation.
By contrast, trusted encrypted and privacy-friendly DNS providers do not retain detailed logs. In many cases, privacy-friendly DNS providers claim to not retain logs, though some DNS providers do enable users to log their queries if so desired.
Limitations of encrypted DNS solutions
1. Encrypted DNS resolvers do not create anonymity
Using encrypted DNS resolvers simply does not create anonymity. That's it.
Users wishing to maintain anonymity should take operational security (OpSec) principles into account and use anonymizing services, such as the Tor network, appropriately.
2. “Hard-coded” DNS in a device can circumvent customizable DNS settings
For example, if you're running a filtered DNS resolver on your network, it can be bypassed by devices with a resolver hard-coded in their firmware, which simply ignore the DNS server handed out by DHCP and so never see your filtering.
Some devices on your network may refuse to use the DNS provider you've set, even at the network level. This is a growing trend for IoT devices, as many ship with a hard-coded resolver and offer no way for the user to meaningfully change it. A router firewall rule that blocks or redirects outbound plain DNS (UDP/TCP port 53) from the LAN to your own resolver counters the clear-text case; a device that hard-codes DNS-over-HTTPS to a public provider is much harder to intercept, since its queries look like ordinary HTTPS traffic.
3. ISP can still see connection information
As mentioned previously, even if you do not use your ISP’s DNS servers, your ISP can still see connection information such as which IP addresses your devices connect to; they just wouldn't be providing the domain resolution.
ISPs can also capture the clear text ClientHello message sent at the start of each TLS handshake between a client and a web server, and use the SNI it carries to collect user browsing history.
4. Requires some level of trust in the DNS service provider
Regardless of the DNS provider, some level of trust must exist between you and the provider. It’s near impossible to 100% validate a provider’s claims of no logging policies, though we can certainly scrutinize other elements such as privacy policies, logging policies, and other known data practices of a provider.
While self-hosting a DNS resolver for your network is certainly possible with software such as Unbound, you may still need to forward some queries to an upstream DNS provider - meaning there must still be some trust present.
Final thoughts
Using an encrypted DNS resolver is in the best interest of many people out there. Of those who desire adblocking functionality, an encrypted resolver with domain filtering capabilities is certainly ideal.
DNS-over-HTTPS (or DNS-over-TLS), DNSSEC validation, and QNAME minimization each contribute to DNS security and privacy - most privacy-friendly encrypted DNS providers enable these technologies.
Encrypted DNS resolvers are great, but they do have their limitations. They don’t necessarily hide browsing traffic from an ISP and they do not provide any level of anonymity.
With that said, stay safe out there!