What is DNS?
Defining the acronym:
DNS = Domain Name System
On a very basic level, DNS is what allows us to easily navigate from website to website. It translates the domain name, which is easily readable and understandable by us humans, to an IP address - which is readable and "understandable" to computers.
For example, when you type avoidthehack.com (the domain) into your browser's address bar, the DNS resolver translates avoidthehack's domain to the IP address that points to the avoidthehack! website.
(This request frequently passes through different "levels" of the DNS, depending on a few different circumstances.)
Generally this remains true for any website you visit. However, things get complicated when you throw in functions such as DNS caching, where the majority of the DNS lookup process is "skipped" because your device stored the "address" from a previous lookup.
Many compare this system to how phone books work, and in many circles the DNS is often called "the phone book of the internet" for the very nature of what it does.
Please note: As you may have noticed, we didn't get into a super technical explanation here. If you're interested in reading about the details of what DNS is and how it works, Wikipedia is a valuable resource.
DNS and your privacy
Here's the question you're probably looking to answer: How does DNS relate to my online privacy?
Typically, when one talks about DNS in a privacy-oriented context, the focus is on DNS resolvers. DNS resolvers are the servers that do the translating from domain to IP address (as opposed to forwarders, which simply pass the request on to an actual resolver and relay the answer back to the original requester).
DNS servers can gather and provide a wealth of information about your internet activities. That's why it can be important to choose your DNS provider wisely (or run your own DNS client software) and to use protocols such as DoH (DNS-over-HTTPS) to better protect your privacy.
Keep in mind that DNS servers, even "trusted" ones, often log information. Different servers log different details, especially if your DNS traffic isn't encrypted. Some log nothing at all.
What data is sent to DNS servers?
If you're not aware already - every connection that your devices make starts out as some kind of DNS request. This request goes to the DNS resolver, which is usually managed by some collective service. The resolver translates your device's request and gives it the resulting answer.
So, essentially, what I'm saying is that the resolver "knows" what sites you're visiting. Now, is this information being logged and stored? Depends on the DNS server/service.
But to answer the standing question, data sent to DNS resolvers typically includes:
- Top-level domain (TLD) requested. This includes links you click/domains typed into address bar/background connections initiated by devices and services
- Visited pages within the TLD - this applies only to the HTTP protocol and is one of the main reasons you should always force HTTPS connections where possible!
- Timestamp of when the request was made
- Public IP address of your device - be careful of private IP leaks within a browser.
Keep in mind that this information is frequently necessary to complete a successful DNS lookup.
Who can see DNS information?
Since the data transmitted for a DNS lookup is often necessary, it becomes even more important to look at who runs the DNS resolvers and services you're sending this information to.
Generally speaking, your internet-connected device (when it's the one making the DNS request), your router (when applicable), and the DNS provider all see DNS requests.
Ultimately, what (if anything) gets logged and stored, depends on the provider of whatever DNS resolver service you're using. Therefore, it becomes especially important to understand the policies of the entity behind your DNS service.
Additionally, you should be aware that third parties can eavesdrop on DNS traffic. This becomes especially problematic if your DNS traffic isn't encrypted, because the eavesdropper can easily see the details of what's being transmitted between your devices and the DNS resolver(s); a not-so-good actor can even "answer" DNS requests with malicious domains.
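To make the two points above concrete (what a plaintext DNS request carries, and why a stub resolver must check that an answer really belongs to its question before trusting it), here is an added example that is not code from the article. It builds a DNS query in wire format, parses a response, applies the minimum transaction-ID/question check against spoofed answers, and wraps both in a small TTL cache so the "skipped lookup" from the caching discussion is visible. The upstream resolver is simulated with a constructed response, and the transaction IDs, names and the 192.0.2.x addresses are constructed sample values.

```python
import random
import struct
import time

# Added example, not code from the article. The "upstream resolver" is simulated
# with a constructed response so the whole thing runs offline.

def encode_name(name):
    """Length-prefixed labels (RFC 1035): 0x0c 'avoidthehack' 0x03 'com' 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """Standard recursive A query (RD=1, one question). Sent over UDP/53, every
    byte of this, including the name, is readable by anyone on the path."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def decode_name(msg, offset):
    """Read a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def parse_response(msg):
    """Return (txid, question name, [(ttl, ipv4), ...]) from a response."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    qname, offset = decode_name(msg, 12)
    offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((ttl, ".".join(str(b) for b in rdata)))
    return txid, qname, answers

def response_matches_query(query, response):
    """The minimum check a stub resolver makes before trusting an answer: the
    response must echo the transaction ID and the exact question that was asked."""
    q_txid = struct.unpack("!H", query[:2])[0]
    q_name = decode_name(query, 12)[0]
    r_txid, r_name, _ = parse_response(response)
    return q_txid == r_txid and q_name.lower() == r_name.lower()

def build_response(query, ipv4, ttl):
    """Constructed upstream answer standing in for a real resolver: echoes the
    question and adds one A record whose name points back at the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    record = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
    return header + query[12:] + record + bytes(int(o) for o in ipv4.split("."))

class CachingStub:
    """Stub resolver with a TTL cache. A cache hit never leaves the device, so the
    upstream resolver (and anyone watching the wire) does not see that lookup."""

    def __init__(self, upstream):
        self.upstream = upstream  # callable(query_bytes) -> response_bytes
        self.cache = {}           # name -> (expires_at, ipv4)
        self.upstream_queries = 0

    def resolve(self, name, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(name.lower())
        if hit and hit[0] > now:
            return hit[1], "cache"
        query = build_query(name, txid=random.randrange(1 << 16))
        self.upstream_queries += 1
        response = self.upstream(query)
        if not response_matches_query(query, response):
            raise ValueError("answer does not match our question; discarded")
        answers = parse_response(response)[2]
        if not answers:
            raise LookupError("no A record in answer")
        ttl, ipv4 = answers[0]
        self.cache[name.lower()] = (now + ttl, ipv4)
        return ipv4, "upstream"
```

Calling `CachingStub(lambda q: build_response(q, "192.0.2.10", 300)).resolve("avoidthehack.com")` twice within the TTL sends one upstream query, not two; a third call after the TTL expires goes upstream again. The ID/question check is deliberately the minimum: it rejects answers for a different question or transaction, but an on-path attacker who sees the plaintext query can copy both fields, which is exactly the gap the encryption sections below address.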
Encryption
Trusted DNS providers should always offer DoH (again: DNS-over-HTTPS) at a minimum, which is an encrypted protocol for communications between your device(s) and the DNS resolver.
DoH helps:
- protect the integrity of the data while in transit, and
- give "credibility" to the DNS resolver answering your DNS request(s).
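As an added illustration of how DoH carries a query (this is not code from the article or from any DNS provider), the block below wraps a DNS message the way RFC 8484 specifies: for GET the message is base64url-encoded with padding stripped and placed in the `dns` query parameter, for POST it is the request body, both with the `application/dns-message` media type. The 33-byte query is the constructed "www.example.com A" message from the RFC's own example, and `https://doh.example.net/dns-query` is a placeholder endpoint, not a real resolver.

```python
import base64

# Added example, not from the article. Constructed query: ID=0, RD=1, one
# question for www.example.com type A class IN (the RFC 8484 section 4.1.1 message).
QUERY = (
    b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header: ID 0, flags 0x0100, QDCOUNT 1
    b"\x03www\x07example\x03com\x00"                      # QNAME
    b"\x00\x01\x00\x01"                                   # QTYPE A, QCLASS IN
)

DOH_ENDPOINT = "https://doh.example.net/dns-query"  # placeholder, not a real resolver

def doh_get_request(endpoint, dns_message):
    """RFC 8484 GET: base64url (RFC 4648 section 5) with '=' padding removed,
    carried in the ?dns= parameter. Returns (url, headers).
    RFC 8484 suggests ID 0 in the message so identical queries share one URL and cache well."""
    param = base64.urlsafe_b64encode(dns_message).rstrip(b"=").decode("ascii")
    return endpoint + "?dns=" + param, {"Accept": "application/dns-message"}

def doh_post_request(endpoint, dns_message):
    """RFC 8484 POST: the raw DNS message is the body. Returns (url, headers, body)."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return endpoint, headers, dns_message

def decode_dns_param(param):
    """What the DoH server does with the GET parameter: restore padding, decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def visible_to_eavesdropper(transport, dns_message, resolver_host):
    """Constructed summary of what a passive observer on the path can read.
    With plain UDP/53 the whole message is exposed; with DoH only the TLS
    connection to the resolver (its address, and its hostname via SNI unless
    encrypted ClientHello is in use) is observable."""
    if transport == "udp53":
        return {"endpoint": resolver_host + ":53", "payload": dns_message}
    if transport == "doh":
        return {"endpoint": resolver_host + ":443", "payload": None}
    raise ValueError("unknown transport: " + transport)
```

The padding restoration in `decode_dns_param` matters: a DNS message is rarely a multiple of three bytes long, so most real queries produce a parameter with one or two `=` characters stripped, and a server that decodes without re-adding them rejects valid requests. The `visible_to_eavesdropper` function is the reason the article recommends DoH: the same bytes that are fully readable on UDP/53 are inside TLS on 443.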
Why use a trusted, encrypted, and privacy-friendly DNS service?
- Hide DNS traffic from your ISP
Long story short: ISPs can and do spy on you.
Obviously, what they can "collect," log, and store depends on what country you're in. But in the US, ISPs have the legal ability to sell your browsing history (read: DNS lookups).
Your ISP knows who you are. Be reminded that ISPs in the US have notable PII on file, which commonly includes:
- Your full name
- Your current address
- Payment information
- Device information (if using ISP equipment)
- Network information (if using ISP equipment)
Don't give them even more of an edge by providing all your easily readable, unencrypted DNS traffic to them as well!
By selecting a DNS resolver that has technologies such as DoH enabled, you can make it harder for your ISP to collect your DNS requests (and by extension, browsing habits and history). The encryption in transit that DoH offers makes it more difficult for ISPs to sniff (read: pick-up/read/capture) your DNS traffic.
Therefore, it becomes harder for your ISP to block domains and create profiles from your DNS requests. However, it's also important to understand that if your particular ISP is dedicated to eavesdropping on your DNS requests by using techniques such as Deep Packet Inspection (DPI), then this solution isn't necessarily foolproof.
In general though, using an alternative and trusted DNS provider can greatly improve your privacy in the day-to-day by preventing the easy capture-and-reading of your devices' DNS requests, especially if the provider utilizes DoH or DoT protocols.
- Help Hide DNS traffic from the likes of Google
Google provides a public DNS service as an alternative for using your ISP's DNS servers. However, Google is known to trample over the privacy of its users.
Feeding your DNS traffic to Google gives the company yet another data point to track you by, which proves detrimental to your privacy and your personal threat model.
This holds true for other DNS providers that don't take a privacy-centric stance as well.
- Filtered DNS servers can block ads and malicious domains on the network level
Using a trusted DNS provider often comes with some more "privacy" options that you wouldn't have otherwise.
For example, many trusted DNS providers offer filtered servers. These servers are configured to "block" connections to commonly known malicious domains and/or advertising domains.
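The following is an added example of the decision a filtered resolver makes for each query; it is not the article's code nor that of any provider or of Pi-hole. It parses a blocklist in the hosts-file format many published lists use, then blocks a name if it or any parent domain is listed, with a more specific allowlist entry overriding the block. The list contents, the `example`-family domains and the 192.0.2.10 answer are constructed sample data; `0.0.0.0` as the answer for blocked names is a common sinkhole convention.

```python
# Added example, not from the article. Constructed list in the hosts-file format
# that many blocklists use: "<sinkhole address> <hostname>" with '#' comments.
SAMPLE_LIST = """\
# constructed sample blocklist
0.0.0.0 ads.example
0.0.0.0 tracker.example.net    # tracking pixels
127.0.0.1 localhost
0.0.0.0 malware.example.org
"""

ALLOWLIST = {"cdn.tracker.example.net"}  # explicit exception: more specific, so it wins
SINKHOLE_A = "0.0.0.0"                   # answer returned for blocked names

def parse_hosts_list(text):
    """Collect hostnames from hosts-format lines, ignoring comments, blank lines
    and the 'localhost' entries lists often carry."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            names.update(h.lower() for h in parts[1:] if h.lower() != "localhost")
    return names

BLOCKLIST = parse_hosts_list(SAMPLE_LIST)

def _suffixes(name):
    """'img.ads.example' -> ['img.ads.example', 'ads.example', 'example'], most specific first."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def filter_decision(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return ('allow', None) or ('block', matched_entry). Walking from the most
    specific suffix outward means an allowlist entry for a subdomain takes
    precedence over a blocklist entry for its parent."""
    for candidate in _suffixes(qname):
        if candidate in allowlist:
            return "allow", None
        if candidate in blocklist:
            return "block", candidate
    return "allow", None

def filtered_answer(qname, upstream_lookup):
    """Front-end of a filtering resolver: sinkhole blocked names, forward the rest.
    upstream_lookup is a callable(name) -> ipv4 standing in for the real upstream."""
    verdict, matched = filter_decision(qname)
    if verdict == "block":
        return {"qname": qname, "answer": SINKHOLE_A, "blocked_by": matched}
    return {"qname": qname, "answer": upstream_lookup(qname), "blocked_by": None}
```

Two details are worth noting. Matching on every parent suffix is what lets one entry such as `ads.example` cover `img.ads.example` and `banner.ads.example` without listing each host; the cost is that a careless entry like a bare `example` would block an entire zone, which is why allowlist overrides are checked first. Lookups are case-insensitive and tolerate a trailing dot, since both appear in real query names.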
- Prevent DNS hijacking and reduce effects of DNS tampering
Again: Trusted DNS providers should provide the DoH protocol at a minimum.
As mentioned earlier, third parties can eavesdrop on communications between your device(s) and your DNS resolver. Without encryption, bad actors can even alter DNS requests and point your device(s) to a malicious domain.
DNS hijacking occurs when your DNS request gets "picked up" and redirected by a malicious and untrustworthy third-party. The third-party can be an untrustworthy DNS resolver, an intruder on your network, or a piece of malware. They might redirect you to a fake website.
DNS tampering tends to affect the DNS server itself; an attacker might gain access to the DNS server and make changes to the DNS records.
The DoH protocol gives authenticity to the DNS resolver while helping to protect the "conversation" between your device(s) and the resolver.
Self-hosted solutions
Self-hosting your own DNS solutions (specifically, a forwarder or a local-cache resolver) can be simultaneously rewarding and extremely beneficial to your privacy. This comes from the increased control and customization that self-hosted solutions provide.
It should be noted that it's simply not feasible to host your own totally custom and independent DNS solution. This is because of the structure of the DNS as a whole; for example, you can't have an authoritative DNS server without obtaining a static IPv4 (and ideally, also an IPv6) address.
Limitations
While using a self-hosted DNS solution and/or a trusted DNS provider has many benefits, you should be aware that there are a couple of limitations:
- Encrypted DNS resolvers do not create anonymity
Typically, when choosing a trusted DNS provider, you're cloaking your DNS traffic from your Internet Service Provider.
Additionally, even when using a filtered DNS, you're still open to malware and other tracking techniques employed by services/applications/websites.
Therefore, encrypted and/or filtered DNS resolvers are not an all-in-one-solution for improving and maintaining your privacy.
- "Hard-coded" DNS in a device can circumvent the DNS provider you've set for your network
For example, if you're running a local filtered DNS, such as the popular and highly recommended Pi-hole, it can be "avoided" by devices that are hard-coded to dodge DNS services that may block ads and/or telemetry.
What this ultimately means is that some devices running on your network may simply refuse to utilize the DNS provider that you've set, even on a network level. This is a growing trend for IoT devices.
Fortunately, there are some steps and measures you can take to mitigate hard-coded DNS.
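One practical way to find such devices is to look at the router's or firewall's connection records for DNS traffic that does not go to the local resolver. The block below is an added example of that check and of the mitigation usually paired with it; it is not the article's code and not a Pi-hole feature. The flow records, the 192.168.1.0/24 network, the 192.168.1.2 resolver address and the 203.0.113.x / 198.51.100.x destinations are all constructed sample values from documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Added example, not from the article. Constructed flow records modelled on a
# router connection log: (source device, protocol, destination IP, destination port).
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.2")  # assumed local filtered resolver

FLOWS = [
    ("192.168.1.20", "udp", "192.168.1.2", 53),     # laptop: uses the network resolver
    ("192.168.1.31", "udp", "203.0.113.53", 53),    # smart TV: hard-coded external resolver
    ("192.168.1.31", "tcp", "203.0.113.53", 853),   # same TV trying DNS-over-TLS
    ("192.168.1.45", "tcp", "198.51.100.80", 443),  # ordinary HTTPS, not DNS
    ("192.168.1.45", "udp", "192.168.1.2", 53),
    ("192.168.1.52", "udp", "203.0.113.9", 53),     # IoT plug bypassing the filter
]

DNS_PORTS = {53: "plain DNS", 853: "DNS-over-TLS"}

def find_dns_bypass(flows, local_resolver=LOCAL_RESOLVER):
    """Report each device that sends DNS (53 or 853) anywhere other than the
    local resolver. Returns {device: sorted [(dst_ip, port, label), ...]}.
    DoH is not caught by this check, since it rides on 443 like any HTTPS."""
    offenders = defaultdict(set)
    for device, _proto, dst, port in flows:
        if port not in DNS_PORTS:
            continue
        if ipaddress.ip_address(dst) == local_resolver:
            continue
        offenders[device].add((dst, port, DNS_PORTS[port]))
    return {device: sorted(targets) for device, targets in offenders.items()}

def redirect_rules(offenders, local_resolver=LOCAL_RESOLVER):
    """Describe the usual mitigation per offending flow, in firewall-agnostic
    terms: plain port-53 traffic is transparently redirected (DNAT) to the local
    resolver, while port-853 traffic is dropped, because a DoT session cannot be
    redirected without the client rejecting the resolver's certificate."""
    rules = []
    for device, targets in sorted(offenders.items()):
        for dst, port, _label in targets:
            action = "dnat to %s:53" % local_resolver if port == 53 else "drop"
            rules.append("from %s to %s/%d -> %s" % (device, dst, port, action))
    return rules
```

Running `redirect_rules(find_dns_bypass(FLOWS))` on the constructed records flags the TV and the plug and leaves the laptop alone. Translating each rule line into the syntax of your own firewall is left to the reader, since that varies by platform; the point of the example is the two-part policy (redirect 53, drop 853) and the caveat that DoH-capable devices need a different control, such as blocking the resolver hostnames they use.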
- SELF-HOSTED: Your "server" goes down? Bye-bye internet
One of the biggest issues with hosting your own DNS client solution is that if that host goes down, your internet connection goes down with it.
The machine you choose to run your DNS client on (if it serves the whole network) must always be on; if you turn it off, your internet connection will be interrupted.