What Is DNS Privacy?

Updated On - by

DNS or Domain Name System transactions occur every time a user utilizes an app via the internet. Generally, DNS changes the domain name of a website, which is easily read by humans, to an IP address that only consists of numbers but is understandable by the computer. This is done to deliver data packets over a communication channel like the internet.

Anything you do with any application that uses the internet involves some sort of a DNS transaction. It encompasses all the websites you visit and every messaging app you use.

As you might imagine, there’s a lot of DNS traffic through the internet.

An image featuring DNS text in the middle with a blue background

But Where Does a Concept Like DNS Privacy Come In?

By its nature, domain information is easily available to the public. Hosts who perform DNS transactions, on the contrary, are not. Moreover, no DNS employs any kind of defense mechanism to provide privacy for all the DNS transactions that happen throughout a given day.

As a result, there are issues with DNS resolvers, DNS servers and other internet users logging DNS transaction information. They’re essentially trying to eavesdrop on your internet activity. This is why it’s very important to ensure your DNS privacy and have an understanding of what steps you can take to preserve your DNS privacy.

What Is DNS Privacy?

An image featuring a person using a DNS system representing DNS privacy

As we briefly mentioned earlier, DNS traffic information is publicly available. As a result, DNS queries and responses that use a network to get from one destination to another are vulnerable. By default, DNS isn’t encrypted which means that anyone who wants to collect the data is free to do so. The data is typically collected to see what data is being sent and which domains are being visited.

Once enough DNS traffic data is collected, they can move onto the next step which is to create user profiles by compiling large amounts of data. These user profiles can then be sold for hyper-targeted marketing campaigns. Marketing agencies can also use the same data for competitive analysis. It’s not hard to see why DNS privacy issues are a concern.

With that said, DNS data isn’t everything. There are lots of other kinds of data that marketing agencies use to determine details about a user’s internet activities. However, as far as big data analysis is concerned, DNS data can offer metadata that’s very relevant and valuable.

To address DNS privacy concerns, organizations like the Internet Engineering Task Force, or IETF, and the DNS Privacy Project have launched initiatives to safeguard user DNS requests.

In this regard, IETF standards are very prominent. Examples include DNS over TLS and DNS over HTTPS, DoH. Most approaches to protect DNS privacy concentrate on stub-to-resolve issues. Moreover, these approaches use cryptographic and TCP protocols to safeguard DNS privacy.

At this point, it’s also important to differentiate between DNS privacy and DNS security even though most of the time you can use the terms “privacy” and “security” interchangeably.

Warning:

A DNS query is private if a third-party is unable to view the content of the DNS query while it’s in motion. Most hackers use Man in the Middle Attacks or MITM to get that information.

Having a point-to-point connection between the recursive server and the client is a straightforward way to safeguard privacy. Data packets have to go through several hoops, such as proxies and routers while using the internet to go to and from clients and servers. This calls for encryption which is the single most important factor in ensuring DNS privacy.

With that out of the way, DNS security is different from DNS privacy. Whenever we talk about DNS security we’re actually talking about three things: authentication, data integrity and privacy.

An image featuring a blue security logo concept representing DNS security

Authentication is a process by which a client can make certain to a high degree that it connects and communicates with the right server. Data integrity is all about the client knowing with certainty that the data received and sent is perfectly unaltered. Any change to the data would be detected.

Both data integrity and authentication use cryptographic methods to ensure security. Data privacy, as mentioned before, also relies on them.

This is important:

Data can be secure and not private. One relevant example is that of DNS security or DNSSEC. DNSSEC provides protection to the communication channel between an authoritative DNS server and recursive DNS resolvers.

Generally, data related to a given DNS query goes over the wire as a UDP packet with no encryption. A simple packet analysis tool like Wireshark, TCPDUMP or any other deep packet inspection program can decode the data packet and reveal its content. Hackers are most frequently looking for the query name and the query’s source IP address. Additionally, clients who use the NAT network have a port number that is also a useful piece of data for hackers.

The same problem occurs when web browsers try to connect to websites as such an activity can give rise to several primary, secondary and tertiary requests for domain name resolution through the domain name system. More specifically, the primary DNS request would be for the website’s domain while the secondary DNS request would be from the links present on the HTML page that’s been downloaded.

Similarly, the tertiary DNS requests would occur in a situation where a cache server wouldn’t have the requested domain and would have to rely on the authoritative server to find the required domain name. A few mainstream web browsers pre-fetch frequently used domain names so they can autocomplete the URL for the user at a future date.

Another situation where DNS privacy problems can arise is when DNS data isn’t covered by sufficient private policies. More specifically, DNS data is different from DNS transactions.

Note:

Every query generates DNS data in the form of results and answers. All of these are publicly available since there are no confidentiality requirements to be met. With that said, the DNS transaction isn’t supposed to be public. That holds true as much for a single DNS transaction as it does for several DNS transactions in sequence.

For example, a website that serves people with cancer is public and can be accessed by anyone. However, the list of people who visits that website should never be public. This would lead to privacy issues that are similar to the privacy issues associated with DNS.

Since there are so many points where DNS privacy can be compromised, DNS attacks are both broad and varied. Most of them take advantage of DNS lookup requests, authority servers that help with domain name lookup and the caching servers that process DNS requests.

Many other DNS vulnerabilities can also cause DNS privacy issues. The main ones that attackers try to exploit are:

Internal DNS Servers

As their name suggests, internal DNS servers hold the IP addresses and server names of the respective domains. Anyone that asks for them usually gets them. Attackers usually need a lot of information to carry out a cyberattack and internal DNS servers are a great source for it. More specifically, attackers use them for internal reconnaissance.

DNS Caches

An image featuring a cool text with blocks that says cache representing DNS cache

The main problem with DNS caches is that they’re not authoritative, meaning that hackers can manipulate them. Once attackers have poisoned a user’s DNS server with malware-ridden records, they can trick the user’s computer into redirecting the user to undesirable websites.

Another DNS privacy problem comes from the fact that DNS uses internal workstations to get query information which they then send to outsider servers. Since hackers know that this is how the system works, they can use it to initiate covert channels which can help them transfer unauthorized data.

Most Prominent DNS Privacy Improvement Techniques

DNSCurve

This software’s cryptographic techniques are used to secure the communication channel between the DNS server and the client. This ensures that your connection to a DNS server is safe and secure.

DNSCrypt

This software is very similar to DNSCurve but is a more formal application.

Namecoin

This is a blockchain technique for DNS privacy that requires significant changes to the current DNS infrastructure.

Confidential DNS

This technique uses ENCRYPT, a novel DNS record which the DNS server has to return when answering queries. It has a public key that the server can use. Via this protocol, the public key can help transfer data between a DNS server and client securely.

The public key allows both to agree on key material which can then set up a secure channel to exchange encrypted queries and corresponding answers.

GNU Name System

This technique uses peer-to-peer networking and a distributed hash table for extra security.

Google DNS Over HTTPS

This technique uses JSON REST API for completing DNS queries and their responses. DNS over HTTPS uses the HTTPS protocol to increase the privacy of internet users.

Query Minimization

This technique reduces authoritative server numbers that have access to a full client query.

DNS Over TLS

The DNS over TLS technique encrypts DNS queries using the Transport Layer Security protocol. DNS over TLS is offered by many different entities for their DNS service. As opposed to other security measures, DNS over TLS is fairly simple to implement which has led to its popularity.

DNS Over HTTPS

DNS over HTTPS enhances users’ privacy by encrypting the data between the DNS over HTTPS client and the DNS over HTTPS server. This technique is similar to the DNS over TLS technique.

Conclusion

The process of DNS queries and their responses is open for third-party actors to monitor, intercept and change public DNS data and see a user’s IP address. However, there are new DNS environments that, if explored properly, can enhance DNS privacy, data integrity and data privacy.

One of the techniques we discussed earlier, the Query Minimization technique, is very useful for reducing the amount of information that can leak from the DNS. A secure channel to wrap up DNS queries and responses can also come in handy as it makes it difficult for hackers to monitor and intercept DNS queries and the corresponding responses over the wire.

More concretely, using Google’s DNS services for encrypted TLS sessions would also help hide DNS data better. Authoritative name servers should also use DTLS and TLS for queries and should enable local hosts to perform the resolution function while using encrypting query traffic.

Finally, the widespread use of DNSSEC can also help DNS privacy in a time when surveillance and monitoring programs show no signs of slowing down. Privacy is a constant concern in the modern era which means that technologies such as the ones we’ve discussed here will likely grow in importance.

FAQ

What Is a Stub Resolver?
A DNS has several components, one of which is a DNS stub resolver. Applications access the stub resolver when they’re using DNS to transform domain names to IP addresses.

The job of the DNS stub resolver is to act as an intermediary between any and all programs that want to resolve domain names and the recursive DNS resolver.

What Is a Recursive Resolver?
A recursive DNS resolver is another component of DNS. Its main job is to perform several queries in succession to the DNS. A recursive resolver does this to solve a stub resolver’s query. Hosts have the option of implementing their own recursive resolver, but it’s always better to let the system deal with that. That may mean the code remains simple and the performance remains at a high level.
What Is an Authoritative Name Server?
The third component of DNS is the authoritative name servers. Their main responsibility is to maintain domain information for a given DNS zone.

Most of the time, DNS resolution means authoritative name servers would get queried recursively. The querying will start from the DNS’ root zone. The process would continue down the DNS hierarchy until the authoritative name server in question is able to answer the original query.

Is It Safe To Use 8.8.8.8 DNS?
Yes, it’s very safe to use 8.8.8.8 since it’s provided by Google.
Should I Turn off Private DNS?
No. The benefits of using Private DNS outweigh the speed increase you’ll experience.
Can You Be Hacked Through DNS?
Yes, you can be hacked through a DNS hack. Hackers can either poison your query results or hack your router and override its default DNS settings to send you to places you didn’t intend to go to.

Leave a Comment