There have been a few articles recently about Secure DNS or DNS over TLS, and the first question that a buddy asked me (@Pratik) was “what the hell is DNS, technology has too many acronyms”. Have no fear my friend, I’ve got your back.
DNS, or Domain Name Service, is like a phone book. If you get into an Uber and say “drive me to Jack’s house”, chances are the Uber driver isn’t going to know who Jack is, much less where he lives. With a little bit more information, you can look up Jack in the phone book and get a public address to go to. Computers work the same way! Domains are significantly easier to remember than an IP, and with dynamic DNS, the IP address of a website can change daily. When you type http://www.google.com or http://www.sciencemoez.com into your web browser, your computer doesn’t know what that is until it uses DNS to figure out how to get to that website.
How does it work?
Every computer connected to the internet has an IP address. On your local network it probably looks like 192.168.1.XXX. When you type http://www.sciencemoez.com into your browser, your computer has to look up what the IP address of that domain is to connect to it. To do that, a computer takes 8 steps
- You type http://www.sciencemoez.com into your browser, your browser asks your DNS resolver for an IP
- The resolver asks the DNS root nameserver for the IP
- The root server tells your computer to check with a Top Level Server (like .com or .net or .org) to get a more specific query
- The resolver asks the Top Level Server for the .com level
- the Top Level Server responds with the sciencemoez.com nameserver
- the resolver asks the sciencemoez.com nameserver for the webserver IP
- the IP address is returned
- the resolver response to your browser with the correct IP
There are 4 main moving parts here, the resolver, the root nameserver, the Top Level Server, and the domain nameserver, all of which work together to make your DNS lookups as fast as possible.
This entire process doesn’t happen every time you try to go to a website though, most of the time your resolver will save some of your recent lookups so it doesn’t have to go all the way to the Top Level server to ask for the IP. If you went to sciencemoez.com an hour ago, its unlikely the IP has changed, so it just sends you straight to the IP it remembers.
So whats with Secure DNS and DNS over TLS?
DNS lookups are all sent in clear text, so anyone that sniffs your network can see exactly which sites you’re looking up to go to. This is how most ISPs can keep track of your browsing, even when you’re in private or incognito mode. DNS over TLS sends your DNS over an encrypted tunnel so no one can see your requests. Secure DNS has filters in place to stop you from visiting known malicious sites.
Are there other vulnerabilities with DNS?
I wouldn’t call them vulnerabilities as much as security blind spots. If you’re on a hotel’s guest wifi but don’t want to pay for internet, you can use the DNS protocol to tunnel your connection out over port 53 and get free internet. You can steal data using fake DNS requests to a DNS server that you control (I built an attack using this method, write up coming soon!), you can even set up your own fake nameserver (DNS spoofing/poisoning) and send clients to a website you control when they try to go to a legitimate website.
Most companies believe DNS is harmless, and don’t even restrict port 53 to known good DNS, or apply a policy to force users to use an internal DNS that can be logged and monitored.
What secure DNS should I use?
Most people have a DNS server set up through their ISP, but I always change mine at the router level to use Cisco’s OpenDNS (184.108.40.206). The most popular DNS server by far is Google’s (220.127.116.11), but it isn’t secured or filtered. You can use CloudFlare’s new secure DNS (18.104.22.168) or the new Quad9 service (22.214.171.124).