After seeing numerous posts regarding ease of implementing secure DNS, some of them being patently wrong and misleading, I’d like to provide a brief clarification on this subject.
If you’ve read that changing your static DNS entries either on your PC or home router to the one provided by Cloudflare (188.8.131.52) or IBMs Quad9 (184.108.40.206) will provide you with a measure of privacy, these statements are incorrect.
You are simply running unencrypted query to the server(s) CAPABLE of secure communication. Your ISP, hotel, etc. will have no trouble at all collecting, analyzing, and selling your information if all you've done is specified 220.127.116.11 as your preferred DNS. If you are really trying to secure DNS, a bit more work is required.
Cloudflare does provide secure DNS services. It is misunderstanding of how it should be used that I have problem with.
If you simply define static IP as your DNS server, any upstream DNS Proxy will be able to log, intercept and reroute it.
DNSSEC can guarantee that the responses are valid but does not provide confidentiality.
DNS over HTTPS/TLS will do both but could either be blocked by upstream routers/firewalls because it is addressed to known servers (i.e. 18.104.22.168, 22.214.171.124, 126.96.36.199, etc...), or decrypted by MITM, if user trusts its certificate.
The only known good way to assure DNS security is to use DNSCRYPT with DNSSEC. This method using elliptic curve algorithm to encrypt DNS traffic, providing confidentiality and DNSSEC, assuring authenticity of replies.
This last one could be blocked, because you are still limited to the relatively short list of known servers, but you will know that someone is meddling with your DNS traffic.
If you want as close to complete security for DNS as you can get, use IPSEC VPN to a cloud-hosted DNS proxy that you've deployed yourself, that is in turn configured to use DNSCrypt with DNSSEC.
Additionally, be aware that the Windows 10 has, what is known as “DNS leakage”. Regardless of your VPN settings, it is going to broadcast DNS requests in the open to all DNS servers identified on all of its interfaces. I.e. if you are connected to an unsecured Wi-Fi and VPN and both supply your computer with DNS servers, queries will go out of both interfaces, the physical and the virtual and the fastest answer will be used for resolution.
Additional tinkering with the registry required to disable this behavior: https://www.neowin.net/news/guide-prevent-dns-leakage-while-using-a-vpn-on-windows-10-and-windows-8
Thanks for the post! Definitely gave me stuff to think about. I enjoy seeing content like this here!
Glad you've liked it.
Too many forums now concentrate on career developments.
I rather enjoy sharing technical write-ups on common issues.
If security aspects of AWS, WAF, IDS, IPS, AV etc.. are of interest, I can post links to my content on Check Point forum.
What's Check Point?
They are the dominant enterprise security market player- the company that has invented stateful firewall and are in 100% of Fortune 100 companies.
In the same category as Fortinet and Palo Alto Networks.
Interested in seeing your forum!
Thanks for that post, it was very informative. Hope to see more stuff like this.
No particular interests --- anything relevant to securing IT would be appreciated. Thanks.
Good write up. It's funny how people see secure DNS and think automatically that it becomes secure from the source location.