... making kittens cry since 2001

The DNS Thing 2018-08-07

The Problem Of DNS Privacy:

A couple days back I saw someone land on my web site from the dd-wrt forums. Turns out someone mentioned me in this post here, and I thought it might be a good idea for me to whip up a post explaining part of what is going on with DNS. I signed up for an account and started typing, but I started to worry that maybe they'd be irritated that I necromanced and hijacked an eight month old thread. So I saved what I had typed so far and figured I'd put it here in case anyone cared. Here's some of what fizikz had said:

The problem I see with DNSCrypt is that it still requires trust in the one running the resolver or at least their server. There's no guarantee that person isn't keeping logs, or that unknown to them their server might be compromised, etc. So, the value of DNSCrypt is unclear to me, especially given the serious usability impact from potential resolver failures.

This is a good summary of DNS's privacy problem. The bottom line is that anyone who requires name resolution services (which is essentially anyone wishing to use the Internet) has to trust the privacy of their name resolution to somebody. There is no reasonable way to avoid this.

858 Jack Elam in Once Upon A Time In The West.

Here's Why:

There are generally three kinds of DNS servers...

  • Recursive: These servers start at the root servers and work their way down to resolve names to IP addresses
  • Authoritative: These servers provide the DNS records defined by individual domain owners
  • Stub: These servers forward queries to other DNS servers, and often provide additional features such as caching or blocking

A typical [somewhat simplified] fully recursive lookup might look like this:

  • You type in to your browser (your PC needs to lookup the IP address of
  • Your PC checks it's own cache and doesn't find the answer
  • Your PC asks your router (stub) or some other device on your network
  • Your router checks it's cache and doesn't find the answer
  • Your router asks your ISP's DNS server (recursive)
  • Your ISP's DNS server checks it's cache and doesn't find the answer
  • Your ISP's DNS server asks a root server (authoritative for root)
  • The root server provides IP of server for .ca
  • Your ISP's DNS server asks the .ca server (authoritative for .ca TLD)
  • The .ca server provides IP of server for
  • Your ISP's DNS server asks the server (authoritative for
  • The server provides the answer to your ISP's DNS server
  • Your ISP's DNS server provides the answer to your router
  • Your router provides the answer to your PC

On a typical "high speed" Internet connection this often happens in less than half a second. In most cases, all DNS traffic is clear text and readable by every hop along the way. Even with an encrypted provider, the traffic between recursive servers and the other various servers is clear text. Because of this, if you are doing name resolution (and you almost certainly are), then someone can "see" those DNS queries.

If you use your ISP's servers, then they can see your queries. If you run your own recursive server at home, your ISP can still see the plain text queries going to to the root and authoritative servers. If you use a VPS as your recursive server, your ISP can see the traffic to the VPS and the VPS provider can see the outbound traffic to the root and authoritative servers. If you use Google, Cloudflare, DNS.Watch, Hurricane Electric, or another public resolver then they can see your queries (and your ISP can too). If you use a VPN then your VPN provider can see your queries. If you use a DNSCrypt server, then your ISP can't see the queries, but the owner of the DNSCrypt server can. Additionally, network providers between the DNSCrypt server and the root/authoritative servers can also see the traffic (though not associated with you personally). If you use a DNS-over-TLS provider, the server owner can see your queries and the upstream recursive traffic is still plain text, just like DNSCrypt.

So What Is The Solution?:

Well, you could maybe use Tor, but my understanding is that if you just use Tor browser then perhaps DNS queries for your browsing would be routed through Tor, but your other applications won't be using it. My further understanding is that there is a way to pump all of your DNS queries through tor using socat, but it is a complicated mess that doesn't play well with DNSSEC.

If you use an encrypted solution such as DNSCrypt or DNS-over-TLS then the only the provider is able to associate a query with the actual source of the query. Any traffic beyond the provider is seen to be "coming from the provider" and is basically mixed-in with the queries of everyone else using the same provider. However, as others have pointed out, not all providers of encrypted DNS claim to be log-free, but those who do claim not to be logging could simply be lying.

If anyone has any alternatives I'd like to hear them, but as far as I can tell the fact that the root servers and authoritative servers all comminucate in clear text means that pseudo-anonymization via an encrypted provider is the closest we can get to DNS privacy.

Single Point Of Failure:

The problem of using one DNS server being a single point of failure is true whether you use an encrypted provider or not. Most modern operating systems are obviously capable of using multiple normal unencrypted resolvers without too much extra effort. I have been using a separate small Linux machine (not a dd-wrt router) on my network(s) with dnsmasq and multiple dnscrypt-proxy instances, and it has been very solid. As a result I have not looked at using dnscrypt with dd-wrt, but I imagine it might be possible. Ultimately, the issue of being a sigle point of failure is real, but perhaps not as important [to me] as DNS's privacy/security issues.

Made using Notepad++ & FastStone. Hosted on Debian with nginx & php. Powered by North Korean mushrooms.