A quick intro
The internet was built on trust. In the early days of the Internet as we know it, security and privacy of communications were not priorities when it came to developing essential protocols. DNS, just like email, is broken by design and very little has been done to add security and privacy layers to it. In modern times, hackers and state entities figured out how to take control over it.
When the internet was created, everyone assumed it would be used only for good: for information sharing, education, and freedom purposes. So nobody thought about making it secure in the first place.
Recent events such as the Arab Spring, and political regimes like the ones in China or Iran, have shown us how easily web censorship can be implemented because of one single design error of the internet's structure: DNS, the service that helps us write google.com in our browser instead of the IP of this website, 74.125.224.72.
The main issue is that DNS requests are sent unencrypted, in clear text. This means:
- little or virtually no privacy for the user
- it favors the lowest-cost, easiest-to-implement and most efficient tools for mass censorship, profiling and blocking of Internet resources/websites
- a fairly easy way for hackers, government agencies and internet providers to get access to your Internet activity
Some more info on how DNS works
Whenever you want to access a website, you are sending a DNS request to resolve that website's hostname (e.g. google.com) to an IP address (e.g. 74.125.224.72). The DNS request is sent to a recursive DNS resolver, which handles that request for you. That resolver is operated either by your ISP (in most cases) or by a 3rd party service providing public recursive DNS services (e.g. OpenDNS, Google and others). Normally, all these DNS requests are insecure: sent and received in clear text.
Why clear text DNS requests are bad news
Essential information, such as the websites you visit, is out in the open, as a consequence of these unencrypted DNS requests.
Based on your browsing history, an attacker can even build a list of the software you use on your computer, as most software calls back home for updates and such. Knowing this, attackers can launch targeted attacks, using dedicated exploits and tools which may be virtually impossible to detect by the antivirus you use, and exploit vulnerabilities in specific software that you are using.
Also, a MiTM (Man in the Middle) attacker can see the DNS requests you send, along with other information. Such an entity can be a hacker, a government agency or your ISP.
Not only can attackers see the DNS requests that you make, but they can also manipulate them easily, for example by hijacking those requests to serve non-legitimate IPs that distribute malware/spyware.
What does my Internet provider know about me?
Almost everything.
Most people use DNS services offered by their ISPs, without being aware that such a habit makes censorship and mass-surveillance much easier, as nearly all providers log DNS queries and may easily implement system-wide rules to hijack or block queries. Or they may simply implement logging policies, resulting in a log of your entire browsing history, accurate to the second.
Basically, the provider sees virtually everything you access online by simply focusing on the DNS requests you make. It knows who, when and how someone has accessed a website and adds this info into a database. Therefore, the ISP can even profile you.
Your DNS records might end up in the hands of advertisers. AT&T for instance is known to sell such data, unless customers pay the company not to allow this to happen. Also, it might end up in the hands of the government forcing ISPs to log and provide DNS logging data.
Some might argue that if you care about browsing anonymously, you’re probably doing something illegal. The truth is that there’s plenty of online content you simply might not be comfortable sharing.
Solutions
There are several things you can do to conceal your online activity. First, never use DNS services offered by your ISP. We recommend going for third-party services instead. They might even offer features your internet provider does not. OpenDNS and Google Public DNS will know less about you compared to your own ISP. Also, there are many privacy-conscious DNS services to choose from. A list of alternative DNS is provided by Wikileaks.
Compared to ISP DNS services, third-party DNS services can be faster, more reliable and even offer security features that aren’t implemented by most ISPs. Such solutions often come with parental control for filtered web traffic and access to geo-blocked content.
Keep in mind that even if DNS is insecure by design, in general, if an ISP doesn't have DPI (Deep Packet Inspection) measures in place, you're fairly safe using a 3rd party DNS. DPI is very expensive and not as easy to implement efficiently as simply enabling logging on the ISP's own recursive DNS resolvers. That is a main reason why most ISPs wouldn't engage in such practices and likely focus on their DNS resolvers hosted on-premise.
These, however, will not help Chinese users browse the internet freely. Even through a third-party DNS, their internet provider might still be able to intercept and hijack DNS queries by using DPI solutions. Yet, this is the exception, not the norm. This only applies to standard DNS queries made through port UDP-53 (even in China). Therefore, if someone uses a DNS server on a different port, they can easily bypass country-wide censorship.
Another solution is DNSCrypt, which provides DNS query encryption. For the moment, however, there isn’t any user-friendly software that can easily offer this. Mobile users can change DNS service for WiFi connection only. In the case of a mobile connection, it only works for rooted smartphones.
ICYDK: What DNS is and how it works
In the early ages of the internet, you had to type a number in order to reach a website. Today, if you want to access Google, you can either hit Google.com on your browser, or its IP address, 74.125.224.72. The first option is, however, more convenient.
In the beginning, the link between websites and IP addresses was a text file. At some point, it became too large to manage. The University of Wisconsin created, in 1983, the Domain Name System or DNS, a system that automatically associates IP addresses with names.
DNS servers receive requests to convert domain names such as Google.com into IP addresses. If they can resolve them, the website will automatically load. Otherwise, they ask another DNS server for help. If no server can track down the domain name, you get an error message.
Quick sum-up, conclusions and advice
Problems
- DNS is broken as it is. Very little effort has been made to improve it, from security and privacy points of view.
- Not much can be done for mobile devices using mobile broadband connections (requires root). They will always use the carrier DNS.
- It is the easiest, cheapest and most effective mass-surveillance and censorship method. All repressive governments and spying agencies love it.
- There are some easy fixes, such as using a 3rd party DNS instead of own ISP. Not a perfect method, but good enough.
- Attackers can easily profile your browsing history as well as software that you have installed, then launch accurate targeted attacks against such software.
- This is not about "DNS leaks" or using VPNs in general, but about one of the elephants in the room. DNS leaks will be detailed in another article.
Solutions
- Never use your ISP DNS. Use 3rd party services. Any 3rd party DNS service is better than your ISP. Most common services use anycast to ensure low latency regardless of your geo-location. Therefore, there's no noticeable delay.
- Use DNSCrypt.
- Increase awareness by telling others what the problems with DNS are. The more people know about it, the better the chances that encryption will be standardized into the DNS protocol so that it will be used by the masses.
Further reading
- DNS hijacking
- Pretty Bad Privacy: Pitfalls of DNS Encryption
- DNS Censorship (DNS Lies) As Seen By RIPE Atlas
- Turkish Internet Censorship Takes a New Turn
- Accidental DDoS? How China's Censorship Machine Can Cause Unintended Web Blackouts
- The Collateral Damage of Internet Censorship by DNS Injection
- Towards a Comprehensive Picture of the Great Firewall’s DNS Censorship