How DNS Works

When you enter a URL, your device asks a DNS resolver (usually the recursive resolver assigned by your ISP or the local network) for the matching IP address. It is the resolver, not your device, that then walks the DNS hierarchy:

  1. Root Servers: Refer the resolver to the Top-Level Domain (TLD) servers (e.g., for .com).
  2. TLD Servers: Refer it on to the domain's authoritative nameservers.
  3. Authoritative Nameserver: Returns the final record (an A or AAAA record carrying the IP address), which the resolver caches and hands back to your device.

Traditional DNS queries (over UDP/53 or TCP/53) are neither encrypted nor authenticated, so anyone on the path (your ISP, the operator of a public Wi-Fi hotspot, a compromised router) can read, forge, or drop them. This exposes your browsing activity to surveillance, spoofing, and censorship.


Risks of Unencrypted DNS

  1. Surveillance: ISPs or third parties can log visited domains.
  2. Manipulation: Responses can be altered to redirect users (e.g., government censorship).
  3. Filtering: Networks may block access by withholding DNS responses.

Example: Monitoring DNS Traffic
Use a packet-capture tool (this needs capture privileges, so run it as root or a user in the capture group) to record resolver traffic. The capture filter below keeps only UDP/53 packets to or from 9.9.9.9 (Quad9):

tshark -w dns_log.pcap udp port 53 and host 9.9.9.9

Then, perform a DNS lookup:

nslookup example.net 9.9.9.9

Open the capture in Wireshark (display filter: dns) and you will see the queried name and the returned address in plaintext. Repeat the same capture after switching the host to DoT or DoH towards the same resolver: the UDP/53 packets disappear, which is the behaviour the rest of this article is about.


Encrypted DNS Protocols

To mitigate risks, modern protocols encrypt DNS traffic:

1. DNS over HTTPS (DoH)

  • How It Works: Sends each DNS message as an HTTPS request (RFC 8484) on port 443, so at the transport level it is indistinguishable from ordinary web traffic.
  • Adoption: Built into Firefox and Chrome, and supported natively by Windows 11, Android, and iOS.
  • Drawback: Because it blends in with other HTTPS traffic, it cannot be blocked by port alone; this cuts both ways. A censor has to block known resolver IPs or SNI names, and an enterprise that needs to enforce its own DNS policy (malware filtering, split-horizon names) loses visibility unless it blocks those same endpoints.

2. DNS over TLS (DoT)

  • How It Works: Runs the DNS message stream inside TLS on a dedicated port, TCP/853 (RFC 7858).
  • Adoption: Android's "Private DNS" setting (Android 9 and later), systemd-resolved on Linux, and many enterprise resolvers.
  • Drawback: The dedicated port makes it trivial to detect and block: a network can simply drop TCP/853. Worse, a client configured in "opportunistic" or "automatic" mode then silently falls back to plaintext UDP/53, so check that strict mode is enabled.

3. DNSCrypt

  • Protocol: Predates DoH and DoT. The client fetches the resolver's signed public key and encrypts each query using a key exchange (X25519) with that key, usually on port 443.
  • Status: Never standardized by the IETF and largely displaced by DoH/DoT, although dnscrypt-proxy still supports it alongside DoH.
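The following is an added example, written for this article and not code from the page's author or from any DNS implementation. It serves both the plaintext capture in the previous section and the DoH description above: it builds a DNS query in wire format, parses a hand-constructed response exactly as an on-path observer would, and shows the same bytes wrapped in the RFC 8484 GET and POST forms. The response bytes, the address 192.0.2.10, and the resolver name dns.example are constructed placeholders.

```python
"""Added example (not part of the original article): DNS wire format as it
crosses UDP/53 in the clear, and how DoH (RFC 8484) wraps those same bytes.
SAMPLE_RESPONSE and the address 192.0.2.10 are constructed for this example;
dns.example is a placeholder resolver name."""
import base64
import ipaddress
import struct

def encode_name(name: str) -> bytes:
    """'example.net' -> 7example3net0 (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """12-byte header (RD=1) plus one question; qtype 1 = A, 28 = AAAA.
    DoH clients normally use txid 0 so identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg: bytes, off: int):
    """Read a name that may use compression pointers; return (name, next offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer into the message
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_message(msg: bytes) -> dict:
    """Decode header, question and A/AAAA answers: this is exactly what an
    on-path observer reads from an unencrypted UDP/53 datagram."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4                                           # qtype + qclass
    answers = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (1, 28):                           # A / AAAA: rdata is the packed address
            answers.append(str(ipaddress.ip_address(msg[off:off + rdlen])))
        off += rdlen
    return {"id": txid, "response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}

def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """Client side of the RFC 8484 GET form: base64url with padding stripped."""
    return f"{path}?dns={base64.urlsafe_b64encode(query).rstrip(b'=').decode()}"

def doh_get_decode(path: str) -> bytes:
    """Server side of the GET form: restore padding and recover the message."""
    token = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))

def doh_post_request(query: bytes) -> dict:
    """POST form: the raw message is the body, typed application/dns-message."""
    return {"method": "POST", "body": query,
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"}}

# Constructed response: one A answer for example.net, name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.net") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_query("example.net")
    print("plaintext query :", parse_message(q))
    print("DoH GET URL     :", "https://dns.example" + doh_get_path(q))
    print("round trip ok   :", doh_get_decode(doh_get_path(q)) == q)
    print("parsed response :", parse_message(SAMPLE_RESPONSE))
```

Run it and compare the hex of the query with the UDP payload in your own capture: the bytes are identical. DoH does not change the message at all, it only changes the channel, which is why a DoH resolver still sees everything a plaintext resolver would.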

Limitations of Encrypted DNS

Encrypting DNS hides the query and response, but the connection you open immediately afterwards still reveals where you are going:

1. Server Name Indication (SNI)

  • Risk: The TLS ClientHello carries the target hostname in the plaintext Server Name Indication (SNI) extension, so an on-path observer learns the domain without needing DNS at all.
  • Solution: Encrypted ClientHello (ECH), a TLS 1.3 extension, encrypts the SNI to a public key the site publishes in DNS. That makes an encrypted DNS lookup a prerequisite for ECH, but ECH also needs server or CDN support and adoption is still limited.

2. IP Address Correlation

  • Risk: The destination IP address is visible to the network regardless of DNS; for a site on its own server, the IP alone identifies it.
  • Mitigation: Only partly under the client's control. Sites behind large CDNs (e.g., Cloudflare) share addresses with many other sites, which blurs the mapping; a VPN or Tor hides the destination IP from the local network entirely, at the cost of trusting the VPN provider or exit node instead.

3. OCSP Requests

  • Risk: If the browser checks revocation with a live OCSP query, it sends the certificate's serial number over plaintext HTTP to the CA's responder, and that serial identifies the site.
  • Fix: Server operators can enable OCSP stapling, so the signed OCSP response travels inside the TLS handshake and the client never contacts the responder. Clients cannot force this; modern browsers are moving to locally distributed revocation lists instead of live lookups.

Advanced DNS Features

DNSSEC

  • Purpose: Verifies that DNS responses are authentic and unmodified, which defeats spoofing.
  • Mechanism: Each zone signs its records, and a chain of signatures and key hashes runs from the root down the hierarchy.
  • Limitation: Does not encrypt anything; it only provides integrity. Validation is normally done by the resolver, so a client that merely trusts the AD bit in a plaintext reply gains nothing. DNSSEC and encrypted transport complement each other.

QNAME Minimization

  • Privacy Boost: The resolver sends each server only the part of the name it needs (RFC 9156) instead of the full query name.
  • Example: For blog.example.org, the root servers see only a query for org, the .org TLD servers see only example.org, and only example.org's authoritative servers see the full name blog.example.org.

EDNS Client Subnet (ECS)

  • Function: The resolver attaches part of the client's IP address (by default a /24 for IPv4, e.g. 192.0.2.0/24, or a /56 for IPv6) as an EDNS0 option so that a CDN's authoritative servers can return a nearby address.
  • Privacy Issue: Every authoritative server the resolver contacts learns your approximate location. Prefer a resolver that does not forward ECS (Quad9's default service does not) or that documents how it truncates it; a client can also send an ECS option with a source prefix length of 0, which RFC 7871 defines as a request not to add its subnet.
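As an added example, not code from the original article or from any resolver, the following builds and decodes the ECS option from RFC 7871 so you can see exactly which bits of an address leave the resolver, what the opt-out form looks like, and what a privacy-preserving resolver strips before forwarding. The addresses come from documentation ranges and are constructed for the example.

```python
"""Added example (not part of the original article): build and decode the
EDNS Client Subnet (ECS) option from RFC 7871, to show exactly which bits of
a client address a forwarding resolver hands to authoritative servers.
The addresses below come from documentation ranges and are constructed."""
import ipaddress
import struct

ECS_OPTION_CODE = 8     # option code assigned to edns-client-subnet

def build_ecs(address: str, source_prefix: int = None) -> bytes:
    """Encode one ECS option: code, length, family, source, scope, address bits.
    Only the first source_prefix bits are sent, rounded up to whole bytes;
    RFC 7871 recommends /24 for IPv4 and /56 for IPv6. A source_prefix of 0
    is the client's way of saying 'do not add my subnet at all'."""
    ip = ipaddress.ip_address(address)
    family = 1 if ip.version == 4 else 2
    if source_prefix is None:
        source_prefix = 24 if ip.version == 4 else 56
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr_bytes = network.network_address.packed[: (source_prefix + 7) // 8]
    data = struct.pack("!HBB", family, source_prefix, 0) + addr_bytes   # scope is 0 in queries
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data

def build_opt_rr(options: bytes, udp_payload_size: int = 1232) -> bytes:
    """Wrap option data in the OPT pseudo-RR carried in the additional section:
    root name, type 41, class field reused as UDP payload size, TTL as flags."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, len(options)) + options

def parse_ecs(opt_rr: bytes) -> dict:
    """Walk the options inside an OPT RR and decode ECS if present."""
    rdlen = struct.unpack("!H", opt_rr[9:11])[0]     # after name(1) type(2) class(2) ttl(4)
    rdata, off = opt_rr[11:11 + rdlen], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        body = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if code != ECS_OPTION_CODE:
            continue
        family, source, scope = struct.unpack("!HBB", body[:4])
        full = body[4:] + bytes((4 if family == 1 else 16) - len(body[4:]))   # zero-pad
        network = ipaddress.ip_network(f"{ipaddress.ip_address(full)}/{source}", strict=False)
        return {"network": str(network), "source_prefix": source, "scope_prefix": scope}
    return {}

def strip_ecs_for_upstream(opt_rr: bytes) -> bytes:
    """What a privacy-preserving resolver does before forwarding: remove the
    option so authoritative servers learn only the resolver's own address."""
    rdlen = struct.unpack("!H", opt_rr[9:11])[0]
    rdata, off, kept = opt_rr[11:11 + rdlen], 0, b""
    while off + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        if code != ECS_OPTION_CODE:
            kept += rdata[off:off + 4 + length]
        off += 4 + length
    return opt_rr[:9] + struct.pack("!H", len(kept)) + kept

if __name__ == "__main__":
    for addr in ("192.0.2.77", "2001:db8:abcd:1234:5678::1"):
        print(addr, "-> upstream sees", parse_ecs(build_opt_rr(build_ecs(addr))))
    print("opt-out :", parse_ecs(build_opt_rr(build_ecs("192.0.2.77", 0))))
    print("stripped:", parse_ecs(strip_ecs_for_upstream(build_opt_rr(build_ecs("192.0.2.77")))))
```

The point to take from running it: a /24 is still a neighbourhood, not a continent, so "partial IP" understates the leak; and the opt-out form is only a request, so a resolver you do not trust can ignore it.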

When to Use Encrypted DNS

Consider this decision tree:

  1. Avoiding Censorship: Encrypted DNS alone is not enough, since the destination IP and SNI of blocked sites are still visible; pair it with a VPN or Tor.
  2. ISP Privacy Concerns: Use DoH/DoT in strict mode with a third-party resolver whose privacy policy you have read; you are moving trust from the ISP to that operator, not removing it.
  3. Minimal Risk: If your ISP offers DoH/DoT, using their resolver keeps latency low and still defeats other on-path observers, though the ISP itself continues to see your queries.

Implementation Guide

Enable Encrypted DNS

  • Windows 11: Settings → Network & Internet → your adapter → DNS server assignment → Edit; set the resolver address and choose the encrypted (DoH) option, preferably "Encrypted only" so nothing falls back to plaintext.
  • macOS/iOS: There is no built-in toggle; install a configuration profile with a DNSSettings payload (your resolver operator may publish one) or use a third-party app such as DNSecure.
  • Linux: Use systemd-resolved for DoT (DNSOverTLS=yes plus a DNS=address#hostname entry in /etc/systemd/resolved.conf; "opportunistic" falls back to plaintext) or dnscrypt-proxy for DoH and DNSCrypt.

Test for Leaks

Verify that the lookup is encrypted. curl (7.62 or later) can resolve through a DoH server itself, independent of the operating-system resolver, which makes it a convenient probe:

curl -vI --doh-url https://dns.example/dns-query https://example.net/

With the capture from the monitoring section still running, this lookup should produce no UDP/53 packets. Then check whether the HTTPS connection itself still leaks the hostname: in Wireshark, the display filter tls.handshake.extensions_server_name lists every ClientHello that carries a plaintext SNI, which only ECH would hide.
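To make the SNI leak discussed under "Limitations of Encrypted DNS" concrete, here is an added example (written for this article, not code from the page's author or from any TLS library) that builds a minimal ClientHello and then extracts the server_name from it the way a passive observer would from a capture. The ClientHello is constructed by hand with a zeroed random field; example.net and dns.example are the only names in it.

```python
"""Added example (not part of the original article): extract the server_name
(SNI) from a TLS ClientHello record. The hello bytes are constructed here,
not captured; the random field is zeroed and 'example.net' is a placeholder."""
import struct

def build_client_hello(server_name=None) -> bytes:
    """Minimal ClientHello record (TLS 1.3 advertised) with an optional SNI extension."""
    extensions = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"       # supported_versions: TLS 1.3
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0, len(sni_list)) + sni_list + extensions
    body = (
        b"\x03\x03" + bytes(32)                    # legacy_version, random (zeros: constructed)
        + b"\x00"                                  # empty session id
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                              # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host name, or None when the record is not a ClientHello
    or carries no server_name (IP literal, or ECH hiding the real name)."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    off = 5 + 4 + 2 + 32                           # record hdr, handshake hdr, version, random
    off += 1 + record[off]                         # session id
    off += 2 + struct.unpack("!H", record[off:off + 2])[0]          # cipher suites
    off += 1 + record[off]                         # compression methods
    if off + 2 > len(record):
        return None                                # no extensions block at all
    end = off + 2 + struct.unpack("!H", record[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[off:off + 4])
        data = record[off + 4:off + 4 + length]
        off += 4 + length
        if ext_type != 0:                          # 0 = server_name
            continue
        pos = 2                                    # skip server_name_list length
        while pos + 3 <= len(data):
            name_type = data[pos]
            name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
            if name_type == 0:
                return data[pos + 3:pos + 3 + name_len].decode("ascii")
            pos += 3 + name_len
    return None

def sni_from_capture(payloads) -> list:
    """Run over raw TCP payloads (e.g. pulled from a pcap) and list the names
    seen: this is what an on-path observer learns even when DNS is encrypted."""
    return [name for p in payloads if (name := extract_sni(p))]

if __name__ == "__main__":
    hello = build_client_hello("example.net")
    print("ClientHello:", hello.hex())
    app_data = b"\x17\x03\x03\x00\x10" + bytes(16)   # constructed application_data record
    print("observed SNI:", sni_from_capture([hello, build_client_hello("dns.example"), app_data]))
```

Note that the second name in the output is the DoH resolver itself: a DoH client's own ClientHello names the resolver in plaintext SNI, which is exactly how networks identify and block DoH endpoints.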


Conclusion

Encrypted DNS raises the bar, but it is not a complete solution: the destination IP, the plaintext SNI, and the resolver operator you chose still see where you go. Combine it with HTTPS (ideally with ECH) and, where your threat model calls for it, a VPN or Tor, and weigh speed, compatibility, and anonymity against that threat model rather than against a generic notion of privacy.