DNS determines where my devices go asking for directions on their way about the internet. My DNS setup thus has impacts upon my security, safety and convenience. My default DNS from my ISP is subject to AFAICT the highly criticised within which your local council gets to know where you are browsing.
- I might like a DNS services that does not record where I browse, so that I am less easily tracked and profiled by corporate interest or nascent police states etc. One way to fix this is with a VPN, but if I don’t want that overhead, I can also specifically encrypt my DNS queries to a supported DNS server.
- I might like a DNS server that does not spoof sites. For example, when I work in Indonesia if I try to visit videos from vimeo, I cannot do so without DNS hacks because otherwise I am redirected to a site which tells me that vimeo is pornographic (!). In China I understand this tactic is one way they enforce the great firewall. One way around this is DNSSEC, which does guarantee authenticity.
- Contrariwaise, I might like a DNS service that is deliberately broken and will simply not work for malevolent sites such as malware distributors and advertisers, because filtering this myself is becoming difficult with some browsers. Some people maintain their own blocklists, but I am sometimes happy to entrust a third party DNS provider with this power if they seem trustworthy.
Alternate DNS servers
There are fancy DNS servers operated by e.g. Cloudflare and Adguard which offer value added features such as censoring advertisers (and optionally “family unfriendly” content) by simply not resolving them and DNS-over-TLS.
Cloudflare is American and has enabled Nazi speech. Adguard operate in a Russian jurisdiction. What that says about the risk and benefit profiles of these organisations I leave you to decide for yourself.
Cisco’s opendns will do ad blocking, but not TLS-compatible.
Whirlpool’s list of DNS Servers to use in Australia. AFAICT only my ISP is required to log my DNS usage, so presumably I improve privacy somewhat by using any DNS server that is not my ISP’s.
CCC’s recommended DNS servers globally:
- 18.104.22.168 (FoeBud)
- 22.214.171.124 (f.6to4-servers.net, ISC, USA)
- 2001:4f8:0:2::14 (f.6to4-servers.net, IPv6, ISC)
- 126.96.36.199 (dns.as250.net; Berlin/Frankfurt)
- 188.8.131.52 (dnscache.berlin.ccc.de)
The Google Public DNS IP addresses (IPv4) are as follows:
The Google Public DNS IPv6 addresses are as follows:
Blocking some DNS records
I could do this myself with dnsmasq plus much love and attention and OCD, but I’m not quite anal retentive enough to get around to it. More comfortable might be to run a single board computer or vm as a net filter via pi-hole, which gives a nice GUI and monitoring system.
Encrypting DNS for privacy
encrypted responses: DNS-over-TLS
Want privacy about which sites you are requesting? This, de facto, means a standard called DNS-over-TLS.
How do we get our OS to make these encrypted queries?
I guess proxying them?
That seems to mean using
Authenticated responses: DNSSEC
The authenticated DNS option is
That might need extra config.
The server app of choice seems to be
I suspect there is substantial overlap between
stubby etc in practice.
Geeks usually try to get All The Cryptography at once.
So I’m going to reconfigure my DNS to be more secure. To do this I will update DNS servers to be some DNS-over-TLS servers. and flush out the old poisoned records.
The OS can benefit from a DNS flush; but also the browser can keep stinky stale records around. Clearing browser DNS caches is also advised.
tl;dr you can and should use fancy encrypted DNS servers,
but you can make life somewhat better by simply putting a new DNS service in your
If I want to encrypt,
see Linuxbabe on DNS-over-TLS for Ubuntu
using some app called
I presume it is doing something to improve my confidentiality.
In practice installing it is easy. On e.g. Ubuntu, this is as simple as
sudo apt install stubby
Settings go in a text file
/etc/stubby/stubby.yml; there is no
The default settings work, but are slow.
Then I am running your own DNS thingy on
127.0.0.1 (IPv4) or
0::1 (IPv6) on port 53 which will in turn forward queries to the DNS-over-TLS servers I configured.
Now! We have an easy-to-remember secure DNS server to put into the ‘dns server’ box of the wifi settings window.
Shortcoming: the GUI config for network settings in Ubuntu seems to want me to
configure it anew for every
different Wifi network, for both IPv4 and IPv6. Needs a universal workaround.
I think this is achievable via
Having done that, I also needed to flush out the bad old records
Changing the default DNS is obvious —system settings. Making it specifically do something secure…
Lazy mode: macos config to set the system to use as much encrypted stuff as possible with the
184.108.40.206 resolver, using a
Setup: MacOS and DNS over HTTPS or DNS over TLS – Quad9 Internet Security & Privacy
For encrypted DNS, see
Dan Pfiffer on DNS-over-TLS for macOS woh walks through
(watch out, there
a typo in his config file and the identity keys don’t match the ones I got).
DNS flush command keeps changing, eh? I think this is the latest:
sudo dscacheutil -flushcache sudo killall -HUP mDNSResponder
AFAICT this flushes more than the DNS cache — the
dscacheutil commands control Directory Services cache, which is a lot of stuff.
One simple way seems to be the app dnscloak?
Fancy stubby config
Pro-tip if you use stubby and you want faster DNS, don’t rotate through the default long list of slow servers settle on a short list of fast servers and rotate through them, disabling the others. e.g. Adguard and cloudflare:
upstream_recursive_servers: # Adguard servers - address_data: 220.127.116.11 tls_auth_name: "dns.adguard.com" - address_data: 18.104.22.168 tls_auth_name: "dns.adguard.comcloudflare-dns.com" #CloudFlare servers - address_data: 22.214.171.124 tls_auth_name: "cloudflare-dns.com" - address_data: 126.96.36.199 tls_auth_name: "cloudflare-dns.com"
You can choose whether to rotate though them constantly or not with the following parameter:
There is a (more) fully secure version of DNS-over-TLS where you verify the
server’s keys, presumably over a trusted network, to ensure you are connecting
to the correct server.
To find the encryptey verify key whatsit for
188.8.131.52 I am told you do this:
echo | openssl s_client -connect '184.108.40.206:853' 2>/dev/null | \ openssl x509 -pubkey -noout | \ openssl pkey -pubin -outform der |\ openssl dgst -sha256 -binary | \ openssl enc -base64
Surely this step is in itself vulnerable to spoofing, because I need to trust some set of intermediate certificates? Anyway, this should at least detect server identity changes hereafter? Probably?
If we do that, we get the following config. (You can copy this from me, but obviously it would be wiser to verify for yourself because if our identifiers differed it would mean we were being messed with).
upstream_recursive_servers: # Adguard servers - address_data: 220.127.116.11 tls_auth_name: "dns.adguard.com" tls_pubkey_pinset: - digest: "sha256" value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc= - address_data: 18.104.22.168 tls_auth_name: "dns.adguard.com" tls_pubkey_pinset: - digest: "sha256" value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc= # The Cloudflare servers - address_data: 22.214.171.124 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: - digest: "sha256" value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= - address_data: 126.96.36.199 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: - digest: "sha256" value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= #You probably also want to avoid little accidents by configuring IPv6 also? # Adguard servers - address_data: 2a00:5a60::ad1:0ff tls_auth_name: "dns.adguard.com" tls_pubkey_pinset: - digest: "sha256" value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc= - address_data: 2a00:5a60::ad2:0ff tls_auth_name: "dns.adguard.com" tls_pubkey_pinset: - digest: "sha256" value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
sudo systemd-resolve --flush-cache sudo systemd-resolve --statistics
For bog standard purposes, a cheap registrar is fine. I use GANDI (and that is my affiliate link, use it to give me 5 Euros please).
For privacy-enhanced tinfoil-hat business, one might wish to anonymously own a domain. I am not sure about all the mechanics of this, but here are some recommendations I was given when I was curious about it:
We’re not actually a domain name registration service, we’re a customer to these. We sit in between the domain name registration service and you, acting as a privacy shield.
When you purchase a domain name through Njalla, we own it for you. However, the agreement between us grants you full usage rights to the domain. Whenever you want to, you can transfer the ownership to yourself or some other party.
PRQ is a 1337-lookin’s swedish domain registrar that host weird hacker stuff.
Vindo offers anonymous domain registration as part of its hosting.