Privacy Online – DNS over TLS


Your Internet Service Provider [ISP] is watching everywhere you go on the internet. They are harvesting that information and selling it to the highest bidder. The easiest way for them to do this is to watch the DNS – Domain Name Service – requests coming from your network. DNS is the Internet Phone Book and every time you visit a website, or play a video or anything – from your phone over WiFi or from your computer, your computer or phone looks up the IP address – a number – based on the Domain Name – a text string. And DNS is the protocol that does this. Normal DNS is completely in the clear. That is, it is not “Encrypted” in any way. Once you reach a website, to purchase something or look at your Facebook page or whatever, almost all sites are “Encrypted” so that nobody can eavesdrop on what you are doing. This all happened a few years ago after folks were sniffing everyone’s Facebook pages in coffee shops and libraries. But I digress.

DNS has only just recently been fixed. And up until now, and until you fix your network, as I outline below, your ISP is sniffing all your DNS requests, because they can. This means they know everyplace you go on the network.

DNS Security

The Insecurity of DNS has been known for a long time. Back in 1997 someone wrote a paper about the problems. But that solution, DNSSEC, didn’t work. Recently two new approaches have appeared. DNS over HTTPS, and DNS over TLS. Both are gaining traction, but DNS over TLS is the easier to put in place, since it is, or will soon be, supported in your Home Router. As long as you buy your own router, and not use the one that is provided by your ISP. They aren’t going to put DNS over TLS in their router, now are they.

This whole issue has been brewing for sometime, and I’ve been watching it. But recently something new happened that perked up my ears. Firefox put DNS over HTTPS or DoH into Firefox. DoH allows all your browsing DNS requests to be secure since DoH uses an encrypted connection to the DNS server for those requests. The requests can’t be snooped and can’t be changed – Which some ISPs actually do. Can you believe it? Changing the phone book? Anyway.

To use DoH in Firefox is easy. Under Options, scroll to the bottom of the general settings and click [Settings…] next to Network. Then at the bottom of that page, enable DNS over HTTPS and use the Default cloudflare address provided. There are so many Cloudflare servers that your performance will be just fine or better than with your ISP.

The Chrome browser does not [yet] support DoH. I could not find anything on the subject so I’m not sure of any plans. But the next section will solve your problem for everything, including Chrome, and the Firefox fix is unnecessary if you upgrade your router.

What About Everything Else?

So that takes care of the Browser, if you use Firefox. But what about everything else?

It seems that Cloudflare, Google and Quad9 are leading the effort around DNS over TLS, which puts the DNS protocol in a secure connection away from man-in-the-middle, eavesdropping and other attacks. This page gives a link to Chocolatey which is a DNSoverTLS solution for windows. If you have one Windows computer that you use, this may be the easiest solution for you.

For your Android Phone, if you have a very recent phone running Pie the DoTLS support is in the phone and you can turn it on. But Cloudflare appears to have made an App for both Android and IOS so your phone can have secure DNS no matter where you are.

But what about your home network?

The best solution is have a DoTLS solution in your home router. I have an ASUS RT-AC5300 router. So I could upgrade the firmware to an Open Source Merlin Firmware.

While this is an expensive router, ASUS have more affordable solutions. Amazon shows good prices for ASUS RT-AC56U and ASUS RT-AC1900 routers, both of which support the recent releases of Merlin firmware.

Installation on my router was easy. The installation was the same as for the normal firmware. Your mileage may vary.

As you can see, the router firmware came with lots of built in choices for DNS servers, including ones that Filter for security and “Family Friendly” browsing. I’m not clear whether “Adult Filter” means it lets in Adult content or restricts it. I’m using the  Security filter. I could not find descriptions of these choices on the Cloudflare site.

I think we will see several router manufacturers building DNS over TLS support into their routers soon. Of course the Router from your ISP will never have it, but you don’t want to use their router anyway.

Don’t Use a Router From Your ISP

If the only option you have from your ISP has a router in it, ask them to turn off the NAT  and Firewall features – Network Address Translation – of the ISP router and then connect your own router, which supports DNS over TLS to the ISP router / modem and manage your own network on your own router. I was surprised to find a while ago that a friend, who just got cable service, got a “Router” from the ISP that didn’t have a NAT or Firewall features in it at all. We had to rush to get a Router with a NAT Firewall so that their network could be safe. If you don’t understand why you need a NAT Firewall enabled in your router, please go study the issue using Google so that you can be safe online.