The competition in the free DNS service has became more fierce as Cloudflare with 184.108.40.206 had joined google’s 220.127.116.11, Cisco’s OpenDns, Quad9’s 18.104.22.168 and many more Providers and ISPs resolvers out there.
Cloudflare main claim to fame is their speed, and indeed recent benchmarks had shown that other than your own ISP servers, they’re true to their word.
Another often disregarded feature that was emphasized with this release is the support for DNS over TLS and DNS over HTTPS (DOH), which allows for increased privacy from anyone snooping on your queries, either the local internet cafe or your own ISP (or state?). It also provides protection from attacks such as the all-too-easy DNS Man-In-the-Middle, cache poisoning and many others.
It is apparent that no service is fully TNO (Trust No One) compliant. So what does one who wants to keep his full DNS usage from reaching one of these vendors? There are few options that comes to mind:
- Use a local ISP DNS Resolver. This of course will put all data in hands of the ISP, which might or not use that data. It is certainly been the case in recent years that ISPs use this data as a mean of added income, like placing ads and redirects on non existing lookups, or just sell the data to other vendors.
- Run your own DNS Resolver. This will probably put your mind at ease in regards to the usage of data of the local resolver, but keep in mind as that as a sole user on that server the DNS Resolvers upstream will still get your queries. It is also quite difficult technically to properly and securely maintain a DNS resolver (think hosting, bandwidth, security updates, configurations…)
- Split your queries across multiple vendors. This way, none of them will have your entire DNS activity. For the paranoid: create some background queries of random domains to further skew your profile.
Obviously we prefer № 3. But how is it done? It is actually quite easy to do using DNScrypt-Proxy — A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2 and DNS-over-HTTPs.
Once installed and configured as our main DNS resolver, we’ll use DNScrypt to randomly select a different DNS server for every query we make. The resolvers will be selected from a list of vetted DNS list according to a criteria that we’ll select: Resolvers who claim not to save any logs, does not filter any data and are either using DNSCrypt, DoT or DoH.
Sounds easy right? it surprisingly is.
Once that’s done, we’ll configure it according to our needs. We’ll start with the example config file:
cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
The example script is actually pretty well configured for our needs. we really need to change very few things. First is the load balancing strategy, which will determine which server will be elected for every query. we will go with random:
lb_strategy = 'random'
We want to make sure no UDP plaintext protocol will be used:
force_tcp = true
Disable tls session tickets to make it harder for passive tls decryption on continuous connections:
tls_disable_session_tickets = true
Make sure the configured system dns never get used:
ignore_system_dns = true
We let DNScrypt know what kind of restrictions we want for the DNS resolvers it connects to, to make sure we only connect to resolver that meet out demands (no filtering, no logging, use only secure connection):
dnscrypt_servers = truedoh_servers = true# Enforcing DNSSEC is optional at your discretion
require_dnssec = falserequire_nolog = truerequire_nofilter = true
Finally, if you plan on using the proxy on any other machine other the one its currently running on, change the listening address:
֫listen_addresses = ['XX.XX.XX.XX:53', '[::XX]:53']
now we’re ready to run DNScrypt:
[2018-04-19 15:32:35] [INFO] Loading source information from URL [https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md]
[2018-04-19 15:32:35] [INFO] Loading source information from URL [https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md.minisig]
[2018-04-19 15:32:35] [NOTICE] Source [public-resolvers.md] loaded
[2018-04-19 15:32:35] [NOTICE] dnscrypt-proxy 2.0.9
[2018-04-19 15:32:35] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2018-04-19 15:32:35] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2018-04-19 15:32:35] [NOTICE] Now listening to [::1]:53 [UDP]
[2018-04-19 15:32:35] [NOTICE] Now listening to [::1]:53 [TCP]
[2018-04-19 15:32:36] [NOTICE] [arvind-io] OK (crypto v2) - rtt: 196ms
18-04-19 15:32:53] [NOTICE] [soltysiak] OK (crypto v1) - rtt: 77ms
[2018-04-19 15:32:53] [NOTICE] [trashvpn] OK (crypto v2) - rtt: 88ms
[2018-04-19 15:32:54] [NOTICE] [ventricle.us] OK (crypto v2) - rtt: 153ms
[2018-04-19 15:32:54] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 62ms)
[2018-04-19 15:32:54] [NOTICE] dnscrypt-proxy is ready - live servers: 30
DNScrypt will choose resolvers that answer your criteria and will try to establish a connection with them, measuring their speed and checking the connection to them. Once done, it will announce the fastest server (Cloudflare, no surprises here) and the number of servers it was able to contact and validate.
Now, set you local machine DNS to the ip address DNScrypt is listening on, and you’re done! Every DNS query your machine makes will go out thru one of the 30 (!) different resolvers. How’s that for extra layer of privacy?
Not happy with running DNScrypt-proxy as a service on your local machine? no worries. It can easily be enabled in DD-WRT or Tomato firmwares of various popular routers.
So Here we are. The most secure and private DNS setup that I know of. Hopefully this short guide was helpful for you privacy nutters out there. If you have any comments or remarks please comment below!