Re: Clioudfare's free DNS: Fwd: [IP] How to keep your ISP's nose out of your browser history with encrypted DNS

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Re: Clioudfare's free DNS: Fwd: [IP] How to keep your ISP's nose out of your browser history with encrypted DNS

Fritz Mills

Begin forwarded message:

From: "Dave Farber" <[hidden email]>
Subject: [IP] How to keep your ISP's nose out of your browser history with encrypted DNS
Date: April 9, 2018 at 8:01:54 AM CDT
To: "ip" <[hidden email]>
Reply-To: [hidden email]

Begin forwarded message:

From: Dewayne Hendricks <[hidden email]>
Date: April 9, 2018 at 8:29:58 AM EDT
To: Multiple recipients of Dewayne-Net <[hidden email]>
Subject: [Dewayne-Net] How to keep your ISP's nose out of your browser history with encrypted DNS
Reply-To: [hidden email]

[Note:  This item comes from friend Robert Berger.  DLH]

How to keep your ISP’s nose out of your browser history with encrypted DNS
Using Cloudflare’s, other DNS services still require some command-line know-how.
Apr 8 2018

The death of network neutrality and the loosening of regulations on how Internet providers handle customers' network traffic have raised many concerns over privacy. Internet providers (and others watching traffic as it passes over the Internet) have long had a tool that allows them to monitor individuals' Internet habits with ease: their Domain Name System (DNS) servers. And if they haven't been cashing in on that data already (or using it to change how you see the Internet), they likely soon will.

DNS services are the phone books of the Internet, providing the actual Internet Protocol (IP) network address associated with websites' and other Internet services' host and domain names. They turn into, for example. Your Internet provider offers up DNS as part of your service, but your provider could also log your DNS traffic—in essence, recording your entire browsing history.

"Open" DNS services provide a way of bypassing ISPs' services for reasons of privacy and security—and in some places, evading content filtering, surveillance, and censorship. And on April 1 (not a joke), Cloudflare launched its own new, free high-performance authoritative DNS service designed to enhance users' privacy on the Internet. This new offering also promised a way to hide DNS traffic completely from view—encryption.

Named for its Internet Protocol address, is the result of a partnership with the research group of APNIC, the Asia-Pacific Internet registry. While it's also available as an "open" conventional DNS resolver (and a very fast one at that), Cloudflare is supporting two encrypted DNS protocols.

While executed with some unique Cloudflare flare, isn't the first encrypted DNS service by any means—Quad9, Cisco's OpenDNS, Google's service, and a host of smaller providers support various schemes to encrypt DNS requests entirely. But encryption doesn't necessarily mean that your traffic is invisible; some encrypted DNS services log your requests for various purposes.

Cloudflare has promised not to log individuals' DNS traffic and has hired an outside firm to audit that promise. APNIC wants to use traffic data to point to the IP address, which has the unfortunate legacy of being a dumping ground for "garbage" Internet traffic, for research purposes, according to APNIC's Geoff Huston. But APNIC won't have access to the encrypted DNS traffic in this case, either.

For users, taking advantage of encrypted DNS services from Cloudflare or any other privacy-focused DNS services is not as easy as changing a number in network settings. No operating system currently directly supports any of the encrypted DNS services without the addition of some less-than-consumer-friendly software. And not all of the services are created equally in terms of software support and performance.

But with consumer data as product all over the news as of late, I set out to see just how to get Cloudflare's encrypted DNS service working. And overcome by my inner lab-rat, I ended up testing and dissecting clients for multiple DNS providers using three of the established protocols for DNS encryption: DNSCrypt, DNS over TLS, and DNS over HTTPS. All of them can work, but let me warn you: while it's getting easier, choosing the encrypted DNS route is not something you'd necessarily be able to walk Mom or Dad through over the phone today. (Unless, of course, your parents happen to be a seasoned Linux command-line user.)


Dewayne-Net RSS Feed:

____________TidBITS Talk Participation Guidelines____________
Post only when you have something substantive to contribute.
Be polite and constructive, and comment on posts, not people.
Quote sparingly, if at all. We all read the previous message.
Start threads with a new message to [hidden email].
Read archives at:
Unsubscribe at:
____Mailing List Manners: ____