[Crypto Security] - Increase security by using encrypted DNS

in LeoFinance, 2 months ago


This post is part of my Crypto Security series. I recommend checking out all of them.


What is DNS?

DNS (Domain Name System) is one of the most critical components of the Internet. It is the system that converts human-readable host names like bittrex.com into IP addresses like 104.17.155.108. Without it, the Internet would be virtually unusable to humans.

Every time you enter an address into your browser, your computer queries your assigned DNS servers for the IP of the host name you entered. For example, if you entered bittrex.com, DNS would respond with the 104.17.155.108 IP and your browser would connect to that IP. While it is possible to have multiple host names assigned to the same IP, that's beyond the scope of this guide.

What is the risk with unencrypted DNS?

These DNS requests are unencrypted and can easily be picked up by any computer on your network and any service in the middle like your Internet Service Provider or VPN provider. These requests can be stored to build a profile of your activity on a daily basis.

While you may not care if someone knows you visit http://papertoilet.com/ or even https://pornhub.com, there are other risks to using unencrypted DNS. MitM (Man In The Middle) attacks can hijack your DNS requests and return a potentially malicious IP instead of your legitimate destination. When you use third-party networks like schools, libraries, or even a friend's house, whoever runs that network can potentially intercept your DNS requests and log them or, worse, modify them.
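To make the two sections above concrete, here is an added example (not code from the original post) that builds the query your computer sends for bittrex.com in the RFC 1035 wire format, shows that the name sits in it as readable bytes for anyone on the wire, parses a constructed answer carrying the 104.17.155.108 address the post quotes, and then wraps the same query the way DNS-over-HTTPS (RFC 8484) carries it. The transaction ID, TTL and the response itself are constructed values; the `/dns-query` path is the standard DoH path that 1.1.1.1 serves.

```python
"""Added example (not code from the original post): build a DNS query for
bittrex.com in RFC 1035 wire format, show what a passive observer reads
from it on UDP/53, parse a constructed answer, and wrap the same query the
way DNS-over-HTTPS (RFC 8484) carries it to 1.1.1.1."""
import base64
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Host name -> DNS labels: each label length-prefixed, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """12-byte header (ID, flags with RD=1, QDCOUNT=1) plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Read labels at offset, following RFC 1035 compression pointers (0xC0..).
    Returns (name, offset just past the name as it sits in the message)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def observer_view(packet: bytes) -> str:
    """What anyone on the wire learns from a cleartext query: the name asked for."""
    return decode_name(packet, 12)[0]


def parse_response(msg: bytes) -> dict:
    """Question name and IPv4 answers from a DNS response message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = decode_name(msg, 12)
    offset += 4                                         # skip QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        _owner, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": flags & 0x0F, "qname": qname, "a": addrs}


def constructed_response(query: bytes, ipv4: str) -> bytes:
    """Constructed (not captured) resolver answer: same ID, QR/RD/RA set,
    question echoed, one A record whose owner is a pointer to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, 300, 4) + rdata
    return header + query[12:] + answer


def doh_get_url(query: bytes, resolver: str = "1.1.1.1") -> str:
    """RFC 8484 GET form: ID zeroed (cache-friendly), wire query base64url-encoded
    without padding in ?dns=; /dns-query is the standard DoH path 1.1.1.1 serves.
    The name now travels inside TLS instead of in a readable UDP payload."""
    wire = b"\x00\x00" + query[2:]
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={b64}"


if __name__ == "__main__":
    q = build_query("bittrex.com")
    print("cleartext UDP/53 reveals:", observer_view(q))
    print("same query over DoH:", doh_get_url(q))
    print(parse_response(constructed_response(q, "104.17.155.108")))
```

The point of `observer_view` is that it needs nothing but the packet bytes: the name is the first thing after a 12-byte header, which is why an ISP, a VPN provider or anyone on a shared network can log it. `doh_get_url` carries the identical message, but as a parameter of an HTTPS request, so the observer sees only a TLS connection to the resolver.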

How do I encrypt my DNS?

There are many ways to encrypt your DNS, and most modern browsers have DNS encryption built in. Unfortunately, most of them require a lot of work on your end, and few are fully supported.

There is one option that is free and easy, and I highly recommend doing it immediately to take advantage of encrypted DNS now.



Change your DNS servers to 1.1.1.1 & 1.0.0.1.

That's it!

Cloudflare spent a fortune to buy those IPs back in 2018 to provide faster DNS with more security. At the time it did not support encrypted DNS but it provided other security features such as a promise not to use and sell your data, something that most ISPs are doing right now. They also promise not to censor your activity, another problem currently happening with certain ISPs.

Not only will using Cloudflare's DNS provide you with more security, you will also notice it is the fastest DNS resolver on the planet according to DNSPerf.



You can verify whether you are using encrypted DNS by visiting Cloudflare's test page and clicking **Check My Browser**.

You should see something like this.

[screenshot: results of the Check My Browser test]

The final check, ESNI, is being abandoned for a new protocol, so you will likely fail it; most browsers do not support ESNI.
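The browser test above checks one device at a time. As an added example (not from the original post), the script below runs the same judgement over a constructed log of outbound connections from a home network, so every host that still sends cleartext DNS shows up, including the case where a machine talks to 1.1.1.1 but over plain UDP/53. The log format (src dst proto dport), the private addresses and the 203.0.113.53 "ISP resolver" address (a documentation range) are all constructed.

```python
"""Added example (not from the original post): an audit over constructed
network flow records that tells which hosts still send cleartext DNS, which
mirrors the "Check My Browser" result one device at a time."""
from collections import Counter, defaultdict

# The two resolvers the post recommends.
TRUSTED_RESOLVERS = {"1.1.1.1", "1.0.0.1"}

# Constructed flow log, one record per line: src dst proto dport.
# 203.0.113.53 stands in for an ISP resolver (TEST-NET-3, documentation range).
SAMPLE_LOG = """\
192.168.1.20 1.1.1.1 udp 53
192.168.1.20 1.1.1.1 udp 53
192.168.1.31 1.1.1.1 tcp 443
192.168.1.40 203.0.113.53 udp 53
192.168.1.1 1.0.0.1 tcp 853
"""


def classify(dst: str, proto: str, dport: int) -> str:
    """Label a flow by what it says about DNS transport security."""
    trusted = dst in TRUSTED_RESOLVERS
    if dport == 53:
        return "cleartext-to-trusted" if trusted else "cleartext-to-other"
    if proto == "tcp" and dport == 853:
        return "dot"                 # DNS over TLS
    if proto == "tcp" and dport == 443 and trusted:
        return "doh-likely"          # DoH shares 443 with ordinary web traffic
    return "other"


def verdict(classes: Counter, other_resolvers: set) -> str:
    """One line per host, worded like the browser test page."""
    if classes["cleartext-to-trusted"]:
        # Same situation the test page reports: right resolver, wrong transport.
        return "FAIL: secure resolver, but queries sent over an insecure connection"
    if classes["cleartext-to-other"]:
        return "FAIL: cleartext DNS to " + ", ".join(sorted(other_resolvers))
    if classes["dot"] or classes["doh-likely"]:
        return "OK"
    return "no DNS seen"


def audit(log: str) -> dict:
    """Per source host: class counts and a verdict."""
    counts = defaultdict(Counter)
    others = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        label = classify(dst, proto, int(dport))
        counts[src][label] += 1
        if label == "cleartext-to-other":
            others[src].add(dst)
    return {src: {"classes": dict(c), "verdict": verdict(c, others[src])}
            for src, c in counts.items()}


if __name__ == "__main__":
    for host, result in audit(SAMPLE_LOG).items():
        print(host, result["verdict"], result["classes"])
```

Two caveats when reading the output: "doh-likely" is a heuristic, because port 443 to 1.1.1.1 could equally be a visit to the test page, and DoH to any other provider is indistinguishable from ordinary HTTPS here; and a host that never resolves anything during the capture window is reported as "no DNS seen" rather than "OK".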

If you are going to be your own bank, you need to act as if you are one by locking your doors.

Posted Using LeoFinance Beta


Hmmm...I am using 1.1.1.1 as my DNS server but that site is reporting that my DNS is not secure. It says:

We detected you’re using 1.1.1.1 (a secure DNS resolver) but not over a secure connection. Anybody listening on the wire can see the DNS queries you make when using the Internet.

Any idea why that is and how I can fix it?


What browser? Depending on your browser/version you may need to go into the config page and turn on Secure DNS.

https://developers.cloudflare.com/1.1.1.1/dns-over-https/web-browser
^ This may help for configuring browsers.

Posted Using LeoFinance Beta

I'm using Brave. Secure DNS was turned on in the settings but for whatever reason I had to tell Brave to use Cloudflare for secure DNS even though it's set at my router also.


That's a new setting they just added. I noticed for me it works without specifying that but I did change it to specifically choose 1.1.1.1 recently to see if I could get ESNI working, but it is no longer being supported.

Glad you got it working, it's especially useful when traveling with a laptop on untrusted networks.

Posted Using LeoFinance Beta

Fantastic advice and part of a really valuable series. I haven't even considered encrypted DNS, but the stakes are growing and it is definitely a must for those looking to block out snoopers looking to steal crypto. This will only increase in urgency based upon unfortunate cases of theft.

Thanks Marky!

Did you see the recent news about the US government doubling up efforts and now looking for hackers to get into hardware wallets?


Posted via proofofbrain.io

The government has been working on ways to de-anonymize blockchain for years now, among other things I'm sure.

Posted Using LeoFinance Beta

I used OpenDNS a while back. I see they were bought by Cisco if that makes any difference. I had not set my DNS since I last installed Ubuntu, so it's using my ISP for now. I may try Cloudflare soon. Had to look up how you set it these days. This site tells you what you are currently using.

Update: Seems it's a bit more fiddly. netplan doesn't seem to like something about the file. Doesn't seem to like the device name even though it looks like it should be right. Oh well, it's a learning experience.

Update 2: Okay, so I can actually configure it in a GUI, but maybe encrypted DNS needs something else installing. In any case my email stops working when using 1.1.1.1. I'll revert it for now and investigate further.

Thank you for sharing this security tip. I will click on the link right away to check and do as you have said in this post.

Posted Using LeoFinance Beta

This is a great article and thanks for creating this series of posts.
One more thing that all the browsers support (I think all) is that they validate the SSL certificate associated with the DNS name. If the response is coming from another, malicious IP, it won't have the correct certificate and the browser will highlight that. But for that you need to make sure that you access and trust only HTTPS websites.


Posted via proofofbrain.io
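The certificate check the comment above describes, as an added example that is neither the commenter's nor the post's code: a browser only accepts a server certificate whose dNSName entries match the host it asked for, so a tampered DNS answer that sends the connection to a different server produces a certificate mismatch warning. The certificate names, the 203.0.113.10 address (a documentation range) and the `CONSTRUCTED_SERVERS` table are constructed; 104.17.155.108 is the address the post gives for bittrex.com. No real TLS handshake or CA chain validation is performed here.

```python
"""Added example (not from the comment above or the original post): the
host-name check a browser applies to a server certificate, run against
constructed certificate data to show why a hijacked DNS answer does not
get a working HTTPS connection. No real TLS or CA validation is performed."""


def hostname_matches(san_dns_names, host: str) -> bool:
    """RFC 6125-style dNSName matching: exact match, or a wildcard that
    covers exactly one leftmost label (so *.bittrex.com matches
    www.bittrex.com but neither bittrex.com nor a.b.bittrex.com).
    Public-suffix wildcard rules that browsers add on top are out of scope."""
    host = host.rstrip(".").lower()
    for pattern in san_dns_names:
        pattern = pattern.rstrip(".").lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]              # ".bittrex.com"
            leftmost = host[: -len(suffix)] if host.endswith(suffix) else ""
            if leftmost and "." not in leftmost:
                return True
    return False


# Constructed "servers": which certificate names the host at each IP presents.
# 104.17.155.108 is the address the post gives for bittrex.com; the
# certificate contents are constructed. 203.0.113.10 (TEST-NET-3) stands in
# for an address a tampered DNS answer might point to.
CONSTRUCTED_SERVERS = {
    "104.17.155.108": ["bittrex.com", "*.bittrex.com"],
    "203.0.113.10": ["unrelated.example"],
}


def https_name_check(requested_host: str, resolved_ip: str,
                     servers=CONSTRUCTED_SERVERS) -> str:
    """What the browser concludes after connecting to the IP DNS handed it."""
    presented = servers.get(resolved_ip)
    if presented is None:
        return "no-server"
    if hostname_matches(presented, requested_host):
        return "ok"
    return "certificate-mismatch"   # the browser warning the comment describes


if __name__ == "__main__":
    print(https_name_check("bittrex.com", "104.17.155.108"))   # legitimate answer
    print(https_name_check("bittrex.com", "203.0.113.10"))     # tampered answer
```

A real client does this name check only after verifying that the certificate chains to a trusted CA and that the handshake signature is valid, and the protection holds only as long as the site is reached over HTTPS and the warning is not clicked through, which is exactly the condition the comment attaches to it.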

I always had this question in my mind about which is probably the fastest DNS resolver on the planet, and your post has given me the answer to that in addition to how to secure and encrypt the DNS. Wonderful piece of information.

Upvoted and thanks for sharing this.

Any idea how I can make this work while using a VPN? I downloaded the Warp app, and when I turned it on I lost my VPN connection.

Normal DNS always sucks; 8.8.8.8 (Google) is much better than the standard ones. 1.1.1.1 is IMO one of the best, if not the best.

Posted Using LeoFinance Beta

Thanks for this article. You just made me curious, so I wanted to check if my VPN provider is actually encrypting my DNS inquiries or not... and luckily, it does! But I also realized looking around that many VPNs don't, so this is useful! :)


A good capture of a lock; it really caught my eye (as hundreds of thousands of times before, in other cases at other sites).

It is Creative Commons zero licensed artwork. Meaning it is free to use however you like without attribution. You can find CC0 artwork to use in your posts on pixabay.com.

Super, thanks for clarifying that. I've recently educated myself about both the family of CC licenses and certain species of it, and the OPL license (for free fonts).

Amazing article

Let them do it Marky.

Just 1 up them.

Shh no tears.

For the not so clever outdated boys.


Good day. Thanks for the informative post. There is something to think about now. Voted for you as a witness. I wish you success.

The rest of the lyrics @themarkymark. Let's jam at your place.

Do you have some tips to help me reach my goal? In turn, I'll drop a major futuristic need to know.

This is not about leapfrogging.

Let's exchange some peer-to-peer electronic cash.

HANDSHAKE = DECENTRALIZED DNS