Encrypt your DNS queries, stay anonymous
We think that connecting to a website over HTTPS is secure, which is true (well, not always!), but what about the DNS queries that you (your browser) send?
I got this question a while back, and after a quick Internet search I found the DNSCrypt protocol, which is really cool: it lets me encrypt my DNS queries.
First of all, what the heck is DNS? In simple terms, DNS (Domain Name System) is a service that resolves/translates a domain “name” to an “IP” address, or vice versa. So once you type google.com in your browser, a DNS query is fired to the DNS host (for example 220.127.116.11), asking “what is the IP of google.com”, and a DNS response comes back containing the IP of google.com. Now that we have the IP of google.com, the browser initiates a connection and establishes HTTPS.
So, you see, these DNS queries are not part of “HTTPS”. Let’s encrypt the DNS queries with DNSCrypt.
Why should we care about “DNS query encryption”? Well, sometimes eavesdroppers are interested in the metadata of a communication rather than its actual content.
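To make concrete what “not part of HTTPS” means, here is an added Python example (my own, not code from the original post or from the DNSCrypt project) that builds a plain DNS query for a name and shows what a passive observer on UDP port 53 can read straight out of the payload: the queried name, in the clear. The packet layout follows RFC 1035; the sample names are constructed.

```python
import struct

# Constructed example: the plaintext DNS wire format (RFC 1035) as seen by a
# passive observer on UDP port 53. Only the question section is handled here.

def encode_qname(name: str) -> bytes:
    """Encode "google.com" as length-prefixed labels: \\x06google\\x03com\\x00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # the empty root label terminates the name
    return bytes(out)

def build_query(name: str, txid: int = 0x1234, qtype: int = 1, flags: int = 0x0100) -> bytes:
    """A minimal DNS packet: 12-byte header + one question (default: A record, RD bit set)."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, others 0
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN

def decode_qname(packet: bytes, offset: int = 12):
    """Read a name starting at offset; return (name, offset just past the name)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # 11xxxxxx is a compression pointer (RFC 1035 4.1.4); not valid in a question
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def observed_names(payloads):
    """What an eavesdropper learns from a batch of plaintext DNS queries: the names."""
    names = []
    for p in payloads:
        _txid, flags, qdcount = struct.unpack("!HHH", p[:6])
        if flags & 0x8000 or qdcount != 1:
            continue  # QR bit set means a response; skip those and odd packets
        name, _ = decode_qname(p)
        names.append(name)
    return names

if __name__ == "__main__":
    q = build_query("google.com")
    print(q.hex())  # the ASCII labels are visible in the raw bytes
    print(observed_names([q, build_query("example.org")]))
```

Run it and the hex dump shows the labels in plain ASCII; a tcpdump on port 53 with -A would show exactly these names, which is the metadata an eavesdropper is after. With dnscrypt-proxy in place, the traffic to the upstream resolver is encrypted, so the same extraction no longer yields the names.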
What is DNSCrypt?
DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.
It is an open specification, with free and open-source reference implementations, and it is not affiliated with any company or organization.
There are some points to be noted:
- In order to use this protocol, we should install a package called dnscrypt-proxy.
- Normal name servers (like 18.104.22.168) won’t support this protocol. We should use these DNS resolvers.
- dnscrypt-proxy by default binds to the loopback interface (127.0.0.1) on port 53, so we have to make a little configuration change.
1. Install dnscrypt-proxy
From Ubuntu 16 / Linux Mint 18.x, dnscrypt-proxy is available in the official repo.
I found a PPA for Ubuntu 14.04 and Linux Mint 17.x
After installation, run dnscrypt-proxy with the --help argument to see its options and run it accordingly. But luckily I created a Python script which will do it for you.
After you run the script, it lists the DNS resolvers’ details like below. (The script downloads the resolvers CSV and passes this file as an argument to
Select one name server. You can see these name servers have options such as No Logging, which shows whether the provider logs your queries; choose one accordingly. (You can’t see these options/table headers in the above screenshot; you have to scroll up.)
Next, configure your network settings like below
Restart the network (disconnect and reconnect Wi-Fi) and you’re done!
To verify, run tcpdump -i any -n port 2053 (Why port 2053? Because in the above screenshot I selected option 66, which has
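As an added illustration of what the helper script does (this is my own example, not the script from the repository linked below; the CSV column names are my assumption about the v1 dnscrypt-resolvers.csv layout, so verify them against the header of the file you download), the following Python filters a constructed resolver list down to the entries with a No Logging policy and DNSSEC validation, builds the dnscrypt-proxy 1.x command line for the chosen entry (option names assumed; confirm with dnscrypt-proxy --help), and derives the tcpdump filter that checks queries really go to that resolver and its port, which is where the “port 2053” above comes from.

```python
import csv
import io

# Constructed sample in the column layout of the v1 dnscrypt-resolvers.csv
# (column names are an assumption; check the header of the file you download).
# Addresses are from the documentation ranges (RFC 5737 / RFC 3849); keys are placeholders.
SAMPLE_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-a,Example A,Constructed entry,Nowhere,,https://example.invalid,1,yes,yes,no,192.0.2.10:2053,2.dnscrypt-cert.example-a.invalid,PLACEHOLDER-KEY-A,
example-b,Example B,Constructed entry,Nowhere,,https://example.invalid,1,no,yes,no,192.0.2.11:443,2.dnscrypt-cert.example-b.invalid,PLACEHOLDER-KEY-B,
example-c,Example C,Constructed entry,Nowhere,,https://example.invalid,1,yes,no,no,[2001:db8::12]:443,2.dnscrypt-cert.example-c.invalid,PLACEHOLDER-KEY-C,
"""

def load_resolvers(text: str):
    """Parse the CSV into one dict per resolver, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))

def select_resolvers(rows, require_no_logs=True, require_dnssec=True):
    """Keep only resolvers whose policy columns match what we insist on."""
    def yes(row, col):
        return (row.get(col) or "").strip().lower() == "yes"
    return [r for r in rows
            if (not require_no_logs or yes(r, "No logs"))
            and (not require_dnssec or yes(r, "DNSSEC validation"))]

def split_address(addr: str):
    """'192.0.2.10:2053' -> ('192.0.2.10', 2053); '[2001:db8::12]:443' -> ('2001:db8::12', 443).
    Assumption: an address with no explicit port uses 443, the dnscrypt-proxy 1.x default."""
    addr = addr.strip()
    if addr.startswith("["):                      # [v6]:port form
        host, _, rest = addr[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else 443
    if addr.count(":") > 1:                       # bare IPv6 literal, no port
        return addr, 443
    host, sep, port = addr.partition(":")
    return host, int(port) if sep else 443

def proxy_command(row, csv_path: str, local_address: str = "127.0.0.1:53"):
    """Command line to start dnscrypt-proxy 1.x on the chosen resolver.
    Assumption: these option names are the 1.x ones; confirm with dnscrypt-proxy --help."""
    return ["dnscrypt-proxy",
            f"--resolvers-list={csv_path}",
            f"--resolver-name={row['Name']}",
            f"--local-address={local_address}"]

def verify_filter(row) -> str:
    """tcpdump filter matching traffic to the chosen resolver only; the post's
    'port 2053' is simply the port of the resolver that was selected."""
    host, port = split_address(row["Resolver address"])
    return f"host {host} and port {port}"

if __name__ == "__main__":
    rows = load_resolvers(SAMPLE_CSV)
    chosen = select_resolvers(rows)
    for i, r in enumerate(chosen, 1):
        print(i, r["Name"], r["Resolver address"],
              "dnssec=" + r["DNSSEC validation"], "nologs=" + r["No logs"])
    print(" ".join(proxy_command(chosen[0], "dnscrypt-resolvers.csv")))
    print("tcpdump -i any -n", verify_filter(chosen[0]))
```

The verification filter is deliberately narrowed to the resolver’s host as well as its port: seeing packets on the port alone does not prove they went to the resolver you picked, and a separate tcpdump on port 53 leaving the machine should stay quiet once the proxy is the only configured name server.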
Go beyond this script!
- An init script that runs at system boot, so that there is no need to run the above script again and again.
- Download the resolvers CSV file with: python dsncrypt.py -d
- resolver_name (by default it has the No Logging policy and DNSSEC) in the script.
Github Repository Link
DNSCrypt in Windows
Other resources you can try