Encrypt your DNS queries, stay anonymous

We tend to assume that connecting to a website over HTTPS is secure, which is true (well, not always!), but what about the DNS queries that you (or rather your browser) send?

[Image: HTTPS example]

Sure, with HTTPS all your request data (POST or GET) is encrypted end-to-end, which gives you confidentiality and prevents eavesdropping and MITM attacks. But again, what about the DNS queries?

I had this question a while back, and after a quick Internet search I found the DNSCrypt protocol, which is really cool: it lets me encrypt my DNS queries.

First of all, what the heck is DNS? In simple terms, DNS (Domain Name System) is a service that resolves/translates a domain “name” to an “IP”, or vice versa. So once you type google.com in your browser, a DNS query is fired at a DNS host (for example 8.8.8.8), asking “what is the IP of google.com?”, and a DNS response comes back containing the IP of google.com. Now that we have the IP of google.com, the browser initiates a connection and establishes HTTPS.

So, as you can see, these DNS queries are not part of “HTTPS”. Let’s encrypt the DNS queries with DNSCrypt.

Why should we care about “DNS query encryption”? Well, sometimes eavesdroppers are more interested in the metadata of a communication (which names you look up, and when) than in the actual content.

What is DNSCrypt?

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.

It is an open specification, with free and open-source reference implementations, and it is not affiliated with any company or organization.

Some points to note:

  • In order to use this protocol, we need to install a package called dnscrypt-proxy
  • Normal name servers (like 8.8.8.8) don’t support this protocol. We have to use one of these DNS resolvers
  • By default dnscrypt-proxy binds to the loopback interface (127.0.0.1) on port 53, so a little configuration change is needed.

1. Install dnscrypt-proxy

From Ubuntu 16 / Linux Mint 18.x, dnscrypt-proxy is available in the official repo.

sudo apt-get install dnscrypt-proxy

I found a PPA for Ubuntu 14.04 and Linux Mint 17.x:

sudo add-apt-repository ppa:anton+/dnscrypt
sudo apt-get update
sudo apt-get install dnscrypt-proxy

2. Start dnscrypt-proxy

After installation, run it with the --help argument to see the options and start it accordingly. But luckily, I created a Python script which will do it for you.

wget -qO dnscrypt.py https://goo.gl/zjZYVR
sudo python dnscrypt.py

After you run the script, it lists the DNS resolver details like below. (The script downloads the resolvers CSV and passes this file as an argument to dnscrypt-proxy.)

[Image: Run the script]

Select one name server. These name servers have DNSSec and No Logging options, which tell you whether the provider validates DNSSEC and whether it logs your queries; since the resolver you pick still sees every query in the clear, choose accordingly. (You can’t see these options/table headers in the screenshot above; you have to scroll up.)
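As an added example (not the author’s dnscrypt.py), here is a small Python script that does the same kind of work the page describes: it parses a resolvers CSV, keeps only resolvers with DNSSEC validation and a no-logs policy, builds the dnscrypt-proxy command line, and derives the tcpdump filter used for verification. The CSV rows are constructed sample data with placeholder keys, and the --resolvers-list, --resolver-name and --local-address flags are assumed from dnscrypt-proxy 1.x.

```python
import csv
import io
import shlex

# Constructed excerpt of a dnscrypt-resolvers.csv. The column names follow the
# dnscrypt-proxy 1.x resolver list; the rows are sample data and the keys are
# placeholders, not real provider keys.
RESOLVERS_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
soltysiak,Soltysiak,Sample no-logs DNSSEC resolver,PL,,https://example.invalid,1,yes,yes,no,178.216.201.222:2053,2.dnscrypt-cert.soltysiak.com,PLACEHOLDER-KEY-1,
logs-everything,Logs Everything,Sample resolver that keeps logs,XX,,https://example.invalid,1,yes,no,no,192.0.2.10:443,2.dnscrypt-cert.example.invalid,PLACEHOLDER-KEY-2,
no-dnssec,No DNSSEC,Sample resolver without DNSSEC,XX,,https://example.invalid,1,no,yes,no,192.0.2.11:443,2.dnscrypt-cert.example.invalid,PLACEHOLDER-KEY-3,
"""


def load_resolvers(csv_text):
    """Parse the resolver list into one dict per resolver, keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def privacy_preserving(resolvers):
    """Keep only resolvers that both validate DNSSEC and promise not to log."""
    return [r for r in resolvers
            if r["DNSSEC validation"] == "yes" and r["No logs"] == "yes"]


def proxy_command(resolver, csv_path, local_address="127.0.0.1:53"):
    """Build the dnscrypt-proxy command line for the chosen resolver
    (flags assumed from dnscrypt-proxy 1.x)."""
    return ["dnscrypt-proxy",
            "--resolvers-list=" + csv_path,
            "--resolver-name=" + resolver["Name"],
            "--local-address=" + local_address]


def capture_filter(resolver):
    """tcpdump filter to confirm queries only leave towards the chosen resolver."""
    host, port = resolver["Resolver address"].rsplit(":", 1)
    return "host %s and port %s" % (host.strip("[]"), port)


if __name__ == "__main__":
    candidates = privacy_preserving(load_resolvers(RESOLVERS_CSV))
    chosen = candidates[0]
    print(" ".join(shlex.quote(a) for a in proxy_command(chosen, "dnscrypt-resolvers.csv")))
    print("sudo tcpdump -i any -n " + capture_filter(chosen))
```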

Next, configure your network settings like below.

[Image: Network config]

Restart the network (disconnect and reconnect Wi-Fi) and you’re done!

To verify, run tcpdump -i any -n port 2053 (Why port 2053? Because in the screenshot above I selected option 66, which has 178.216.201.222:2053.)

What’s happening?

[Image: Diagram]

Go beyond this script!

I created an init script which runs at system boot, so there is no need to run the above script again and again.

  • Download the resolvers CSV file with: python dnscrypt.py -d
  • Specify resolver_name in the script (by default it is soltysiak, which has a No Logging policy and DNSSec).

sudo wget -O /etc/init.d/encryptdns https://goo.gl/opZ78J
sudo chmod +x /etc/init.d/encryptdns
sudo update-rc.d encryptdns defaults
sudo service encryptdns start

Github Repository Link

https://github.com/veerendra2/useless-scripts

DNSCrypt on Windows

Simple DNSCrypt

Other resources you can try

Written on January 22, 2018