Encrypted DNS and DNS over HTTP (DOH)
DNS - aka how we locate the server addresses on internet is one of the weakest links of privacy and security. This is often used by the ISPs and others for DPI (Deep Packet Inspection), censorship and various types of traffic shaping.
The DNS system is generally a UDP traffic send to port 53 of various DNS servers. Named seems to the the major DNS server used everywhere. Recently much attention is provided on how to encrypt the DNS traffic. Perhaps the first such effort was from OpenDNS with DNSCrypt. There are numerous servers which provides DNScrypt now.
Encrypting DNS traffic
client -----> DNS server
The traffic can be easily encrypted preventing someone like an ISP to track and log the DNS queries and use the same for say ad-targeting.
For a fairly advanced user on both MacOS and Linux, its quite easy to setup the DNS encryption using DNSCrypt-Proxy.
DOH aka DNS over HTTPS
In the recent times, ie in 2019 Mozilla Firefox entered news for activating DOH. This itself shows much the DNS is exploited right now. Its a fairly simple mechanism where DNS traffic is sent encapsulated as encrypted HTTPS traffic making it difficult to trace. Well, the SNI aka Server Name Indication (https://en.wikipedia.org/wiki/Server_Name_Indication_ ) could be a deal breaker - and honestly I am not well aware of how SNI impacts DoH.
How to ensure secure DNS ?
While this is in no way a 100% secure mechanism, enabling DoH in Firefox and other browsers that supports it a good starting point.
Zdnet has a detailed article on enabling DoH : http://web.archive.org/web/20190927221427/https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/
A better mechanism
A safer, more efficient mechanism is to setup a local DNSCrypt-Proxy to both speed up the DNS & secure it even further.
An excellent how-to on the topic is below.
A sneak-peak:
First DNS query of the day / TTL period:
;; ANSWER SECTION:
slashdot.org. 599 IN A 216.105.38.15
;; Query time: 53 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 06 19:14:03 IST 2019
;; MSG SIZE rcvd: 140
Second Query, yay! zero milliseconds
; ANSWER SECTION:
slashdot.org. 473 IN A 216.105.38.15
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 06 19:16:10 IST 2019
;; MSG SIZE rcvd: 128
This post has been rewarded with 100% upvote from @indiaunited-bot community account. We are happy to have you as one of the valuable member of the community.
If you would like to delegate to @IndiaUnited you can do so by clicking on the following links: 5SP, 10SP, 15SP, 20SP 25SP, 50SP, 100SP, 250SP. Be sure to leave at least 50SP undelegated on your account.
Please contribute to the community by upvoting this comment and posts made by @indiaunited.
MacOS instructions are here https://news.ycombinator.com/item?id=16729705
[2019-10-09 17:26:26] [CRITICAL] Unable to retrieve source [public-resolvers]: [No IP found for [download.dnscrypt.info]]
[2019-10-09 17:26:26] [FATAL] No IP found for [download.dnscrypt.info]
https://github.com/DNSCrypt/dnscrypt-proxy/issues/866
Congratulations @bobinson! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :
You can view your badges on your Steem Board and compare to others on the Steem Ranking
If you no longer want to receive notifications, reply to this comment with the word
STOPDo not miss the last post from @steemitboard:
Vote for @Steemitboard as a witness to get one more award and increased upvotes!