🔐 Secure DNS

DNS snooping is a hot topic in information security

By this point, probably everyone is aware of the lengths that companies will go to in order to advertise to you, sell information about you to advertisers, and/or go to gather information about you to do all of the above.

But let's say you're savvy, and that you know about being tracked via cookies and other means delivered as part of almost every website you visit (including this one, you may see an ad at the top of this very page). Maybe you occasionally or regularly browse using Chrome's "incognito mode", Firefox's "private browsing", or similar functionality in other browsers. Or maybe you have ad blocking software or extensions like Ghostery or uBlock Origin. Maybe you even blackhole IP addresses or ranges of advertisers using a hosts file.

What tricks could advertisers and their "partners" possibly have left? DNS Snooping! Transcript of Security Now episode #723

Review: How does DNS Work?

DNS stands for "Domain Name Service" and its purpose is to translate readable domains names to IP addresses. Readable domain names, like leeadams.dev, are for the benefit of humans, whereas the machines need to know IP addresses in order to initiate and maintain communication of IP (Internet Protocol).

Domain name lookup consists of making a request from the local machine to the Domain Name Server(s) configured for its network in which the A record is requested. This record is the mapping from name to IP. There are many other record types, and you can read about them and other deails on Wikipedia.

#TimestampLocal IPRemote IPProtocolLength (bytes)Info
52.71110.0.0.2031.1.1.1DNS74Standard query 0x752a A leeadams.dev

Now, DNS queries such as the example above are over UDP. That means there is no inherent security protecting the contents of the request and response. This leaves the door pretty wide open for someone on your network, and certainly the owner of the DNS server, to inspect this traffic. Who could be on your network already!? Well, your ISP of course! Usually when your machine's network interface(s) are configured to join the network provided by you Cable, DSL, etc. provider, it is configured to utilize the ISPs Domain Name servers for resolution.

You might think, well fine. I'll just switch to one of the publicly and freely available Domain Name Service providers like Google's, CloudFlare's, or even IBMs "quad9" Two things about that:

  1. You would need to trust those DNS service providers -and-
  2. You ISP can still snoop the traffic since it will be traversing over their network to reach the DNS service providers.

What we really need is an encrypted communications protocol with Domain Name servers so that the traffic can't be snooped, and we still have to trust the Domain Name server's operator.

Enter DNSSec, DNSCrypt, DNS over HTTPS (DoH), and DNS over TLS (DoT)

I'll explain a little bit about DoT here, and try to cover the other options in additional articles later on.

Screenshot confirming my Android device running 'Pie' is using Cloudflare and DNS over TLS

DNS over TLS (DoT)

TLS (Transport Layer Security) is used to "wrap" the DNS communications between client and server, and since it provides encryption and data integrity features, it covers the above concerns nicely. I think you can kind of summarize it as being a similar approach to when HTTPS came along. Regular, unencrypted HTTP traffic was wrapped in TLS (previously SSL) and therefore the communication between clients and Web servers became secured. It may be that this option is becoming less popular in the advent of DoH, but the set up is dead simple for many devices and scenarios.

Example set up

Setting up DoT on Android is as easy as ... Pie

So DNS over TLS is a nice option, especially is your client platform – like Android Pie – can support it natively. Just turn it on! 1

  1. Go to Settings ? Network & internet ? Advanced ? Private DNS.
  2. Select the Private DNS provider hostname option.
  3. Enter one.one.one.one or 1dot1dot1dot1.cloudflare-dns.com and hit Save.
  4. Visit to verify DNS over TLS is enabled.


I'll cover DNS over HTTPS next, and the other options as time allows. Stay tuned!

  1. Security Now ep. 723 Notes