
A simple dns request

Regain your privacy: pro tip week one

Doing a little is better than doing nothing

Hello!

Everyone will remember 2020 as the year in which people around the world were forced to live most of their lives online. Remote work has suddenly become the norm, and for a lot of social activities people have come up with digital alternatives (an online yoga class, why not). The more we "live our lives online", the more we think about the privacy side of it.

Every normal person has curtains to shield his or her living room from prying eyes, so it is only logical that you will want digital curtains for your online living room or office space. A recent study by the Belgian research organisation “Kenniscentrum Data & Maatschappij” found that 78% of respondents are worried that data shared with a Covid-19 tracing app might be passed on to third parties without their knowledge or consent.1 Also, an increasing number of government bodies and businesses are warning people to be careful with just any free video conferencing software.

This shows that most people care more about their privacy than one might think. Yet for many it is still quite hard to figure out what can practically be done to protect it, and some may not even know what privacy actually means. With this series of posts I want to share a few pro tips to help change that.

First, let’s get everybody on the same page with a definition of privacy:

To have privacy is to have the ability to selectively disclose information about yourself.

In other words, you choose what others get to know about you. That is harder than it sounds, because you leak a lot of information about yourself online, often without knowing it. One of your biggest leaks is probably DNS, which makes it an important privacy vector.

Pro tip week one: take control over your DNS traffic.

DNWHut?! DNS, dear reader! That’s short for ‘Domain Name System’ and it is an essential part of the internet. Essentially it makes sure you can type https://duckduckgo.com in your browser (or any other URL) instead of https://52.213.95.108, see?

Ok, so how does that DNS system affect my privacy? In devious ways! I’ll explain. Whenever you look for a resource on the internet, you make a request for that resource. Requests come in many forms and can be created by many apps: your Outlook makes requests for emails, your browser makes requests for web pages and your WhatsApp app makes requests for new WhatsApp messages.

When a request is created, it contains the domain name of the target server. Example: when your Outlook app checks for new email, it will look for it at your company’s email server. That server might be located at mycompany-mail.outlook.com, and that name is included in the request.

Now comes the important part. Your Outlook app doesn’t know how to turn that domain name (mycompany…) into the location of the email server; it needs the raw numbers, the IP address. So before sending the actual email request, it sends the domain name part of the request to a DNS server.

That DNS server isn’t the same server as your email server, and is typically operated by your telecom provider (a company like Proximus or Orange). So your computer asks the DNS server “hey, can you tell me the numeric address for mycompany-mail.outlook.com?” and the DNS server replies “sure, it’s 123.45.6.7”.
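To make that exchange concrete, here is an added example in Python (my own code, not from the original post or from any tool it mentions). It builds the exact bytes your computer sends for such a lookup, decodes what comes back, and shows why anyone watching the wire can read the name. The constructed reply reuses the names, addresses and TTL from the capture further down in this post, but the bytes are assembled by hand; the resolve() function, which really talks to a resolver over UDP port 53, only runs when you execute the file directly.

```python
"""Minimal DNS wire-format encoder/decoder (RFC 1035), standard library only.
Added example, not code from the original post."""
import socket
import struct

QTYPES = {"A": 1, "CNAME": 5, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """'mail.example.com' -> b'\\x04mail\\x07example\\x03com\\x00' (labels, then a 0 byte)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype="A", txid=0x283F):
    """12-byte header (flags 0x0100 = recursion desired) + one question; sent as a UDP payload."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg, offset):
    """Read a (possibly compressed) name; return (name, offset just after it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:  # guard against a pointer loop in a hostile packet
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg):
    """Decode header, question and answer sections. The question name is never encrypted here."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPE_NAMES.get(qtype, qtype)))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype == 5:
            value, _ = decode_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        answers.append((name, QTYPE_NAMES.get(rtype, rtype), ttl, value))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def build_example_response():
    """Reply reconstructed by hand (constructed bytes) from the capture in this post:
    live-cf-vrt.akamaized.net AAAA -> CNAME a1574.dscw10.akamai.net -> 2600:1400:d::17db:5c28"""
    header = struct.pack("!HHHHHH", 10303, 0x8180, 1, 2, 0, 0)  # QR=1, RD=1, RA=1, 2 answers
    question = encode_name("live-cf-vrt.akamaized.net") + struct.pack("!HH", 28, 1)
    cname_target = encode_name("a1574.dscw10.akamai.net")
    # 0xC00C points back to the question name at offset 12; 0xC037 to the CNAME target at 55
    answer1 = b"\xC0\x0C" + struct.pack("!HHIH", 5, 1, 599, len(cname_target)) + cname_target
    addr = socket.inet_pton(socket.AF_INET6, "2600:1400:d::17db:5c28")
    answer2 = b"\xC0\x37" + struct.pack("!HHIH", 28, 1, 599, len(addr)) + addr
    return header + question + answer1 + answer2


def resolve(name, qtype="A", server="1.1.1.1", timeout=3.0):
    """Send the query over plain UDP/53; every hop on the path can read 'name' in it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_message(reply)


if __name__ == "__main__":
    q = build_query("live-cf-vrt.akamaized.net", "AAAA")
    print("query bytes:", q.hex())  # the domain name is readable in the hex dump
    print("question   :", parse_message(q)["questions"])
    print("reply      :", parse_message(build_example_response())["answers"])
    # print(resolve("duckduckgo.com"))  # live lookup, needs network access
```

Run it and look at the hex of the query: the labels live-cf-vrt, akamaized and net sit there in plain ASCII, which is all a device between you and the resolver needs.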

An example of a real DNS request

To explain how it can affect your privacy, I recorded some raw DNS traffic from my laptop, the same kind of data that ends up with my DNS provider. You can learn some pretty intimate things from this data. Let’s see, the raw line is:

18:59:31.497513 IP (tos 0x0, ttl 64, id 63989, offset 0, flags [DF], proto UDP (17), length 161) 185.115.216.75.53 > 1.1.1.1.33163: [udp sum ok] 10303 q: AAAA? live-cf-vrt.akamaized.net. 3/0/0 live-cf-vrt.akamaized.net. [9m59s] CNAME a1574.dscw10.akamai.net., a1574.dscw10.akamai.net. [9m59s] AAAA 2600:1400:d::17db:5c28, a1574.dscw10.akamai.net. [9m59s] AAAA 2600:1400:d::17db:5c13 (133)

When we eliminate the geek stuff, some interesting data remains:

Today at 18:59:31 I was at (the geolocation of my IP address, here 185.115.216.75) and started watching the live stream broadcast by VRT (live-cf-vrt.akamaized.net). That’s not super intimate on its own, but imagine your DNS provider records every DNS request and starts analysing them. After a while the DNS provider can get to know:

All your banking providers, not just the one you use to pay your subscription with

Your preferred social media accounts (also the naughty ones)

Your favorite media outlets, and possibly also your political orientation

Possibly even your sexual orientation.
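As an added example (not part of the original post), here is what such an analysis looks like in Python when run over tcpdump-style lines like the one above. The log lines are constructed for this example: the clients use documentation addresses (203.0.113.x) and the bank and news domains are made up. The code pulls out who asked, when, and for what, and tallies the domains per client, which is exactly the raw material for the profile described above.

```python
"""What a resolver operator (or anyone sniffing port 53) can reconstruct from
tcpdump-style DNS lines. Added example; the log lines below are constructed."""
import re
from collections import defaultdict

# Constructed sample in the same format as the capture line in this post.
# Client addresses are RFC 5737 documentation addresses, not real users.
SAMPLE_LOG = """\
18:59:31.497513 IP (tos 0x0, ttl 64, id 63989, offset 0, flags [DF], proto UDP (17), length 71) 203.0.113.7.33163 > 1.1.1.1.53: [udp sum ok] 10303+ AAAA? live-cf-vrt.akamaized.net. (43)
19:02:10.120004 IP (tos 0x0, ttl 64, id 63990, offset 0, flags [DF], proto UDP (17), length 66) 203.0.113.7.33164 > 1.1.1.1.53: [udp sum ok] 10304+ A? www.example-bank.be. (38)
19:02:12.900411 IP (tos 0x0, ttl 64, id 63991, offset 0, flags [DF], proto UDP (17), length 68) 203.0.113.7.33165 > 1.1.1.1.53: [udp sum ok] 10305+ A? login.example-bank.be. (40)
19:05:44.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 64) 203.0.113.9.50001 > 1.1.1.1.53: [udp sum ok] 1+ A? news.example.org. (36)
19:06:02.333333 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 60) 203.0.113.9.50002 > 1.1.1.1.53: [udp sum ok] 2+ A? example.org. (31)
"""

# timestamp, then "src.port > dst.port:", then "TYPE? name." (queries and replies alike)
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP .*? "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r".*?\b(?P<qtype>[A-Z]+)\? (?P<qname>[A-Za-z0-9.-]+?)\.(?:\s|$)"
)


def parse_line(line):
    """One tcpdump line -> {time, client, qtype, qname}, or None if it is not DNS."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # the client is whichever side is NOT talking on port 53 (works for replies too)
    client = m["dst"] if m["sport"] == "53" else m["src"]
    return {"time": m["time"][:8], "client": client,
            "qtype": m["qtype"], "qname": m["qname"].lower()}


def registrable_domain(qname):
    """Naive: last two labels. Wrong for suffixes like co.uk; real tooling uses
    the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])


def build_profiles(log_text):
    """client -> {'timeline': [(time, qname), ...], 'domains': {domain: count}}."""
    timeline = defaultdict(list)
    domains = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        timeline[rec["client"]].append((rec["time"], rec["qname"]))
        domains[rec["client"]][registrable_domain(rec["qname"])] += 1
    return {c: {"timeline": timeline[c], "domains": dict(domains[c])} for c in timeline}


if __name__ == "__main__":
    for client, profile in build_profiles(SAMPLE_LOG).items():
        print(client)
        for when, name in profile["timeline"]:
            print("  ", when, name)
        print("   domains:", profile["domains"])
```

Two clients, a few minutes of traffic, and you already know who banks where and who reads which news site. Scale that up to months and millions of subscribers and the list above writes itself.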

A DNS provider is often your telecom provider, but it can also be your employer (when you are on a corporate network), a hotspot operator (like in Starbucks or at railway stations), and basically anyone whose Wi-Fi network you log on to.

By default, DNS is not encrypted, which makes it extra vulnerable. If you don’t use encrypted DNS, every device between you and the DNS server (your router, the hotspot, your telecom provider’s network) can read, and even tamper with, your DNS requests. Luckily there are newer ways to encrypt DNS: DoT and DoH (DNS over TLS and DNS over HTTPS respectively). For instance, Android has had a built-in “Private DNS” setting based on DNS over TLS since Android 9 (Pie), and Firefox has DNS over HTTPS support built in, which you can switch on in its network settings. Find software to encrypt your DNS here: https://dnscrypt.info/ One caveat: encrypting DNS hides the lookup, not the connection that follows it. The IP address you then connect to is still visible to anyone on the path, and so, for most websites, is the server name sent in the TLS handshake (SNI).
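Added example, not from the original post: the same DNS message carried over HTTPS as defined in RFC 8484, in Python with only the standard library. The resolver URL is Cloudflare’s public DoH endpoint, chosen here as an assumption you can replace with any other DoH server; the query bytes are the www.example.com example from the RFC, written out by hand. What an observer on the path sees is no longer the question name but an ordinary TLS connection to the resolver.

```python
"""DNS over HTTPS (RFC 8484) with the standard library only.
Added example; the resolver URL is an assumption, swap in any DoH server."""
import base64
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumed endpoint, replaceable

# RFC 8484's example message: ID 0, flags 0x0100 (RD), one question, www.example.com IN A.
# Written out by hand so nothing here depends on a DNS library.
WIRE_QUERY = (
    b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header
    b"\x03www\x07example\x03com\x00"                      # QNAME
    b"\x00\x01\x00\x01"                                   # QTYPE A, QCLASS IN
)


def question_name(wire):
    """Pull the QNAME out of a wire message (single, uncompressed question)."""
    labels, i = [], 12
    while wire[i]:
        labels.append(wire[i + 1:i + 1 + wire[i]].decode("ascii"))
        i += 1 + wire[i]
    return ".".join(labels)


def doh_get_url(wire_query, base_url=DOH_URL):
    """GET form: the message travels base64url-encoded, without padding, in ?dns=."""
    token = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"


def doh_post_request(wire_query, base_url=DOH_URL):
    """POST form: the raw message is the body. Built but not sent, so it is testable offline."""
    return urllib.request.Request(
        base_url, data=wire_query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def doh_resolve_raw(wire_query, base_url=DOH_URL, timeout=5.0):
    """Send the POST over TLS; the reply body is in the same wire format UDP/53 would return."""
    with urllib.request.urlopen(doh_post_request(wire_query, base_url), timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("application/dns-message"):
            raise ValueError(f"unexpected content type: {ctype}")
        return resp.read()


if __name__ == "__main__":
    print("cleartext question inside the message:", question_name(WIRE_QUERY))
    print("same message as a DoH GET URL:", doh_get_url(WIRE_QUERY))
    # reply = doh_resolve_raw(WIRE_QUERY)  # live lookup over HTTPS, needs network access
```

The message bytes are identical to what goes into a UDP packet on port 53; only the envelope changes. That is also why the caveat above still holds: the resolver itself still sees every question, so DoH moves trust to the resolver operator rather than removing it.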


Configuring your DNS settings

There are also DNS providers that help you protect your privacy. Every provider has its pros and cons, so we recommend you switch providers regularly. It’s free, and that way no single party gets to see the bigger picture. Keep in mind that changing the address only changes who answers your queries: unless you also use DoT or DoH, the queries themselves still travel in plain text across your telecom provider’s network.

A few DNS providers with a good reputation are

OpenNIC (addresses 193.183.98.66 and 94.247.43.254)

DNS Watch (addresses 84.200.69.80 and 84.200.70.40)

Cloudflare (addresses 1.1.1.1 and 1.0.0.1)

Choose one from the list, and take note of the numeric addresses. You will need to add those to your network settings. Most computers and phones have room for two or more DNS server addresses. You can take the two addresses of the same provider, or mix addresses from different providers.

On a Mac, open System Preferences and click on the Network icon.

Click on Advanced and choose the DNS tab. Replace the listed numeric addresses with the ones from your chosen provider (eg. 1.1.1.1 and 84.200.69.80).

Click OK and apply. You’re all set now.

If you have a Windows computer, it’s a bit more tedious. Click on the Start menu, then click on Control Panel. Choose Network and Internet.

Click on Change Adapter Settings, then right-click on the Wi-Fi network you are connected to. Choose Properties. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.

Tick “Use the following DNS server addresses”. Remove any addresses that may already be listed and add the ones from your chosen provider (e.g. 1.1.1.1 and 84.200.69.80).

Click OK and close everything. You’re all set now.

When using an iPhone, you can do it from Settings. Tap Wi-Fi and then tap the information ‘i’ icon next to the Wi-Fi network you are connected to.

Scroll down until you see the section called Configure DNS and change the configuration from Automatic to Manual. Now tap Add Server.

Remove any addresses that may already be listed and add the ones from your chosen provider (e.g. 1.1.1.1 and 84.200.69.80). Tap Save, that’s it!

Configuring Android is as simple as configuring an iPhone. Open Settings, tap Wi-Fi, then press and hold the name of the network you are currently connected to. Tap Modify Network. Tick the checkbox “Show Advanced Options”. Change the IP Settings to the option called “Static”; the IP address and gateway fields must stay filled in with the values your network gave you.

Remove any addresses that may already be listed and add the ones from your chosen provider (e.g. 1.1.1.1 and 84.200.69.80). Tap Save, that’s it! Note that on both iPhone and Android this setting applies only to that one Wi-Fi network; on mobile data you still use your carrier’s DNS servers. On Android 9 and later the Private DNS setting (Settings, Network & internet, Private DNS) covers every connection and uses DNS over TLS as well.

Next week.

Doesn’t it feel good knowing that you are now a bit more in control of your privacy? To help you protect it even better, in next week’s post I’ll show you how to add an extra layer of security with a password manager. Stay tuned!