How Cloudflare DNS Helps Solve 4 Big DNS Privacy Risks

The Problem With DNS and Privacy

The Domain Name System (DNS) is often called “the internet’s phone book.” It’s the technology responsible for linking the domains we all use every day (e.g. with the IP address of that site’s web server.

Of course, you could enter a site’s IP address and you would still end up at its homepage, but text-based URLs are much easier to remember, hence why we use them.

Unfortunately, DNS technology comes with many privacy issues. The issues can undermine your online safety, even if you take all the usual precautions elsewhere on your system. Here are some of the worst privacy issues associated with DNS.

1. Your ISP Is Watching

Because of the way DNS works, it acts as a log of the websites you visit. It doesn’t matter whether the site you’re visiting uses HTTPS—your ISP, mobile carrier, and public Wi-Fi providers will still all know exactly which domains you have visited.

Worryingly, since mid-2017, ISPs in the United States are allowed to sell their customers’ browsing data for financial gain. Indeed, the practice is common around the world.

Ultimately, your browsing history is helping vast corporations make money. It’s why you should always use a third-party DNS provider.

2. The Government Is Watching

Like ISPs, authorities can also use your DNS log to see what sites you’ve been visiting.

If you live in a country which takes a less-than-tolerant approach to political opponents, LGBTQ activists, alternative religions, and so on, visiting sites of that nature could land you in trouble.

Sadly, your DNS lookup history could reveal your private beliefs to entities who will potentially clampdown on you as a result.

3. Snooping and Tampering

You are also at risk from DNS’s lack of “last mile” encryption. Let’s explain.

There are two sides to DNS: Authoritative (on the content side) and a recursive resolver (on your ISP’s side). In broad terms, you can think of DNS resolvers asking the questions (i.e., “where can I find this site?”), and authoritative DNS nameservers providing the answers.

Data moving between the resolver and the authoritative server is (theoretically) protected by DNSSEC. However, the “last mile” —the part between your machine (called the stub resolver) and the recursive resolver—is not secure.

Sadly, the last mile provides plenty of opportunities for snoopers and tamperers.

4. Man-in-the-Middle Attacks

When you browse the web, your computer will frequently use DNS data that’s cached somewhere on the network. Doing so can help to reduce page loading times.

However, the caches themselves can fall victim to “cache poisoning.” It’s a form of man-in-the-middle attack.

In simple terms, hackers can take advantage of vulnerabilities and poor configurations to add fraudulent data to the cache. Then, the next time you try and visit the “poisoned” site, you’ll be sent to a server controlled by the criminal.

The responsible parties can even replicate your target site; you might never know you’ve been redirected and accidentally enter usernames, passwords, and other sensitive information.

This process is how many phishing attacks take place.

Leave a Reply

Your email address will not be published. Required fields are marked *