One Little (Free) Tool to Kill All Ads and Trackers

David
6 min read, Jan 11, 2020

The Domain Name System (DNS) is like the phonebook of the Internet. Computers on a network need IP addresses (the addresses of the servers hosting the website or app). It would be hard for people to remember to type 172.217.21.238 every time they wanted to visit Google.com. DNS exists so that domain names (like my domain www.sharkey.io) can be used instead.

@wanaktek via Twenty20
Blocked DNS queries using NextDNS.io after just one week of use. More stats at the bottom!

We rarely think about what DNS service we’re using on our phone or laptop. We think if our network is “secure”, then SURELY our traffic is safe.

Do you know what DNS service YOU are using?

The answer to the above is usually no. And that is fine. DNS isn’t a buzzword like VPN, blockchain, crypto or encryption.

Who manages the address books of the internet?

Who provides your DNS can make a huge difference to your experience online. Most users do not change their resolver settings and will likely end up using the DNS resolver from their network provider.

Wikipedia’s list of DNS providers (where is NextDNS??)

The most obvious observable property of which DNS resolver you use is the speed and accuracy of name resolution (how quickly you get the address back). Features that improve privacy or security are less visible and less easily understood, but a secure DNS service helps prevent others from profiling or interfering with your browsing activity. This is especially important on public Wi-Fi networks, where anyone in physical proximity can capture the wireless traffic (and, on an open network, read it).

What’s the risk?

Ever since DNS was created in 1987, it has been largely unencrypted. Anyone between your device and the resolver is able to snoop on, or even modify, your DNS queries and responses. This includes anyone on your local Wi-Fi network, your Internet Service Provider (ISP), and in-transit providers (or your government). This affects your privacy by revealing the domains you visit.

Your ISP or a malicious actor can collect metadata about the names you look up. Maybe they can’t read your messages or emails, but they can tell what services you use, how often you use them, where you use them and much more.

How encrypted DNS can help protect you from hackers (image thanks to Cloudflare)

Imagine you sit down in a cafe and open your laptop. I am sitting in the corner and I have decided I am going to learn about you. I watch your unencrypted DNS requests go to cat-memes.com, and every few minutes you check webmd.com. I can easily guess that you’re sick and have a cat. A lot can be learned by watching someone’s internet usage, and privacy becomes an issue with respect to other users, your ISP (or your government).

Using a VPN can also protect you here. But encrypting your DNS requests and choosing the DNS server they go to can protect you without slowing you down (or costing you much; NextDNS is free).

Unencrypted DNS has been abused by ISPs in the past to inject advertisements, and it is also a privacy leak: nosey visitors in the coffee shop can use your unencrypted DNS traffic to follow your activity and see which sites you are visiting. All of these issues can be addressed by using DNS over TLS (DoT) or DNS over HTTPS (DoH), the two standard methods of encrypting DNS requests.
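To make the difference concrete, here is an added example (not code from the original post): it builds a plaintext DNS query, shows how the queried name can be read straight out of the packet by anyone on the path, and then wraps the same message the way DoT (RFC 7858) and DoH (RFC 8484) carry it. DOH_URL is assumed to be Cloudflare’s public DoH endpoint and is only used to form a request; nothing is sent.

```python
"""Plaintext DNS query vs. the same message carried by DoT (RFC 7858) and DoH
(RFC 8484). Added example, not from the original post; DOH_URL is assumed to be
Cloudflare's public resolver endpoint and is used only to form a URL offline."""
import base64
import struct

DOH_URL = "https://cloudflare-dns.com/dns-query"  # assumption, see lead-in


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard A query for `name` in DNS wire format (RFC 1035)."""
    # header: id, flags (RD set), qdcount=1, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_qname(packet: bytes) -> str:
    """What the cafe observer or the ISP reads straight off an unencrypted query."""
    labels, pos = [], 12  # question section follows the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def dot_frame(packet: bytes) -> bytes:
    """DoT: same bytes, two-byte length prefix, sent over a TLS stream to port 853."""
    return struct.pack("!H", len(packet)) + packet


def doh_get_url(packet: bytes, url: str = DOH_URL) -> str:
    """DoH GET form: message base64url-encoded in the `dns` parameter, '=' padding
    removed. The URL travels inside TLS, so only the resolver sees the name."""
    param = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return url + "?dns=" + param


def from_doh_param(param: str) -> bytes:
    """Reverse of doh_get_url: restore padding and decode (what the resolver does)."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
```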

What can I do?

There are several options out there to protect yourself and ensure your DNS requests are encrypted.

Warp and NextDNS in the iOS App Store

Warp (1.1.1.1)

The first is Warp from Cloudflare. Cloudflare has been advertising its free service and DNS resolver heavily, promising quicker speeds and “optimized routing”. The service is backed by a huge company that protects many sites online; they protect several of my domains and have informed me of attacks as they happen.

NextDNS

The alternative, and the whole reason for this post, is NextDNS. They take a different approach to DNS: they not only encrypt your requests, but also block ads, trackers and malicious websites on all your devices. It’s one of the few times you can turn on a service and watch it work in real time. It works much like a Pi-hole (a self-hosted DNS resolver that “points ads to a black hole”). The service is modelled to provide the same functionality as a Pi-hole without any of the hardware costs.
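What “pointing ads to a black hole” means in practice, as an added example that is not Pi-hole’s or NextDNS’s code: parse a hosts-style blocklist, then decide per query whether to answer with a sinkhole address or forward the query upstream. The blocklist and allowlist are constructed, and matching subdomains of a listed name is an assumption about the design here, not a claim about either project.

```python
"""Sinkhole decision a Pi-hole-style blocker makes per query. Added example, not
Pi-hole's or NextDNS's code; blocklist and allowlist are constructed, and the
subdomain matching is an assumption about the design, not either project."""
from dataclasses import dataclass
from typing import Optional, Set

BLOCKLIST_TEXT = """
# comments and blank lines are ignored
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
127.0.0.1 localhost
"""
ALLOWLIST = {"cdn.tracker.example.org"}  # constructed: exact-name exception
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts_blocklist(text: str) -> Set[str]:
    """Collect hostnames from 'ADDR name [name...]' lines that point at a sinkhole."""
    blocked = set()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in SINKHOLE_ADDRS:
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


@dataclass
class Decision:
    blocked: bool
    reason: str
    answer: Optional[str]  # address handed to the client; None means forward upstream


def decide(qname: str, blocked: Set[str], allow: Set[str]) -> Decision:
    """Exact allowlist first, then walk up the labels so x.ads.example.net matches."""
    name = qname.lower().rstrip(".")
    if name in allow:
        return Decision(False, "allowlisted", None)
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in blocked:
            return Decision(True, "matches " + suffix, "0.0.0.0")
    return Decision(False, "not listed", None)
```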

They are currently in beta, and traffic through their service is unlimited. With new partnerships with Mozilla, they have proven themselves to be formidable newcomers.

They have setup guides for every device you could want, and their client is open source on GitHub.

NextDNS setup guides and open-source apps for Linux, Chrome, Firefox, iOS, Android and routers

Their privacy policy is very clear and simple, and can be read by anyone without a law dictionary. They clearly state on the first line:

We do not (and will never) sell, license, sub-license or share any of the data submitted directly or indirectly by our users with any person or entity.

Their privacy policy, simple (download and go) applications, and customization have convinced me this is the real deal. You can see it working in the image below, from the Irish Independent app: the “Sponsored Content” is not visible once NextDNS is active.

Screenshots from 2 Articles on The Irish Independent Application (Android)

Conclusion — Do I trust NextDNS? (Yes, but no, but yes?)

NextDNS is fantastic. It’s free for now, and will have a free tier once it is out of beta. The paid tier (for more than 300,000 requests) will be very affordable at $2 per month for unlimited usage.

The other option is to host your own Pi-hole. NextDNS’s service is modelled on Pi-hole, and they openly admit this in their FAQ. I personally host my own Pi-hole on a Raspberry Pi 3B+ and route the traffic in my apartment through it. I trust NextDNS to protect me while I am on mobile data or in a coffee shop, but at home I enjoy knowing that I have 100% control over my connection and DNS settings.

(I also use ExpressVPN when I am on public Wi-Fi I don’t trust; it is the best VPN I have used to date.)

My Raspberry Pi running Pi-hole on DietPi

Some stats from my personal NextDNS configuration:

Less than 30 days of usage (Primarily on my Mac)
Very clear what computer I own
Note some traffic was being sent to China!!


David

General geek, engineer. Productivity, Python, and anything I can break or build. Why not?