A Privacy Focused DNS Setup
Intro
For the last couple of years, I have been using PiHole as my local DNS server. When revisiting it recently, I was surprised not to see any option to use an encrypted DNS protocol, so I started looking for an alternative. In this post, I want to talk about my considerations while redoing my DNS setup.
Topology-wise, I use a local DNS proxy that talks to public resolvers, which in turn fetch the records from the DNS servers.
How does DNS affect your privacy
Every time you use a domain name (for example cwoellner.com) it needs to be translated into an IP address; this is done via the DNS protocol. These DNS queries contain your IP address and the domain name you want to have resolved, and by collecting the packets it is possible to reconstruct a rough version of your digital activities. This includes not only your browsing habits but also, for example, the typical time frame in which you use your PC, found by looking for requests towards your operating system's update servers or NTP servers. In countries with weak privacy laws this data is collected and sold by the ISP, and even if your ISP is not allowed to spy on you, government agencies might collect this data.
Encryption
Encryption was the main feature my old setup was missing. The DNS protocol is not encrypted, so if you don't want your traffic to be easily sniffed you will need to use DNS-over-HTTPS (DoH), DNS-over-TLS (DoT) or DNSCrypt.
I don't see much reason to encrypt DNS requests within my own network, so the connection between the clients and the local DNS proxy will keep using plain DNS, while the connection between the local DNS proxy and the public resolver will be encrypted. The choice of protocol does not matter much; all three do the job.
There is no way to influence the connection from the relay to the root servers, and in most cases it will be a plain connection, but since that connection uses the relay's address, or the answer will already be cached, it doesn't matter too much.
DNSSEC
The second core issue with DNS is that the DNS relay might send us manipulated data; this issue can be partially resolved using DNSSEC. DNSSEC allows the name server to sign the answer to our query, and we can then check the signature to ensure the data has not been manipulated.
DNSSEC needs to be enabled on the local DNS proxy and supported by the relay. Since most DNS proxy software already supports DNSSEC, enabling it on the proxy usually boils down to changing one setting.
Some domains do not have DNSSEC configured; sadly, there is no way to validate results from these domains.
Domain without DNSSEC:
Domain with DNSSEC:
Caching and load balancing
A privacy risk I have not talked about yet is the public resolver itself: even though I made sure to only pick resolvers that promise not to log queries, there is no way for me to verify that.
The fewer queries we send to a public relay, the less accurate the potentially created profile will be.
We can reduce the number of requests sent by caching the results we get back from the relays; since DNS records do not change all the time, this can be done without much of an issue.
The remaining requests can be split between multiple resolvers; when enough different resolvers are used, any harvested information becomes close to worthless. A positive side effect is that it also reduces the amount of centralization in the modern web.
Hiding your IP address using Tor
In order to mask our IP address, we can use the Tor network, which will replace our address with the address of an exit node. As long as there are enough people using the Tor network, our profile will become blurry.
Using Tor will add noticeable lag to our queries; in my experience the response times increase by ~300-600 ms. While I see all the other measures in this post as necessary, this change might not be optimal if low latency is needed.
When using Tor, make sure to use TCP only, since UDP is not supported by Tor.
Blacklists
Call-home traffic and tracking from smart home devices can be efficiently blocked by using blacklists. In fact, this was the main reason I started using PiHole: on average 8% of all requests are related to ads, tracking or call-home and can be blocked without any issues.
This is also being sold to enterprises by companies like Cisco/OpenDNS with a focus on blocking malware and phishing domains.
What am I using?
I ended up using dnscrypt-proxy 2, which supports all the features above. Traffic is proxied through the Tor service running on the same machine. Blacklists are pulled daily via a systemd timer. dnscrypt-proxy supports DoH, DoT and of course DNSCrypt.
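To make the individual sections above concrete, here is an added example of a dnscrypt-proxy 2 configuration that wires them all together: plain DNS towards the LAN, encrypted upstreams filtered by DNSSEC/no-log properties, a local cache, load balancing across resolvers, all upstream connections forced over TCP through the local Tor SOCKS port, and a local blocklist file that an external timer refreshes. This is not the author's actual file; the key names follow the example configuration shipped with dnscrypt-proxy 2 (older 2.0.x releases named the `[blocked_names]` section `[blacklist]` with a `blacklist_file` key), the LAN address is an assumption, and the minisign key is a placeholder to be copied from the project's example config.

```toml
# dnscrypt-proxy.toml (added example, not the author's file)

# Clients on the LAN speak plain DNS to this host ("Encryption" section).
listen_addresses = ['192.168.1.2:53']   # assumed LAN address of the proxy host
max_clients = 250

# An empty list means: use every resolver from [sources] that passes the
# require_* filters below, so queries are spread over many upstreams.
server_names = []
ipv4_servers = true
ipv6_servers = false
dnscrypt_servers = true
doh_servers = true

# Only select resolvers whose published properties match the requirements
# discussed above ("DNSSEC" and "Caching and load balancing").
require_dnssec = true     # resolver must perform DNSSEC validation
require_nolog = true      # resolver promises not to log queries
require_nofilter = true   # resolver does not censor; blocking happens locally

# Load balancing: 'p2' picks randomly among the two fastest resolvers.
lb_strategy = 'p2'
lb_estimator = true

# "Hiding your IP address using Tor": send every upstream connection through
# the local Tor SOCKS port. Tor carries TCP only, so UDP transport is disabled.
proxy = 'socks5://127.0.0.1:9050'
force_tcp = true
timeout = 5000            # Tor adds several hundred ms; keep the timeout generous

# Cache answers locally so fewer queries leave the network at all.
cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400
cache_neg_min_ttl = 60
cache_neg_max_ttl = 600

# "Blacklists": one domain pattern per line; the file itself is maintained by
# a separate job (the post uses a daily systemd timer for this).
[blocked_names]
blocked_names_file = 'blocked-names.txt'
log_file = 'blocked-names.log'

# Public resolver list, signature-checked with minisign before use.
[sources]
[sources.public-resolvers]
urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md']
cache_file = 'public-resolvers.md'
minisign_key = 'REPLACE_WITH_THE_KEY_FROM_THE_PROJECT_EXAMPLE_CONFIG'
refresh_delay = 72
```

Two points worth checking after starting the proxy with this file: the log should list several resolvers that survived the `require_*` filters (if it lists none, the filters are too strict for the chosen source list), and `force_tcp` must stay enabled as long as `proxy` points at Tor, otherwise UDP queries will silently fail. Note also that `require_dnssec` selects resolvers that advertise DNSSEC validation; the signature check happens at the resolver and is reported back through the AD flag, so the proxy is trusting the resolver's validation rather than re-verifying the signatures itself.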