UPDATE (26-Jan-2018): If you use a Virtual Private Network (VPN), then you do not necessarily need to worry about encrypting your DNS traffic as long as a), your VPN offers a DNS service and b), you trust them. The other primary advantage of using a VPN is that, like Tor, all of your internet traffic between you and the VPN exit node is encrypted, meaning neither your ISP nor anyone else should be capable of monitoring it. Yes, a VPN is yet another expense and as much as i dislike paying more to access the web on top of what my ISP charges, it doesn't cost much and i can't see myself ever going back to not using one.
After having done quite a bit of research, i originally chose AirVPN somewhere arougn 2015 and was happy with their service. Currently i'm using NordVPN and their service seems quite good also. The reason i switched is because i hated the AirVPN client app for Linux which depends on Mono, however that niggle is now obsolete since my VPN connection is done on my network router. Both companies tell us they keep no longs and block no ports or protocols, meaning you can torrent all you want without any bandwidth caps. AirVPN has some nice tools in their control panel that NordVPN doesn't, but there was nothing there i needed. Both providers offer client apps to make connecting to their service easy, though so do many other VPN providers.
DNS — Domain Name System — is the service responsible for converting a domain name, such as '12bytes.org', to an IP address that is understood by computers routing internet traffic. The DNS server(s) that you are currently accessing to convert domains to IP addresses are configured in the properties of your network adapter, each adapter having its own DNS configuration, or perhaps your router or modem.
DNS is a weak link in the internet chain because this traffic is most often unencrypted and open to man-in-the-middle (MITM) attacks, even when visiting an encrypted (https) website. An attacker can easily set up their own DNS server and, using a little social engineering and/or malware, convince you to change your current DNS server, or change it without your knowledge, to the one controlled by the attacker. One possible result is that you could visit 'your-bank.com' but actually land on a forged website that may look exactly like the authentic one and thus there would be no cause for alarm while you log on with your user name and password, which would then be in the hands of the attacker. I am quite sure the tactic of DNS spoofing is used by law enforcement as well.
Lastly, i wrote this tutorial while using Windows and have since switched to Linux. A tutorial for the Debian flavors of Linux can be found here.
Securing your DNS traffic is easy using DNSCrypt (don't download the client from the OpenDNS page). If you're not afraid of the command-line and wish to keep the process as efficient as possible, i would suggest reading the article How to Encrypt Your DNS for More Secure Browsing by How-To Geek. If you prefer a point-and-click approach however, along with a nice GUI for controlling DNSCrypt and selecting your DNS server, here's how to install and configure Simple DNSCrypt:
If you have another version of DNSCrypt installed, uninstall it first. If there is no uninstaller, then run the following command:
Next, download Simple DNSCrypt from the authors site and install the .msi package. The GUI to configure the DNSCrypt client should start automatically after the installation is complete. Configuring the DNSCrypt client is easy:
- Enable DNSCrypt for your network adapter.
- Select a DNS service.
- Enable the Primary DNSCrypt Service. If the service does not start, try disabling DNSCrypt for your adapter and then enabling the service. Note that the Secondary Resolver settings are disabled because this feature is not completely implemented at the time of this writing.
- In the 'Advanced Settings' you can download a fresh copy of the DNS resolvers list and by clicking the 'Plugins' button you can disable IPV6.
- Open port 443 in your firewall to allow outgoing UDP traffic for dnscrypt-proxy.exe if you need to.
- If you installed the 'dnscrypt-proxy' service, you can exit the Simple DNSCrypt GUI, otherwise it will need to be left running.
Verify DNSCrypt is working…
To verify that everything is working, check the properties for your network adapter and make sure the primary DNS server is set to 127.0.0.1 and that the secondary server is empty as seen in the screen-shot. If it is not, make it so. Next, try visiting a website to make sure everything is working.
If necessary, reboot your machine or flush the Windows DNS cache by opening a command prompt and entering:
ipconfig /flushdns, then load a web page to ensure DNSCrypt is working.
If you're wondering about the default Windows 'DNS Client' service, leave it running. You can also leave in place any firewall rules for DNS look-ups on port 53 to enable easy switching of the DNS servers in your network adapter for troubleshooting purposes.
At this point i'm not entirely sure what happens with DNS caching, but it appears that a query is sent with every request, which is not optimal. I hope to write more about this after i figure out exactly what is happening in this regard.