Anonymity of DNS queries (caching + encryption)

Anyone who thinks about anonymity on the Internet knows a great way to hide their IP address on the Internet – it’s a VPN service. However, even with a VPN connection, often queries to the DNS server remain unprotected, and you can easily track where your DNS requests go. Otherwise, this is called “DNSleaks” or “DNS leak”.

Let’s take a closer look at what DNS is and what problems there are.

As you know, every computer on the Internet has its own IP-address, without knowing the IP-address of the computer, it is impossible to send him information or a request. The IP address has the form of a 4-byte number, separated by periods (for example, 162.234.12.110 or 78.31.54.226).

For a simple person to remember a large number of IP-addresses is not easy, so at the beginning of the development of the Internet there was a need for a tool that should make life easier for Internet users. Such a tool was the DNS-system of domain names. DNS server is a tool that allows you to determine the IP address for a domain name.

For example, you entered the address of the site in the browser’s bar, the browser sent a request to the DNS server specified in the settings of your Internet connection. The server sends back a packet with a response that contains the IP address of the desired site.

On the one hand, everything is done conveniently – you just stuck the cable in a network card, you automatically assigned the DNS server of the provider with a fast response and everything works. But on the other hand, there are two problems with this scheme:

1) There is no encryption of the connection . This means that any attacker can intercept your traffic and make a substitution of IP-addresses. For example, show you a fake Internet bank page. It is also desirable to hide this traffic from the provider or from law enforcement (it’s not enough that J).

2) The ISP’s DNS servers are legally required to keep logs (from which IP, to which sites they visited, and the connection time), and upon request from law enforcement to provide these logs (I hope everyone knew this? J). I will say even more, 99% of DNS servers in the world write logs and do not hide it.

If suddenly you do not want your data to be intercepted or read by the logs of your visits there is a reliable option. What should be done:

1) You need to encrypt the connection . For this, there is a DNSproxy program. It connects to the DNS server not directly, but is encrypted through the DNS resolver (it just redirects the requests to the DNS server). In turn, the resolver sends the data to the DNS server also via the encrypted connection. That is, in this way, using sniffers (for example WIreshark) you can only find the resolver’s IP address. But since packets are encrypted using “Elliptic curve cryptography” (elliptic cryptography), we can not determine which DNS server we are exchanging data with.

2) It is necessary to use DNS-servers that do not maintain logs . As you understand, the server of the provider immediately disappears. Also, for anonymity, you can not use Google’s DNS servers or Yandex, as they honestly admit to storing information (read their Privacy Agreements). But there are DNS-servers that will help us. This is www.opennicproject.org . The site says that the server does not write any logs (well, we’ll believe it). But, unfortunately, these servers are unstable and sometimes fall off. To solve this problem, you can use the program “Acrylic DNS Proxy “. It allows you to make requests not on one DNS server, but on 10 at once. And the packet from the server that comes soonest will be accepted by the program. Therefore, we will solve two problems at once: minimize the loss of query speed (because the fastest data exchange usually happens with the ISP’s DNS servers), and level out the instability of any servers.

So, we need to encrypt the connection to a secure DNS server. This is useful not only for those who do not use VPN (how to solve the problem of DNS leak will be written later). Let’s start:

1) Download AcrylicDNSProxy from here: http://mayakron.altervista.org/wikibase/show.php?id=AcrylicHome

Install. Change the configuration file in the folder with the installed program to the one already configured on the server www.opennicproject.org . The configuration file already configured by me here: https://www.sendspace.com/file/u51lus

2) In the settings of your network connection, you need to manually register a DNS address. We go to the “Network and Sharing Center” -> “Local Area Connection” -> “Properties” -> “Internet Protocol version 4 TCP / IPv4”. There we put 127.0.0.1. The second line should be left blank.

[Img]
Fig. 1

3) To start AcrylicDNSProxy go through Start and click ” Start Acrylic Service”. A message should appear about a successful start.

4) Now we check our DNS servers at www.perfect-privacy.com/dns-leaktest . It should be something like the screenshot:

[Img]
Fig. 2

You can add the file AcrylicController.exe to startup.

5) Now we encrypt our queries to DNS servers using DNScrypt.

Download the complete assembly: https://www.sendspace.com/file/o1pe2q

6) Unpack and run dnscrypt-winclient.exe. There we select our network card and click Install. Now the connection to DNS servers is encrypted.

7) Let’s check that now our services of verification will show us. Go to www.perfect-privacy.com/dns-leaktest . None of our servers should be defined.

And if you go to http://whoer.net , the only thing that it can show is the DNS resolver address through which DNS queries pass. The servers themselves are “unknown”.

[Img]
Fig. 3

VPN + DNS encryption

The figure shows a typical diagram of your connection when connecting to VPN servers.

[Img]
Fig. 4.

As you can see, there is a vulnerability – DNS queries can be sent simultaneously and through the VPN server, and directly to the specified DNS server of your network connection.

It would seem that you can simply manually register the DNS server in the connection settings as 127.0.0.1, so that there are no unnecessary requests to the DNS provider. But, obviously, if you disconnect from the VPN, the Internet will not work, because when connecting to the VPN, their own DNS servers are used. If you simply enter the two servers of the project www.opennicproject.org , this will reduce the speed of surfing on the Internet when the VPN is disabled. In this case, it is also recommended to install the program AcrylicDNSProxy, which will not allow you to drop the speed of surfing. But once AcrylicDNSProxy was installed, why not install DNScrypt? ;)

If you use VPN services 100% of the time, you can simply register one IP-address in the DNS settings: 127.0.0.1. It would be enough.

Thus, an interesting scheme was found that allows anonymizing and hiding DNS queries, which will help a little if you encounter “authorities”, and if the local evil hacker decides to redirect DNS requests and show your children sites instead of “Well, wait” – adult sites .

Note: if you do not need it all, just install AcrylicDNSProxy with your provider’s servers, Yandex, Google, etc., which will give you a tangible acceleration of Internet surfing.

Thank you for attention.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s