Today we cover mitigations against DNS attacks concerning redirection, privacy, and security concerns. (DDoS attack, also possible).
First, a primer: the basics on DNS:
π DNS: π PHONEBOOK FOR THE π₯οΈ INTERNET
DNS standing for: Domain Name System
IP Address: set of numbers in the format of xxx.xxx.xxx.xxx when IPV4 (IPV6 making up a combination of both letters and numbers).
DNS: application layer of TCP/IP converting easy to remember domains (ie: yahoo.com) to their appropriate server IP addresses (for your network based applications).
π Think Of DNS As Your "Phonebook" For The Internet.
When you type a web address (domain), your computer application passes this request, cache is checked (for stored answers), finally making conversion to the domain's appropriate IP address.
Entire purpose: allow for usage of domains we can both recognize, and remember.
DNS Simplified Diagram:
IN THE CONTEXT OF DNS BEING: THE INTERNET'S PHONEBOOK...
IMAGINE...
If contacts in your phone switched out (midcall), redirecting you to a skilled scam artist.
You know who you called. Afterall, it's in your phonebook.
These are your saved contacts. You saved them. You trust them.
But as with phones, on the internet we rely on 3rd parties to handle DNS resolves...
DNS π PROBLEMS
DNS requests pass the domain names over network, through your ISP, in cleartext (by default)
That means all domains requested could be seen by others inside your shared network environment. They can see which computer requests what. A simple nmap sweep reveals your uniquely identifying machine hostname, mac address, within LAN (solution see: wipri)
This means your ISP can certainly see those domains too, even redirect / proxy them (mitigation below).
It also means using various techniques, malicious individuals (in the right position) can transparently proxy your DNS, redirecting you to other servers (especially within shared environments).
π DNS REDIRECTION: EXAMPLES
Above we see an example DNS redirection attack performed with 'dns-hijacker'.
Attacker injecting fake DNS entries takes our device to a malicious server (using real domain)
The connection to your bank may not arrive at your bank at all. Instead, redirecting you to load a phishing login page (showing the correct domain). It's another reason we need to pay serious attention to encryption, anytime it's in use.
(check https fingerprints).
As I've mentioned, (in USA for ex): ISP's are now allowed to sell customer information, "without explicit consent" (since 2017).
UPDATE: My analysis article / video on ISP's selling access to 90% internet activity here.
π ISP DNS CONCERNS
Censorship
Blocking domains by DNS request has been one of the top "go to methods" for ISP's around the world to perform censorship (in areas where this occurs). If you are still using your ISP's default DNS, you are vulnerable to this possibility. More on that below, in solutions.
It's one reason so many people use Tor Browser around the world.
By using Tor Browser, DNS requests aren't performed by us at all. In fact the exit node performs DNS lookups (when over Tor).
TIP: set 'https only' when Tor Clearnet Browsing. Tor cannot encrypt traffic from the exit, unless it is an onion address (your browser using https encrypts it).
(Image: Tor over clearnet: not hidden service).
Forcing https and ensuring a secure lock / cert helps mitigate this.
π£οΈ ISP DNS TRANSPARENT PROXYING
Other times ISP's work with partner 'advertising companies'. Many times this involves the transparent proxying of your DNS requests. Even redirecting them. Something I've come across with a major ISP.
One such company partnering with major ISP's was Barefruit. During a failed DNS query I discovered non-existing domains were resolving to Barefruit's servers, who then redirect machines to their "find what you were looking for" advertising partnership.
inetnum: 92.242.130.0 - 92.242.132.255
netname: BAREFRUIT-ERRORHANDLING
descr: NU
country: GB
org: ORG-BL53-RIPE
admin-c: PR42-RIPE
tech-c: PR42-RIPE
status: ASSIGNED PA
mnt-by: CATALYST2-MNT
source: RIPE # Filtered
This particular company is no longer in service (or at least changed their name).
π‘ SOLUTIONS: "ONE SIZE DOES NOT FIT ALL"
Now that we've gone over basic privacy and security implications, let's move into solutions.
The right solution depends on our goals. Each carries a differing level of risk to benefit.
TIP #1: Always ensure https certificates appear valid. It's why https exists.
Key Point: When redirected maliciously (via DNS), the cert will no longer be valid (unless the attacker is able to compromise cert auth).
This holds true for whatever solution you choose, including pihole, OpenDNS.
See image below for an example of a 'broken' cert:
π DNS SECURITY / π₯· PRIVACY SOLUTIONS
As with most security, encryption is here to assist us.
DNSSEC: DNS Security Extensions; This validates DNS using public key cryptography - Mitigates cache poisoning.
Downside: more complexity. Needs to be enabled for individual websites. Does not encrypt communication.
DNS over TLS: encrypts / wraps DNS requests over TLS, adding (DNS) privacy and integrity by design. Mitigate redirection attacks (still ultimately need to trust the DNS server provider you choose). Removes standard cleartext DNS eavesdropping (though the right access can provide domain information through other paths, IP address of server).
With this option, as with others, you still need to trust the DNS server in question not to sell or manipulate requests.
TIP: DNS over TLS prevents ISP proxying of DNS
DNS Over Tor: You can route DNS queries through the Tor Network.
Downside: you rely on exit relays for DNS. (mind TLS certs).
(not ideal for most setups outside full Tor connection)
DNS Over HTTPS: This option encrypts DNS queries (preventing manipulation) using HTTP / HTTP/2 protocols. Prevents ISP proxying DNS.
Benefit: blends in with normal https (TCP port 443) traffic.
Pihole: known for automated network-wide adblocking capabilities. Set computer / phone DNS settings to your Pihole server, and ad servers are automatically blocked in your browser. Works by blocking the connection to specific adservers by acting as a DNS sinkhole.
Add and share your own domains, lists and wildcards. All inside an easy to manage interface.
Nice, fun to use option - and you don't need a Raspberry Pi alone to run it - despite the name.
(donate to Pihole project)
Pihole Dashboard Screenshot: 
Unbound Recursive DNS Server: Combined with Pihole is recommended. Unbound DNS server reduces chance of being victim to DNS poisoning attack (doesn't negate completely). As with all options, there is some level of trust required (developers, upstream DNS).
(automated setup WiFi router image with internal Pihole adblocking + Unbound DNS server + firewall + more in "extras" section + available to regular β supporters to say"thank you" (ask).
π‘οΈ DNS SERVERS: WHO DO WE TRUST? π€
This is what it comes down to. Some level of trust is required with any of the DNS solutions we choose. Afterall, DNS servers we use have the capability to collect, sell information, and redirect to outside servers (using and paying attention to https / certs, are one way to root out this effort).
TIP: browser settings: set https only. Look out for broken certs.
At the same time, if we don't use outside DNS servers, we never know what our ISP's could be doing with our DNS data.
ISP's already have special access by having our personal information (raises value of data if sold).
It's up to us to weigh our options, and make that choice.
One thing is for sure: by decentralizing our data from the centralized ISP (wherever possible), we can take some of that power back.
-RTP
π Sharing Article Appreciated (Once Public)
π― Support Options (full option list / crypto)
π Membership (bonus posts / ideas & early content releases)
ποΈ π» Shop (refurbished coreboot Linux π» laptop / more open hardware supporting this)
π« FOLLOW ON SOCIAL MEDIA
π₯ VIDEO CHANNELS / MIRRORS:
Youtube Odysee Bitchute Peertube
π FEEDBACK / π¬ CONTACT
Share feedback, comments, or suggestions
π¨ EMAIL: righttoprivacy[at]tutanota.com / righttoprivacy[at]i2pmail.org
Share your thoughts βοΈ