DNS Query Anonymity: Caching and Encryption

Tomcat

Anyone who thinks about anonymity on the Internet knows a great way to hide their IP address: a VPN service. However, even with a VPN connection, queries to the DNS server are often left unprotected, and it is easy to see where your DNS queries are going. This is known as a "DNS leak".
Let's take a closer look at what DNS is and what the problems are.
As you know, every computer on the Internet has its own IP address; without knowing a computer's IP address, it is impossible to send it information or a request. The IP address is a 4-byte number, written as four numbers separated by dots (for example, 162.234.12.110 or 78.31.54.226).
It is not easy for an ordinary person to remember a large number of IP addresses, so early in the development of the Internet a tool was needed to make life easier for users. That tool became DNS, the Domain Name System. A DNS server is what lets you determine the IP address from a domain name.
For example, you type a site's address into the browser's address bar; the browser sends a request to the DNS server specified in the settings of your Internet connection, and the server sends back a response packet containing the IP address of the site.
On the one hand, everything is convenient: you just plug the cable into the network card, you are automatically assigned the provider's fast-responding DNS server, and everything works. On the other hand, there are two problems with this scheme:

1) The connection is not encrypted. This means that any attacker can intercept your traffic and spoof the IP address returned to you, for example to show you a fake online banking page. It is also advisable to hide this traffic from the provider or from law enforcement agencies (you never know :)).

2) Providers' DNS servers are legally obliged to keep logs (which IP visited which sites, and when) and to hand these logs over on request from law enforcement agencies (I hope everyone knew this? :)). Moreover, 99% of the world's DNS servers write logs and do not hide it.

If you do not want someone to intercept your data or read the logs of your visits, there is a reliable option. What needs to be done:
1) You need to encrypt the connection. For this there is the DNSproxy program. It does not connect directly to the DNS server; instead it sends requests over an encrypted connection to a DNS resolver, which simply forwards them to the DNS server. The resolver in turn passes the data to the DNS server, also over an encrypted connection. So with a sniffer (for example, Wireshark) you can only find out the IP address of the resolver, and since the packets are encrypted using elliptic-curve cryptography, it is impossible to determine which specific DNS server we are exchanging data with.

2) You need to use DNS servers that do not keep logs. As you understand, the provider's servers are ruled out immediately. For anonymity you also cannot use Google's or Yandex's DNS servers, since they openly admit to storing information (read their privacy agreements). But there are DNS servers that can help us: www.opennicproject.org. The site says that the servers do not write any logs (well, let's believe it). Unfortunately, these servers are unstable and sometimes go down. To solve this problem, you can use the program "Acrylic DNS Proxy". It lets you send queries not to one DNS server but to 10 at once, and the packet from whichever server replies fastest is the one the program accepts. So we solve two problems at once: we minimize the loss of query speed (because the fastest exchange usually happens with the provider's DNS servers), and we smooth over the instability of any individual server.
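As an added example (not code from the post, nor from Acrylic or DNSCrypt), here is how the "ask several upstream servers, keep whichever replies first" behaviour described above can be implemented, together with the reply validation (transaction id, echoed question, no error code, well-formed packet) that a plain-UDP resolver needs precisely because, as point 1 notes, the transport is unauthenticated. Resolver addresses are whatever the caller passes; `udp_send` assumes the standard port 53.

```python
import queue, random, socket, struct, threading

def build_query(name, txid):
    """Wire-format DNS query (RFC 1035) for the A record of `name`, RD=1."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\0" + struct.pack("!HH", 1, 1)

def parse_a_records(data, txid, query):
    """A-record IPs in reply `data`, or None unless it is a valid, error-free answer to `query`."""
    try:
        rid, flags, qd, an = struct.unpack_from("!HHHH", data)
        if (rid != txid or not flags & 0x8000 or flags & 0x000F or qd != 1
                or data[12:len(query)] != query[12:]):   # QR=1, RCODE=0, same question
            return None
        pos, ips = len(query), []
        for _ in range(an):
            while data[pos] and data[pos] & 0xC0 != 0xC0:   # walk the owner-name labels
                pos += data[pos] + 1
            pos += 2 if data[pos] else 1                     # compression pointer or root
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", data, pos)
            if rtype == 1 and rclass == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(data[pos + 10:pos + 14]))
            pos += 10 + rdlen
        return ips
    except (struct.error, IndexError, OSError):              # truncated or malformed
        return None

def udp_send(resolver, packet, timeout=2.0):  # plain UDP to port 53: the unencrypted path
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (resolver, 53))
        return s.recv(512)

def race_resolvers(name, resolvers, send=udp_send, timeout=2.0):
    """Ask every resolver at once; (resolver, ips) for the first valid reply, else None."""
    txid = random.getrandbits(16)      # unpredictable id makes a forged reply harder
    query, results = build_query(name, txid), queue.Queue()
    def worker(r):
        try:
            ips = parse_a_records(send(r, query), txid, query)
        except OSError:                # timeout or unreachable: this resolver drops out
            return
        if ips is not None:
            results.put((r, ips))
    for r in resolvers:
        threading.Thread(target=worker, args=(r,), daemon=True).start()
    try:
        return results.get(timeout=timeout)
    except queue.Empty:
        return None
```

A reply that arrives first but fails validation (wrong id, different question, error code) is simply dropped, so a fast bogus answer cannot win the race.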

So, we need to encrypt the connection to secure DNS servers. This is useful not only for those who do not use a VPN (how to solve the DNS leak problem when using a VPN is described later). Let's start:

1) Download AcrylicDNSProxy from here: http://mayakron.altervista.org/wikibase/show.php?id=AcrylicHome

Install it. Replace the configuration file in the program's installation folder with one already configured for the www.opennicproject.org servers. My preconfigured config file is here: https://www.sendspace.com/file/u51lus

2) In the settings of your network connection, you need to set the DNS address manually. Go to "Network and Sharing Center" -> "Local Area Connection" -> "Properties" -> "Internet Protocol Version 4 (TCP/IPv4)". Enter 127.0.0.1 there. The second line (alternate DNS server) should be left blank.

3) To start AcrylicDNSProxy, go to Start and click "Start Acrylic Service". A message should appear saying the service started successfully.

4) Now we check our DNS servers at www.perfect-privacy.com/dns-leaktest. It should look something like this:

You can add the file AcrylicController.exe to startup.

5) Now we encrypt our requests to the DNS servers using the DNScrypt program.

Download a ready-made build: https://www.sendspace.com/file/o1pe2q

6) Unpack and run dnscrypt-winclient.exe. Select your network card there and click Install. The connection to the DNS servers is now encrypted.

7) Let's check what the verification services show us now. Go to www.perfect-privacy.com/dns-leaktest. None of our servers should be detected.

And if you go to http://whoer.net, the only thing it can show is the address of the DNS resolver through which the DNS requests pass. The servers themselves are "unknown".

VPN + DNS-encryption

The figure shows a typical diagram of your connection when connecting to VPN servers.

As you can see, there is a vulnerability: DNS requests can be sent simultaneously both through the VPN server and directly to the DNS server specified in your network connection.

It would seem that you could simply set the DNS server in the connection settings to 127.0.0.1 so that no unnecessary queries go to the provider's DNS. But obviously, when you disconnect from the VPN, the Internet will not work, because while connected to the VPN their own DNS servers are used. If you just enter the two servers of the www.opennicproject.org project, that will reduce your surfing speed when the VPN is off. In this case it is also recommended to install AcrylicDNSProxy, which will keep your surfing speed from dropping. And since AcrylicDNSProxy is installed anyway, why not install DNScrypt as well?
If you use VPN services 100% of the time, you can simply enter one IP address in the DNS settings: 127.0.0.1. That will be enough.
So we have found an interesting scheme that anonymizes and hides DNS requests. It will help a little if you run into the "authorities", and also if a local evil hacker decides to redirect DNS requests and show your children adult sites instead of "Wait a minute"...
Note: if you don't need all this, just install AcrylicDNSProxy, specifying the servers of your provider, Yandex, Google, etc.; this will give you a noticeable speed-up of Internet surfing.
 