
Why it matters that your ISP may control your DNS And What if I Use Encrypted DNS?

July 17, 2018    |    Cyber Security    |    Lauren Elkins

What Is a DNS Server?

A DNS Server is a Domain Name System Server. It’s basically the internet’s version of the Yellow Pages: a massive directory that stores IP addresses and their hostnames. Information from DNS servers across the Internet is gathered together and housed at the Central Registry, and host companies and Internet Service Providers connect with this registry on a regular basis to collect the DNS information.

How Does a DNS Work?

You hop online and click on your favorite news site to start the day. It shows up in your browser within seconds. You spend fifteen minutes perusing the stories, reading headlines, clicking on the more interesting ones, and scrolling through some images. You use the internet without thinking too much about what information is passed back and forth, who it’s going to, and who might see it along the way. However, with the recent demise of net neutrality rules under the current FCC, there’s one company that can see a lot about your browsing habits, and that you might not be inclined to trust anymore: your ISP.

Sit with us for a few minutes to see how the conversation goes down between your PC and a DNS server as you visit Yahoo and read a few articles. We think it will help you understand what your ISP can see and how they can go about doing it…and the difference it makes when you use a VPN. It can change the conversation.

You visit a website, and it goes like this.

PC: Hey, DNS server.

ISP DNS server: Hey.

PC: I want to go to yahoo.com.

ISP DNS server: Alrighty. That’s at the IP address 12.123.123.12.

PC: Thanks! I got it.

PC: Hey, 12.123.123.12. I want to go to yahoo.com/thispage

12.123.123.12: Sure thing. Here it is!

PC: Thanks! I click on the link to /thatstory

12.123.123.12: Nice. Here is /thatstory

PC: Oooh! Ads! Okay, now I click on the /top7amazonproductswithcultfollowing

12.123.123.12: No problem — here is /top7amazonproductswithcultfollowing

When you get online and enter Yahoo.com into your browser address bar, your Internet Service Provider (ISP) delivers it to you via their DNS server. It translates that to Yahoo’s IP and once you have that, you do the rest of the talking to Yahoo.

Really?

Yes. But only when it’s an HTTPS connection.

The conversation between your PC and 12.123.123.12 stays between you and the IP address. All that your ISP knows is that you initially requested Yahoo.com from the DNS server.

However, if Yahoo were HTTP and not secured, anyone between you and the remote server (including your ISP) could see the contents of your communications. That second conversation would also be “public” knowledge.

In the example above, your ISP would not know the pages you clicked on, delivered by 12.123.123.12. But they would know that you went to Yahoo. Maybe it’s not a big deal to mask what you’re reading from Yahoo, but there may be other domains where you wouldn’t want to be tracked as you browse through links — and there are probably domains you don’t want to have any initial record of visiting at all.

What if I specify a DNS server not operated by my ISP?

Specifying a DNS server not operated by your ISP changes things a little, but not much. Your ISP could basically read the conversation as it goes between the DNS server and your PC, because DNS requests are not encrypted.

Here’s the conversation.

PC: Hey, DNS server I specifically chose.

The Chosen DNS: What’s up?

PC: I’m sending my request to your well-known DNS TCP port, through my ISP’s network.

The Chosen DNS: Great. What’s the request?

PC: I want yahoo.com resolved to an IP address.

The Chosen DNS: Great. Yahoo.com is 12.123.123.12.

PC: Got it. I’ll now talk to 12.123.123.12.

The Chosen DNS: Have fun.

If your ISP is watching traffic routed through their network, they can watch for requests to the well-known DNS TCP port, where the request, and the domain you looked up, sits in plain view.
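To make concrete what “in plain view” means, here is an added example (not code from the original post or from Private Tunnel) that builds a plaintext DNS query for yahoo.com in RFC 1035 wire format and then decodes the question section exactly as a passive observer on the DNS port would. The query bytes, transaction ID and name are constructed here for illustration.

```python
import struct

# Constructed sample: a standard DNS query (ID 0x1234, RD flag set) for yahoo.com A/IN,
# built locally so the parser runs offline. Names use the RFC 1035 wire format:
# a sequence of length-prefixed labels terminated by a zero byte.

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query. Nothing here is encrypted."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_query(packet: bytes) -> dict:
    """Decode the question section the way an on-path observer would."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not valid in a question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "id": txid,
        "is_query": not (flags & 0x8000),  # QR bit clear means this is a query
        "name": ".".join(labels),
        "qtype": qtype,
        "qclass": qclass,
    }

SAMPLE_QUERY = build_query("yahoo.com")

if __name__ == "__main__":
    print(parse_query(SAMPLE_QUERY))
```

Point the same parser at a real capture of port 53 traffic and the looked-up names fall out just as easily, which is why the page treats a third-party resolver as only a small improvement.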

What if I Use Encrypted DNS?

Using encrypted DNS traffic means the ISP would only be able to see that a .com server was being queried, but would not see the actual domain name the DNS server was asked about.

The problem is, encrypting DNS can sometimes lead to performance issues — so in order to help keep speed up, the secure handshake happens after the first packet. And that first packet contains the domain information. Hmm…

Here’s the conversation:

PC: Hey, Secure DNS, I want to go to yahoo.com, and I sent it in the Server Name Indication (SNI).

Secure DNS: Hey PC. Got your site in the SNI. Let me send you my certificate authentication.

PC: Got the authentication.

Secure DNS: Great. We now have a secure connection. I will give you the IP address for yahoo.com.

An ISP could use SNI inspection to track user browsing in this case and still see that you’re hitting up Yahoo.

What about when you throw a VPN into the game?

When using Private Tunnel VPN, you can mask your browsing data from your ISP. Our VPN prevents them from seeing your sensitive data and protects your computer from common dangers such as Man-in-the-Middle (MiTM) and DNS hijacking attacks.

This is the conversation they see:

PC: Hey, I’m getting on Private Tunnel VPN.

PC: I’m still on Private Tunnel.

PC: Everything I’m doing is all on Private Tunnel. Same address. Over and over. Hours and hours of doing this at this one address. Nothing to see here.

What conversation do you want your ISP to hear? It’s up to you!

Better Safe Than Sorry