DNS over TLS (DoT) is a new technology for encrypting DNS requests. Its purpose is to protect users against man-in-the-middle attacks that spy on or manipulate name resolution. With standardization by the Internet Engineering Task Force (IETF) and support in the recently released Android version “Pie”, this forward-looking technology is just emerging from its infancy. We are pleased to be the first VPN provider to offer our users DNS over TLS, effective immediately.
Computers, smartphones and all other devices with network access communicate with each other via IP addresses. To reach our website (host name: www.perfect-privacy.com), for example, the user’s device needs the corresponding IP address. The Domain Name System (DNS) was invented back in 1983 for exactly this name resolution, and it remains one of the most important services on the Internet.
Over thirty years ago, Internet security and protection against manipulation and eavesdropping were not a major concern. That has since changed: encrypting web traffic with HTTPS has been standard for many years. Ordinary DNS requests, however, are still sent unencrypted by default.
We therefore welcome that the IETF has published a proposed standard for encrypting DNS requests: DNS over TLS (DoT, RFC 7858). Just as HTTPS is the encrypted version of HTTP, DoT is the encrypted version of DNS: the conventional DNS messages are carried unchanged inside a TLS connection (Transport Layer Security, the successor to SSL / Secure Sockets Layer) to port 853 of the DNS server.
Encrypting DNS requests prevents anyone on the path from reading the name-resolution queries and replies and thus helps protect the user’s privacy. DNS over TLS also protects against manipulation of DNS requests in transit. Changing DNS answers is common practice; our TrackStop filters also work at the DNS level. If the user enables these filters, tracking services, advertising and known phishing sites are blocked by not answering their DNS requests. Of course, our users can deactivate the filters at any time and enjoy an unfiltered Internet.
Deutsche Telekom, for instance, means well with its customers: if a Telekom customer mistypes a host name in the browser and it cannot be resolved to an IP address, the Telekom DNS server returns an (incorrect) IP address instead of an error, which leads the user to the “t-online navigation aid”. But DNS manipulation is often only the first step towards censorship. German users will still remember “Zensursula” and the Access Obstruction Act, which would have created a Germany-wide censorship infrastructure at the DNS level. Many countries have operated such manipulation systems for years; the most prominent example is the “Great Firewall” in China, which blocks not only illegal content but also other content the government considers undesirable.
Encrypting DNS requests with DNS over TLS can be a first step towards avoiding these threats: the user can choose a trustworthy DNS server that answers queries truthfully, and because the TLS connection authenticates that server and integrity-protects the traffic, neither the query nor the answer can be altered on the way without the tampering being detected. This does require the client to verify the server’s certificate against the expected name (“strict” mode); a client that accepts any certificate only gets opportunistic encryption, which an attacker on the path can defeat by terminating the TLS connection himself.
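To make the two preceding points concrete, here is an added example (not code from Perfect Privacy or from this article) of what a DoT client actually sends and checks: it builds an ordinary DNS query, frames it with the 2-byte length prefix that DNS over TCP and therefore DoT use, parses a reply, and builds a TLS context that insists on a valid certificate for the configured resolver name rather than trusting whatever answers on port 853. The function names, the transaction ID and the reply (pointing www.perfect-privacy.com at 203.0.113.10, a documentation address, not the site’s real one) are constructed for the example; only `dot_resolve` touches the network and it is not called in the offline run.

```python
import socket
import ssl
import struct

DOT_PORT = 853  # port assigned to DNS over TLS by RFC 7858


def encode_name(name):
    """Host name -> DNS label format, e.g. "www.example" -> b"\\x03www\\x07example\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off, hops=0):
    """Read a (possibly compressed) name at msg[off]; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 section 4.1.4)
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr, hops + 1)
            labels.append(tail)
            return ".".join(l for l in labels if l), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(qname, qtype=1, txid=0x1234):
    """Plain DNS query (RFC 1035): header with RD set, one question. Same bytes for UDP, TCP and DoT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DoT reuses the DNS-over-TCP framing: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def parse_a_answers(msg, expected_txid):
    """Return [(name, ttl, ipv4)] from a response; rejects replies that do not match our query."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return answers


def strict_dot_context():
    """Strict mode: the resolver must present a certificate valid for the configured name.
    The weak alternative (check_hostname=False, verify_mode=CERT_NONE) is opportunistic only:
    an on-path attacker could terminate the TLS session himself and answer as he likes."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the stream")
        buf += chunk
    return buf


def dot_resolve(server_ip, auth_name, qname, txid=0x1234):
    """Live query (not run offline): TLS to server_ip:853, authenticated as auth_name."""
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with strict_dot_context().wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(qname, txid=txid)))
            length = struct.unpack("!H", _read_exact(tls, 2))[0]
            return parse_a_answers(_read_exact(tls, length), txid)


# Constructed reply for the offline run: one A record for www.perfect-privacy.com with the
# owner name compressed to a pointer (0xC00C) back to the question; 203.0.113.10 is a
# documentation address chosen for the example, not the real one.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + encode_name("www.perfect-privacy.com") + struct.pack("!HH", 1, 1)
                + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))

if __name__ == "__main__":
    print(frame(build_query("www.perfect-privacy.com")).hex())
    print(parse_a_answers(SAMPLE_REPLY, 0x1234))
```

The query bytes are identical to what a plain UDP client would send; all that DoT adds is the length prefix and the TLS layer around it, which is why `strict_dot_context` is the part that matters for security: a client that skips certificate verification gains only protection against passive eavesdropping, not against an active attacker.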
DNS over TLS is a young technology that unfortunately does not enjoy comprehensive support yet. With Android 9.0 “Pie”, however, DoT is available by default on all current Android smartphones and tablets: in the default “Private DNS” setting, Android probes the configured DNS server for DoT on port 853 and prefers it over unencrypted DNS if the server offers it, and entering a resolver host name instead makes Android use only authenticated DoT. On all other platforms you have to set up the software yourself.
The DNS Privacy Project is the primary point of contact for this. It lists DNS clients for the various operating systems that support DNS over TLS: Stubby, for example, is available for Windows, macOS and Linux, and Linux users can also use Unbound, Knot Resolver or PowerDNS.
DNS over TLS makes name resolution somewhat more secure. It is only a small step, however, and should not be overestimated as a security measure. Three points of criticism remain unresolved. First, DNS over TLS protects only the channel between the end device and the DNS server; the DNS server itself can still “lie” and return incorrect answers. Second, the queried DNS server (the recursive resolver) forwards queries it cannot answer itself to the authoritative servers responsible for the domain, and this communication between servers remains unencrypted.
The third point relates to DoT only indirectly. Immediately after a successful name resolution the browser usually opens an HTTPS connection, for example to load a web site. So that the web server knows which site to serve, the browser has to send the desired host name via Server Name Indication (SNI) in the very first handshake message (the ClientHello), i.e. before the encrypted HTTPS connection exists. The host name that was just transmitted encrypted via DNS over TLS is therefore sent again in clear text, where any attacker on the path can read it.
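The SNI leak is easy to verify without any network access. The following added example (not from the article or from Perfect Privacy) lets Python’s own TLS stack write a genuine ClientHello for www.perfect-privacy.com into a memory buffer and then parses the server_name extension out of those bytes the way a passive observer on the path would. The function names are chosen for the example; the record and extension layout follows the TLS and RFC 6066 wire format.

```python
import ssl
import struct


def client_hello_for(hostname):
    """Start a TLS handshake into memory BIOs (no socket) and return the client's first bytes."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()          # nobody answers, so it stops right after writing the ClientHello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def extract_sni(data):
    """Return the host name from the server_name extension of a ClientHello record, or None."""
    if len(data) < 5:
        return None
    ctype, _version, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != 0x16:               # 0x16 = handshake record; anything else is not a ClientHello
        return None
    body = data[5:5 + rec_len]
    if not body or body[0] != 0x01: # handshake type 0x01 = ClientHello
        return None
    off = 4 + 2 + 32                # handshake header, client_version, 32-byte random
    sid_len = body[off]
    off += 1 + sid_len              # legacy session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2 + cs_len               # cipher suites
    comp_len = body[off]
    off += 1 + comp_len             # compression methods
    ext_total = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    end = off + ext_total
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if etype == 0x0000:         # server_name extension (RFC 6066): list len(2), type(1), len(2), name
            name_len = struct.unpack("!H", body[off + 3:off + 5])[0]
            return body[off + 5:off + 5 + name_len].decode("ascii")
        off += elen
    return None


if __name__ == "__main__":
    hello = client_hello_for("www.perfect-privacy.com")
    print("ClientHello is %d bytes, SNI in clear text: %s" % (len(hello), extract_sni(hello)))
```

Everything `extract_sni` reads sits before any key exchange has happened, so no decryption is involved; the same few lines of parsing run on a router, a captive portal or a censorship box are enough to recover the host name that DoT just hid.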
Perfect Privacy’s VPN access protects against most of these weaknesses. We operate DNS servers inside our encrypted VPN network, so even ordinary plain-text DNS requests travel through the encrypted VPN tunnel and are answered internally; additional encryption of DNS requests inside the tunnel is therefore unnecessary. DNS requests that leave the VPN network are anonymized and cannot be attributed to an individual VPN user. Our users thus need not worry about additional DNS encryption such as DNS over TLS, because their DNS requests are already encrypted by the VPN tunnel. Perfect Privacy VPN access is also the best way to encrypt all Internet traffic, not just DNS requests.
Besides DNS over TLS there is another approach to encrypting name resolution: DNS over HTTPS (DoH), which carries DNS queries inside an HTTPS connection. It is a considerably more complex protocol that is still being standardized and is currently being tested by the Mozilla Foundation and Google.
Users of Perfect Privacy benefit from the encryption of all their Internet traffic via the VPN tunnel, which protects their privacy and guards against eavesdropping on and manipulation of DNS queries. At the same time, we are pleased to be the first VPN provider to offer DNS over TLS, a forward-looking technology that is well on its way to becoming a generally recognized standard, at the latest since the new Android version.
Users without VPN access should consider this encryption option. It makes a small contribution to protecting privacy, but usually requires manual installation and configuration.