Protect your browsing with DNS over TLS


What is DNS Over TLS?

You already know that there's been a lot of buzz in the last few years around encrypting web traffic. Even if you haven't paid much attention, you have to have noticed the influx of green locks near URLs and HTTPS popping up everywhere. That's because more sites than ever are encrypting traffic.

Encrypting web traffic protects both the site and the people visiting it. Attackers can't easily spy on encrypted traffic as it passes between your computer and a website, which keeps your login information and anything else you submit safe from anyone sitting on the path.

There's one piece that HTTPS doesn't encrypt: the DNS query. If you're not familiar, websites actually live at IP addresses. When you type in the URL of a site, your computer first makes a separate request to a DNS server asking which IP address that hostname belongs to. More often than not, that DNS server belongs to your ISP. So they, and anyone else on the path who might be listening, can see which sites you're going to and log them. Because DNS is plaintext by default, it's easy for any third party to monitor, and even tamper with, your DNS queries.

DNS over TLS brings the same kind of encryption you expect from HTTPS to DNS queries: your machine opens a TLS session to the resolver (on TCP port 853) and sends the queries inside it. So the only party that receives your query, and the data about which site you're visiting, is the DNS server that you choose, and you can choose. You don't need to use your ISP's DNS, and you shouldn't. Two caveats are worth keeping in mind: the resolver you pick still sees every query, so pick one whose logging policy you trust, and an observer on the path can still see that you are talking to a DNS over TLS resolver, just not what you asked it.

What Can You Do?

Support for DNS over TLS isn't as mature as HTTPS yet, but it's still easy enough to set up and use. There are a number of options for protecting your DNS traffic. First, it's worth noting that a properly configured VPN already protects you: your DNS traffic is tunneled over the VPN to the provider's DNS servers, so your ISP never sees it. If you're already using a VPN, don't worry, though you can set up additional protection if you like. Do check that the VPN client actually routes DNS through the tunnel; a VPN that leaves the system resolver pointed at the ISP leaks exactly the data you're trying to hide.

If you aren't using a VPN, you can still encrypt your DNS traffic with DNS over TLS. There's an excellent open source project called Stubby, a local stub resolver that listens on your own machine, encrypts your DNS queries, and forwards them over TLS to a DNS server that supports DNS over TLS. The project is open source and freely available for Windows, Mac, and Linux.

Set Up Stubby

Windows

Stubby has a convenient Windows .msi installer that installs Stubby along with a default configuration file. Head over to the installer page and download the Windows .msi installer.

Once you have it, run the installer. There isn't a graphical setup wizard or anything; you only need to confirm that you're giving the installer access, and it takes care of the rest.

Everything for Stubby on Windows is located at:

C:\Program Files\Stubby

That includes the YAML configuration file, stubby.yml.

Open up a command prompt (use Run and type cmd). Change into the Stubby directory, then run the .exe and pass it the configuration file to start Stubby. The path contains a space, so quote it.

C:\Users\UserName>cd "C:\Program Files\Stubby"

C:\Program Files\Stubby>stubby.exe -C stubby.yml

[Screenshot: Stubby running on Windows]

Stubby will now be running in that window. To test it, open a second command prompt, change into the same directory, and run the following command to see whether Stubby answers:

C:\Program Files\Stubby>getdns_query -s @127.0.0.1 www.google.com

If that returns an answer, Stubby is set up correctly. If you want to change the DNS servers that Stubby uses, open stubby.yml and edit the upstream server entries to match the servers of your choosing. Make sure the servers you pick support DNS over TLS, and give each one its TLS authentication name (tls_auth_name) so Stubby can verify the server's certificate rather than silently trusting whoever answers.

Before you can use Stubby system-wide, you need to point Windows' DNS client at Stubby (127.0.0.1) instead of your ISP's resolvers. That requires a command with admin privileges. Leave the window running Stubby open (closing it stops Stubby), go back to the Start menu and search for 'cmd', right-click it and select "Run as Administrator." In the resulting window, run the following:

PowerShell -ExecutionPolicy bypass -file "C:\Program Files\Stubby\stubby_setdns_windows.ps1"

None of this is much good if the changes don't survive a reboot. To make them permanent, you need a scheduled task that starts Stubby at boot. Thankfully, the Stubby developers provide a task template for that. In the same administrator command prompt, register it, substituting your own Windows user name:

schtasks /create /tn Stubby /XML "C:\Program Files\Stubby\stubby.xml" /RU <your_user_name>

That's all! Your Windows PC is now configured to send its DNS over TLS through Stubby.

Linux

On Linux, the process is very simple. Both Ubuntu and Debian based distributions already have Stubby in their repositories. You just need to install it and point your system at it. Start by installing Stubby:

$ sudo apt install stubby

Next, edit the Stubby configuration file if you want to change the upstream servers. It lives at /etc/stubby/stubby.yml; open it in your favorite text editor with sudo.

[Screenshot: the DNS server entries in stubby.yml]

If you've made any changes to the DNS servers, restart Stubby so it picks them up.

$ sudo systemctl restart stubby

You also need to change the nameserver entries in /etc/resolv.conf so the system sends its queries to Stubby. Open it with your text editor and sudo as well, and replace the existing entries with a single line like the one below. Note that on many desktop systems /etc/resolv.conf is generated by NetworkManager or systemd-resolved and gets overwritten on the next network change; on those systems set 127.0.0.1 as the DNS server in the network manager (or in resolved's configuration) instead of editing the file by hand.

name­ser­ver 127.0.0.1

Now test that Stubby is working. Go to dnsleaktest.com and run the test. If the resolvers you configured Stubby to use appear (rather than your ISP's), your computer is successfully sending its DNS through Stubby. A stricter check is to confirm that no plaintext DNS is still leaving the machine on port 53.
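The article never shows what a safe stubby.yml looks like, so here is an added example of my own (not code from the Stubby project or the original article) that serves both the Windows "change the DNS servers" step above and the Linux /etc/stubby/stubby.yml edit: a strict configuration, a deliberately weak one for contrast, and a small POSIX shell lint, check_stubby_conf, that rejects the settings a practitioner should never ship. The resolver addresses and tls_auth_name values are the public Cloudflare (1.1.1.1) and Quad9 (9.9.9.9) DNS over TLS endpoints; the function names and the weak config are my own constructions. The setting that matters most is tls_authentication: GETDNS_AUTHENTICATION_REQUIRED; in opportunistic mode Stubby will still talk to a resolver whose certificate it cannot verify.

```shell
#!/bin/sh
# Added example, not part of Stubby or the original article.
# 1) write_strict_conf: a stubby.yml that only ever uses authenticated TLS,
#    listens on loopback only, and pins every upstream to a tls_auth_name.
# 2) write_weak_conf: a constructed bad config (opportunistic auth, plaintext
#    transport allowed, open listener, unpinned upstream) for contrast.
# 3) check_stubby_conf: refuses configs that can silently downgrade.

write_strict_conf() {   # $1 = destination path
    cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
EOF
}

write_weak_conf() {     # $1 = destination path (constructed bad example)
    cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP
tls_authentication: GETDNS_AUTHENTICATION_NONE
listen_addresses:
  - 0.0.0.0
upstream_recursive_servers:
  - address_data: 1.1.1.1
EOF
}

# Returns 0 if the config is strict, 1 (with the reason on stderr) otherwise.
check_stubby_conf() {
    f="$1"
    grep -q '^tls_authentication: *GETDNS_AUTHENTICATION_REQUIRED' "$f" \
        || { echo "$f: tls_authentication is not REQUIRED (opportunistic mode falls back silently)" >&2; return 1; }
    if grep -Eq 'GETDNS_TRANSPORT_(UDP|TCP)' "$f"; then
        echo "$f: plaintext transport listed; keep only GETDNS_TRANSPORT_TLS" >&2; return 1
    fi
    if grep -q '^ *- *0\.0\.0\.0' "$f"; then
        echo "$f: listening on all interfaces; Stubby is a local stub, bind to loopback" >&2; return 1
    fi
    # Every upstream must pin a tls_auth_name, so the counts have to match.
    n_addr=$(grep -c 'address_data:' "$f" || true)
    n_auth=$(grep -c 'tls_auth_name:' "$f" || true)
    [ "$n_addr" -gt 0 ] && [ "$n_addr" -eq "$n_auth" ] \
        || { echo "$f: $n_addr upstream(s) but $n_auth tls_auth_name entries" >&2; return 1; }
    return 0
}

# Live checks for a machine where Stubby is already running (not run here):
#   dig @127.0.0.1 example.com +short   # Stubby answers on loopback
#   ss -tn | grep ':853'                # Stubby's TLS sessions to the upstreams
#   ss -un | grep ':53 '                # should show nothing leaving in plaintext

tmpdir=$(mktemp -d)
write_strict_conf "$tmpdir/strict.yml"
write_weak_conf   "$tmpdir/weak.yml"
check_stubby_conf "$tmpdir/strict.yml" && echo "strict.yml: OK"
check_stubby_conf "$tmpdir/weak.yml"   || echo "weak.yml: rejected as expected"
rm -rf "$tmpdir"
```

Copy the strict block into stubby.yml on any of the three platforms (for Windows that is the file under C:\Program Files\Stubby), restart Stubby, and then run the three live checks from the comment; the last one is the one that catches a system still leaking plaintext DNS past Stubby.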

OSX

Setting up Stubby on macOS is also fairly simple. With Homebrew the process is trivial, but it isn't hard without it either.

With Homebrew, install the Stubby package:

$ brew install stubby

Before you start Stubby as a service, you can modify the YAML configuration at /usr/local/etc/stubby/stubby.yml.

Once you're happy with the configuration, start Stubby as a service:

$ sudo brew servi­ces start stubby

As on the other platforms, macOS only uses Stubby once you set 127.0.0.1 as the DNS server for your network interface in the Network preferences. If you don't have Homebrew, you can install the Stubby GUI instead, which is available from the Stubby project.

Closing Thoughts

DNS over TLS is beginning to gain traction. Soon it will be commonplace. Until then, setup and programs like Stubby are necessary; clearly, though, it isn't too difficult to get going.

In the near future, support for DNS over TLS will see a huge push forward when Google includes support by default in Android. As a result, it should only be a matter of time before Apple follows with iOS support. The desktop platforms probably won't lag too far behind. Then again, they already do have support, and you just enabled it.