Table of Contents

  1. Introduction
  2. The Metadata Problem
    2.1 IP Addresses and DNS
    2.2 Why DNS Matters
  3. HTTPS and Its Limits
    3.1 How Web Connections Work
    3.2 What HTTPS Protects
    3.3 What Remains Visible
  4. ISP Visibility and Monetization
    4.1 What ISPs See in DNS
    4.2 How ISPs Monetize Metadata
    4.3 Legal and Regulatory Boundaries
  5. VPNs: Capabilities and Limitations
    5.1 What VPNs Hide
    5.2 Trust Shift to VPN Providers
    5.3 Situations Where VPNs Are Useful
  6. Encrypted DNS Solutions
    6.1 DNS over HTTPS (DoH) and DNS over TLS (DoT)
    6.2 Encrypted Client Hello (ECH)
    6.3 Practical Configurations (Windows, macOS, iOS, Android, Browsers)
    6.4 Running Your Own Resolver (Pi-hole, AdGuard, Unbound)
  7. Anonymization and Fingerprinting
    7.1 Weakness of Aggregated Data
    7.2 Browser and Device Fingerprints
    7.3 EDNS Client Subnet (ECS) Trade-offs
  8. Performance Considerations
    8.1 DNS Speed vs Privacy
    8.2 Local Recursive Resolvers
    8.3 IoT and Hardcoded Resolvers
  9. Conclusions and Recommendations
  10. Glossary of Acronyms

1. Introduction

This post is based on a video from the Dave’s Garage YouTube channel.
Dave Plummer is a retired Microsoft engineer who worked on the internals of Microsoft’s operating systems.

Modern internet privacy challenges often come not from unencrypted content, but from metadata leaks. Two primary metadata sources are IP addresses and DNS queries. DNS is particularly revealing, exposing what domains a user visits even when the content itself is encrypted.

2. The Metadata Problem

2.1 IP Addresses and DNS

  • IP addresses: Identify the servers you connect to.
  • DNS queries: Reveal the exact domain names you look up.

2.2 Why DNS Matters

DNS acts like a “table of contents” for your browsing activity. Even if ISPs can’t see the article you read, they can still see the site you requested.

3. HTTPS and Its Limits

3.1 How Web Connections Work

  1. Browser requests example.com.
  2. DNS resolves example.com to an IP address.
  3. TLS handshake begins, and encrypted HTTPS traffic follows.

3.2 What HTTPS Protects

  • Page contents
  • Passwords
  • Video streams

3.3 What Remains Visible

  • The initial DNS query
  • Destination IP addresses

4. ISP Visibility and Monetization

4.1 What ISPs See in DNS

  • Domains queried via their resolver
  • Connection timestamps
  • Frequency patterns

4.2 How ISPs Monetize Metadata

  • Aggregate browsing patterns into marketable categories
  • Sell anonymized trend data
  • Target ads or upsell services

4.3 Legal and Regulatory Boundaries

  • US: FCC broadband privacy rules repealed in 2017; FTC/state laws regulate data use.
  • EU: GDPR treats DNS logs as personal data with stricter protections.

5. VPNs: Capabilities and Limitations

5.1 What VPNs Hide

  • DNS lookups from the ISP
  • Destination IPs from the ISP

5.2 Trust Shift to VPN Providers

  • ISPs lose visibility, but VPN providers gain it.
  • Logs and policies vary widely between providers.

5.3 Situations Where VPNs Are Useful

  • Public Wi-Fi (airports, hotels, cafés)
  • Bypassing geographic restrictions
  • Avoiding captive portals and DNS hijacking

6. Encrypted DNS Solutions

6.1 DNS over HTTPS (DoH) and DNS over TLS (DoT)

  • Encrypts DNS queries between client and resolver.
  • Prevents ISP from seeing domain lookups.

6.2 Encrypted Client Hello (ECH)

  • Encrypts the Server Name Indication (SNI) in TLS handshakes.
  • Reduces metadata leaks when connecting to shared servers.

6.3 Practical Configurations

  • Windows 11: System-wide Secure DNS option.
  • macOS/iOS: DNS profiles for DoH/DoT.
  • Android 9+: Private DNS setting.
  • Browsers (Chrome, Firefox): Secure DNS toggle.

6.4 Running Your Own Resolver

  • Pi-hole / AdGuard / Unbound on a Raspberry Pi.
  • Centralized DNS logging and filtering.
  • DHCP router configuration ensures all devices use it.

7. Anonymization and Fingerprinting

7.1 Weakness of Aggregated Data

  • “Anonymized” data can still re-identify individuals through patterns.

7.2 Browser and Device Fingerprints

  • Unique browser characteristics (fonts, rendering, time zones) act like undeletable cookies.

7.3 EDNS Client Subnet (ECS) Trade-offs

  • Improves performance by revealing approximate location.
  • Reduces privacy by leaking geographic hints.
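As an added example (not code from this post or from Dave’s Garage), the Python below builds the wire-format DNS query a stub resolver sends, parses it the way any on-path observer can when it travels over plain port 53 (section 3.3), encodes the same message as the GET parameter a DoH client uses (RFC 8484, section 6.1), and shows how an EDNS Client Subnet option (RFC 7871) truncates the client address to a prefix before it is forwarded (section 7.3). The query ID 0x1234 and the client address 203.0.113.77 are constructed sample values.

```python
import base64
import struct
# Constructed sample values: query ID 0x1234 and client address 203.0.113.77.

def encode_name(qname):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    labels = qname.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, client_ip=None, prefix_len=24):
    """DNS A query for qname; with client_ip, append an ECS option (RFC 7871)."""
    arcount = 1 if client_ip else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # RD=1, one question
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN
    if client_ip:
        addr = bytes(int(o) for o in client_ip.split("."))
        keep = (prefix_len + 7) // 8                      # only bytes covering the prefix are sent
        ecs = struct.pack("!HBB", 1, prefix_len, 0) + addr[:keep]  # family IPv4, source, scope
        rdata = struct.pack("!HH", 8, len(ecs)) + ecs              # option code 8 = ECS
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata  # OPT RR
    return msg

def parse_query(msg):
    """What an on-path observer reads: (qname, ecs); ecs = (prefix_len, addr) or None."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos, labels = 12, []
    while msg[pos]:  # queries carry no compression pointers, so plain labels suffice
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 5  # root label, QTYPE, QCLASS
    ecs = None
    if arcount:
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
        pos, end = pos + 11, pos + 11 + rdlen
        while rtype == 41 and pos < end:
            code, olen = struct.unpack("!HH", msg[pos:pos + 4])
            data = msg[pos + 4:pos + 4 + olen]
            if code == 8:  # ECS: the truncated prefix is padded back out with zeros
                _, src, _ = struct.unpack("!HBB", data[:4])
                ecs = (src, ".".join(str(b) for b in data[4:].ljust(4, b"\x00")))
            pos += 4 + olen
    return ".".join(labels), ecs

def doh_get_param(msg):
    """Same message as the 'dns' GET parameter of DoH: base64url, no padding (RFC 8484)."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def doh_decode_param(param):
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
```

A real DoH client sets the ID field to 0 (RFC 8484 asks for this so identical queries produce identical URLs that cache well); it is kept at 0x1234 here only so the plain port 53 bytes and the DoH encoding of the same query can be compared side by side.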

8. Performance Considerations

8.1 DNS Speed vs Privacy

  • Well-run DoH/DoT resolvers with caching perform as well as ISP defaults.

8.2 Local Recursive Resolvers

  • May improve speed for repeated queries.

8.3 IoT and Hardcoded Resolvers

  • Some IoT devices bypass local settings.
  • Routers or firewalls can block direct external DNS queries.

9. Conclusions and Recommendations

  • You cannot eliminate metadata leaks entirely, but you can reduce them.
  • Main protective steps:
    1. Use encrypted DNS (DoH/DoT).
    2. Prefer ECH-capable browsers/servers.
    3. Run your own resolver if possible.
    4. Be aware that VPNs shift, not remove, trust.

By adjusting default DNS settings, users can reduce ISP profiling and retain more control over their data.

10. Glossary of Acronyms

  • CDN: Content Delivery Network
  • DHCP: Dynamic Host Configuration Protocol
  • DNS: Domain Name System
  • DoH: DNS over HTTPS
  • DoT: DNS over TLS
  • ECS: EDNS Client Subnet
  • ECH: Encrypted Client Hello
  • EFF: Electronic Frontier Foundation
  • FCC: Federal Communications Commission
  • FTC: Federal Trade Commission
  • GDPR: General Data Protection Regulation
  • HTTPS: HyperText Transfer Protocol Secure
  • IP: Internet Protocol
  • ISP: Internet Service Provider
  • NSA: National Security Agency
  • SNI: Server Name Indication
  • TLS: Transport Layer Security
  • VPN: Virtual Private Network
