October 8, 2015
Stop ISP Espionage and Transparent Proxies Using DNS Cryptography
Hello,

Today, I'll show you how to properly set up DNSCrypt to prevent your default provider from monitoring and logging your DNS traffic. We'll do this by changing our DNS provider to an offshore or other DNS service that does NOT log our requests and that encrypts DNS queries and responses. Before we explore how this works, we have to understand a bit about DNS and what it is.

DNS:

Short for Domain Name System or Domain Name Service, a DNS is an Internet or network server that helps point domain names or hostnames to their associated Internet Protocol (IP) address. Without a server to resolve a domain name or the proper rights, users would have to know the IP address of each of the web pages or computers they wanted to access. DNS was introduced by Paul Mockapetris and Jon Postel in 1983.

Now that we have a little basic knowledge of DNS, let's look into transparent DNS proxies and how Internet Service Providers (ISPs) use them to monitor and spy on users. Some ISPs are now using a technology called "Transparent DNS Proxy." Using this, they intercept all DNS lookup requests (TCP/UDP port 53) and transparently proxy the results. This effectively forces you to use their DNS service for all DNS lookups. If you've changed your DNS settings to use an 'open' DNS service such as Google, Comodo or OpenDNS, expecting that your DNS traffic is no longer being sent to your ISP's DNS server, you may be surprised to find that your ISP is using transparent DNS proxying.

When using an anonymity or privacy service, it's extremely important that all traffic originating from your computer is routed through the anonymity network. If any traffic leaks outside of the secure connection to the network, anyone monitoring your traffic will be able to log your activity. Remember, DNS is used to translate a domain name such as www.privacyinternational.org into its numerical IP address, e.g. 220.127.116.11, which is required to route packets of data on the Internet. Whenever your computer needs to contact a server on the Internet, for example when you enter a URL into your browser, it contacts a DNS server and requests the IP address. Most ISPs assign their customers a DNS server that the ISP controls and uses for logging and recording your Internet activities.

Under certain conditions, even when connected to an anonymity network, the operating system will continue to use its default DNS servers instead of the anonymous DNS servers assigned to your computer by the anonymity network. DNS leaks are a major privacy threat, since an anonymity network may be providing a false sense of security while private data is leaking.

DNSCrypt:

Now that we understand why ensuring security on our DNS is so important, we'll use a script to activate DNSCrypt on our DNS. The script will also allow us to change DNS providers. Remember, DNSCrypt is a protocol for securing communications between a client and a DNS resolver by encrypting DNS queries and responses. It verifies that the responses you get from a DNS provider have actually been sent by that provider and haven't been tampered with. Supported providers include:
| Provider | Location | Features |
|---|---|---|
| DNSCrypt.eu | Europe | No logs, DNSSEC |
| Soltysiak.com | Europe | No logs, DNSSEC |
Open a terminal. We can do this by pressing Ctrl+Alt+T or by finding it in the accessories section of your system.
We'll first download the script from its official GitHub repository: https://raw.github.com/simonclausen/dnscrypt-autoinstall/master/dnscrypt-autoinstall.sh
Once the script has downloaded into your current directory, change its permission so that we're able to run it.
To do this, run the following:
chmod +x dnscrypt-autoinstall.sh
When the permissions have been changed, run the installer script by inputting the following:
Once you start the process, it will ask you:
"Would you like to see a list of supported providers? (DNSCrypt.eu is default) [y/n]: n"
Hit Y and Enter.
You should see a list of DNS providers:
"Which DNSCrypt service would you like to use?
1) Off (Regular, unencrypted DNS)
2) DNSCrypt.eu (Europe - no logs, DNSSEC)
3) Cisco OpenDNS (Anycast)
4) OpenNIC (Japan - no logs)
5) OpenNIC (Europe - no logs, whitelisted users only)
6) OpenNIC (Toronto, Canada - no logs)
7) OpenNIC (San Francisco, USA - no logs)
8) OpenNIC (Seattle, USA - no logs)
9) OkTurtles (Georgia, USA - no logs)
10) Soltysiak.com (Europe - no logs, DNSSEC)"
Select an option that's right for you.

For this exercise, I'll select the DNSCrypt.eu provider, which sits in Europe and does not log requests, by typing 2 and hitting Enter.

The system will update. The installation and provider change will start, as well as the key authentication. This process will take around 10 to 15 minutes depending on your connection at the time. If all goes well, the desired output should be:

"DNSCrypt is now installed. You can run this script again to reconfigure, turn it off, or uninstall it."

Finally, to test the changes, a great service is: https://dnsleaktest.com

If everything went according to plan, the test results should be something like:
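
As a local complement to the web-based test, the following added example (not part of the original post or of the dnscrypt-autoinstall project) checks a resolv.conf-style file for nameservers that are not loopback addresses, which is how a leftover ISP resolver shows up. It assumes the DNSCrypt proxy listens on a loopback address; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag resolvers in a resolv.conf-style file that are NOT loopback.
# Assumption: with DNSCrypt active, the local proxy listens on a loopback
# address, so the resolver file should list loopback nameservers only.

# Print every non-loopback nameserver found in the file given as $1.
non_loopback_resolvers() {
    awk '
        # Only "nameserver <addr>" lines matter; comments and options are skipped.
        $1 == "nameserver" && NF >= 2 {
            addr = $2
            sub(/%.*$/, "", addr)        # drop an IPv6 zone id such as %eth0
            if (addr ~ /^127\./ || addr == "::1") next
            print addr
        }
    ' "$1"
}

# Return 0 if the file has at least one nameserver and all are loopback,
# 1 if any non-loopback resolver is present, 2 if unreadable or empty.
resolvers_are_local() {
    file=$1
    [ -r "$file" ] || return 2
    total=$(awk '$1 == "nameserver" && NF >= 2 { n++ } END { print n + 0 }' "$file")
    [ "$total" -gt 0 ] || return 2
    leaks=$(non_loopback_resolvers "$file")
    [ -z "$leaks" ]
}

# Constructed sample inputs (not taken from a real system).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '# constructed: proxy only\nnameserver 127.0.0.1\n' > "$tmp/good.conf"
    printf '# constructed: ISP resolver left in place\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$tmp/leaky.conf"
    for f in "$tmp/good.conf" "$tmp/leaky.conf"; do
        if resolvers_are_local "$f"; then
            echo "$f: OK, all resolvers are loopback"
        else
            echo "$f: non-loopback resolvers: $(non_loopback_resolvers "$f" | tr '\n' ' ')"
        fi
    done
    rm -rf "$tmp"
}

demo
```

On a real system the same check is `resolvers_are_local /etc/resolv.conf`. A loopback entry only shows that queries go to a local service, so on machines that run another local stub resolver it does not by itself prove that the service is the DNSCrypt proxy.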