Taking steps to hide your internet traffic from prying eyes is something that we’re passionate about here. Which is why we feel like we should warn you: there’s a potential vulnerability hiding in plain sight. Your DNS queries might be unencrypted.
If you have no idea what this means, don’t worry; we’ll explain it for you. And if you do know what this means, you probably know about DNSCrypt. But DNSCrypt.org is no longer working, and it might be time to find an alternative.
Let’s start with the basics, and then we’ll get to our recommendations.
Why Your DNS Queries Should Be Encrypted
DNS stands for “domain name system,” and it serves a bit like the internet’s phone book. When you type a URL into your browser, like www.thebestvpn.com, your computer asks a DNS server (a “resolver”) for that name, and the server sends an IP address back. The IP address is the address your computer actually connects to.
Once your computer has the IP address, it can connect to the server where the site is hosted. All of this happens in the background, and you might not even know it’s happening.
There’s a problem, though: by default, your query to the DNS server travels in plaintext, as a UDP packet to port 53. Anyone who can see traffic on that path (your ISP, the operator of the Wi-Fi hotspot, anyone between them and the resolver) can read the names you look up, even if the sites themselves use HTTPS, and even when you’re using a VPN, if the query leaks outside the tunnel.
They won’t be able to see what you type into the site, or what you do there, but just knowing which sites you’re going to, and when, is enough to profile you. Remember the big controversy over the NSA collecting cell phone metadata? This is sort of like that. No one can see what you’re doing on those websites, but they can still see which sites you’re going to. And that’s enough to make a lot of people (including us) uncomfortable.
If you’re worried about government surveillance, you definitely don’t want your DNS queries unencrypted.
Beyond security, unencrypted DNS is also a privacy problem. If you’re using your ISP’s DNS server, they know which sites you’re going to. That record can be demanded by authorities in their jurisdiction, or, in the US, sold to advertisers, and either one is a violation of your privacy.
Many people use Google’s DNS servers because they’re very fast. But that’s another potential privacy concern, since Google’s business is built on collecting information about users. They state that they don’t keep permanent records of DNS queries or match queries to personally identifiable information, but what you have there is a privacy policy, not a technical guarantee, and the resolver operator still sees every name you look up in the clear.
These are all reasons why unencrypted DNS queries are bad. It’s time to start encrypting your DNS traffic.
Do VPNs Protect DNS Queries? What About HTTPS?
You’d think that using a VPN would protect all of your DNS queries. In many cases, you’re right. But that’s not always the case. Some VPN clients, in certain situations (the tunnel drops for a moment, IPv6 is enabled while the VPN only handles IPv4, or Windows sends a lookup out of every network interface at once), will send your DNS queries outside the tunnel to whatever resolver the system was already using, which usually means your ISP’s. And you won’t even know it’s happening.
So the answer is “yes . . . most of the time.” The best VPNs out there have DNS leak protection, and it works well. But if you’re using another VPN, or you have this particular feature turned off, you could be exposed to data collection or snooping.
We always recommend VPNs with DNS leak protection, which stops this behavior before it can become a problem.
And if you’re not using a VPN and haven’t set up one of the encrypted DNS options below, your DNS queries are unencrypted, even if you use HTTPS. The secure version of HTTP encrypts everything you send to and receive from the site. So no one can see what you’re doing on the site, the password you used to access it, or which pages you go to. But the unencrypted DNS query that comes before the connection tells a snooper which site you asked for.
HTTPS is a great security feature, and we strongly recommend using it at all times to protect your online privacy. But it still leaves you open to DNS query surveillance, and that’s something a lot of people don’t realize. One more caveat: a standard HTTPS connection also sends the site’s hostname in the clear at the start of the TLS handshake (the SNI field), so encrypting DNS hides your lookups, not the destination of every connection that follows them.
The Best Alternatives to DNSCrypt
DNSCrypt is a protocol that encrypts and authenticates the DNS requests between your computer and a resolver, and it’s long been one of the most popular options. OpenDNS (now part of Cisco) was the first major resolver to deploy it, and a number of other public resolvers support it too. But DNSCrypt.org was taken offline at the end of 2017, as its creator stated that he no longer uses it.
A group called Dyne.org has taken over maintenance of DNSCrypt-Proxy, an interface for using the protocol, but has committed only to patching bugs, and not further developing the technology. The proxy will be available for the foreseeable future, but there’s no telling what the future holds for the app.
You can also still get DNSCrypt directly from Cisco, but it’s not going to do you any good if you’re not using their DNS servers.
While DNSCrypt is certainly one of the more robust options, there are others. Here are four choices you have when you want to encrypt your DNS traffic.
1. Use a VPN with DNS Leak Protection
This is the simplest alternative to DNSCrypt. You should be using a VPN anyway, and all you need to do is make sure that the one you’re using has DNS leak protection.
A VPN that does this properly runs its own DNS servers and routes your queries to them through the tunnel, so both the queries and the answers stay inside the encrypted channel. This is the ideal situation; if your VPN has its own DNS servers, you won’t need to use those provided by your ISP (or another traffic spy, Google) and potentially reveal your browsing habits.
And that provides all the DNS protection you need, as long as the tunnel stays up.
If you’re not sure whether your VPN is protecting your DNS traffic, we recommend using ExpressVPN’s leak test. It will tell you whether any of your DNS queries are reaching a resolver outside the VPN, which is exactly what a snooper would be able to see. If you’re not protected, it’s time to get a new VPN (and make sure to use it all the time).
In fact, you should use a leak test like this one whenever you’re working to secure your DNS traffic, whatever solution you choose. A leak test works by having your browser look up a unique, never-before-seen name under a domain the tester controls, then checking which resolver asked that domain’s name server for it; if the resolver that shows up belongs to your ISP rather than your VPN, you have a leak.
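The mechanism behind a leak test, worked through as an added example (this is not code from the article, nor from ExpressVPN’s tool): the tester hands out a random probe name, the domain’s authoritative name server logs which resolver IPs asked for it, and anything outside the VPN provider’s resolver range is a leak. The log format, the domain leaktest.example, the probe label, and the VPN resolver range 203.0.113.0/24 are all assumptions constructed for the example.

```python
# Added example: the logic of a DNS leak test, run over constructed log lines from a
# test domain's authoritative server. Not from the article or any leak-test vendor.
# Assumed (not on the page): log format, leaktest.example, and the VPN range below.
import ipaddress
import re
import secrets

TEST_DOMAIN = "leaktest.example"
VPN_RESOLVER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed VPN resolver range
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) qname=(?P<qname>\S+)$")


def probe_name(label=None):
    """A unique name that no cache has seen, so only a resolver acting for you fetches it."""
    return f"{label or secrets.token_hex(8)}.{TEST_DOMAIN}"


def resolvers_seen(log_lines, probe):
    """Source IPs (in first-seen order) of resolvers that fetched the probe name."""
    seen = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than guess
        if m.group("qname").rstrip(".").lower() != probe.lower():
            continue  # a different probe or unrelated traffic
        ip = ipaddress.ip_address(m.group("ip"))
        if ip not in seen:
            seen.append(ip)
    return seen


def classify(resolvers, vpn_nets=VPN_RESOLVER_NETS):
    """Split resolver IPs into those inside the VPN's ranges and leaked outsiders."""
    inside = [str(ip) for ip in resolvers if any(ip in n for n in vpn_nets)]
    leaked = [str(ip) for ip in resolvers if not any(ip in n for n in vpn_nets)]
    return inside, leaked


# Constructed log: the VPN's resolver fetched the probe, but so did an ISP resolver
# (198.51.100.9), which is the signature of a leak. The last line is a different probe.
PROBE = probe_name("9f3a1c0de5b74a2c")
SAMPLE_LOG = [
    "2018-03-01T10:00:01Z src=203.0.113.7 qname=9f3a1c0de5b74a2c.leaktest.example.",
    "2018-03-01T10:00:01Z src=198.51.100.9 qname=9f3a1c0de5b74a2c.leaktest.example.",
    "2018-03-01T10:00:01Z src=203.0.113.7 qname=9f3a1c0de5b74a2c.leaktest.example.",
    "2018-03-01T10:00:02Z src=192.0.2.33 qname=0000000000000000.leaktest.example.",
]


def run_leak_test(log_lines=SAMPLE_LOG, probe=PROBE):
    """Verdict for one probe: which resolvers were inside the VPN, which leaked."""
    inside, leaked = classify(resolvers_seen(log_lines, probe))
    return {"vpn_resolvers": inside, "leaked_to": leaked, "leak": bool(leaked)}


if __name__ == "__main__":
    print(run_leak_test())
```

The point of the random label is that caching cannot hide a leak: a name nobody has ever asked for must be fetched from the authoritative server, so every resolver your machine used shows up in that server’s log. A public test page shows you the same result from the browser side.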
2. Use DNS-over-TLS
Transport layer security (TLS) is the cryptographic protocol that protects HTTPS and much else on the internet. DNS-over-TLS (standardized in RFC 7858) sends ordinary DNS messages inside a TLS connection to the resolver, on TCP port 853 instead of plaintext UDP port 53. That means your requests are encrypted on the way to the resolver and safe from your ISP’s snooping. One thing to check when you set it up: the client should run in strict mode, validating the resolver’s certificate against a configured name, because an opportunistic client that accepts any certificate can be impersonated by anyone on the path.
Interestingly, the original creator of DNSCrypt-Proxy now recommends using DNS-over-TLS. This protocol is becoming more popular, but there aren’t too many options yet. Your best bet is probably Tenta, an open-source DNS project.
Their servers support DNS-over-TLS, and they have setup guides for using those servers on numerous systems. If you’re not using a VPN, it’s a good way to add security to your DNS requests. Of course, we always recommend that you use a VPN, as it protects more information than just your DNS queries. But if you can’t use a VPN, Tenta is a good security system to have in place.
You can also use their Android browser, which has a built-in VPN and automatically uses their secure DNS servers. The browser is only offered on the Google Play Store at the moment, but you can sign up for updates so they can let you know when they release the browser for other platforms.
At the moment, Tenta is the best choice for DNS-over-TLS. As more people realize the importance of securing their DNS traffic, and as more development goes into this protocol, we’ll have more options. Active work is taking place in this area, and it’s a good bet that we’ll see useful innovations that bring DNS-over-TLS to the masses in the near future.
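To make concrete both what the on-path observer described earlier actually reads from a plaintext query, and what DNS-over-TLS changes, here is an added example (our own illustration, not code from Tenta, from DNSCrypt-Proxy, or from the original article). It builds a DNS query for www.thebestvpn.com, extracts the looked-up name exactly as a snooper on UDP port 53 would, parses a constructed reply, and shows the RFC 7858 framing plus a strict-mode TLS client. The live lookup at the end is commented out and assumes the public resolver 1.1.1.1 with TLS name one.one.one.one; neither appears on the page. The answer address 192.0.2.1 is a reserved test address, constructed for the sample reply.

```python
# Added example: plaintext DNS on the wire versus the same message over DNS-over-TLS.
# Not from the article or any project it names. Assumed: resolver 1.1.1.1 /
# one.one.one.one for the optional live lookup; 192.0.2.1 in the constructed reply.
import socket
import ssl
import struct
from typing import List, Tuple


def encode_name(name: str) -> bytes:
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers; return (name, end)."""
    labels: List[str] = []
    end, jumped = offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard recursive query (RD=1), one question; qtype 1 = A, class 1 = IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def snoop_qname(datagram: bytes) -> str:
    """Everything a passive observer needs from one plaintext UDP/53 packet."""
    if struct.unpack("!H", datagram[4:6])[0] < 1:
        raise ValueError("no question section")
    return decode_name(datagram, 12)[0]


def parse_a_records(msg: bytes) -> List[str]:
    """IPv4 addresses from the answer section of a response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("resolver returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + qtype + qclass
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def frame_tcp(msg: bytes) -> bytes:
    """DoT carries unchanged DNS messages, each prefixed with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def read_framed(sock) -> bytes:
    """Read one length-prefixed message from a TCP/TLS socket."""
    def exact(n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("resolver closed the connection")
            buf += chunk
        return buf
    return exact(struct.unpack("!H", exact(2))[0])


def query_over_tls(server_ip: str, tls_name: str, name: str) -> List[str]:
    """Strict-mode DoT: chain validated and the name must match (RFC 8310 'strict')."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            return parse_a_records(read_framed(tls))


def build_sample_response(txid: int = 0x1234) -> bytes:
    """Constructed reply: www.thebestvpn.com A 192.0.2.1, answer name compressed."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, NOERROR
    question = encode_name("www.thebestvpn.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


if __name__ == "__main__":
    wire = build_query("www.thebestvpn.com")
    print("plaintext UDP/53 query; an observer learns:", snoop_qname(wire))
    print("same message framed for DoT:", frame_tcp(wire).hex())
    print("constructed reply parses to:", parse_a_records(build_sample_response()))
    # Live lookup over TLS (needs network; assumed resolver, not from the page):
    # print(query_over_tls("1.1.1.1", "one.one.one.one", "www.thebestvpn.com"))
```

Note that the message inside the TLS connection is byte-for-byte the same one that would have gone out in the clear; what DoT adds is the encrypted transport and, in strict mode, the check that you are talking to the resolver you configured. `ssl.create_default_context()` gives you that check; a client that disables hostname verification is the opportunistic mode warned about above.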
3. Use DNSCurve
While not as widely supported as DNSCrypt, DNSCurve is the protocol that DNSCrypt grew out of, and it protects DNS packets with elliptic curve cryptography (Curve25519), which gives strong security with far shorter keys than the RSA used in many older protocols.
DNSCurve is the older of the two, and it was designed to protect the hop between a recursive resolver and the authoritative servers it asks, not the hop from your computer to the resolver. OpenDNS deployed it on that resolver-to-authoritative hop, then created DNSCrypt to cover the client side, which is the hop your ISP can see. It’s hard to tell how many servers still support DNSCurve, and the documentation that exists is not especially user-friendly.
If you want to try it, you need a DNSCurve-capable forwarder running on your own machine that talks to a DNSCurve-capable resolver, and you should run a leak test afterward, because without that forwarder the query leaving your network is still plaintext.
It’s not clear that this is a practical option for most people, but it’s one of the few alternatives to DNSCrypt that uses the same cryptographic approach. You’ll need more technical skill and understanding than the previous options require, but if you’re willing to put in the time and you want to support a system that uses very strong cryptography, DNSCurve is worth looking into.
4. Stick with DNSCrypt-Proxy 2
This isn’t really an alternative, but it’s an important option to mention. The future of the DNSCrypt website is unclear, but you can still download clients that use the specification. DNSCrypt-Proxy is one of the best options available, and the second version is actively maintained; it can also talk DNS-over-HTTPS to resolvers that support it, so you aren’t locked into one protocol.
DNSCrypt can still protect your DNS traffic, but after DNSCrypt.org went down, it cast a bit of doubt on the future of the project.
Still, if you use DNSCrypt-Proxy 2 and you pass a DNS leak test, you know that your DNS queries are protected. But we’d recommend that you test regularly, in case anything changes.
The Simplest Way to Encrypt Your DNS Queries
As you can see above, using a VPN with its own DNS servers and DNS leak protection is definitely the best way to protect your DNS traffic from spying. There certainly are other solutions, but many of them are quite technical. If you have the technical literacy to implement these or other cryptographic methods, we encourage you to do so!
If you’d like to find out more about DNS privacy and what people are doing to improve it, DNSprivacy.org is a great resource. There’s lots of technical information there about the problems, potential solutions, and ongoing work in DNS privacy. You can even get involved with development and testing if you’re so inclined.
But for most people, the best way to further increase your privacy is to use a solid VPN. When we review VPNs, we look for proper DNS leak protection. If a particular VPN doesn’t have it, we’ll let you know. Our top recommendations, however, will always encrypt your DNS traffic.
And remember that you should always run a leak test with your VPN. There are lots of useful DNS leak test tools (we like ExpressVPN’s tool because it’s very easy to use), and they’ll all let you know if your DNS queries are protected. If they’re not, it’s time to tweak your settings or get a new VPN.
No matter what you decide to do, if you’re concerned about your security and privacy, you need to make sure your DNS queries are safe! It’s an easy thing to forget, but it’s also an insidious backdoor into your browsing habits.