Is Your DNS Data Being Hijacked?
Whether you’ve actually heard of the Domain Name System (DNS) or not, let’s make something crystal clear: you use it every day… a lot!
The DNS is the Internet’s directory, the system that actually connects you to the websites you want to visit (and no, that doesn’t happen by magic). It’s is made up of different servers which store the world’s IP addresses (websites), which allows it to connect your browser to the site you’re wanting to visit.
There are two main types of servers within the DNS:
- Authoritative – used for hosting records and DNS zone file management
- Recursive/resolver – simply used as a directory
It’s this second type that you use every day, and the ones we’re talking about when we mention the DNS in this blog.
The DNS was built as a directory to handle lots of website requests across the world. It wasn’t built for security, which is why it’s now easy to exploit. For example, your data can be (and probably is) harvested and sold by your own Internet Service Provider (ISP). The system can also leave you exposed to cyber threats such as man-in-the-middle-attacks.
But how? And how can you stop it?
Let’s Start with Some DNS Basics
When you want to visit a website, you type in a domain name (like www.namecheap.com). The DNS translates the domain names (words) into the corresponding IP addresses, codes, and records (numbers) that computers use. Why? Because we can’t remember all those numbers, and computers don’t understand words. But the DNS also has to find the right IP address too.
When we type in a domain name and press enter, we’re sending what’s called a ‘query’ out into the DNS to look for the right IP address (i.e. the website we’re looking for). The query needs to find the right DNS server (where the IP addresses are stored). But not all servers are the same, and they don’t all hold the same information. This can often mean the query has to pass through a whole bunch of different DNS servers in order to find the right IP.
If you want to find an obscure jewelry website in south Peru, your query will probably pass through a few DNS servers en route. Each will direct your query closer and closer until it finds the right IP address. The server that hosts the website will then answer your query by connecting you to the website—resolving your query. Of course, all this takes just milliseconds.
So What’s Being Hijacked?
The danger comes from the fact that your ‘queries’ travel around the DNS unencrypted. It may not seem like a big deal, but these queries can reveal quite a lot about you—not just the websites you visit, but also important metadata around things like chat services or the domains of email contacts.
Right now, ISPs around the world are harvesting and selling this data to third-party advertisers. It’s then easy to form a digital profile of you, your interests, and lots more. They’re basically tracking and eavesdropping on your Internet browsing.
How can they do this? Your ISP pretty much decides which DNS servers you use by default. It doesn’t stop at advertising, either. In more extreme cases, ISPs and governments have used query information to track and censor entire populations. It’s serious stuff.
The DNS Is More Open to Cybercrime Too
As the ‘queries’ searching around the DNS aren’t encrypted, they are also open to attack from cybercriminals. One of the most popular (and dangerous) threat is a man-in-the-middle attack. Within the DNS the attackers can track and redirect your queries to fraudulent IP addresses. Back in the real world, this means you land on a site that looks exactly like the one you wanted to visit, only it’s a fake that’s been designed to defraud you.
But I Have DNSSEC So I’m Safe, Right?
DNSSEC is certainly a great feature to have and should stop you landing on spoof websites. But’s only available on authoritative nameservers (the ones where people add different host records and so on). We’re talking about recursive/resolver servers.
The DNSSEC feature also only validates the identity of DNS servers within the DNS. That means it checks you’ve found the right website with a cryptographic signature, but it can’t protect your query on its journey to the server/website. And it’s on that journey when most of the data is being harvested and exploited. Because your queries and responses are still sent in clear text on the wire, that means they’re not secured by encryption.
The Simple Answer? DNS over TLS…
DNS over TLS (DoT) encrypts the entire DNS level of your computer or device with Transport Layer Security (TLS). Put simply, TLS is like giving each of your queries (and the answers/resolutions) an invisibility cloak so no one can see or track which websites you’re visiting.
The best thing is, this kind of DNS service (often called Public DNS) is now readily available from many third-party providers across the world. It’s still important, however, to make sure the provider you choose really is looking after your data. Many may claim to offer private resolver DNS services but are still harvesting your information to make a profit. Others will charge you for using their services. Some might even do both.
Welcome to SafeServe
If you’re looking for a fast and free public DNS, Namecheap’s very own (and freshly launched) SafeServe DNS is now available. The best news is that you don’t even have to register to use it. It’s completely free and ready to encrypt the entire DNS level of your computer, or whatever device you want to use. It’s fully compatible with:
- And general routers too
You just need to switch a few network settings over, which is surprisingly easy with our simple step-by-step guides.
I know what you’re thinking… “Where’s the catch?”
Well, there really isn’t one. Namecheap has long been on a mission to support the rights of individuals and consumers online. We want to keep the Internet open, free, and safe for everyone. No hidden costs. No hidden agendas. That’s why you can have this service on us, and rest assured that we will never, ever, ever, sell your data to anyone.