DNS traffic. DNSCrypt – DNS traffic encryption for the paranoid


Since the myth of anonymity on the Internet was dispelled, user privacy has joined the list of the most pressing issues. Your online activity can be tracked not only by search engines and the websites you visit, but also by your own Internet service provider. Technically this is not difficult: if your DNS server is assigned by the provider, which is the most common case, everything that passes through DNS can be observed by it, especially since DNS requests are sent over an unencrypted connection.

Clearly, substituting the intercepted packets would not be difficult either, even if you use a VPN service.

The only way to close this hole is to encrypt DNS traffic, but for that you need special software, since no operating system supports DNS encryption out of the box. The simplest tool for encrypting DNS traffic is Simple DNSCrypt, a small free utility whose advantage is that it requires no additional configuration, so even beginners can use it. There is also a console tool, DNSCrypt Proxy, but it takes some tinkering: you have to run a series of commands in PowerShell, change the DNS address manually, and so on. Anyone with the time and inclination can read about it at github.com/jedisct1/dnscrypt-proxy.

We suggest the simpler and more convenient desktop version. From the developer's website, simplednscrypt.org, download the build that matches your OS bitness (32- or 64-bit) and install it.

The program has a simple, intuitive interface, and it is available in Russian, so it is easy to figure out. The basic settings are in the "Menu" section. To start using the program, click "Apply" right after installation, then select your network card below; it should be ticked as shown in the screenshot. The "DNSCrypt Service" switch must be enabled.

It is easy to check that everything works. Run ncpa.cpl from the Run dialog, open the properties of your connection, select "Internet Protocol Version 4 (TCP/IPv4)" from the list and open its properties. The "Use the following DNS server addresses" radio button must be selected, and the preferred DNS server field must contain the proxy address. In our case it is 127.0.0.1; yours may differ.

By default the program automatically selects the fastest server, but you can change this preference by choosing a server yourself in the corresponding section.

The parameters in that section do not need to be changed unless you are using the IPv4 protocol. In the general settings you can enable the additional "Domain blacklist" and "Domain blocking log" tabs, but again, only if you intend to use the functions they offer, in particular composing domain blacklists.

The program inspects DNS responses from servers (this is sufficient, since each response carries the question inside it), and if the domain name matches a regular expression, it prints the address from the A record, that is, the result of the resolution.

With this utility you can collect almost complete statistics: which domain name resolved to which IP address, and when. A knowledgeable user can of course hide this information (by putting the host in the hosts file, or by using another channel for DNS queries, for example), but for the majority of hosts we get a satisfactory picture.

How it works:

$ sudo ./sidmat eth0 "." iu
We see domain names and what they resolve to (eth0 is the interface that the DNS traffic passes through).

$ sudo ./sidmat eth0 "." iu | while IFS= read -r line; do printf "%s\t%s\n" "$(date "+%Y-%m-%d %H:%M:%S")" "$line"; done
We add the time. All that remains is to redirect the output to a file, and the correspondence table is ready. The utility can capture DNS responses with pcap (on Linux/BSD) or via the nflog mechanism on Linux.

The same technique can be used for traffic control: filtering by domain, obtaining the addresses of domains by keywords in their names, and so on.

Keep in mind that such control may not be very precise. If, by the time the DNS response reaches the user and they start sending traffic to that host, we have not yet managed to add the address to an ipset, an iptables rule, the routing table or wherever else, that traffic will go the "normal" way.

In addition, a skilled user can generate false DNS responses, so it is better to be careful about using this for punitive measures.

A few examples:

How to get the list of IP addresses that vk.com and its subdomains resolve to? (Without the "u" option only unique IP addresses are printed.)

$ sudo ./sidmat eth0 "^vk\.com$|\.vk\.com$" d
With the "d" or "i" option you can also see which domain resolved to the IP address; "d" prints the domain name to stderr.

How to block the addresses that vk.com, its subdomains and all domains containing the word odnoklassniki resolve to? (Domains like avk.com will not match the rule; odnoklassnikii.com will.)

$ sudo sh -c './sidmat eth0 "^vk\.com$|\.vk\.com$|odnoklassniki" | /usr/bin/xargs -I {} /sbin/iptables -A INPUT -s {} -j DROP'
Besides short regular expressions you can use a list from a file (option "f": the second argument is then interpreted as a file name and its contents as one large regular expression). The lists can be quite large; we tested performance on the RKN (Roskomnadzor) domain list, with traffic to the prohibited domains redirected to a VPN, and an ordinary PC acting as a router handled it calmly.
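To make concrete what the utility does with each packet, here is an added Python example (my own illustration, not sidmat's code) that parses DNS responses from the wire format, matches the question name against the same regular expression used in the vk.com examples above, and reports the A-record addresses; by default each IP is reported once, like sidmat without the "u" option. The packets are hand-built inline with RFC 5737 test addresses, and the names vk.com, www.vk.com and avk.com are the page's own examples.

```python
import re
import socket
import struct

# --- constructed sample packets (built here, not captured from a real resolver) ---

def _encode_name(name):
    """Encode a dotted name in DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_response(qname, ips, txid=0x1234):
    """Build a minimal DNS response: one A question, one A answer per IP."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + question + answers

SAMPLE_RESPONSES = [
    build_response("www.vk.com", ["192.0.2.10", "192.0.2.11"]),
    build_response("avk.com", ["198.51.100.5"]),
    build_response("vk.com", ["192.0.2.10"]),
]

# --- parser: the work a sidmat-style sniffer does on every response ---

def _read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length

def parse_response(pkt):
    """Return (question name, [A-record IPs]) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off, qname = 12, None
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        off += 4                                       # skip QTYPE and QCLASS
        qname = qname or name
    ips = []
    for _ in range(an):
        _name, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            ips.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return qname, ips

def match_responses(responses, pattern, unique=True):
    """sidmat-style filter: (name, ip) pairs whose question name matches pattern.
    unique=True reports each IP once, like sidmat without the "u" option."""
    regex = re.compile(pattern)
    seen, out = set(), []
    for pkt in responses:
        qname, ips = parse_response(pkt)
        if not regex.search(qname):
            continue
        for ip in ips:
            if unique and ip in seen:
                continue
            seen.add(ip)
            out.append((qname, ip))
    return out

if __name__ == "__main__":
    for name, ip in match_responses(SAMPLE_RESPONSES, r"^vk\.com$|\.vk\.com$"):
        print(f"{name}\t{ip}")
```

The escaped dots in the pattern matter: with `^vk.com$` a response for `vkxcom` would also match. A real sniffer feeds `parse_response` with the UDP payload of port-53 packets captured via pcap, which is exactly the mode the text describes for Linux/BSD.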


In this article we will talk about DNS traffic leaks, which affect everyone, even those who use VPN services and believe they are safe behind a stone wall.

Hello, friends! Today I will tell you what a DNS leak is, why you should know about it, and how to protect yourself from it using the free DNSCrypt utility.

  • Preface
  • What does DNS leak mean?
  • How to check for DNS leak
  • How to fix DNS leak using DNSCrypt
    • Downloading DNSCrypt
    • Installing DNSCrypt
    • Using DNSCrypt
  • DNSCrypt in Yandex browser
  • DNSCrypt in the router
  • Conclusion

What does a DNS leak mean?

When you use HTTPS (SSL/TLS), your HTTP traffic is encrypted and therefore protected (not perfectly, but protected). When you use a VPN, all your traffic is encrypted (the level and quality of protection depend, of course, on the VPN being configured correctly, but usually it is).

But there are situations in which, even with a VPN, your DNS requests are transmitted in the clear. This gives an attacker plenty of room for creativity: they can redirect your traffic, mount a MITM (man-in-the-middle) attack, and do many other things that compromise your security and anonymity online.

Let's look at the issue in more depth. If you are not interested in the theory and only care about safety, skip straight to the next chapter. If you want to know more, sit back: I am about to blow your mind.

In the example in the figure below, a user (computer) is trying to reach the site www.. To get to the site it must first resolve the symbolic host name to an IP address.

If the network is configured to use the provider's DNS server (the unencrypted connection, marked with a red line), then the resolution of the symbolic name to an IP address happens over an unencrypted connection.

What's so scary about that?

Firstly, in this situation the provider can view your DNS history and find out which sites you visited. It will not know what data was transmitted, of course, but it can easily see the site addresses.

Secondly, there is a high chance of becoming the victim of attacks such as DNS cache snooping and DNS spoofing.

What is DNS snooping and spoofing?

Briefly for those who don't know.

DNS snooping: in this attack, an attacker can remotely find out which domains were recently resolved by a DNS server, that is, which domains the victim recently visited.

DNS spoofing: an attack based on poisoning the cache of the victim's DNS server with a false entry mapping the name of a host that the victim trusts.

Since the requests are not encrypted, someone between you and the ISP can intercept and read the DNS request and then send you a fake response. You end up on an attacker's site that imitates the real one (not only the pages but also the URL in the address bar), enter your username and password, and you can guess what happens next: the credentials are in the attacker's hands.

This situation is called a DNS leak. It occurs when your name resolution continues to query your ISP's DNS server even after you connect to a VPN server or the Tor network. Every time you open a website, connect to a new server or launch a network application, your system contacts the ISP's DNS servers to resolve the name to an IP address. In the end, a hacker or your ISP can learn the names of all the hosts you access.

If you have something to hide, I suggest a simple solution: DNSCrypt. You could of course configure other DNS servers and send your queries through them, for example Google's 8.8.8.8 or OpenDNS's 208.67.222.222 and 208.67.220.220. That would hide your browsing history from your provider, but it tells Google about your online travels instead. Besides, the DNS traffic is still not encrypted, which is a big drawback. I don't know about you, but that does not excite me; I would rather install DNSCrypt.

How to check for DNS leak

Before we move on to the utility itself, I would like to introduce you to special online services that let you check for DNS leaks.

The program requires Microsoft .NET Framework 2.0 or higher.

You can download DNSCrypt for Mac OS X from GitHub using this link, or from the file-sharing link above.

Developer: OpenDNS.

Installing DNSCrypt

In this article we will look at working with the console version of the utility. We will configure DNSCrypt on Windows 10; installation on other versions of Windows is no different.

So, unpack the downloaded archive and put the contents of the dnscrypt-proxy-win32 folder anywhere on the computer. In my example I placed it in "C:\Program Files\DNSCrypt\".

Then open a command prompt as administrator.


Run Command Prompt as Administrator in Windows 10

Now in command line go to the DNSCrypt folder. You can do this using the command:

cd "C:\Program Files\DNSCrypt"


Now let's prepare to install the proxy service. First you need to choose a DNS provider. The archive includes the dnscrypt-resolvers.csv file, which lists most of the DNS providers that DNSCrypt supports. Each provider has a name, description, location, and flags for DNSSEC and Namecoin support, and the file also contains the required IP addresses and public keys.

Select a provider and copy the value in its first column. In my case I use CloudNS, so I copied "cloudns-can". Now make sure the proxy can connect to it with this command:

dnscrypt-proxy.exe -R "cloudns-can" --test=0

If it doesn't work, try choosing a different provider and try again.

If everything went well, continue with the installation and enter the following command:

dnscrypt-proxy.exe -R cloudns-can --install

If everything works correctly, you will see output confirming the installation; the screenshot shows what it should look like at the command line:

Then go to the Windows TCP/IP protocol settings and change the DNS server to 127.0.0.1.

To remove the DNSCrypt service you must first return the DNS settings to their initial state. The service is removed with this command:

dnscrypt-proxy --uninstall

The same command is used to change the DNS provider: after running it, repeat the installation with the parameters of the other provider.

If, after this whole procedure, the check still shows your ISP's DNS IP address, click the "Advanced..." button below the 127.0.0.1 entry, go to the "DNS" tab of the "Advanced TCP/IP Settings" window, and delete all DNS server addresses except "127.0.0.1".

That's it, the DNS leak is now fixed.
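One way to verify that last step (every adapter must list only 127.0.0.1) is to read the text of `ipconfig /all` and report adapters that still carry a foreign resolver. The Python below is an added example, not from this article or from the DNSCrypt project; the sample output is constructed here with RFC 5737 addresses, and on a non-English Windows the "adapter" and "DNS Servers" strings are localized, so the patterns would need adjusting.

```python
import re
import sys

# Constructed sample of `ipconfig /all` output (not captured from a real machine):
# one adapter correctly pointed at the local DNSCrypt proxy, one still listing
# an ISP resolver after 127.0.0.1, which is the leak the text describes.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.0.2.20
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : example.net
   IPv4 Address. . . . . . . . . . . : 192.0.2.21
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

LOCAL_PROXY = "127.0.0.1"

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")      # "Ethernet adapter Ethernet:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")          # "   Key . . . : value"
CONT_RE = re.compile(r"^\s{20,}(\S+)\s*$")                # extra values on deeply indented lines

def parse_dns_servers(text):
    """Map adapter name -> list of DNS servers from ipconfig /all output."""
    result, current, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current, in_dns = m.group(1), False
            result[current] = []
            continue
        if current is None:
            continue
        m = CONT_RE.match(line)          # checked first: continuation lines have no key
        if m:
            if in_dns:
                result[current].append(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_dns = key.startswith("DNS Servers")
            if in_dns and value:
                result[current].append(value)
    return result

def find_leaking_adapters(text, proxy=LOCAL_PROXY):
    """Return {adapter: [foreign servers]} for adapters listing anything but the proxy."""
    leaks = {}
    for adapter, servers in parse_dns_servers(text).items():
        foreign = [s for s in servers if s != proxy]
        if foreign:
            leaks[adapter] = foreign
    return leaks

if __name__ == "__main__":
    # Usage on Windows: ipconfig /all | python check_dns.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCONFIG
    leaks = find_leaking_adapters(text)
    for adapter, servers in leaks.items():
        print(f"{adapter}: still using {', '.join(servers)}")
    if not leaks:
        print("all adapters use only", LOCAL_PROXY)
```

Any adapter the script names is one where the "Advanced TCP/IP Settings" cleanup above was skipped: Windows may fall back to the second server whenever the proxy is slow to answer, so a single leftover ISP address is enough to leak queries.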

You may also be interested in the article "", which talked about deleting DNS records on a computer.

DNSCrypt in Yandex Browser

Recently the Yandex browser added DNSCrypt support. Well, the guys at Yandex are working on protecting users, and that is great, but unlike the DNSCrypt utility, Yandex's protection works only at the browser level, not for the whole system.

DNSCrypt in the router

DNSCrypt support is also available in the popular OpenWrt firmware. More about installation and other details can be found on this page.

Conclusion

Of course, the DNSCrypt utility and DNS encryption in general are not a panacea; in information security there is no such thing. We can only improve our security and anonymity as far as possible, but it is impossible to make our online presence 100% invulnerable. Technology does not stand still and there will always be loopholes. So I invite you to subscribe to our news on social networks to stay up to date. It's free.

That's all friends. I hope this article helped you solve your DNS leak problem. Good luck to you in the new 2017, be happy!


Using nstx it is possible to create an IP tunnel inside DNS. The protocol of the same name that makes this possible is called NSTX and stands for "NameServer Transfer Protocol".

So, suppose the provider issues a DNS server and lets you use it. Consider a regular DNS request: we ask the provider's name server, the provider's server passes the request on to the name server responsible for the zone we need, and the last DNS server in the chain sends the response back along the same route.

Now imagine that you can pack IP packets into DNS queries to a name server and "shape" the incoming traffic back into the packets we need. We then have everything needed to build a full "IP over DNS": our own hidden tunnel for carrying traffic through almost any third-party firewall!

All that remains is to configure the fake name server and the client, but in practice this is not always so easy.

The maximum message size that can be sent over UDP is 512 bytes. Therefore we need an assembler/disassembler mechanism that splits packets into fragments, reassembles them and checks them for correctness. In this scheme our fake DNS client can contact our fake DNS server at any time, but our DNS server can only respond. The client is therefore responsible for polling and maintaining two-way communication.

The first time I tried to do this was in 2008. For two weeks I slowly worked through this package, adjusted the source code to suit myself, re-read the manuals, and as a result got a working tunnel built through the ultra-secure firewall of our corporate network. At the time it was simply incredible to me!

In general, with a bit of desire and time, you can set up a fake name server and client yourself to create an "IP-over-DNS" tunnel.

Play with it, try it, and look for ways to protect yourself from it. I warn you in advance that there are a lot of technical nuances here.
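Since the text invites you to look for ways to protect yourself, here is the defensive side as an added Python example (my own illustration, not part of nstx or of the article): a heuristic scorer for resolver query logs that flags a (client, zone) pair when the names look like encoded payload fragments rather than hostnames, which is what the fragmented, 512-byte-bounded tunnel described above has to produce. The query log is constructed inline under the reserved .test TLD, and the thresholds are assumptions to tune against your own traffic.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character: encoded payload scores high, ordinary hostnames low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())

def split_zone(qname, zone_labels=2):
    """Split 'a.b.tunnel.test' into ('tunnel.test', 'a.b'). Taking the last two
    labels as the zone is an assumption; public-suffix handling is out of scope."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])

def query_score(qname, qtype):
    """Per-query score 0..4: long payload, long label, high entropy, carrier qtype."""
    zone, payload = split_zone(qname)
    stripped = payload.replace(".", "")
    longest = max((len(label) for label in payload.split(".")), default=0)
    score = int(len(stripped) >= 40)
    score += int(longest >= 30)
    score += int(shannon_entropy(stripped) >= 3.5)
    score += int(qtype in ("TXT", "NULL", "CNAME"))   # record types that carry bulk data
    return zone, score

def flag_tunnel_zones(queries, min_queries=20, min_avg_score=2.5, min_unique_ratio=0.9):
    """Aggregate per (client, zone); flag pairs with many, mostly unique, high-scoring names.
    A tunnel must keep polling (the client drives both directions), so volume and
    never-repeating names are as telling as any single query."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "score": 0})
    for client, qname, qtype in queries:
        zone, score = query_score(qname, qtype)
        s = stats[(client, zone)]
        s["n"] += 1
        s["names"].add(qname.lower())
        s["score"] += score
    flagged = []
    for (client, zone), s in stats.items():
        avg = s["score"] / s["n"]
        unique_ratio = len(s["names"]) / s["n"]
        if s["n"] >= min_queries and avg >= min_avg_score and unique_ratio >= min_unique_ratio:
            flagged.append((client, zone, s["n"], round(avg, 2)))
    return sorted(flagged)

# --- constructed query log: (client, qname, qtype); none of this is real traffic ---

def _tunnel_name(i):
    """Stand-in for an encoded packet fragment: base32 of a hash, split into labels."""
    blob = hashlib.sha256(f"fragment-{i}".encode()).digest()
    b32 = base64.b32encode(blob).decode().rstrip("=").lower()   # 52 characters
    return f"{b32[:30]}.{b32[30:]}.t.tunnel.test"

SAMPLE_QUERIES = (
    [("192.0.2.50", "www.example.com", "A")] * 15
    + [("192.0.2.50", "mail.example.org", "MX"), ("192.0.2.50", "cdn-static.example.net", "A")] * 5
    + [("192.0.2.50", _tunnel_name(i), "TXT") for i in range(40)]
)

if __name__ == "__main__":
    for client, zone, n, avg in flag_tunnel_zones(SAMPLE_QUERIES):
        print(f"{client}\t{zone}\tqueries={n}\tavg_score={avg}")
```

Treat a flag as a triage signal, not a verdict: CDN hostnames, anti-malware signature lookups and DKIM or SPF records also produce long, high-entropy labels, so review the flagged zone before blocking it at the resolver.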

You think your anonymity is reliably protected. Unfortunately, that is not the case: there is one very important channel through which your private information leaks, the DNS service. Fortunately, a solution has been invented for this too. Today I will tell you how to encrypt your DNS traffic using the DNSCrypt utility.

When you use HTTPS (SSL/TLS), your HTTP traffic is encrypted, that is, protected. When you use a VPN, all your traffic is encrypted (it depends on the VPN settings, of course, but as a rule this is the case). But sometimes, even with a VPN, your DNS queries are not encrypted and are sent as is, which leaves a lot of room for creativity, including MITM attacks, traffic redirection and much more.

This is where the open source DNSCrypt utility, developed by the well-known creators of OpenDNS, comes to the rescue: a program that encrypts DNS queries. After installing it on your computer, your DNS connections are protected too and you can surf the Internet more safely. Of course, DNSCrypt is not a panacea for all problems, only one of the security tools. You still need a VPN connection to encrypt all your traffic, but pairing it with DNSCrypt is more secure. If this brief explanation satisfies you, skip straight to the section where I describe installing and using the program.

Let's dig deeper. This section is for the truly paranoid; if you value your time, go straight to installing the program. As they say, seeing once is better than hearing a hundred times, so look at the picture.

Let's say a client (the laptop in the picture) is trying to reach google.com. First of all it must resolve the symbolic host name to an IP address. If the network configuration uses the provider's DNS server (the unencrypted connection, the red line in the figure), then the resolution of the symbolic name to the IP address happens over an unencrypted connection.

Yes, nobody will learn what data you send to dkws.org.ua. But there are some very unpleasant aspects. Firstly, by looking at the DNS logs, the provider can find out which sites you visited. Do you want that? Secondly, DNS spoofing and DNS snooping attacks become possible. I will not describe them in detail; many articles have been written about them. In a nutshell, the situation could be as follows: someone between you and the provider intercepts the DNS request (since requests are not encrypted, intercepting and reading one is not hard) and sends you a "fake" response. As a result, instead of google.com you end up on the attacker's site, which looks exactly like the one you wanted, you enter your forum password, and how things develop from there is, I think, clear.

This situation is called a DNS leak. It occurs when your system continues to query the ISP's DNS servers to resolve domain names even after connecting to a VPN server or Tor. Every time you visit a new website, connect to a new server or launch a network application, your system contacts the ISP's DNS to resolve the name to an IP. As a result, your provider, or anyone on the "last mile" between you and the provider, can obtain the names of all the hosts you access. The IP substitution scenario above is rather harsh, but in any case it is possible to track the hosts you visited and use that information for one's own purposes.

If you are "afraid" of your provider or simply do not want it to see which sites you visit, you can (in addition to a VPN and other security measures, of course) configure your computer to use the DNS servers of the OpenDNS project (www.opendns.com). At the moment these are the following servers:

208.67.222.222
208.67.220.220

No additional software is needed; just configure your system to use these DNS servers.

But the problem of DNS interception remains. Yes, you no longer query the provider's DNS but OpenDNS, yet the packets can still be intercepted and read, so anyone who wishes can find out which hosts you accessed.

This brings us to DNSCrypt, a program that encrypts your DNS connection. Now your ISP (and everyone between you and it) will not know exactly which sites you visit. Let me repeat: this program is not a replacement for Tor or a VPN. All your other data is still transmitted unencrypted if you use neither a VPN nor Tor. The program encrypts only DNS traffic.


AS A CONCLUSION

The article was not very long, since the program itself is very easy to use. But it would not be complete without mentioning VPN. If you have read this far and found it interesting, but have not yet used a VPN provider to encrypt your data, now is the time. The VPN provider gives you a secure tunnel for your data, and DNSCrypt secures your DNS connections. VPN services are paid, of course, but security is worth paying for, right?

You can of course use Tor, but Tor is relatively slow and, whatever one may say, it is not a VPN: it is not possible to "torify" all traffic. In any case, whichever option you choose, your DNS connections are now secure. All that remains is to decide on a means of encrypting the rest of your traffic (if you have not already).