DNS Privacy Explained

Networking Feb 29, 2020


References:

https://dnsprivacy.org/wiki/display/DP
https://github.com/DNSCrypt/dnscrypt-proxy
https://developers.google.com/speed/public-dns/docs/secure-transports

DNS explained

Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP. In Microsoft Windows Server 2003, DNS is implemented using two software components: the DNS server and the DNS client (or resolver). Both components are run as background service applications.

Network resources are identified by numeric IP addresses, but these IP addresses are difficult for network users to remember. The DNS database contains records that map user-friendly alphanumeric names for network resources to the IP address used by those resources for communication. In this way, DNS acts as a mnemonic device, making network resources easier to remember for network users.

The Windows Server 2003 DNS Server and Client services use the DNS protocol that is included in the TCP/IP protocol suite. DNS is part of the application layer of the TCP/IP reference model.

DNS in TCP/IP

Further reading from: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772774(v=ws.10)

Secure transports for DNS

(quote from Google)

Traditional DNS queries and replies are sent over UDP or TCP without encryption, making them subject to surveillance, spoofing, and DNS-based Internet filtering. Responses to clients from public resolvers like Google Public DNS are especially vulnerable to this, as messages may pass through many networks, while messages between recursive resolvers and authoritative name servers often incorporate additional protections.

To address these issues, in 2016 we launched DNS over HTTPS (now called DoH) offering encrypted DNSSEC-validating DNS resolution over HTTPS and QUIC. And in 2019, we added support for the DNS over TLS (DoT) standard used by the Android Private DNS feature.
DoH and DoT enhance privacy and security between clients and resolvers, complementing Google Public DNS validation of DNSSEC to provide end-to-end authenticated DNS for DNSSEC-signed domains. With Google Public DNS, we’re committed to providing fast, private, and secure DNS resolution for both DoH and DoT clients.

Joshua Tu

ExcellentOps Advisory founder, ICT solution designer, CBAP certified business analyst, TOGAF certified enterprise architect.