You might have heard that very recently Google has launched their DNS over TLS which is based on their Google Public DNS service the most commonly used DNS recursive resolver worldwide.
In a statement Google published the following article
Google Public DNS is the world’s largest public Domain Name Service (DNS) recursive resolver, allowing anyone to convert Internet domain names like www.example.com into Internet addresses needed by an email application or web browser. Just as your search queries can expose sensitive information, the domains you lookup via DNS can also be sensitive. Starting today, users can secure queries between their devices and Google Public DNS with DNS-over-TLS, preserving their privacy and integrity.
(DOH) Support for Google Chrome
Although the service is now available however, you still can’t use it on your Windows 10 OS since Microsoft didn’t add the support yet. Linux OS like Ubuntu supports DOT.
Alternative Browsers with DOH support
Firefox’s Nightly browser which is dedicated to power users or developers already have the support for DNS over HTTPS (DOH) and upon testing it I could clearly see no indication of any plain text in my wireshark traffic for the websites that I have visited.
I used Godaddy.com as an example to see if whether Wireshark would show the requested website in the DNS filtered traffic. Using Firefox Nightly, didn’t show any DNS result in Wireshark.
Checking result with Chrome
visiting Godaddy.com on Chrome gave a different result. Here everything is clear text. Although I am using Simple DNScrypt app but still exposes the DNS traffic.
Even if I changed the DNS settings on my NIC to 126.96.36.199 (cloudflare’s DOT) it would still show the result on Wireshark.
On November 3rd 2018, Chromium released the following article stating:
Add DoH UI setting. This CL adds a UI setting allowing users to enable DNS over HTTPS (DoH). Users may select a DoH server from a dropdown menu of preapproved options or enter a DoH server of their choosing. Bug: 878582 Test: out/Default/chrome –enable-features=”SecureDnsSetting” Cq-Include-Trybots: luci.chromium.try:linux_mojo Change-Id: I1138c3b8e77aea10a0d4e8a542b889a285a1a492
How to secure your Windows 10 ?
Lots of tools out there that support Dns over TLS, one of them is dns simple DNSCrypt which uses the protocol dnscrypt. The application can be used temporarily or as a service.
I have installed the tool on my Windows 10 as a service and ran a test to see if resolving Google or any other domain would come as clear text but result was negative.
The app uses various range of DNS recursive resolver services like Google, Cloudflare, Freesta… etc
To Encrypt your DNS traffic, use Simple DNSCrypt