If you are not familiar with what DNS is, it basically the postal system of the internet.
Everything on the internet or local network consists of IP addresses – this is hard for people to relate to, and therefore we have DNS.
DNS translates the name-based addresses we use, that are easier to remember, to IP addresses – and vice versa – making sure you land on the wanted destination.
When you write an address like google.com in your web browser, the question goes to your DNS server (in most cases the one automatically configured from your internet provider), the DNS server looks up the destination IP for this address and sends you there – the short version.
Now, you may be thinking, why do you need to change this to something else?
There may be more than one reason for this, and for most people, they don’t care – because at long as it works everything is ok.
But times are changing when it comes to the internet, both when it comes to making money as well as just monitoring user activity – both for good reasons and for malignant reasons.
Targeted advertising, collecting information on user’s internet activity – with the purpose of selling this to third parties – controlling what you access, limiting access based on location are some things to be weary of.
Now, for most people – as mentioned – they just go with the DNS that comes along automatically on your computer or internet router from your ISP and lives along happy and unbothered. But, what people seldom realize is that the people/organization that handles your DNS server an in actuality see everything you do on the internet, in terms of what websites you visit etc
(They cannot see what your are doing on encrypted sites – HTTPS – and the details there, but they can see that you did visit the named websites, from what computer, when, and so on.)
This information is valuable to third parties to target ads, marketing +++, and so many ISP’s or DNS provides sell this information to make money – remember one thing of today’s digital society – Information is the new gold, especially your information. (Why do you think the popular services used by many people today are free – YOU, are their asset, the information you provide, your activity etc, that is where they make their money, and we are giving it away freely).
Now, most of the traffic on the internet is encrypted via HTTPS/SSL today, but DNS queries are sent in clear text, this means that everyone listening on the network can see what you are visiting on the web – so why should you not take steps to limit the leakage of this information, and in turn keep a bit more of your online privacy?
The good thing here, is that there exist services that make combating this rather easy, and simple to setup, both for your computer(s) as well as your mobile device(s).
A company called Cloudflare – has released a service called 1.1.1.1 – this is a DNS service provided by them world wide with the purpose of both securing your DNS queries, but also speeding up these queries to a greater degree than i.e Googles free dns (8.8.8.8).
They have also made a promise that all DNS information they get from the users using the service are purged every 24 hours, and they will under no circumstance sell this information to third parties.
Here is a some bulletpoints from Cloudflare around this:
Source here: https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/
Cloudflare commits that 1.1.1.1 was designed for privacy first, and as a result:
- Cloudflare will never sell your data or use it to target ads. Period.
- All debug logs, which we keep just long enough to ensure no one is using the service to cause harm, of are purged within 24 hours.
- Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.
- Cloudflare will retain only limited transaction data for legitimate operational and research purposes, but in no case will such transaction data be retained by Cloudflare for more than 24 hours.
- Cloudflare will only retain or use what is being asked, not who is asking it. Unless otherwise notified to users, that information may be used for the following limited purposes:
- Under the terms of a cooperative agreement, APNIC will have limited access to query the transaction data for the purpose of conducting research related to the operation of the DNS system.
Frankly, we don’t want to know what you do on the Internet — it’s none of our business — and we’ve taken the technical steps to ensure we can’t.
So, what do you need to get started using this?
For android or iOS mobile devices:
Just download the app called 1.1.1.1 from the play store (android) or App Store (iOS)
Start the app, and accept when asked to install a VPN profile, turn on the slider from off to on in the app, and your all set – DNS queries are both secured, and you may also experience faster web browsing from the device.
For Windows machines:
If you only want to change the DNS provider – but not secure the queries themselves – you can just change the DNS servers directly on the network card(s) for the computer, to the following:
IPv4 addresses:
Primary: 1.1.1.1
Secondary: 1.0.0.1
IPv6 addresses:
Primary: 2606:4700:4700::1111
Secondary: 2606:4700:4700::1001
To edit these, go to the adapter properties by (windows 10):
Right click start button > select run > type ncpa.cpl > Press enter. (or windows key+R for the run dialog).
Right click your network adapter>click properties
In the properties dialog:
Find Internet Protocol version 4 in the list > Click Properties > Insert the preferred and alternate DNS servers for IPv4 from above > Click OK.
Find Internet Protocol version 6 in the same list > click properties > insert the preferred and alternate DNS servers for IPv6 from above > Click OK > Click OK.
Repeat for every network adapter you are using (wifi + cable based)
Your DNS queries now flow through Cloudflare’s DNS service – and your privacy is now more private.
Do note – this does not encrypt your DNS traffic, so the owners of the DNS server still sees this, but as stated – Cloudflare has its own regulations around this, and will not misuse this, and the also purges this information every 24 hours.
Setting this up for DNS over TLS or HTTPS (encrypted DNS traffic) is not natively supported on windows and will require some additional steps – I will cover ways for this in another post.
PS: you can also edit the DNS server for your home router etc to reap the benefit for all connected devices in your home.
PS2: also note that if your changing this in a domain environment you probably should change the DNS forwarders for you organizations DNS server to Cloudflare, and not directly on the devices, as this will result inn errors looking up local resources on your company network.
Consultant manager & SME @ iteam, localized in Kristiansund, Norway.
Focused on EUC, security, mobility, virtualization, management and a modern workplace. Highly specialized around RDS/Citrix/EUC/Mobility.
