DNS Security

OK, if you are really into nerdville, then you know that DNS queries (what tells the computer where google.com is) are easy to spoof and hack. This lets people divert traffic from google.com to their own servers. Bad, bad, bad. So there are three solutions:

  • DNSSEC. This essentially means that every DNS record you get is signed with a public key so you can validate that it came from the correct place. You need two things. First, a DNS server (Google’s 8.8.8.8 servers, for instance) that has this enabled. Second, software on your client that does the checking, like the DNSSEC/TLSA Validator you load into your browser.
  • DNSCrypt. DNSSEC works fine except that everything is still sent in clear text, so your ISP or someone listening on your network can see the queries. DNSCrypt encrypts DNS traffic so you aren’t vulnerable to that.
  • A DNS server that doesn’t log. Unfortunately, the DNS servers themselves will log your queries (OpenDNS does this), so you need a DNS provider that doesn’t do logging, like OpenNIC (thanks lowsnr.com), and you need a server that is OpenNIC and also supports DNSCrypt from this list.
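
As an added example (not code from the original post), here is a small stdlib-only Python check of what a DNSSEC-aware client actually looks at: it builds a query with the EDNS0 DO bit set, then decodes the reply flags and treats the answer as validated only when the resolver set the AD (authenticated data) bit. The reply bytes are constructed by hand so it runs offline; `query_resolver` is the only part that touches the network, and the 8.8.8.8 default is just the post's example resolver.

```python
import socket
import struct

# Constructed sample replies (header only, which is all the flag check needs).
# flags 0x81A0 = QR|RD|RA|AD  -> resolver validated the answer
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
# flags 0x8180 = QR|RD|RA     -> answered, but no DNSSEC validation claimed
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# flags 0x8182 = QR|RD|RA with RCODE=2 (SERVFAIL) -> what a validating
# resolver returns when the signatures do not check out
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)


def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """DNS A query for `name` carrying an EDNS0 OPT record with the DO bit set."""
    # header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT pseudo-record: root name, TYPE=41, UDP size 4096, ext-RCODE 0,
    # version 0, flags with DO (0x8000) set, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_flags(reply: bytes) -> dict:
    """Decode the header flag bits of a DNS reply that matter for a DNSSEC check."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a 12-byte DNS header")
    txn_id, flags = struct.unpack("!HH", reply[:4])
    return {
        "id": txn_id,
        "qr": bool(flags & 0x8000),  # 1 = this is a response
        "ra": bool(flags & 0x0080),  # recursion available
        "ad": bool(flags & 0x0020),  # authenticated data: resolver validated DNSSEC
        "cd": bool(flags & 0x0010),  # checking disabled (client asked to skip validation)
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
    }


def dnssec_validated(reply: bytes, expected_id: int = 0x1234) -> bool:
    """True only if the reply matches our id, is a clean response, and carries AD."""
    f = parse_flags(reply)
    return f["id"] == expected_id and f["qr"] and f["rcode"] == 0 and f["ad"] and not f["cd"]


def query_resolver(name: str, server: str = "8.8.8.8", timeout: float = 3.0) -> bytes:
    """Send the DO-bit query over UDP and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)
```

Against a validating resolver, `dnssec_validated(query_resolver("some-signed-name"))` comes back True only for names whose zone is signed and checks out; a resolver that does not validate never sets AD, which is exactly why the post says the client side has to do its own checking.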

Gosh complicated!

One thing that is a little strange on a Mac is that if you want to change your DNS settings manually you start System Preferences/Network and then pick one of the connections. You don’t set DNS for the entire system, you do it for each network interface. So you have to do it for “Wi-Fi” and for “Ethernet”, for instance. You drill to the DNS tab, click on the plus sign, add the DNS address and press OK.

Then you have to make sure to click “Apply” when you are done, otherwise the changes don’t stick. It’s a case where OK is not OK 🙂

You can check if it all works by looking at dnsleaktest.com