Private or Secure DNS

The domain name system (DNS) maps the host names in URLs / links to their IP addresses. With DNS, it’s possible to type words instead of a string of numbers into a browser, allowing people to reach websites and send emails using familiar names. Traditionally these queries are not encrypted while they traverse an internet connection.

Private DNS (aka Secure DNS) is available now and encrypts DNS queries, ensuring they cannot be tampered with and are unintelligible to ISPs, mobile carriers, and any others in the network path between you and your DNS resolver.

At least newer Android devices support Private DNS, but it may not be configured or active by default, and not all internet providers or connections support it.

You can test whether your current DNS is using Secure / Private DNS here:

https://www.cloudflare.com/ssl/encrypted-sni/

Currently OpenDNS (acquired by Cisco) is a popular provider of public (free) or paid DNS services to improve security for home, business and other internet users.

They offer a DNSCrypt service for Windows and Mac computers that improves on traditional DNS and can work alongside Private DNS.

More info on Private DNS

DNS Security and Privacy — Choosing the right provider – medium.com

Nykolas Z
Apr 18, 2018

There are many options for DNS security and privacy available right now. You do not need to use your ISP DNS or plain-text DNS anymore and open yourself to DNS hijacking, sniffing and abuse by third parties (looking at you, Marriott).

However, with all great options out there (eg: 1.1.1.1, 8.8.8.8, 9.9.9.9), come great responsibilities. Which provider to choose? Which protocol to choose? DNSCrypt? DNS over HTTPS or TLS? What about DNSSEC? …

Here is a list and more info on Public and Private DNS providers.

https://www.allconnect.com/blog/best-free-dns-servers

Enable Private DNS with 1.1.1.1 on Android 9 Pie – blog.cloudflare.com

Stephen Pinkerton 2018-08-16

Cloudflare: Consumer Privacy is Priority 1.1.1.1 – whatismyipaddress.com

Configuring 1.1.1.1

Android Pie (v9) only supports DNS over TLS. To enable this on your device:

  1. Go to Settings → Network & internet → Advanced → Private DNS.
  2. Select the Private DNS provider hostname option.
  3. Enter 1dot1dot1dot1.cloudflare-dns.com and hit Save.
  4. Visit 1.1.1.1/help (or 1.0.0.1/help) to verify that “Using DNS over TLS (DoT)” shows as “Yes”.

And you’re done!
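What the Android setting above turns on is DNS over TLS (RFC 7858). The following is an added example, not code from this post or from Cloudflare: a small Python client that encodes a query in DNS wire format, sends it over a certificate-verified TLS session to the hostname from step 3 on port 853 with the two-byte length prefix the RFC requires, and parses the A records out of the reply. The transaction id, port and hostname constants are assumptions of this example; the resolver must be reachable for resolve_dot to run.

```python
# Added example (not the page's or Cloudflare's code): a minimal DNS-over-TLS client.
import socket
import ssl
import struct

DOT_HOST = "1dot1dot1dot1.cloudflare-dns.com"  # hostname from step 3 of the page
DOT_PORT = 853          # DNS-over-TLS port (RFC 7858)
QID = 0x1234            # fixed transaction id for this demo

def build_query(name: str) -> bytes:
    """Standard A/IN query in DNS wire format (RFC 1035), recursion desired."""
    header = struct.pack("!HHHHHH", QID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, pos: int) -> int:
    while True:                      # walk labels until a 0 byte or a pointer
        length = msg[pos]
        if length & 0xC0 == 0xC0:    # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_a_records(msg: bytes) -> list:
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != QID or not flags & 0x8000:   # must be our id and a response (QR=1)
        raise ValueError("unexpected transaction id or not a response")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4      # skip QNAME, QTYPE, QCLASS
    ips = []
    for _ in range(an):                     # collect A records; skip CNAME/others
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return ips

def resolve_dot(name: str, host: str = DOT_HOST) -> list:
    """TLS to port 853; create_default_context() verifies the cert and hostname."""
    with socket.create_connection((host, DOT_PORT), timeout=5) as raw:
        with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
            query = build_query(name)
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            reader = tls.makefile("rb")
            (rlen,) = struct.unpack("!H", reader.read(2))
            return parse_a_records(reader.read(rlen))
```

Over plain UDP DNS the same bytes would cross the network unencrypted on port 53; here the TLS handshake fails unless the resolver presents a certificate valid for the configured hostname, which is the guarantee the hostname mode in step 2 adds.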

Partial archive

Cloudflare: Consumer Privacy is Priority 1.1.1.1 – whatismyipaddress.com

Is Cloudflare’s 1.1.1.1 Really About Privacy First?

So basically, despite its “privacy-first” policy, Cloudflare will be sharing DNS query data with APNIC Labs (Asia-Pacific Network Info Centre, the Regional Internet address Registry for the Region) for the next 5 years in exchange for the use of its 1.1.1.1 network address along with the chance of permanently acquiring the IP address — including 1.0.0.1.

On APNIC’s blog post, they stated that their deep interest is in understanding the technical infrastructure of the internet including the intricacies of DNS in order to mitigate malicious denial of service attacks. They were also quick to reiterate Cloudflare’s commitment to data privacy:

“In setting up this joint research program, APNIC is acutely aware of the sensitivity of DNS query data. We are committed to treat all data with due care and attention to personal privacy and wish to minimise the potential problems of data leaks. We will be destroying all “raw” DNS data as soon as we have performed statistical analysis on the data flow. We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC’s non-disclosure policies.”

Further, Cloudflare argued that they’re not a media or advertising company (unlike Google or broadband providers), so they see a user’s personal data as a “toxic asset”. They claim that they never store information that could identify an end user and that logs on their public resolver are never kept for more than 24 hours. They also submit to annual audits, published publicly, to show their commitment to their privacy policy.

About Kevin Yaworski

I use my blog to write about things that I think are a matter of public interest or that I think others will be interested in