Published Mar 25 2020, Updated Dec 19 2020
The domain name system (DNS) resolves domain names to IP addresses: with DNS you can type a name instead of a string of numbers into a web browser, so people can reach websites and send email using familiar names. Traditionally these queries are not encrypted as they traverse an internet connection.
Private DNS (also called Secure DNS) is available now and encrypts DNS queries, so they cannot be tampered with and are unintelligible to ISPs, mobile carriers, and anyone else in the network path between you and your DNS resolver. (The resolver itself still sees every query, so the choice of provider matters.)
Newer Android devices support Private DNS, but it may not be configured or active by default, and not all internet providers or connections support it.
You can test whether your current DNS is using Secure / Private DNS.
Currently OpenDNS (acquired by Cisco) is a popular provider of public (free) and paid DNS services that improve security for home, business and other internet users.
You can change your router to use OpenDNS (or another DNS service's) servers instead of your ISP's DNS servers, and all devices connecting to your router will then be protected by those services by default. Warning: if your kids have mobile phones or devices that let them turn off WiFi and use their own wireless data for internet instead of your router, they will not be protected. There are restrictions or parental controls that can be enabled that may allow limiting this, or the times or duration of use, etc.
There is also an OpenDNS agent you can install (at least on Windows) that will pop up and tell you if you are not using OpenDNS. Your OpenDNS portal lets you customize how aggressively it filters, including blocking adult content if you want, and whitelisting or blacklisting domains (e.g. to handle false positives), etc.
They also offer a DNSCrypt service for Windows and Mac computers that improves on traditional DNS and can work alongside Private DNS.
OpenDNS is operated out of the US and is now part of the Cisco Umbrella service, but is still branded OpenDNS.
There is a Canadian alternative to keep your DNS queries and data private and in Canada:
CIRA Canadian Shield – Free malware and phishing protection
They also have a paid version for business.
More info on Private DNS
Apr 18, 2018
There are many options for DNS security and privacy available right now. You do not need to use your ISP's DNS or plain-text DNS anymore and open yourself to DNS hijacking, sniffing and abuse by third parties (looking at you, Marriott).
However, with all great options out there (eg: 126.96.36.199, 188.8.131.52, 184.108.40.206), come great responsibilities. Which provider to choose? Which protocol to choose? DNSCrypt? DNS over HTTPS or TLS? What about DNSSEC? …
Here is a list and more info on Public and Private DNS providers.
Enable Private DNS with 220.127.116.11 on Android 9 Pie – blog.cloudflare.com
Stephen Pinkerton 2018-08-16
Android Pie (v9) only supports DNS over TLS. To enable this on your device:
- Go to Settings → Network & internet → Advanced → Private DNS.
- Select the Private DNS provider hostname option.
- Enter 1dot1dot1dot1.cloudflare-dns.com and hit Save.
- Visit 18.104.22.168/help (or 22.214.171.124/help) to verify that “Using DNS over TLS (DoT)” shows as “Yes”.
And you’re done!
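What the Android setting above actually configures is a DNS-over-TLS (DoT, RFC 7858) client: the device opens a TLS session to port 853, checks the resolver's certificate against the hostname you typed in (which is why the steps ask for a hostname rather than an IP), and sends ordinary DNS messages inside the tunnel with a two-byte length prefix. The following Python script is an added example, not code from the original page, from Cloudflare or from any DNS provider; it builds a wire-format DNS query, parses the reply, and can perform a live DoT lookup. The `query_dot` function, its parameters and the `SAMPLE_RESPONSE` bytes are constructed for this illustration; the reply bytes are not captured from any real resolver.

```python
"""Minimal DNS-over-TLS (RFC 7858) client with a DNS wire-format (RFC 1035)
query builder and answer parser. Added example; not the page's own code."""
import secrets
import socket
import ssl
import struct

TYPE_A = 1
CLASS_IN = 1


def build_query(name, txid=None, qtype=TYPE_A):
    """Encode a single-question DNS query with the RD (recursion desired) bit set."""
    if txid is None:
        txid = secrets.randbelow(0x10000)  # unpredictable ID makes spoofed replies harder
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def _read_name(msg, offset):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 s4.1.4)
            hops += 1
            if hops > 16:                          # guard against pointer loops in hostile replies
                raise ValueError("too many compression pointers")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg, expected_txid):
    """Return [(name, ttl, ipv4)] for the A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):                            # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return answers


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def query_dot(resolver_host, name, resolver_ip=None, port=853, timeout=5.0):
    """Resolve `name` over DoT. `resolver_host` is the name the resolver's certificate
    must match (what Android's "Private DNS provider hostname" field asks for)."""
    ctx = ssl.create_default_context()             # CA-chain and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = secrets.randbelow(0x10000)
    query = build_query(name, txid)
    with socket.create_connection((resolver_ip or resolver_host, port), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_host) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix (RFC 7858)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
    return parse_response(reply, txid)


# Constructed sample reply (not captured from any real resolver): one A record
# for example.com, TTL 300, owner name given as a compression pointer to the question.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"
    "07 6578616d706c65 03 636f6d 00 0001 0001"
    "c00c 0001 0001 0000012c 0004 5db8d822"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, SAMPLE_TXID))
    # Live lookup (needs network), using the hostname from the Android steps above:
    # print(query_dot("1dot1dot1dot1.cloudflare-dns.com", "example.com"))
```

Two checks in the script are the ones that matter for the security point of Private DNS: `ssl.create_default_context()` verifies the certificate chain and the hostname, so a resolver that cannot present a certificate for the configured name is rejected rather than silently trusted, and `parse_response` refuses any reply whose transaction ID does not match the query. If `query_dot` is called with an IP address as `resolver_host` instead of a name, hostname verification has nothing meaningful to match against, which is the same weakness as pointing Android's Private DNS at a bare IP.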
Is Cloudflare’s 126.96.36.199 Really About Privacy First?
So basically, despite its “privacy-first” policy, Cloudflare will be sharing DNS query data with APNIC Labs (Asia-Pacific Network Info Centre, the Regional Internet address Registry for the Region) for the next 5 years in exchange for the use of its 188.8.131.52 network address along with the chance of permanently acquiring the IP address — including 184.108.40.206.
On APNIC’s blog post, they stated that their deep interest is in understanding the technical infrastructure of the internet including the intricacies of DNS in order to mitigate malicious denial of service attacks. They were also quick to reiterate Cloudflare’s commitment to data privacy:
“In setting up this joint research program, APNIC is acutely aware of the sensitivity of DNS query data. We are committed to treat all data with due care and attention to personal privacy and wish to minimise the potential problems of data leaks. We will be destroying all “raw” DNS data as soon as we have performed statistical analysis on the data flow. We will not be compiling any form of profiles of activity that could be used to identify individuals, and we will ensure that any retained processed data is sufficiently generic that it will not be susceptible to efforts to reconstruct individual profiles. Furthermore, the access to the primary data feed will be strictly limited to the researchers in APNIC Labs, and we will naturally abide by APNIC’s non-disclosure policies.”