DNS: An Often-Overlooked Privacy Consideration
When mass collection of telephone metadata in the U.S. was revealed, there was a public outcry and demands that this warrantless data collection cease. It's easy to understand that knowing whom you call, when, how often, how long you talk, and when two numbers first connected can reveal a great deal, even without access to the content of the conversation itself. As the previously linked article states:
With only call metadata (data about the numbers involved, timing, duration, etc.), it's possible to quickly infer personal health information, likely political outlook, and much more that you may not want to be public. This 2016 article from the Stanford Report shows just how easy that is and how many people can be swept up in a single inquiry.
You'll note the earlier dates of these articles; much communication now occurs outside of phone calls and texts, so the frontier of privacy has moved from phone metadata to broader internet metadata. Because the mechanisms of internet data collection are harder for the average person to understand, DNS privacy has not received the same attention as phone metadata collection, but it has many of the same implications.
I recently watched an excellent presentation by Bert Hubert from NLNOG (Netherlands Network Operator Group) from 2019 discussing the importance of DNS. The full presentation is about 45 minutes and well worth watching in its entirety.
Video: Bert Hubert presenting at NLNOG 2019 on DNS over HTTPS considerations
For those unfamiliar with DNS, it is the way computers translate between human-readable names (such as www.google.com) and the IP addresses computers actually use to connect to websites. If you enter an IP address directly in your browser's address bar, such as http://142.250.191.78, it can work just like typing www.google.com (though many sites, especially those on shared hosting, also need the hostname sent in the HTTP Host header or the TLS handshake to serve the right content). To let you connect to Google by typing "www.google.com", which is much easier to remember, there must be a system in place that says, "Are you looking for Google? OK, here is the IP address for Google, from a source that can be trusted." Significantly, classic DNS (UDP or TCP on port 53) is a plaintext protocol: queries and answers are not encrypted, so anyone on the path between you and your resolver can read which names you look up. Various proposed solutions to this are discussed in the video above.
Historically, your ISP (Internet Service Provider, such as Comcast, Charter, AT&T, etc.) functioned as your DNS resolver, which means your ISP had access to all of the metadata about which websites you visited and when. The same concerns apply as in the telephone metadata discussion above: a great deal of personal information can be inferred simply from the names of the websites you visit, when, and how often. Note that switching to a different resolver moves that query log somewhere else rather than eliminating it, and your ISP still carries your packets: it still sees the destination IP addresses and, for most HTTPS connections today, the server name sent in the clear in the TLS handshake (SNI) unless Encrypted Client Hello is in use.
There is also significantly more detail available from web traffic than from phone calls, beyond DNS. Examples include query-string parameters that reveal what you searched for (after a Google search for Netflix, the URL becomes "https://www.google.com/search?q=netflix" along with a number of other obfuscated but identifying parameters specific to you); the information carried in HTTP headers, including your device and browser details, your character set, and other values that together can fingerprint your activity; and, of course, the data collected by analytics platforms about the specific actions you take on a website. The original purpose of this collection need not be nefarious for the data to end up in the wrong hands somewhere in the long chain of data brokers and acquisitions in the ad-tech space. Even if the data reaches only its intended recipients, many parts of the world offer little protection over how it is used, even though it can contain personal and health information, whereas actual health records would enjoy significant protections.
Crucially, one need not have "something to hide" to be concerned about privacy. In the talk above, Bert Hubert jokes about not wanting his website history made public, but even if you're proud of yours, this still applies to you! As the San Diego Privacy website states:
We use privacy to protect our private information from being in the possession of parties we don't trust, who may use it in harmful ways (intentionally or unintentionally).
We use privacy because there is no way for us to know how our private information will spread beyond our control, and whether someone is currently using our private information to harm us without our knowledge.
We practice privacy now because private information is permanent, and if someone unauthorized uses our private information at some time in the future, it could be just as harmful to us, or even more harmful to us, than using it in the past or present.
("Privacy Myth 2, Nothing To Hide", San Diego Privacy, March 23, 2021)
That brings us back to the issue of DNS resolvers. The moves away from plaintext DNS come with a side effect: they are usually paired with a single, centrally operated resolver, so one provider sees your queries no matter which network you are on. DNS over TLS (DoT) encrypts the query on the wire, but the resolver you follow from network to network still sees every name, which makes it easier to track your activity as you move; DNS over HTTPS (DoH) rides inside ordinary HTTPS, so the HTTP headers and any cookies sent with the request can be correlated to tie the activity to an individual. The DNS provider you choose determines where the metadata about your website activity goes.
Firefox automatically enables DNS over HTTPS by default in the US, Canada, Russia, and Ukraine, and makes a number of automatic connections (prefetching and speculative connections) that generally speed up browsing but reach more than just the sites you enter in the address bar. This behavior may or may not be what you want, and it is presented under the privacy-enhancing umbrella. It is hard to imagine that less-technical users truly understand the implications of choosing one setting over another. To their credit, Firefox exposes these settings and makes them easily user-configurable, which is not true of all browsers. Firefox defaults to Cloudflare as its DoH resolver in the US.
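To make the two points above concrete, the plaintext nature of classic DNS and the extra HTTP baggage that a DoH request carries, here is an added example. It is not code from the original post or from the NLNOG talk. It builds a DNS query in the RFC 1035 wire format, parses the question back out of the raw bytes exactly as anyone on the path could, and then renders the same message as an RFC 8484 DNS-over-HTTPS GET request; the resolver hostname, the path, and the sample User-Agent and Cookie values are assumptions for illustration, and nothing is sent on the network. For `www.example.com` the base64url string it produces is the one used as the example in RFC 8484 itself.

```python
"""Added example for this post (not code from the original page or the talk):
build a DNS query in RFC 1035 wire format, show that the queried name sits in
cleartext in the packet, then wrap the same message as an RFC 8484 DoH GET.
Everything runs offline; nothing is sent. The resolver host, path and the
sample User-Agent/Cookie values are assumptions."""
from __future__ import annotations

import base64
import struct
from typing import Optional

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: one length byte per label, then 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:          # RFC 1035: labels are 1..63 octets
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """RFC 1035 query: 12-byte header plus one question.

    Flags 0x0100 = standard query, recursion desired. A transaction id of 0
    is what RFC 8484 recommends for DoH so that the GET URL is cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_question(packet: bytes) -> tuple[str, int, int]:
    """Read the question section of a query and return (qname, qtype, qclass).

    This is all anyone on the path has to do with a port-53 packet: the name
    is neither obfuscated nor encrypted."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:   # compression pointer: not expected in a query's question
            raise ValueError("unexpected name compression in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def doh_get_request(packet: bytes, host: str = "doh.example",
                    path: str = "/dns-query",
                    extra_headers: Optional[dict[str, str]] = None) -> str:
    """Render the RFC 8484 GET form: the DNS message is base64url-encoded
    with padding stripped and placed in the `dns` query parameter.

    The DNS payload is unchanged; what changes is that it now travels inside
    an HTTP request, so whatever headers the client habitually attaches
    (passed in here as extra_headers) reach the resolver operator with it."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    lines = [f"GET {path}?dns={encoded} HTTP/1.1",
             f"Host: {host}",
             "Accept: application/dns-message"]
    for key, value in (extra_headers or {}).items():
        lines.append(f"{key}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    query = build_query("www.example.com")
    print("wire bytes:", query.hex())
    print("name readable in raw bytes:", b"example" in query)
    print("parsed question:", parse_question(query))
    # Assumed browser-style headers, to show what rides along with a DoH query.
    print(doh_get_request(query, extra_headers={
        "User-Agent": "ExampleBrowser/1.0",
        "Cookie": "session=abc123",
    }))
```

Two things to notice when you run it: the hostname labels are literally present in the port-53 bytes, and in the DoH form the encrypted tunnel hides them from the network but not from the resolver operator, who additionally receives the User-Agent and Cookie lines. Real browsers do not send site cookies to the DoH endpoint, but any header the DoH client does send is a correlation handle for that operator.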
There are a number of public DNS resolvers to choose from, including Google's (8.8.8.8), Cloudflare's (1.1.1.1), Quad9 (9.9.9.9), OpenDNS (208.67.222.222), and many others. (IPs listed are the Primary DNS; Secondary DNS servers omitted for brevity.)
It's also possible to specify your own DNS server at the OS level (after disabling the browser-level option, so the browser doesn't bypass it) and to run a local resolver such as Unbound. A good discussion of some of the pros and cons of different options is located here.
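As an added example that is not from the original post, here is an Unbound forward-zone configuration that combines the OS-level resolver idea with the DoT option mentioned earlier: every query from the machine goes to Quad9 (one of the public resolvers listed above) over DNS over TLS on port 853, with the upstream certificate checked against the name after the `#`. The CA bundle path is the Debian/Ubuntu default and is an assumption for other systems.

```conf
server:
    # Trust store used to verify the upstream resolver's certificate.
    # Path assumed (Debian/Ubuntu); adjust for your OS.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # Send only as much of each name as the upstream needs, and do not
    # answer identity/version probes.
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9 over DoT; the name after '#' is what the TLS certificate must match.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

After restarting Unbound and pointing the OS at 127.0.0.1, a packet capture on the outbound interface should show only TLS to port 853 and no port-53 traffic leaving the machine; if port-53 queries still appear, something (a browser's own DoH/DNS setting, a VPN client, or a container runtime) is bypassing the system resolver.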
To make intentional decisions about privacy, there are device, OS, browser, ISP, DNS, geographical, home network, and many other considerations that all stack on top of each other and make the decision about what to use more complex. I don't have a one-size-fits-all solution to share here, but it's important to know and understand what DNS is and how it is used to be an informed consumer of internet services.