During last years, starting with HTTPS Everywhere initiative by Google, big internet players have invested in securing the internet browsing experience. Still, even if now it's free to provide encrypted communication to websites, there are unsolved problems in BGP and DNS, as hijacking and sniffing.
The DNS queries
Every time we request a resource from a domain name, e.g. visiting a website, an initial request (query) is made to a DNS server, the server responsible to translate for us the domain name we are visiting into an IP location. It's like asking (make a query) an authorized person from a train station info point (the DNS server) on what line is parked the train that goes to Vienna. And the answer will be e.g. 7 (the IP) or whatever the current line (IP) is.
Now, if our query is made unprotected, then everyone listening on the wire (hear our query) can intercept our queries and do whatever they like with this information, maybe profile us/our habits, or worse, can trick us and redirect to an obscure destination.
Technologies used today to protect our DNS queries are: Secure DNS (DoH - DNS over HTTPS / DoT - DNS over TLS), DNSSEC, TLS 1.3 and Encrypted SNI (Server Name Indication) and in order to protect our privacy, if we care about it, then we must ensure that we are using those technologies.
To test how secured are our DNS queries, using our daily used browsers we can visit https://www.cloudflare.com/ssl/encrypted-sni/ where we can find the answer by hitting the "Check My Browser" orange button.
And if the result is looking like this ..
|Cloudflare Secure DNS, DNSSEC, TLS 1.3 and Encrypted SNI
Then we have done a great job regarding our online privacy.
By default, don't expect much, the full green check line won't be available very soon in any browser, but there are ways on how we can acquire that right now, check my test results.
|Testing Secure DNS, DNSSEC, TLS 1.3 and Encrypted SNI in Firefox, Chromium and Google Chrome
As we can see, from 10 different scenarios, only one protect our DNS queries and privacy, and that's Firefox with a custom config and with the help of the Cloudflare (188.8.131.52) DNS resolver.
Browsers custom config and DNS solution used in above test scenarios
That's all folks, don't be fooled that your online privacy doesn't matter or that we can't do anything about that because it matters and we have instruments to protect it. Until next time.