Excuse me sir, where are you headed?
Today I was adding a regex list to my Pi-hole. I have been running my Pi-hole as both my DHCP and DNS server in my UniFi stack for months. I wanted to try out some regex lists, and while I was making the edit I realized I never wrote about my DNS over HTTPS experience. It's been a few weeks, so it's the perfect time to comment on it.
So I have seen and heard about DNS over HTTPS for a while now and just never got around to doing it. For people who don't know and are reasonably technical, Wikipedia's first paragraph on the subject explains it well.
For those who don't understand, maybe you have seen something like this while going to a site or searching.
This generally happens when you are using your ISP's DNS servers to look up websites. That covers a large part of the world: a large percentage of everyday users run their ISP's default settings and equipment. Now we can see in the picture that WOW!, in this case, intercepted the failed lookup and redirected us to a different result instead of just showing us an error page.
This goes a bit deeper though. Other DNS providers, like Google's 8.8.8.8, log and keep this data. Like many others, they sample some of it and save the rest. The terms of use generally state they strip some personal information and permanently store the rest for analysis.
However, this data, and other data from other providers including your ISP, is also often sold. This allows bigger marketing conglomerates to keep, analyze and use the data for targeted advertising. Now, while it has happened via data breaches etc., I am not going to soapbox about cliche terms like "big data" and scare you about your personal data being stolen and used. It already is, and you should already know that. You should also already know this all applies to hackers and malware authors, and that if a marketing department can do it, they can too.
Now, DNS over HTTPS to a reputable company can help. It encrypts the request between your computer and the server that has to answer it. Combined with a service that stands by your privacy rights, you have a winning combo. Now, while a privacy-focused policy is good, policies can change; but it's better to lean towards a company that has one as opposed to a company that doesn't. Take it all with a grain of salt.
Anyway, with the Pi-hole I use cloudflared. I used this specific guide because I'm so smart I could do it myself. Now, while it is true, like I hinted above, that someone needs to be able to see your DNS request for them to, well... make it, encrypting the connection and using a provider that is security conscious is just one more layer of the security onion.
I implemented cloudflared a few weeks ago, as I was saying. I also make sure to utilize DNSSEC, which is supported by Cloudflare's name servers (the ones that handle the DNS requests). Now, the wife and roommate can be demanding if Netflix or other random services don't work.
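To show what the cloudflared setup is actually sending, here is an added example (not from the post or from Pi-hole/cloudflared) that builds the RFC 8484 DNS-over-HTTPS GET parameter for a query with the DNSSEC OK bit set and reads the AD flag, which a validating resolver sets on authenticated answers, back out of a constructed reply. The sample response bytes are constructed here, not captured from Cloudflare.

```python
import base64
import struct

# Added example, not the post's own code: RFC 8484 DoH encoding plus a
# DNSSEC-aware look at the flags a resolver returns.

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire labels (length-prefixed, root-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, dnssec_ok: bool = True) -> bytes:
    """Build a wire-format DNS query. RFC 8484 recommends ID 0 for DoH so
    identical queries are cache-friendly; flags 0x0100 sets RD (recursion)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if not dnssec_ok:
        return header + question
    # EDNS0 OPT pseudo-record: root name, type 41, UDP size 4096,
    # extended RCODE 0, version 0, DO bit (0x8000) set, no option data.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def doh_get_param(query: bytes) -> str:
    """The ?dns= value: base64url with the padding stripped, per RFC 8484."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def response_flags(msg: bytes) -> dict:
    """Decode header flags. AD set means the resolver validated DNSSEC;
    RCODE 3 (NXDOMAIN) should reach you as an error, not as a redirect."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"ad": bool(flags & 0x0020), "rcode": flags & 0x000F,
            "answers": ancount}

# Constructed sample reply: QR, RD, RA and AD set, RCODE 0, one answer record.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 1, 1))
```

Pointing `doh_get_param(build_query(...))` at a real DoH endpoint is what cloudflared does on your behalf; if the AD flag is missing on a zone you know is signed, the upstream is not validating.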
However, I can say that thus far, with a modest blocklist, everything has been going great! DNS requests are quick, so things load quickly, and otherwise it's been business as usual. Maybe a little less pomp and circumstance than I would have liked, but if nothing changed, then it means it's working correctly.
The cache, blocklists, and actual resolver are all doing their job. It's a well-oiled machine.
At some point I encourage everyone to utilize DNS over HTTPS, be it with cloudflared or not. It's easy to implement, and if you choose Pi-hole as your host as well, you now have easy DNS curation built in. I personally run mine on a virtual machine and it hums along nicely.
Go give security a chance. Change your passwords, use good rules, uninstall weird stuff. Tweak your AV. Curate your Outlook rules.
Take care of yourself out there.