
DNS encryption and you! Why this isn’t an evil thing and why you need it in your life.

Before you read, know this got me banned from Medium.

So, let us start by getting your whole home behind an easy-to-use setup that controls your devices' DNS lookups. Personally I use Pi-hole: it is a simple utility that does more than answer DNS lookups, it also blocks domains you don't want your devices connecting to. Most people run Pi-hole to block ads, but its easy web interface and the fact that it runs on a cheap Raspberry Pi make it an excellent first step toward securing your home's DNS queries. On its own Pi-hole filters DNS; it does not encrypt it. That part comes later.

Okay, you have an old laptop, Raspberry Pi, desktop, or even a server running Linux to install Pi-hole on. Run their install script, go through the prompts, and write down the static IP the installer shows; keep it close, you will need it in the next step. Pi-hole needs a fixed address because every device on your network is about to be pointed at it.

Pihole install guide: https://github.com/pi-hole/pi-hole/#one-step-automated-install

Now that Pi-hole is installed and you have its static IP, log in to your router and look through the settings until you find the DNS server option (some routers do not let you change it; if yours doesn't, go into the network settings on each device and point it at Pi-hole directly). In that box, or in some cases those four boxes, enter the IP of your Pi-hole and do not enter a secondary DNS server: a secondary lets devices fall back to an unfiltered resolver whenever they feel like it, which defeats the purpose. Save the changes. Your home's DNS now goes through Pi-hole before it reaches the outside world, and if you kept the default blocklists you are blocking ads. One caveat: a device with a hard-coded resolver (some smart TVs and phone apps insist on a public DNS server) will still bypass Pi-hole unless your router can block or redirect outbound traffic on port 53.

Now for encryption, the scary word, the boogeyman. Many people think encryption is only for criminals, and plenty of governments agree; that isn't the case. A common attack on home users is forging the answer to a DNS lookup, and you do a DNS lookup every time you visit a website or open an app. As far as your browser is concerned there is no google.com, only the IP address the lookup returns. Plain DNS travels unencrypted and unauthenticated over UDP port 53, so anyone positioned to see your traffic (on shared Wi-Fi, or at a compromised router or ISP) can watch you look up your bank's hostname and race back a forged answer pointing at a server they control. If that server shows a copy of your bank's login page and you type your credentials into it, they have your login and you are none the wiser. HTTPS blunts the worst of this, because the forged server cannot present a valid certificate for your bank's name and a modern browser will refuse to load the page; but the forged answer still works against sites that use plain HTTP, and even when nothing is tampered with, every hostname you resolve is visible to whoever sits on the path.

So, how do we prevent this? Encrypt the DNS traffic leaving your network with DNSCrypt. The Pi-hole wiki has a handy guide:

DNSCrypt install guide: https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0

(If you want to skip editing the .toml file by hand, here is a link to mine that you can copy and paste: https://raw.githubusercontent.com/ChefTyler/dnscryptpersonaltoml/master/dnscrypt-proxy.toml )

The guide walks you through installing DNSCrypt (the dnscrypt-proxy daemon) and telling Pi-hole to use it. It takes a few minutes and is worth the effort. While editing the .toml file I suggest this setup:

dnscrypt_servers = true
doh_servers = true
require_dnssec = true
require_nolog = true
require_nofilter = true

Together these tell dnscrypt-proxy to use only upstream resolvers that speak DNSCrypt or DNS-over-HTTPS, validate DNSSEC, claim not to log queries, and do no filtering of their own (Pi-hole does the filtering, so you want an unfiltered upstream). Two settings further down deserve a closer look. "force_tcp" can stay at false: dnscrypt-proxy encrypts over UDP as well, and the comments in its own config file note that forcing TCP adds latency without adding security unless you are routing everything through a SOCKS proxy such as Tor. "http_proxy" (commented out with a # and pointing at a localhost address) should stay commented unless you actually run an HTTP proxy at that address: uncommenting it sends all DNS-over-HTTPS traffic to that proxy, and if nothing is listening there the DoH resolvers stop working. Save the file when you are done.
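The relevant part of dnscrypt-proxy.toml with those settings in place, as an added example rather than the post's own file or anything shipped by dnscrypt-proxy. The listen address and port are an assumption (whatever you put here must match the custom upstream you give Pi-hole, in Pi-hole's host#port notation); everything else is the setting discussed above.

```toml
# Added example of the keys the setup above touches; not the post's own file.
# listen address/port assumed here: Pi-hole's upstream must match it as 127.0.0.1#5053
listen_addresses = ['127.0.0.1:5053']

# Resolver selection: encrypted transports only, plus the three require_* filters.
dnscrypt_servers = true
doh_servers = true
require_dnssec = true      # only resolvers that validate DNSSEC
require_nolog = true       # only resolvers that claim not to keep query logs
require_nofilter = true    # only resolvers that do no filtering; Pi-hole filters locally

# Leave false: UDP traffic is encrypted too, TCP only adds latency
# (useful only when everything is routed through a SOCKS proxy such as Tor).
force_tcp = false

# Leave commented unless an HTTP proxy is really running at that address;
# if it is uncommented with nothing listening there, DoH resolvers fail.
# http_proxy = 'http://127.0.0.1:8888'
```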

Following the guide, set Pi-hole's upstream DNS to DNSCrypt and DNSCrypt only: in the Pi-hole admin page untick every public resolver and enter dnscrypt-proxy's listen address as the custom upstream, in host#port form, matching the listen_addresses line in your .toml. And tada: every DNS query that leaves your home is now encrypted, and the bad actors described above can no longer see or tamper with it in transit. Two things to keep in mind. The encryption covers the hop from Pi-hole to the upstream resolver; inside your home, devices still talk plain DNS to Pi-hole, which is fine on a network you control. And the upstream resolver itself still sees every name you look up, which is exactly why require_nolog is in the config. Plus you've given yourself a little more peace of mind.
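A small check script for the finished chain, covering both the "no secondary upstream" rule from the router step and the .toml settings above. This is an added example, not part of the post, of Pi-hole or of dnscrypt-proxy. It assumes dnscrypt-proxy listens on 127.0.0.1:5053, that Pi-hole records its upstreams in /etc/pihole/setupVars.conf as PIHOLE_DNS_n= lines, and that the toml lives at /etc/dnscrypt-proxy/dnscrypt-proxy.toml; change the three variables at the top if your paths or port differ.

```shell
#!/bin/sh
# Added example (not from the post, Pi-hole or dnscrypt-proxy): sanity checks
# for a Pi-hole -> dnscrypt-proxy setup. Paths and the 5053 port are assumptions.

DNSCRYPT_UPSTREAM="127.0.0.1#5053"              # assumed dnscrypt-proxy listen address, Pi-hole notation
SETUPVARS="/etc/pihole/setupVars.conf"           # assumed location of Pi-hole's upstream list
TOML="/etc/dnscrypt-proxy/dnscrypt-proxy.toml"   # assumed location of the dnscrypt-proxy config

# check_upstreams FILE
# Returns 0 only when FILE makes dnscrypt-proxy Pi-hole's sole upstream.
# Any PIHOLE_DNS_2 (or higher) entry is a path around the encrypted resolver,
# so it fails the check even when it names a reputable public server.
check_upstreams() {
    first=$(sed -n 's/^PIHOLE_DNS_1=//p' "$1")
    extras=$(grep '^PIHOLE_DNS_[0-9][0-9]*=.' "$1" | grep -vc '^PIHOLE_DNS_1=' || true)
    if [ "$first" != "$DNSCRYPT_UPSTREAM" ]; then
        echo "FAIL: PIHOLE_DNS_1 is '$first', expected $DNSCRYPT_UPSTREAM"
        return 1
    fi
    if [ "$extras" -ne 0 ]; then
        echo "FAIL: $extras extra upstream(s) configured; remove PIHOLE_DNS_2 and up"
        return 1
    fi
    echo "OK: Pi-hole forwards only to $DNSCRYPT_UPSTREAM"
    return 0
}

# check_toml FILE
# Returns 0 when the five resolver-selection keys are true, force_tcp is not
# forced on, and http_proxy is still commented out (a flat key=value grep is
# enough here because these keys all live at the top level of the file).
check_toml() {
    rc=0
    for key in dnscrypt_servers doh_servers require_dnssec require_nolog require_nofilter; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*true" "$1" \
            || { echo "FAIL: $key is not set to true"; rc=1; }
    done
    grep -Eq '^[[:space:]]*force_tcp[[:space:]]*=[[:space:]]*true' "$1" \
        && { echo "WARN: force_tcp = true adds latency without adding security"; rc=1; }
    grep -Eq '^[[:space:]]*http_proxy[[:space:]]*=' "$1" \
        && { echo "FAIL: http_proxy is active; all DoH traffic goes to that proxy"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: dnscrypt-proxy.toml matches the recommended settings"
    return "$rc"
}

# live_checks
# Queries the running system. Needs dig; the tcpdump step needs root and
# should print nothing: no plaintext DNS should leave the host for a public
# address once Pi-hole only talks to dnscrypt-proxy on 127.0.0.1.
live_checks() {
    echo "1. dnscrypt-proxy answers directly on port 5053:"
    dig +short @127.0.0.1 -p 5053 example.com A
    echo "2. Pi-hole answers on port 53 (and forwards through dnscrypt-proxy):"
    dig +short @127.0.0.1 example.com A
    echo "3. Five seconds of outbound plaintext DNS to non-private addresses (expect nothing):"
    timeout 5 tcpdump -ni any 'udp dst port 53 and not dst net 10.0.0.0/8 and not dst net 172.16.0.0/12 and not dst net 192.168.0.0/16 and not dst net 127.0.0.0/8' 2>/dev/null &
    sleep 1; dig +short @127.0.0.1 example.org A >/dev/null; wait
}

case "${1:-}" in
    config) check_upstreams "$SETUPVARS"; check_toml "$TOML" ;;
    live)   live_checks ;;
esac
```

Run `sh dnscheck.sh config` on the Pi-hole host to audit the two files, then `sudo sh dnscheck.sh live` to confirm that queries flow through dnscrypt-proxy and that nothing leaves on plain port 53.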