Online Security Part 2

Part 1 in the series where we discuss password managers and not sending sensitive things via email.

Hello. Today we're going to talk about DNS, which stand for Domain Name System. A good primer on the topic can be found here, and the Wikipedia article on the topic is here. As the first article helpfully summarizes, DNS is the phonebook of the internet. Every website you visit requires a “DNS lookup” to translate the domain, e.g., into an IP address so that the computer can go ask that other computer for the web thing you're trying to look at. You don't need to care about the semantics of all this, all you need to care about is that this lookup is happening thousands of times a day from that supercomputer in your pocket while the thing is not even powered on.

The truth will shock you

I'm going to resist my urge to explain how DNS works but to say that the lookup step is not (typically, historically) encrypted like your connection to this website. It happens in the background and is a plaintext lookup. This means that it could be snooped upon by somebody else in a coffee shop, but this isn't actually a/the big deal. The big deal is that unless you've already done what I'm about to tell you to do, you're doing these DNS lookups against default DNS servers that your phone company and your ISP have set in your phone and your home router. This means that even if you're safe and only use HTTPS to connect to websites (increasingly the default and only option) your ISP still has this log of all your internet activity on every device everywhere you go.

This still isn't that huge a deal because nobody at the phone company is going to target you, but who will is the data mining/marketing companies that buy all of these logs from the ISPs. Yes, this is very useful info for targeting users with ads. Of course it is, right?

Ok I'm in, what do?

The very easiest thing you can possibly do is to stop using the default DNS servers that are setup in your phone or laptop. Go into System Preferences –> Network and then go into the Advanced settings for the interface (probably wifi) that you're using to get online. Go to the DNS tab and change that to as the first line in your DNS servers. You can safely delete the others. This will set your DNS on your laptop to use Cloudflare, a company that's more trustworthy than your ISP.

network settings

DNS settings

There's a similar thing on your phone if you click the little “info” thingy on the wifi network that you're attached to. Problem is that you'll have to do this everytime you hook up to a new wifi network, so it's a little cumbersome.

NextDNS – do this one

A better option, and the one that I'm using right now, is a relatively new service called NextDNS. NextDNS is very cool because not only are they more trustworthy than your ISP with all that DNS data, they actually will block a whole ton of ads, web tracking scripts, and other shit you don't want snooping on you as well. How does it do this? Thanks for asking!

DNS is the phonebook for the internet. If the phone number for a given domain is unlisted, then the computer won't know which IP address to call. So all NextDNS has to do is keep a list of domains that serve ads, trackers, and several other categories of things that people don't want on their computers (this is configurable by you), and whenever a request is made to one of them they just send back a blank entry. The ads don't get loaded. The tracking scripts don't get loaded. It's brilliant and effective.

The easiest way to get started with NextDNS is just to sign up for an account. Use a burner email address if you want, that's what I did. Once signed up they'll give you a number of different ways to get started, the easiest one being installing their app which acts as a VPN client on your phone and your laptop so that you can hook into your custom phonebook that you can configure to block various categories of stuff you don't want to bother you.

NextDNS panel


Enjoy not being tracked around the internet. NextDNS works outside the house or anywhere you go so you're not leaking personally identifiable information everywhere you go. The whole thing about blocking ads is just a huge bonus!