How to set up Secure DNS and Private DNS | Kaspersky official blog
Credit to Author: Stan Kaminsky| Date: Fri, 17 Feb 2023 17:46:46 +0000
Setting up an internet connection on a computer or smartphone is normally automated and you don’t need to delve into doing it manually. But there is one detail worth noting, and that is the choice of DNS and its mode. If you spend a little time on this, you can protect yourself from cyberattacks, ISP spying, unwanted content for children, and even ads. What, for example, is Private DNS in Android settings, and how do you use it?
DNS and its disadvantages
DNS stands for Domain Name Service. It translates human readable web addresses (domain names, for example kaspersky.ru) into digital IP addresses used by computers on the net (185.85.15.34). Almost every internet query starts with a computer contacting a DNS server to translate a site name entered into its IP address. And almost always it’s be done by the DNS server of your internet provider, while the request to it is neither encrypted nor signed. This insecurity brings many side effects.
- Your provider always knows which sites you visit and can use this to show you targeted ads.
- It’s easy for the provider to spoof the IP address in its response, showing a completely different site to the one you wanted to see. You’ve probably encountered this when connecting to free Wi-Fi in a hotel, cafe, or airport, where the first thing that pops up instead of the site you want is a page requesting authorization or showing ads.
- The same technology can be used by attackers to control the Wi-Fi network that you’re connected to. They can insert fake sites that spread malware or steal bank card information.
However, address substitution in DNS responses can have positive practical uses, for example, for parental control services – loading a stub page if there’s an attempt to visit “undesirable” sites. However, this technology isn’t very precise, and blocks sites in their entirety – for example, the whole of youtube.com rather than specific “bad” pages. Therefore, it’s not used in Kaspersky Safe Kids.
But you don’t have to use your ISP’s DNS server. There are public DNS servers with good reputations, such as those from Cloudflare (1.1.1.1) or Google (8.8.8.8), which you can specify in your internet settings and get rid of some of the problems described above.
There are also DNS servers with additional functions – such as blocking access to ad servers. They remove ads in both the browser and other applications. To do this, simply specify the address of the appropriate “filtering” DNS server in the Wi-Fi settings of your computer or smartphone.
Unfortunately, simply changing the DNS address to 1.1.1.1 or 8.8.8.8 doesn’t solve privacy issues. An ISP or an intruder controlling the network can snoop on DNS queries, interfere with them, or block access to a third-party DNS.
Private DNS and Secure DNS
Large corporations and enthusiasts may run their own DNS server and apply any query rules they want to it. In a strict sense, Private DNS is not a high-privacy server – just a private, non-public server. In practice, Private DNS is often run on secure DNS protocols. The Private DNS setting in Android 9 and higher, for example, should be called Secure DNS to convey its essence more accurately.
Secure DNS is several competing protocols that differ from ordinary DNS by having encryption. These are DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt. They differ in communication protocols and ports through which DNS requests are passed. There are still debates about which is better and which is worse. However, sometimes ISPs block access to a third-party DNS, in which case the DoH protocol has the best chance since it’s more difficult to filter. But it’s not necessary to go into the finer points of Secure DNS. The main thing is that your smartphone, computer or browser supports at least one of these protocols, and has a DNS server that can be used with it.
There’s no shortage of free secure servers – major ISPs (Cloudflare, Google, etc.) support public DNS (1.1.1.1, 8.8.8.8), which you can connect to via both unsecured DNS and DoH/DoT. So your job comes down to enabling this secure access.
Already got a VPN?
Secure DNS and VPN are complementary technologies. Even if you’ve enabled a VPN, site name requests may go through an unencrypted DNS channel, and then all of the above risks remain. Some commercial VPN services include their encrypted DNS in the default connection profile, or offer to enable their VPN and third-party secure DNS simultaneously through an app. But this isn’t common practice so it’s worth rereading the information from your VPN provider, or asking technical support. If secure DNS is not offered, it can be enabled in addition to the VPN (see the instructions below).
Enable secure DNS
Here’s the easiest way to enable secure DNS on Android (9 and above): go to Settings, select More connections or Advanced, and find the Private DNS subsection there. Specify the server desired, and the configuration is complete. A slightly mysterious nuance is that Android doesn’t accept numeric addresses in this section, so you’ll need to check the domain name of the desired DNS server with the provider (for example, 1dot1dot1dot1.cloudflare-dns.com).
Apple devices have had DoH/DoT support since iOS 14 and macOS 11. However, there’s no built-in setting to enable these protocols, so you need one of the many third-party tools from the App Store that can activate your preferred secure server. You can find them by searching for “Secure DNS”. Experienced users can install required configuration profiles manually or create them themselves.
Windows 10 has had DoH support since version 19628 (from 2020), and you can enable it through these instructions on the Microsoft website.
Chrome and Firefox browsers can make DNS queries over an encrypted channel, irrespective of OS-level support.
In some countries, this option is enabled by default, but it’s better to check it in the browser settings.
An important nuance for Kaspersky users: to ensure that your protection is properly configured, first activate protected DNS on the router, OS or in browser settings. Then check that you have the right Kaspersky setting enabled: Settings → Network Setting → Traffic Processing.
Here, you can also specify the specific DoH servers that you plan to use.