Before its website, DNSCrypt.org, was taken offline, DNSCrypt was an effective protocol for authenticating DNS comms, ensuring the response always comes from the intended DNS resolver and hasn’t been modified in transit.

Why you should secure your DNS

As the foundation of the internet, DNS is a global database used by every application that communicates over a network. However, it is also a protocol designed without security mechanisms like encryption, authentication, or protection from modification, leaving it vulnerable to attack. DNS queries that are not secured are susceptible to interception. This impacts both security and privacy: not only does it allow online activity to be intercepted, which can include access to personal accounts and information, but false DNS responses can also be used to spread malware, and more. DNS Cache Snooping is the name given to the most common type of DNS attack; it involves a rogue IP address being injected into a request to redirect traffic to an alternative website rather than the genuine, intended one.

Is a VPN enough?

Certain operating systems have a feature called “Smart Multi-Homed Name Resolution,” which sends the query to other, non-standard DNS servers if the configured DNS servers don’t respond quickly enough, resulting in a DNS leak. Therefore, a VPN is only adequate if it has DNS leak protection and uses its own DNS servers, which, in most cases, are zero-knowledge DNS servers that do not store any user information or activity. ExpressVPN and CyberGhost VPN both provide this level of security and have even adopted IPv2 for future protection.

Is HTTPS enough?

HTTPS is an extension of the Hypertext Transfer Protocol (HTTP) that uses TLS to encrypt web traffic and other communications from devices. HTTPS helps authenticate websites, and it also provides privacy and integrity for the data exchanged. However, HTTPS only secures web traffic and other comms, not DNS queries; therefore, HTTPS does not in any way secure your DNS traffic.

Best Alternatives for DNSCrypt

1 A VPN with DNS Leak Protection and DNS servers

A VPN is an online privacy and security tool that encrypts traffic and facilitates internet access via a secure proxy server. By doing this, you assume an alternative public IP address, and third parties are unable to see the sites you access, the files you download, or the resources you use. However, many VPNs can’t guarantee DNS security due to DNS leaks. VPNs like ExpressVPN and CyberGhost VPN have addressed this flaw by implementing DNS leak protection, which ensures that DNS queries are always forced to the VPN’s own secure DNS servers. Although you can manually change your ISP’s DNS servers to an alternative, like Google’s 8.8.8.8, many such services are used for data collection, which can be passed on to advertising networks. Additionally, you will be able to take advantage of the other benefits a VPN can provide, like bypassing geo-restrictions, geo-spoofing for digital purchases, torrenting safely, better net neutrality, etc.

2 DNS-over-TLS

DNS over TLS (DoT) is a security protocol that protects DNS from manipulation, like man-in-the-middle attacks, via the Transport Layer Security (TLS) protocol. TLS itself has existed for some time; it is a cryptographic protocol that secures data in transit. As more people realize the importance of securing DNS, DNS-over-TLS has become very popular. Even Frank Denis, the creator of DNSCrypt-proxy, now recommends using DNS-over-TLS instead of any other encrypted DNS. DNS-over-TLS is a protocol some large companies have taken advantage of to provide a secure service, including Cloudflare, Quad9, and Google (Android 9 Pie and above).

3 Other DNS-over-TLS services

Tenta
DNSDist from PowerDNS
BIND (through stunnel)
Unbound

If you want to secure DNS on Android devices, Tenta provides an excellent service, as they have a private and secure Android browser that uses DNS-over-TLS. Though we recommend that you use a secure VPN for your activities, you can use this browser as an alternative. Be advised that there are different versions of TLS available, and 1.0 is currently being phased out as 1.2 is adopted.
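To make the DNS-over-TLS description and the TLS-version caveat above concrete, here is an added example (not code from the original article or from any of the services it names) of a minimal DoT client written from scratch in Python. It builds a DNS query in wire format, wraps it in the 2-byte length prefix that DNS over TCP/TLS requires (RFC 7858 reuses the RFC 1035 TCP framing), sends it over a TLS connection on port 853 whose certificate is verified against the resolver’s published hostname, refuses anything older than TLS 1.2, and parses the A records out of the reply while checking the transaction id. The resolver address and hostname in the usage call (Cloudflare’s 1.1.1.1 / cloudflare-dns.com) are the ones that operator publishes; the resolver name is the article’s, the client code is this example’s assumption.

```python
import socket
import ssl
import struct

# RFC 7858: DNS over TLS runs on TCP port 853 and uses the TCP framing of
# RFC 1035, i.e. every DNS message is prefixed by its length as a 16-bit
# big-endian integer.
DOT_PORT = 853


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels, NUL-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive query for `name` (qtype 1 = A, 28 = AAAA)."""
    # flags 0x0100: standard query with Recursion Desired; QDCOUNT = 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def frame(message: bytes) -> bytes:
    """Add the 2-byte length prefix required for DNS over TCP/TLS."""
    return struct.pack("!H", len(message)) + message


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at `offset`."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(response: bytes, expected_txid: int) -> list:
    """Return the IPv4 addresses in the answer section, checking txid and RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                   # RCODE != 0, e.g. 3 = NXDOMAIN
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):
        offset = skip_name(response, offset) + 4   # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        offset = skip_name(response, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from the TLS socket (TCP may deliver a message in pieces)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_over_tls(name: str, resolver_ip: str, resolver_hostname: str,
                     txid: int = 0x1234) -> list:
    """Send one A query over TLS, verifying the resolver's certificate against
    `resolver_hostname`, and return the addresses in the reply."""
    ctx = ssl.create_default_context()             # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse the deprecated TLS 1.0/1.1
    with socket.create_connection((resolver_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver_hostname) as tls:
            tls.sendall(frame(build_query(name, txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length), txid)


if __name__ == "__main__":
    # Cloudflare's published DoT endpoint; the hostname is what the certificate is checked against.
    print(resolve_over_tls("example.com", "1.1.1.1", "cloudflare-dns.com"))
```

The two checks that matter for the attacks discussed in the article are the certificate verification with `server_hostname` (a resolver that cannot present a valid certificate for the published name is rejected before any query is sent) and the transaction-id check on the reply; the `minimum_version` line is the practical form of the TLS 1.0 caveat above.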

How to run a DNS Leak test

For demonstration purposes, we have used ExpressVPN, but alternative VPNs should operate similarly. ExpressVPN provides a DNS leak test on their website; however, we recommend using a more impartial service if testing various VPNs, and one of the best tools currently available can be found at www.astrill.com/dns-leak-test.

Final thoughts

Without any certainty about how long DNSCrypt will continue operating, users need an alternative way of securing DNS comms. However, it’s not DNS queries alone that should be your concern, as third parties will still be able to observe traffic unless further precautions are taken. Consider subscribing to a premium VPN in conjunction with a secure DNS service, anti-virus, or other security tools. Wizcase recommends ExpressVPN and CyberGhost VPN, among the most efficient and effective services on the market.