Encrypted DNS traffic explained
Encrypting DNS traffic allows you to browse the internet securely and privately. Domain name system (DNS) requests are essential for accessing websites, but malicious actors can sometimes spy on this traffic or even tamper with it, redirecting you to malware-ridden servers. In this article, we explain how DNS encryption can protect you from those risks.
What is encrypted DNS traffic?
Encrypted DNS traffic protects DNS queries by using encryption protocols during DNS resolution, in which domain names (like nordvpn.com) are translated into IP addresses (like 192.0.2.1). Usually, DNS traffic is not encrypted, and anyone who has access to the network (your internet service provider or hackers) can see the DNS requests. Encrypting the DNS traffic protects DNS queries and responses from third parties attempting to snoop on your online activity.
How does encrypted DNS traffic work?
DNS requests can be encrypted using encryption protocols. If DNS traffic is not encrypted, an unsecured connection could expose this data to outside eyes.
By configuring encryption protocols on your network, you can scramble your data and make it incomprehensible to anyone but the intended recipient (the resolver). If your internet service provider (ISP) or a malicious actor is able to view or intercept DNS queries, all they will receive are strings of encrypted, unreadable characters.
For encrypted DNS traffic to work, the resolver must be compatible with the encryption protocols used on your network. These protocols are essential for secure DNS transfer.
Different methods of DNS encryption
The three main types of DNS protection are DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt. Here’s a detailed explanation of what each one does.
DNS over HTTPS (DoH)
DNS over HTTPS (DoH) involves DNS data being sent through an HTTPS connection using port 443 and user datagram protocol to handle quick and lightweight queries. HTTPS is the standard protocol used on most websites. If your encrypted DNS traffic is secured with HTTPS, anyone who intercepts it will only have the encrypted version, not the plaintext DNS request itself.
DNS over TLS (DoT)
DNS over TLS (DoT) is another encryption method for DNS traffic. In this case, data is encrypted and moved via the Transport Layer Security protocol using port 853. As with DoH, the DNS traffic benefits from end-to-end encryption while in transit. However, while DoH sends encrypted DNS traffic to and from the same port as all HTTPS traffic, DoT data moves through a separate port. As a result, it is easier to troubleshoot DoT and isolate potential problems with the protocol.
DNSCrypt
DNSCrypt is a protocol that will allow you to benefit from encrypted DNS traffic. It uses end-to-end encryption, like DoH and DoT, but its distinguishing feature is its capacity to prevent DNS spoofing attacks. The protocol authenticates traffic to make sure that it hasn’t been tampered with and that it comes from the correct DNS resolver.
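To make the DoH and DoT descriptions above concrete, here is an added example (not code from the original article) that builds one DNS query for www.example.com and shows the two ways it travels: DoH encodes it into an ordinary HTTPS request on port 443, while DoT sends it with a length prefix inside a TLS session on its own port, 853. The DOH_URL endpoint is an assumption for illustration, and nothing is sent over the network.

```python
import base64
import struct

# Assumed resolver endpoint for illustration only (not a real service).
DOH_URL = "https://doh.example/dns-query"   # DoH: ordinary HTTPS, port 443
DOT_PORT = 853                              # DoT: dedicated TLS port (RFC 7858)


def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query (RFC 1035): 12-byte header, QNAME labels, QTYPE, QCLASS=IN.
    RD=1 asks the resolver to recurse; txid=0 keeps DoH GET requests cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(query):
    """DoH GET form (RFC 8484): the raw query goes base64url-encoded, without '='
    padding, in the 'dns' parameter. Inside TLS it looks like any other HTTPS request."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return DOH_URL + "?dns=" + encoded


def dot_frame(query):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix precedes
    each message inside the TLS session to port 853. The separate port is what makes
    DoT easy to isolate on the wire, for troubleshooting and for blocking alike."""
    return struct.pack("!H", len(query)) + query


def dot_unframe(stream):
    """Split a DoT byte stream (after TLS decryption) back into DNS messages.
    A trailing partial message is left for the next read, as a real client must do."""
    messages, i = [], 0
    while i + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[i:i + 2])
        if i + 2 + length > len(stream):
            break
        messages.append(stream[i + 2:i + 2 + length])
        i += 2 + length
    return messages


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))           # same 'dns=' value as the RFC 8484 section 4.1.1 example
    print(dot_frame(q)[:2].hex())   # 0021: a 33-byte message behind the DoT length prefix
```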
Pros and cons of DNS encryption
Encrypting DNS data is a useful security measure, but it does have some downsides. Let’s explore the pros and cons of encrypting DNS requests and responses.
Pros
- Improved privacy. If DNS traffic is encrypted, it cannot be viewed by outside parties while in transit. Using any of the protocols discussed earlier in this article — DoH, DoT, or DNSCrypt — will boost your privacy, though much of your browsing traffic will still be visible unless you use an encryption service like a VPN.
- Security. DNS protection lowers the risks posed by man-in-the-middle attacks and prevents DNS data from being tampered with by malicious actors during transit. As a result of the encryption, users are less likely to become the victims of DNS hijacking and spoofing.
Cons
- Performance and speed reduction. Encrypting and decrypting DNS traffic adds steps to the DNS resolution process, so users experience marginally slower connections and poorer performance while the DNS server resolves their queries.
- Compatibility issues. Some hardware, DNS resolvers, and Wi-Fi networks may not support DNS encryption protocols, leading to compatibility issues. In some cases, these problems might be intentional. An internet service provider (ISP) can prevent you from using encryption protocols, resulting in a “This network is blocking encrypted DNS traffic” warning message.
- Protocols and providers. Some protocols won’t be supported by certain DNS service providers. This means that, depending on the DNS server settings, you may have to switch between DNS providers to keep your network processes running smoothly. This adds to the complexity of setting up and maintaining a DNS protection system.
Overall, encrypted DNS traffic is a useful tool, but it won’t solve all of your security and privacy issues. A simpler way to make your network safer is by using a VPN.
With services like NordVPN, you can provide encrypted connections to individual devices on your network as well as to your routers and internet gateways. NordVPN encrypts all browsing traffic in transit between a device and a VPN server, making it harder for internet service providers or a malicious actor to spy on your data.