DNS and Privacy: Who Controls Your Browsing

September 01, 2025

While most discussions about Internet privacy focus on cookies and fingerprinting, there is a more fundamental layer that often goes unnoticed: the Domain Name System (DNS). Created in the 1980s to translate friendly domain names (like example.com) into IP addresses, DNS has become a potential tool for surveillance and censorship. Each DNS query typically travels unencrypted, exposing our browsing habits to whoever controls this critical infrastructure or sits on the path to it.

In this blog, we’ll explore how DNS works, the ways it can be manipulated, and what implications this has for online privacy and freedom. We’ll also present some tools that help mitigate these risks, keeping in mind that all technical protection involves, to a greater or lesser extent, a trust relationship with third parties. It’s not about completely eliminating this dependency, which is rarely possible, but about clearly understanding who we trust and what alternatives exist.

Resolution begins when we type a web address: the system first looks in its local cache and, if the name is not there, sends the query to its configured recursive resolver (usually the one assigned by the ISP or the local network via DHCP), which walks the hierarchy of servers (root, top-level domain, and authoritative servers) to obtain the corresponding IP address. This process, although efficient and fast, has significant weaknesses. Queries travel unencrypted and unauthenticated over port 53 (UDP, or TCP for large responses), so any intermediary on the path can observe them or modify the responses, and the recursive resolver itself sees every name we look up. Additionally, the concentration of operational control in a few organizations makes systematic censorship and surveillance mechanisms easy to implement.

The original DNS design did not include authentication or encryption mechanisms. This, combined with its fundamental role in web browsing, makes it an attractive control point for various actors. In practice, DNS has not only been a technical tool but also a mechanism used to monitor, censor, or redirect user traffic without their explicit consent.

DNS can be manipulated in several ways that affect users directly. A common one is DNS hijacking, where queries are intercepted and answered with false responses, ranging from injecting unwanted advertising to redirecting to malicious sites that impersonate the originals. Because a plain DNS reply carries no signature, any intermediate point in the network that can see the query can forge the answer.
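To make the previous point concrete, the following added example (not code from the original post) builds a plaintext DNS query for example.com exactly as it would appear on UDP port 53, shows what a passive observer reads straight out of it, and then builds a forged reply that a plain, non-validating client would accept. The address 203.0.113.7 is from the documentation range and stands in for a constructed "attacker" IP; all bytes are built in memory and nothing is sent on the network.

```python
"""Added example: plaintext DNS on the wire, what an observer learns, and what a
spoofed reply has to match. Constructed bytes only; nothing is sent."""
import random
import struct


def build_query(name, txid=None, qtype=1):
    """Minimal RFC 1035 query for `name` (type A by default, class IN)."""
    if txid is None:
        txid = random.randrange(0x10000)  # 16-bit transaction ID
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_name(msg, offset):
    """Decode a domain name at `offset`, following compression pointers.
    Returns (name, offset just past the name as it appeared in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def observe_query(packet):
    """Everything a passive on-path observer reads straight out of a query."""
    txid = struct.unpack("!H", packet[:2])[0]
    name, off = parse_name(packet, 12)
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return {"id": txid, "name": name, "qtype": qtype}


def forge_response(query_packet, ip):
    """Reply that points the queried name at `ip` (constructed attacker address).
    It copies the transaction ID and question section, which is all a plain DNS
    client checks: nothing in the packet ties the answer to the real authority."""
    txid = struct.unpack("!H", query_packet[:2])[0]
    _, qend = parse_name(query_packet, 12)
    question = query_packet[12:qend + 4]  # name + QTYPE + QCLASS
    # Flags 0x8180: response, recursion desired and available, no error
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer RR: pointer to the name at offset 12, TYPE A, CLASS IN, TTL 300, RDATA
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def parse_a_records(packet):
    """Return (transaction ID, list of IPv4 strings in the answer section)."""
    txid, _flags, qdcount, ancount = struct.unpack("!HHHH", packet[:8])
    off = 12
    for _ in range(qdcount):
        _, off = parse_name(packet, off)
        off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = parse_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in packet[off:off + 4]))
        off += rdlen
    return txid, addrs


def stub_accepts(query_packet, response_packet):
    """The only checks a non-validating client can make: same ID, same question.
    An attacker who saw the query (or guessed the 16-bit ID) passes both."""
    _, qend = parse_name(query_packet, 12)
    return (query_packet[:2] == response_packet[:2]
            and query_packet[12:qend + 4] == response_packet[12:qend + 4])


if __name__ == "__main__":
    query = build_query("example.com", txid=0x1234)
    print("observer sees:", observe_query(query))
    spoofed = forge_response(query, "203.0.113.7")
    print("client accepts spoofed reply:", stub_accepts(query, spoofed))
    print("resolved to:", parse_a_records(spoofed))
```

The point to take away is the last function: an unencrypted, unsigned reply is accepted on the strength of a 16-bit ID and a copied question section, both of which an on-path party already has. Encrypting the channel (next section) removes the on-path observer; it does not add any signature to the answer, so the resolver at the other end of that channel is still fully trusted.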

The system can also be used as a censorship tool through DNS blocking, modifying responses to prevent access to certain domains. A notable case was the blocking of Twitter and YouTube in Turkey (2014), although these restrictions can be evaded using alternative DNS servers. Furthermore, DNS resolvers can silently log and analyze queries, creating detailed browsing profiles. While some companies promise not to store these logs, transparency about these practices remains limited.

In response to these risks, various technical solutions have emerged aimed at reducing the exposure of DNS queries. One of them is the use of protocols that allow encrypting these requests, so that third parties cannot easily observe what is being queried. Another line of defense seeks to decentralize control over resolvers to limit who can monitor or intervene in our browsing.

To protect DNS queries, modern browsers have integrated DNS over HTTPS (DoH), which encapsulates queries in HTTPS traffic on port 443, so they are hard to distinguish from ordinary web traffic and correspondingly hard to block. DNS over TLS (DoT) offers the same encryption over a dedicated channel on port 853, which is easier for a network to identify and filter but fits naturally into corporate configurations and specific devices. Although these solutions are effective against observers on the path, they only move the trust to the resolver operator, such as Cloudflare (1.1.1.1), Quad9, or NextDNS, which still sees every query in the clear. Therefore, it’s crucial to carefully evaluate the privacy policies, log retention, and jurisdiction of these services before choosing them.
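As an added illustration (not from the original post) of what enabling DoT looks like on a typical Linux host, the fragment below assumes systemd-resolved is the system stub resolver and edits its /etc/systemd/resolved.conf. The commented-out lines show the weak settings; the active lines show the hardened ones. The resolver choices are only an example, not a recommendation.

```ini
# /etc/systemd/resolved.conf (added example; assumes systemd-resolved is in use)
[Resolve]
# Weak: no resolver named here means plaintext UDP/53 to whatever DHCP handed
# out, and "opportunistic" silently falls back to plaintext if TLS fails.
#DNS=
#DNSOverTLS=opportunistic

# Hardened: named resolvers over TCP/853, certificate checked against the
# hostname after '#', and no fallback to plaintext if the TLS handshake fails.
DNS=9.9.9.9#dns.quad9.net 1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes
```

After `systemctl restart systemd-resolved`, `resolvectl status` should report DNSOverTLS as enabled, and a packet capture filtered on port 53 should stay empty while port 853 carries the traffic; if applications still produce port 53 traffic, they are bypassing the stub resolver and need their own configuration.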

Despite these improvements, encrypting DNS queries or changing providers doesn’t remove every risk of tracking or surveillance. Even if the DNS query is encrypted, the destination server still sees the user’s IP address, access time, and other metadata, and the TLS handshake to that server carries the hostname in the clear in the Server Name Indication (SNI) unless Encrypted Client Hello is in use, so the network can still learn which site is being visited. Additionally, if the rest of the traffic isn’t protected by HTTPS or other mechanisms, much of the information remains exposed.

Technical and legal limitations may restrict the use of DoH or DoT, especially on corporate networks that filter port 853 or known DoH endpoints, or in countries with restrictive policies. In these cases, there are alternatives that protect more than the DNS query alone:

  1. VPNs: Encrypt all traffic, including DNS, through an intermediary server. However, they require trusting the VPN operator, whose resolver now sees every query, so evaluate their privacy policies carefully, especially for free services, and verify that the system is not still sending queries to the local resolver outside the tunnel (a "DNS leak").

  2. Tor: Offers greater anonymity by routing connections through multiple nodes and resolving names at the exit relay rather than on the local network. Although it can be slower and incompatible with some services, it provides stronger protection against surveillance.

The choice of these tools should be based on a realistic assessment of the specific threats and needs. Sometimes a simple change to an encrypted DNS resolver is enough; in other cases, a combination of solutions may be necessary.

Final Thoughts

Like many Internet technologies, DNS was born with the intention of solving a specific technical problem, making the network more accessible to people. However, over time, its operation has been shaped by economic, political, and commercial interests that escape individual control. Therefore, beyond technical solutions, it’s important to reflect on the digital infrastructure we use daily. Who manages it? What interests intersect with it? And above all, how can we, through our daily decisions, contribute to a safer, more open, and fair online experience?