
DNS Privacy: Google is pushing DNS over TLS

Encrypting DNS traffic is one of the changes to Internet technology that the NSA scandal set in motion. Now a major player in the industry is backing it.

Google's public DNS servers have recently started accepting DNS queries encrypted with TLS. Traditional DNS queries travel unencrypted, so security agencies, snoopers and advertisers can easily evaluate them to build up profiles of users' surfing behaviour. With its public DNS servers (Google Public DNS), Google operates the largest infrastructure of this kind in the world. Some providers, and above all many private users worldwide, use Google's DNS servers, not all of them knowingly.

DNS communication is fundamental to most Internet services; whether surfing, e-mailing or chatting, all the servers involved are addressed by their IP address. Because IP addresses are inconvenient to remember and change from time to time, there is the Domain Name System, which translates domain names into IP addresses. Thus almost every Internet application starts with a request from the client (DNS query) to the configured DNS server (resolver) for the IP address of a domain. Only once the resolver has supplied the IP address (DNS reply) can the client contact the server belonging to the domain. For example, web browsers reach the web server of ct.de via the IP address 193.99.144.80 (or 2a02:2e0:3fe:1001:302:: over IPv6).

Packets carrying unencrypted DNS queries and replies are easy to read. Google now wants to help its users "maintain their privacy and integrity", said Google product manager Marshal Vale. Google's DNS servers can optionally set up tunnels using TLS 1.3 and support several options that speed up DNS queries, including TCP Fast Open, multiple queries in one TCP session (pipelining) and out-of-order responses. However, that only covers the prerequisites on the server side.
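What the server-side features above mean for a client is easiest to see in code. The following is an added example written for this article, not code from Google or the DNS Privacy project: it builds a DNS query in wire format, puts the 2-byte length prefix in front of it that DNS over TCP (and therefore DNS over TLS, port 853) requires, sends several queries through one TLS session without waiting for answers (pipelining), and then pairs the replies with their queries by transaction ID and question section so that out-of-order responses are handled correctly. The TLS context verifies the resolver's certificate against its name, which is what protects the reply against manipulation on the way back. The names dns.google, 8.8.8.8, port 853 and the ct.de addresses are taken from the article; the function names, transaction IDs and the constructed server replies used for the offline run are assumptions made here.

```python
# DNS over TLS in miniature: RFC 1035 wire format, the 2-byte length framing
# used over TCP and therefore TLS (RFC 7858), pipelined queries and replies
# arriving out of order. Added example for this article, not code from Google
# or the DNS Privacy project; dns.google, 8.8.8.8, port 853 and the ct.de
# addresses come from the article, everything else is an assumption made here.
import socket
import ssl
import struct

def encode_name(name):
    # 'ct.de' -> b'\x02ct\x02de\x00'
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, qtype=1):
    # header: ID, flags with RD set, QDCOUNT=1, other counts 0; then one
    # question (qtype 1 = A, 28 = AAAA, class IN)
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def frame(msg):
    # every message on the TCP/TLS stream is prefixed with its length
    return struct.pack("!H", len(msg)) + msg

def decode_name(msg, off):
    # read a possibly compressed name; the hop limit stops pointer loops
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if (hops := hops + 1) > 64:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_reply(msg):
    # -> (txid, rcode, (qname, qtype), [(name, "A"/"AAAA", address, ttl), ...])
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, question, answers = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        question = (qname, struct.unpack("!H", msg[off:off + 2])[0])
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1:
            answers.append((name, "A", socket.inet_ntoa(rdata), ttl))
        elif rtype == 28:
            answers.append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata), ttl))
    return txid, flags & 0xF, question, answers

def match_replies(pending, buf):
    # pending: {txid: (name, qtype)} of queries already sent. Cut complete
    # frames off the stream (a trailing partial frame is handed back for the
    # next recv), pair each reply with its query by ID *and* question section
    # (RFC 5452) whatever the arrival order, and drop anything unsolicited.
    results = {}
    while len(buf) >= 2 and len(buf) >= 2 + (n := struct.unpack("!H", buf[:2])[0]):
        txid, rcode, question, answers = parse_reply(buf[2:2 + n])
        buf = buf[2 + n:]
        want = pending.get(txid)
        if want and question and question[1] == want[1] and question[0].lower() == want[0].lower():
            del pending[txid]
            results[want] = answers if rcode == 0 else []
    return results, buf

def build_reply(txid, name, rtype, rdata, ttl=3600):
    # constructed server reply for offline use: flags QR|RD|RA, one answer whose
    # name is a compression pointer (0xC00C) to the question name at offset 12
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
            + encode_name(name) + struct.pack("!HH", rtype, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata)

def resolve_over_tls(queries, addr="8.8.8.8", port=853, auth_name="dns.google"):
    # live path (needs network and port 853 open): one TLS session, all queries
    # sent before any reply is read; the default context verifies the chain
    # and that the certificate is issued for auth_name
    ctx = ssl.create_default_context()
    pending, results, buf = {}, {}, b""
    with socket.create_connection((addr, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
        for txid, (name, qtype) in enumerate(queries, start=0x1000):
            pending[txid] = (name, qtype)
            tls.sendall(frame(build_query(txid, name, qtype)))
        while pending and (chunk := tls.recv(4096)):
            got, buf = match_replies(pending, buf + chunk)
            results.update(got)
    return results
```

Calling `resolve_over_tls([("ct.de", 1), ("ct.de", 28)])` performs the live exchange with Google Public DNS; everything else in the block runs offline against the constructed replies. Two details matter in practice: the length prefix means a single `recv` may return half a message or several messages, so the stream has to be reassembled before parsing, and a reply is only accepted if both its transaction ID and its question section match an outstanding query, so a stray or forged message on the session cannot be mistaken for an answer.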

Client applications
For clients to be able to talk to such servers, almost all of them have to be retrofitted with a corresponding DNS client. At least these are available free of charge for Linux, macOS and Windows. Which ones are currently in use and how to set them up is described in the c't article "Information sealed: How to protect your privacy in DNS communication".

A notable exception is Google's mobile operating system Android. Since version 9 (Pie) it sets up TLS tunnels for DNS queries on its own. To use the feature, it is enough to enter a suitable server in the network (Private DNS) settings of the Android device. Google has a configuration guide for this.

Under the name Stubby, the first DNS-over-TLS client that can be operated via a graphical interface has been released for macOS users; so far it is the only one. Stubby is also available for Linux and Windows, but graphical user interfaces for those platforms are still in the works. The software was written by members of the DNS Privacy project.

For iOS, the very versatile DNSCloak app was available for several months. It is currently suspended from the App Store because its release violates Apple's policies: under these, individuals cannot offer apps in the store that access the iOS VPN API (which is required on iOS for the TLS connection). The developer is now examining ways to publish the app under the umbrella of a company.

Many alternatives
The move is likely to give DNS encryption a boost. However, Google does not mention that the company, like any other resolver operator, can log and read its users' queries. So anyone who uses DNS over TLS with Google's resolvers does shut out third-party eavesdroppers, but hands their surfing profile to the world's largest advertising company.

Useful, of course, is the protection against manipulation of DNS responses on the way back. But you also get that from other resolver operators that set up encrypted tunnels with their clients. In fact, DNS over TLS is just one of several ways to encrypt DNS traffic; DNSCrypt and DNS over HTTPS, for example, pursue the same goal.


Unlike DNS over TLS, DNS over HTTPS uses the same IP port as HTTPS web services, port 443, which is open in most firewalls in the world. DNS over TLS, on the other hand, uses its own port, 853, which some firewalls block, for example those in public Wi-Fi networks. Although a different port can be used with DNS over TLS, most deployments will actually use port 853. For an overview of servers offering DNS over TLS and DNS over HTTPS, see this page of the DNS Privacy project.