Since you are coming here to encrypt DNS traffic, you must already know what DNS is. In a nutshell, when you type a URL into the browser, say facebook.com, your computer contacts a DNS server and requests the IP address of the website; once it has that information, it routes your browser to the correct site. This is called DNS, or domain name server. Now, before we jump into how to encrypt DNS traffic, we first need to understand DNS leaks.
Generally, internet service providers assign a DNS server to each customer, which lets them record your internet activity.
Ideally, when you use a virtual private network (VPN), your DNS requests should be directed to an anonymous DNS server provided by your VPN, not through your ISP’s DNS servers. However, in some cases, despite being connected to a VPN, the system continues to use the default DNS servers; this is referred to as a DNS leak.
To check whether your VPN has a DNS leak, simply head over to dnsleaktest and run a standard test. If you can see your country and ISP in the result, your connection has a DNS leak.
The limitations of a VPN
A VPN shields your personal identity and location details and, more often than not, is used to bypass geo-restrictions. Point-to-point connections built on dedicated links and virtual tunnelling protocols are central to a VPN. While a VPN does encrypt your network traffic, it does so only until the traffic exits the VPN endpoint; after that, the traffic is unprotected. This is one of the prime reasons why I personally recommend the use of encryption even when using a VPN service.
So, if you want to plug a DNS leak, here are the best apps to encrypt your DNS traffic.
Best Apps to Encrypt DNS Traffic
1. DNSCrypt Security
DNSCrypt is arguably one of the most popular cryptographic tools used to encrypt DNS traffic. The best part is that DNSCrypt authenticates before starting the encryption process, which is generally regarded as the preferred order of things.
This is how it pans out: the DNSCrypt session begins with an unencrypted packet that carries information about the crypto, including the certificates and other related items. In the next step, the server responds with signed certificates, and the client verifies the certificates by checking them against the trusted/known public key for that particular provider.
The client not only chooses the public key, it also chooses the key corresponding to its capabilities. Once that is settled, the protocol performs a key exchange with the DNS server. Requests that are encrypted but not authenticated are discarded. Since the protocol supports both long-term keys and short-term keys generated for every request, it is difficult to log or track the activities.
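The certificate step described above, as an added example that is not the DNSCrypt project's own code: a Go routine that parses the 124-byte DNSCrypt certificate record a provider publishes, verifies the provider's Ed25519 signature before trusting any field, and rejects unsupported es-versions or certificates outside their validity window. The provider key pair, resolver key and the "DEMO-MGC" client magic are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)
// A DNSCrypt certificate is a fixed 124-byte record: "DNSC" magic, es-version, minor version,
// a 64-byte Ed25519 signature, then the signed part: resolver key, client magic, serial, dates.
const certLen = 124
type Cert struct {
	EsVersion              uint16   // 1 = X25519-XSalsa20Poly1305, 2 = X25519-XChaCha20Poly1305
	ResolverPK             [32]byte // short-term resolver key used for the key exchange
	ClientMagic            [8]byte  // prefix the client must put on every encrypted query
	Serial, TsStart, TsEnd uint32   // serial and validity window (seconds since the epoch)
}
// ParseCert mirrors a DNSCrypt client: it authenticates the certificate with the provider's
// long-term Ed25519 key before trusting any field, then checks es-version and validity dates.
func ParseCert(raw []byte, providerPK ed25519.PublicKey, now uint32) (*Cert, error) {
	if len(raw) < certLen || string(raw[:4]) != "DNSC" {
		return nil, errors.New("not a DNSCrypt certificate")
	}
	if !ed25519.Verify(providerPK, raw[72:], raw[8:72]) { // signature covers bytes 72..end
		return nil, errors.New("provider signature does not verify")
	}
	be := binary.BigEndian
	c := &Cert{EsVersion: be.Uint16(raw[4:6])}
	if c.EsVersion != 1 && c.EsVersion != 2 {
		return nil, errors.New("unsupported es-version")
	}
	copy(c.ResolverPK[:], raw[72:104])
	copy(c.ClientMagic[:], raw[104:112])
	c.Serial, c.TsStart, c.TsEnd = be.Uint32(raw[112:]), be.Uint32(raw[116:]), be.Uint32(raw[120:])
	if now < c.TsStart || now > c.TsEnd {
		return nil, errors.New("certificate outside its validity period")
	}
	return c, nil
}
// BuildCert signs a certificate the way a provider would; used here only to construct demo data.
func BuildCert(sk ed25519.PrivateKey, es uint16, resolverPK [32]byte, serial, start, end uint32) []byte {
	raw := make([]byte, certLen)
	be := binary.BigEndian
	copy(raw, "DNSC")
	be.PutUint16(raw[4:], es)
	copy(raw[72:], resolverPK[:])
	copy(raw[104:], "DEMO-MGC") // constructed 8-byte client magic
	for i, v := range []uint32{serial, start, end} { be.PutUint32(raw[112+4*i:], v) }
	copy(raw[8:], ed25519.Sign(sk, raw[72:]))
	return raw
}
```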
How to set up?
Using DNSCrypt is pretty simple. Download the package from the official website and run it. Once installed, you need to restart your computer for it to make network-level changes. After the restart, open the DNSCrypt application and make sure you check the boxes that say “Enable DNSCrypt” and “Always use OpenDNS.” That’s it; from now on, all your DNS requests should be encrypted automatically.
Open source and protects from all sorts of DNS attacks
Adds an extra layer of security to leaky VPNs.
DNSCrypt doesn’t protect you from forged DNS results upstream
OpenDNS doesn’t support DNSSEC
DNSCrypt is not actively updated
Pricing – Free/Open Source
2. Simple DNSCrypt
Well, the DNSCrypt security solution may be a bit difficult to understand for an average computer user. Simple DNSCrypt packs in the essentials and blends them with an intuitive user interface. Despite cutting down on some of the advanced features, Simple DNSCrypt still encrypts the traffic between your computer and the DNS servers. With this in place, it becomes very difficult for attackers to sniff packets and log your network activity. It also helps mitigate the risk of man-in-the-middle attacks. Apart from that, users can also access a variety of plugins. For instance, the “Block addresses and domain” plugin returns a REFUSED response for blacklisted domains and IP addresses, while the Logging plugin creates a log of the DNS queries and stores it on your local drive.
All said and done, Simple DNSCrypt lives up to its name and is the best bet for the average Joe. Most importantly, the interface is pretty straightforward and lets users view the primary resolver and the secondary resolver separately. Both can be toggled on/off using the switches at the bottom of the menu.
How to Set Up Simple DNSCrypt
Setting up Simple DNSCrypt is easy and straightforward. All you need to do is download the .exe file and install it. Once installed, I was taken aback when the controls appeared in German; however, this can be changed by choosing English as an alternative language. Once installed, click on “Primary DNSCrypt Service” to enable it. No reboot is needed.
Access to around 70 DNS servers located across the world
Easier to use compared to DNSCrypt
Sometimes you need to manually restart the service to get internet access
I faced a variety of network issues after I switched to Simple DNSCrypt
Pricing – Free/Open Source
3. Simple DNS Plus
Apart from sporting an easy-to-use interface, Simple DNS Plus also offers automation features. That being said, DNS encryption is not the only feature the tool has to offer. Once installed, you will find all the settings in the main menu.
With Simple DNS Plus you can also host DNS servers for your own domain names (this requires a static IP address). The Active Log View keeps a maximum of 100 lines by default and deletes older entries to make way for newer ones. Yet another mention-worthy feature is the Buffer Active Log View, which displays the latest log entries when you open the Active Log View. This is handy while troubleshooting.
How to Set Up Simple DNS Plus
Use the setup wizard for common tasks like setting up new zones, importing data and making bulk updates. Thanks to this wizard, you don’t need to mess around with the advanced cryptographic or registry settings. Since Simple DNS Plus uses a docking system that is pretty similar to Microsoft’s Visual, it is easy to set up tools like Performance Graph, Active Log View and Plug-in Windows.
Runs on all client and server versions of Windows XP/2003 and up
An exhaustive list of available plugins that also includes a DHCP server
Stops serving DNS requests when out of disk space
Strangely enough, the 14-day trial period ended in just one day
Paid upgrade to newer versions
Pricing – 15-day free trial/Price starts at $69
VPN with DNS Leak Protection
As I explained earlier, a VPN may be ineffective when it comes to safeguarding your DNS queries. However, a ton of new VPN services have been offering a DNS Leak Protection feature: these VPNs route your queries through their own DNS servers instead of the one provided by your ISP. The list of VPNs offering DNS Leak Protection includes ExpressVPN and NordVPN.
Wrapping it up: Best Apps to Encrypt DNS Traffic
Encrypting your DNS traffic is no longer considered an excessively stringent security measure. Due to the rise in the number of spoofing and man-in-the-middle attacks, it is very important to protect your DNS servers. As far as the list above is concerned, I would personally recommend DNSCrypt for enterprise and advanced users, while Simple DNSCrypt should suffice for general users. If you are looking to invest in a VPN, please make sure that the service offers DNS Leak Protection; this way you will kill two birds with one stone.