
Quadrant’s Public DNS Resolver with TLS & HTTPS Support

October 29, 2018

Quadrant Information Security now offers “DNS over TLS” and “DNS over HTTPS” to the general public. Why is this important? When using services like Google’s public DNS (8.8.8.8 and 8.8.4.4) or your ISP’s DNS servers, the traffic is sent unencrypted. This means that the requests are subject to DNS hijacking and eavesdropping. Using a public DNS resolver with TLS & HTTPS support allows your DNS requests to be protected and encrypted. This eliminates the possibility of DNS eavesdropping and hijacking by your ISP or hostile third parties. This project is part of the “DNS Privacy” project. All logs to and from Quadrant’s public DNS servers are sent to /dev/null, which means that we do not record or log any user activity; we do this to protect our users and ourselves.

DNS-TLS / DNS-HTTPS Disclaimers:

The operations of these services are part of a research project driven and funded by Quadrant Information Security. They are free for public use and have no restrictions. Quadrant Information Security does NOT perform any type of filtering on the DNS request. Quadrant Information Security does NOT keep, store, or retain any information or logs of any DNS queries. Use at your own risk.

If you have any questions or comments about this service, please e-mail [email protected].

DNS-TLS service information:

Server DNS: dns-tls.qis.io

Server Port: 853

Server IPv4: 12.159.2.159

Server IPv6: 2001:1890:140c::159

DNS-HTTPS service information:

Server URL: https://doh.qis.io/dns-query

Server Port: 443

Server IPv4: 12.159.2.159

Server IPv6: 2001:1890:140c::159

Using the DNS-TLS or DNS-HTTPS services.

Android PIE:

Phones running Android “Pie” (or later) support a native DNS over TLS resolver. To use it, go to your phone’s “Settings” and then “Network & Internet”. At the bottom, you should see an “Advanced” option. Open up the “Advanced” options and you should see a “Private DNS” option. Select that option and then choose “Private DNS provider hostname”. Put in “dns-tls.qis.io” and hit save. All your phone’s DNS requests will then be encrypted and protected.

Other resources:

https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html

https://www.techrepublic.com/article/how-to-enable-dns-over-tls-in-android-pie/

https://tools.ietf.org/html/rfc7858

Stubby:

Stubby is a small program that runs on Linux, FreeBSD, OSX, etc. and acts as a local DNS resolver that forwards your DNS requests to a DNS-TLS provider. One side of Stubby “listens” for standard UDP/53 DNS requests. When a DNS request is received, it is forwarded upstream via DNS over TLS. The concept is that you run Stubby with your DNS over TLS provider and point your local resolver (/etc/resolv.conf) at 127.0.0.1. This way, all DNS requests are sent over a secure channel. Here are our Stubby configurations (these entries go in the upstream_recursive_servers list of your stubby.yml):

upstream_recursive_servers:
  # Quadrant DNS-TLS IPv4 configuration:
  - address_data: 12.159.2.159
    tls_auth_name: "dns-tls.qis.io"
  # Quadrant DNS-TLS IPv6 configuration:
  - address_data: 2001:1890:140c::159
    tls_auth_name: "dns-tls.qis.io"

If you want to do certificate pinning, you’ll need to add the following lines under each upstream entry (indented at the same level as tls_auth_name):

    tls_pubkey_pinset:
      - digest: "sha256"
        value: {base64 sha256 value}

We use Let’s Encrypt certificates, which change every few months. To get the most recent pin value, see https://doh.qis.io/dns-tls.qis.io.txt. Certificate pinning adds an extra layer of security to the system but will require more maintenance: once the certificate rotates, a stale pin makes Stubby reject the upstream and DNS resolution fails until the pin is updated.
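To show what Stubby does on its upstream side, here is an added example (not Quadrant’s or Stubby’s code): a minimal DNS over TLS client that encodes a query, frames it as RFC 7858 requires, sends it to the resolver on TCP/853 and lets the TLS library verify the certificate against the tls_auth_name dns-tls.qis.io. The address, port and auth name are taken from the service information above; the query name is an arbitrary example.

```python
import socket
import ssl
import struct

DOT_HOST = "dns-tls.qis.io"   # tls_auth_name from the Stubby configuration above
DOT_ADDR = "12.159.2.159"     # Server IPv4 from the DNS-TLS service information
DOT_PORT = 853

def build_query(name, qtype=1, txid=0x1234):
    """Encode a recursion-desired DNS query (QCLASS IN) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """RFC 7858 reuses DNS-over-TCP framing: a two-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, off):   # step past a (possibly compressed) domain name
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg, txid=0x1234):
    """Return dotted IPv4 strings from the answer section of a DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("wrong transaction id, not a response, or RCODE != 0")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_over_tls(name):
    """Send one query over TLS on TCP/853; chain and hostname are verified."""
    ctx = ssl.create_default_context()           # system CAs, hostname check on
    with socket.create_connection((DOT_ADDR, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=DOT_HOST) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", tls.recv(2))
            data = b""
            while len(data) < length:            # TCP may split the message
                data += tls.recv(length - len(data))
    return parse_a_records(data)
```

Calling resolve_over_tls("example.com") performs a live lookup; if the certificate does not match dns-tls.qis.io the TLS handshake fails before any DNS data is sent, which is exactly the protection tls_auth_name gives Stubby.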

DNS over HTTPS:

In some situations, DNS over TLS may not be an option. For example, it might not be possible to use TCP/853 due to network and firewall restrictions. Or perhaps you would rather use DNS over HTTPS for software compatibility reasons. In any case, the Quadrant Information Security public DNS servers support “DNS over HTTPS”. Rather than using DNS on UDP port 53 or DNS over TLS, requests are made over the standard HTTPS port TCP/443 (TLS). When a DNS request is made, JSON is returned with information about your query. DNS over HTTPS queries should be sent to https://doh.qis.io/dns-query.

More information about DNS over HTTPS can be found at the following links:

Using Firefox with DNS over HTTPS: https://blog.usejournal.com/getting-started-with-dns-over-https-on-firefox-e9b5fc865a43

Listing of software that supports DNS over HTTPS: https://github.com/curl/curl/wiki/DNS-over-HTTPS

If you have any questions, please send us an e-mail at [email protected].
