Who remembers phone books made of paper? They are mostly obsolete now but you used it to find a phone number of a name. DNS or Domain Name System does basically the same thing. The heavy lifting is one by the so-called DNS servers.

How does DNS work?

Why IP addresses are important and why you want to hide them I already explained in this post. Many websites and services use a static IP address so that they are always accessible. For example, the site here has the IP address 80.241.216.24. It looks impressive, doesn’t it? But it’s also hard to remember. It is much easier to keep vpn-expert.info (which is called a domain, by the way) in mind.

As soon as your computer, smartphone or tablet connects to the network, it not only gets an IP address, but also the address of a DNS server. This is the responsible component for your session, which resolves IP addresses into domains or names that are easy for people to read.

If you enter a domain or URL in the browser of your smartphone, the following happens:

  • Your device asks the Domain Name System server: Can you tell me the IP address of vpn-expert.info?
  • The DNS server (also called resolver) answers: It is 80.241.216.24.
  • Your device now knows the IP address of vpn-expert.info. The website can be opened on your device and you get access to the content.

By the way, some servers are faster than others. If the resolver of your provider is a snail, step two may look like this:

  • … replies: Hmmmm, yes, well, I’ll have to think about that. One moment please *queue music* … I’ve got it… Are you still there? *Phew, lucky you. No timeout. Well! Now! The answer is 80,241,216,24.

Of course, all of this happens in a few milliseconds and once the domain is resolved, your device will remember this for your session or even a bit longer. But it sums up if each request takes 200 ms instead of 20 ms.

A typical DNS reqeust
A typical DNS reqeust

Accelerate the queries!

Tip: If you use an internal caching system for DNS that stores DNS queries for a while you can speed up the process. If there is another request for the same domain, it will come from the internal network and that is of course much faster. This way, DNS queries can be accelerated and the performance of the network is higher. That’s not much, but as we all know, thing can sum up.

Pi-hole would be an option for example. That runs really well on a Raspberry Pi. There are so many things you can do with these little devices. Like build your own VPN router in no time.

What happens if the DNS server does not know the address?

That’s an excellent question. But first we will reveal the secret of the servers in the Domain Name System itself. Actually, anyone can run a DNS server. The shorter the way to the next resolver, the faster the queries and answers are. Most providers operate their own DNS servers, and as soon as your router connects to the Internet, it obtains the address of the Internet provider’s resolver.

If the DNS server of the Internet provider cannot resolve the IP address, it will ask another known DNS server. This can lead to the root of the Domain Name System, or to one of the so-called root servers.

There are 13 root servers, which are titled A to M. They can be reached with IPv4 and IPv6 addresses. The 13 servers, or rather addresses, actually consist of a cluster (several hundred servers) which are scattered around the globe for load balancing reasons.

Simply put: as soon as a new domain is registered, the system informs the root servers and after it is known the domain is accessible globally via Internet.

Cache poisoning or DNS spoofing explained briefly

Of course, DNS can also be used for a cyberattack and malicious hackers abuse the system whenever they can. For example, they could hack your router and feed an address from a malicious DNS server run by the cybercriminals. If they have control over DNS resolution, they can of course direct you wherever they want. In other words, the mapping between IP address and domain is faked. This is also called spoofing or cache poisoning because it poisons the DNS source.

But not only hackers use DNS for their purposes!

DNS servers can be used for censorship

The so-called DNS spoofing is also used by governments or organizations to censor the Internet. When queries are made, fake answers come back, which is also known as DNS hijacking. This method is also used in Europe to block access to torrent websites and so on. Censorship via DNS is real.

Internet Service Providers (ISP) can also censor. They compare the domains against a blacklist and if the URL you tried to open is included, it is redirected, i.e. censored. If the Internet Service Provider examines the DNS requests with so-called Deep Packet Inspection (DPI), they can also censor if you do not use the DNS servers of the provider.

Very well known for censorship is the Great Firewall of China. Among other things DNS censorship is used here.

What is DoH?

DoH is a protocol and the abbreviation for DNS over HTTPS. This means that the request is made using the encrypted HTTPS protocol. This method strengthens privacy and is better for data protection.

So-called MitM (Man-in-the-Middle) attacks are no longer possible. Censorship via DNS is some kind of MitM attack and would be a thing of the past.

Both Google and Mozilla have been testing DoH since 2018. Governments, ISPs and other prying eyes dislike this. Of course, they do. Now they can’t spy nor censor via DNS.

More about DoH can be found in RFC 8484.

VPN helps against Deep Packet Inspection!

As I’ve already explained, when using a VPN like NordVPN (big discounts NOW)* you communicate via a secure and encrypted tunnel. If you use a secure protocol and the encryption is strong, the Internet Service Provider or a government cannot spy.

Deep packet inspection is also not possible because the network provider cannot read the data packets. Let us assume you are in a country with strong censorship (like Egypt) and a certain website is blocked, but accessible in the UK.

In this case you could connect to a server in the UK via a VPN and still have access to the website or service you like to use. You have beaten the censorship!

Beat censorship with NordVPN!

VPN provider with own DNS servers prevents leaks

It’s also great if your VPN provider operates its own servers for the Domain Name System. You trust your VPN provider for a certain reason and can assume that the DNS servers are clean and not manipulated.

Furthermore, you can prevent a leak. If you are using a VPN, but the DNS servers of your Internet service provider, the plan with anonymity or censorship has not worked out quite as well. But if all requests, including those for the Domain Name System, are routed through the VPN provider … that’s clear, isn’t?

If you’re not sure which server you’re using, you can use the leak test from ipleak.net and check it out.

What is dynamic DNS or DDNS?

Most home routers get an IP address from the Internet provider. When you restart the router or connect again, you might get a different IP address. For security reasons alone, telecommunications providers quite often assign the consumer a new IP address once a day or every few days.

If you have a device in your living room or there is a private Cloud like a Nextcloud running that you always want to reach, you always need to know the IP address, right? This is no problem because the router knows it. But if you are on the road, you have a problem.

In this case dynamic DNS, also called DDNS or DynDNS, helps. An internal device reads the external IP address assigned by the provider and communicates it to a service on the Internet. This service assigns the dynamic IP address to a name that you can choose yourself. Usually the DDNS provider gives you several domains to choose from and you can choose the name of the subdomain yourself.

The Duck — superb DDNS provider

In my opinion, one of the best DDNS providers is Duck DNS. The service is really great and you can set it up quickly on a Raspberry Pi. As you can see in the following screenshot Duck DNS runs on all major operating systems and even on certain routers.

Duck DNS runs on basically every operating system
Duck DNS runs on basically every operating system

For example, Synology offers a DDNS service with its NAS systems. If you run your own Synology as an OpenVPN server, you will always need access to it. That’s why you may need DDNS technology.

Normally it doesn’t take long to set up DDNS. Several routers have integrated DDNS clients. But be aware that you are also opening a door! If you don’t know what you’re doing, don’t play with DDNS. A wrong configuration and your network opens the door to malicious hackers!

I just wanted to mention this for completeness.