April Fool?

It's an established fact that any headline in the form of a yes/no question can safely be answered, "no."  And so it is with today's post, as you will see.  One of the things we humans have to watch out for is who can use the data we generate almost without noticing.  We have to be careful about the data that flows from our fitness devices, smartphones, home gadgets and web browsers.  The web browser is a hotbed of information about you on many levels, but today we are going to focus on one of the most fundamental.  It's something we can think of as the absolute rawest version of your browsing history: your DNS data.

DNS stands for Domain Name System.  Simply defined, DNS is the Internet utility that turns server names into the numeric addresses the Internet uses to get your requests to the right place.  So to read this post you entered a request for "safer-computing.com" and it was DNS that knew that means 45.79.69.96.  Therefore your web browser's request for this page was routed to that Internet address, and from there, this content was returned to you.  If you had to manually look up a numeric address for every website you wished to visit, I am going to guess you would not use the web very much.  Or at all.  I would surely not.

Now you may have a browser function for "Private" or "Incognito" browsing.  So if you wanted to hide the fact that you read a certain website, you would invoke that function, then read your "taboo" site, then close it out.  You would trust (or maybe you verified) that once you close that session, no record of your forbidden activity is preserved.  And that might indeed be true - but only so far as the computer on which you did this browsing is concerned.  Private mode promises not to keep local history, cookies and cache; it changes nothing about what leaves the machine.

In order to get the content at all, your computer had to send out a DNS request for the site you wanted to read, in plain text, which had to be interpreted and executed.  Which means your ISP had access to the request and can build from that a very intricate history of your browsing habits.  Not only that, but the ISP may decide to do more than watch.  (They route your packets, so they see the numeric destination addresses in any case; hiding the list of sites from them is not really the main issue here.)  But ISPs have been seen to use their built-in DNS to hijack some requests and outright deny others: the classic trick is answering a misspelled or nonexistent name with the address of the ISP's own ad-laden search page instead of an error.  The so-called "Great Firewall of China" relies in large part on deliberately corrupted DNS answers.  ISPs in "free" countries have been observed injecting ads and altering web pages, especially those of competing services.

The current FCC, in the USA, is unlikely to provide any relief. So the smart course of action is, in my opinion, to move away from the ISP-provided DNS.  And I have used a bunch.  OpenDNS was lovely until it was bought by Cisco and started shedding features and performance.  For a while, therefore, I have been using Google's 8.8.8.8 service.  Not bad, not great.  Google gets to spy on my web browsing habits -- but they do that anyway, so I'm no worse off.

Then, yesterday, on April Fools' Day (!), Cloudflare announced a new DNS service.  The address of their main server is 1.1.1.1.  Four 1s, they said, so of course they simply had to announce it on 4/1.  They promise not to retain logs or any identifying information, so there is nothing to resell or exploit.  If they breach that promise, it will come out.  For now, the service is touted as "Privacy-First."  One caveat: a plain UDP query to 1.1.1.1 still crosses the ISP's network in clear text, so the ISP can still read it (or tamper with it) on the way; hiding the query itself takes DNS over TLS or DNS over HTTPS, both of which the new service supports.

And oh yeah, it's very fast.  15 milliseconds is considered a pretty good response time for DNS.  The North American results I have seen for this have it returning responses in under 5ms. So for now... my DNS setting is number 1! 1! 1! 1!  
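To make the earlier points concrete (the name-to-address lookup, the fact that the queried name sits in clear text in the packet, and the response-time measurement), here is an added example in Python.  It is not code from this post, from Cloudflare or from any DNS library; it builds and parses RFC 1035 messages with the standard library only.  The sample name, address and transaction ID are constructed for the offline demo (the address is the one quoted above), and the timing helper assumes plain UDP port 53 to the resolver is reachable; the two resolver addresses are just the ones this post names.

```python
import random
import socket
import struct
import time

# Constructed sample values for the offline demo (the address is the one the post quotes).
SAMPLE_NAME = "safer-computing.com"
SAMPLE_ADDR = "45.79.69.96"
SAMPLE_ID = 0x1234


def encode_name(name: str) -> bytes:
    """Encode 'a.b.c' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a name at `offset`, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appears in the stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:  # a malicious packet could loop forever here
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int = SAMPLE_ID) -> bytes:
    """A-record query: header (flags 0x0100 = standard query, recursion desired),
    then QNAME, QTYPE=A(1), QCLASS=IN(1).  Nothing in it is encrypted."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(query: bytes, addr: str, ttl: int = 300) -> bytes:
    """Constructed reply to `query` carrying one A record, for the offline demo."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    # The answer's owner name is a pointer to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + query[12:] + rr


def parse_message(msg: bytes) -> dict:
    """What anyone on the path (your ISP included) can read from a DNS packet:
    the queried names and, in a response, the A-record addresses returned."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, names, addrs = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
        names.append(qname)
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "names": names, "addresses": addrs}


def time_resolver(resolver_ip: str, name: str, timeout: float = 2.0) -> tuple[float, list[str]]:
    """Send one query over plain UDP/53 and return (round-trip ms, addresses).
    Needs network access; a random transaction ID rejects stale or forged replies."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        data = s.recv(512)
        ms = (time.perf_counter() - t0) * 1000
    reply = parse_message(data)
    if reply["id"] != txid or not reply["is_response"]:
        raise ValueError("reply does not match our query")
    return ms, reply["addresses"]


if __name__ == "__main__":
    q = build_query(SAMPLE_NAME)
    print("query on the wire:", q.hex())
    print("name readable by any observer:", parse_message(q)["names"])
    print("constructed reply parses to:", parse_message(build_response(q, SAMPLE_ADDR))["addresses"])
    for resolver in ("1.1.1.1", "8.8.8.8"):  # Cloudflare, Google
        try:
            ms, addrs = time_resolver(resolver, SAMPLE_NAME)
            print(f"{resolver}: {ms:.1f} ms -> {addrs}")
        except (OSError, ValueError) as exc:
            print(f"{resolver}: no usable answer ({exc})")
```

The hex dump printed first is exactly what travels over the ISP's wire: the hostname is there byte for byte, which is why private browsing does nothing for this.  Run it a few times and compare the millisecond figures for the two resolvers from your own connection rather than trusting anyone's published numbers; a single UDP round trip is a noisy measurement.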

And no, it was not an April Fool.  The habit tech companies have of announcing fake services they think will get a laugh... all it gets is an eye-roll.

This article was updated on 2023-05-14 06:19:00

CISO-in-a-Box

Infosec geekosaurus.  All opinions my own.

Information security since 2005.  IT... well into my second millennium.