Encrypted DNS Guide
Why DNS Encryption Exists
The Domain Name System (DNS) translates user-friendly domain names (like acreto.io) into IP addresses that computers use to communicate. Traditionally, DNS queries and responses have been transmitted without encryption, making them vulnerable to interception, manipulation, or surveillance. DNS encryption methods, such as DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt, have emerged to address these vulnerabilities by enhancing privacy and data security during DNS resolution.
The Security Dilemma: Privacy vs. Security
While DNS encryption enhances user privacy by protecting DNS queries from eavesdropping, it also introduces certain security challenges. Encrypted DNS can make it difficult for organizations to monitor DNS traffic, potentially hindering efforts to prevent malware infections, restrict access to harmful websites, or enforce network policies. This privacy versus security dilemma often forces network administrators to strike a balance between maintaining user anonymity and ensuring proper control of network activity.
Acreto Ecosystem DNS Encryption Issue
In some cases, end users on platforms or browsers that enable encrypted DNS may be unable to reach resources defined on internal DNS servers (reachable only when connected to the Ecosystem) when the administrator has redirected default DNS using DNAT rules.
This challenge arises from the Privacy vs. Security Dilemma described above. The Ecosystem cannot decrypt an encrypted DNS request, so it cannot recognise it as DNS and redirect it to the internal resolver with the DNAT rule. As a result, encrypted DNS requests are dropped, and users receive an error message.
How to Solve Encrypted DNS Issues
Since there is no single standard for DNS encryption across platforms and browsers, and no feature that can decrypt encrypted requests (which would defeat the purpose of encryption), the only reliable solution is to turn off all DNS encryption methods on the device. Remember that privacy is not the same as security: when DNS traffic is encrypted, the Ecosystem cannot inspect or redirect it, so it is harder to protect the user and their devices.
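Before walking users through the per-platform steps, an administrator usually wants to know which clients are still sending encrypted DNS past the redirect. The following is an added example, not Acreto's own code: it assumes the DNAT rule redirects conventional DNS on port 53 and that flow records from the network edge carry the client address, protocol, destination port and, for TLS, the SNI hostname. The resolver names and client addresses are constructed samples.

```python
"""Find client DNS traffic that a DNAT redirect for conventional DNS cannot catch.

Added example for this guide, not Acreto's own code. Assumes flow records carry
the client address, protocol, destination port and, for TLS, the SNI hostname;
resolver names and client addresses below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of DoH resolver hostnames an administrator would maintain.
KNOWN_DOH_SNI = {"doh.example-resolver.net", "dns.example-public.org"}


@dataclass
class Flow:
    src: str
    proto: str                 # "udp" or "tcp"
    dst_port: int
    sni: Optional[str] = None  # TLS Server Name Indication, if observed


def classify(flow: Flow) -> str:
    """Return how the flow relates to a DNAT rule matching DNS on port 53."""
    if flow.dst_port == 53:
        return "plain-dns"     # matched and redirected by the rule
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "dot"           # DNS over TLS: bypasses the redirect
    if flow.proto == "tcp" and flow.dst_port == 443 and flow.sni in KNOWN_DOH_SNI:
        return "doh"           # DNS over HTTPS to a known resolver: bypasses the redirect
    return "other"             # ordinary HTTPS, DNSCrypt, etc. cannot be told apart here


def clients_bypassing_redirect(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each client to the encrypted-DNS kinds it used; these are the devices
    on which DoH or DoT still has to be switched off."""
    result: Dict[str, List[str]] = {}
    for flow in flows:
        kind = classify(flow)
        if kind in ("dot", "doh"):
            kinds = result.setdefault(flow.src, [])
            if kind not in kinds:
                kinds.append(kind)
    return result


# Constructed sample flows: one client is redirected, two still use encrypted DNS.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "udp", 53),
    Flow("10.0.0.12", "tcp", 853),
    Flow("10.0.0.13", "tcp", 443, sni="doh.example-resolver.net"),
    Flow("10.0.0.13", "tcp", 443, sni="www.example.com"),
]
```

Clients reported by clients_bypassing_redirect are the ones to visit with the per-platform steps in the next section; DNSCrypt clients cannot be found this way because their traffic is not distinguishable by port alone.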
How to Disable Encrypted DNS
Below, you will find a brief guide on how to disable the most popular DNS encryption methods.
- DNS over HTTPS (DoH)
  - Products/Systems: Firefox, Google Chrome, Microsoft Edge, Windows 10/11.
  - Disabling DoH:
    - Firefox: Navigate to about:config, search for network.trr.mode, and set it to 5 (disable DoH).
    - Google Chrome: Access chrome://flags/, search for “Secure DNS”, and disable it.
    - Windows 10/11: Go to Settings > Network & Internet > Change Adapter Options, then disable Secure DNS in the advanced settings.
- DNS over TLS (DoT)
  - Products/Systems: Android (versions 9 and above), Linux distributions.
  - Disabling DoT:
    - Android: Go to Settings > Network & Internet > Advanced > Private DNS, and set it to “Off”.
    - Linux: Modify /etc/systemd/resolved.conf and set DNSOverTLS=no.
- DNSCrypt
  - Products/Systems: Third-party DNS clients, custom router firmware like OpenWRT.
  - Disabling DNSCrypt:
    - DNS Clients: If using a client like Simple DNSCrypt, disable it from the application’s user interface.
    - Routers: Access the router’s configuration page, locate the DNS settings, and disable DNSCrypt.
Summary
DNS encryption methods like DoH, DoT, and DNSCrypt are potent tools for enhancing privacy in an increasingly surveillance-prone online world. However, they also come with trade-offs impacting network security and administrative control. While encryption can provide privacy, turning it off when the Acreto Ecosystem is protecting the whole network ensures effective security measures can be applied.