My ISP still knows which websites I visit. Maybe it can't pinpoint the exact web page, but that's not important; all those security features just to hide the exact web page you are visiting!
Many sites share IPs. E.g. knowing that a user visits a Cloudflare IP won't tell you very much about what website it actually is. You can rule out everything not served by CF, but not much more.
The same goes for other large cloud providers and CDNs: the IP won't reveal a lot in many scenarios.
Encrypted DNS is more about someone not being able to perform MITM for the DNS request itself (which protects against the rogue party replacing the IP address which many ISPs do routinely in order to "protect" you from websites or because the government mandates that), rather than anonymizing your DNS requests.
My computer tech knowledge ends at "Have you tried turning it off and on again?" and "Is it plugged in?", so for one second pretend that I'm an idiot.
I noticed when looking at my Wi-Fi settings that below the IPv4 address is "IPv4 DNS servers" which has the same numbers except for the ending, and after the numbers it says "(unencrypted)."
I didn't really understand what those even are, but the unencrypted part caught my eye. Is it supposed to be like that?
I've read that, when browsers send website requests, the DNS lookup part of the request is not encrypted, and is therefore a security vulnerability.
It’s not the lookup part that is unencrypted; a typical DNS client-to-resolver connection is completely unencrypted. As for the security risk, it’s mostly a privacy concern, as every entity between the client and resolver can sniff the traffic to see what/where you’re visiting. However, there is the possibility of DNS hijacking, though this is a relatively small risk.
In DNS hijacking, a nefarious actor can redirect you to a site they control to gather authentication data. It also means they have to build that site convincingly enough that you’ll believe it's the site you intended to visit, which means they’d need foreknowledge of where you were going.
Also, I'm aware that routers have DNS settings, over which WiFi users have no control.
This is incorrect. Yes, your router has DNS settings, likely populated by your ISP, but you ultimately have control over the DNS servers you make the request to.
Can and should ordinary Safari users, accessing shared WiFi in various locations, implement end-to-end protection of the DNS requests originating from their Apple mobile devices? If yes, then how?
No. You’ll likely break things. Network admins use port 53 for DNS traffic, so that traffic is permitted through the firewall. This is how they can inject ads, do content filtering and logging. Encrypted traffic will go through a different port (853), which is likely blocked, meaning you’ll break your client’s ability to resolve IPs to domains.
You will also need to get a DNS client that supports encryption for this to work. For example, one of the diagnostic tools we use with DNS is dig; however, to make encrypted queries, you’ll need kdig from Knot DNS. As for your mobile devices, you’ll need a client like the 1.1.1.1 app from Cloudflare.
Would it help security if users switch to Firefox or another browser?
It will help your privacy and, at some minuscule level, it will help security, but all of that is moot if the shared WiFi networks you’re connecting to don't allow that traffic. There’s one caveat to this, however. If your browser uses DoH (DNS over HTTPS), then it would look like normal HTTPS encrypted traffic. The challenge here would be to find a client and a resolver service that offered this.
TL;DR
Should users switch to encrypted DNS? (IMO) It would be nice to see, but it’s unlikely to happen in the near future because network admins/ISPs aren’t willing to give up the visibility and control unencrypted DNS traffic affords them.
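To make the answer above concrete, here is an added example (written for this edit, not code from the thread or from any of the tools it names) that builds a plaintext DNS query exactly as a stub resolver would send it over UDP/53, shows what an on-path observer can read out of those bytes, and then shows how the very same message is framed for DNS over TLS (TCP/853) and for DNS over HTTPS. Nothing is sent on the network; the hostnames are constructed inputs and `/dns-query` is only the conventional DoH path, not a specific resolver.

```python
"""
Plaintext DNS vs. DoT/DoH framing, as an illustration of the answer above.
Added example: not from the original thread. No network traffic is sent.
"""
import base64
import struct
from typing import List

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a DNS query message (RFC 1035 section 4.1): 12-byte header plus
    one question. qtype 1 = A, class 1 = IN. Flags 0x0100 sets RD, as a stub
    resolver would."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += struct.pack("B", len(raw)) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)

def sniff_qname(payload: bytes) -> str:
    """What an on-path observer (ISP, hotspot operator, anyone with tcpdump)
    sees in a UDP/53 datagram: the queried name sits in the clear right after
    the fixed header, so extracting it needs no key and no cleverness."""
    pos = 12
    labels: List[str] = []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # compression pointers are legal in answers, not in a query name
            raise ValueError("unexpected compression pointer in question")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)

def frame_for_dot(message: bytes) -> bytes:
    """DNS over TLS (RFC 7858) sends the message inside a TLS session on
    TCP/853 using the TCP framing of RFC 1035: a 2-byte big-endian length
    prefix. The bytes returned here are what the TLS record layer would then
    encrypt, so an observer sees only the port and the packet sizes."""
    return struct.pack("!H", len(message)) + message

def doh_get_path(message: bytes) -> str:
    """DNS over HTTPS (RFC 8484) GET form: the wire-format message, base64url
    encoded with padding stripped, in the 'dns' query parameter. On the wire
    this is an ordinary HTTPS request on 443, which is why a port-based block
    on 853 does not stop it."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded

if __name__ == "__main__":
    q = build_query("example.com")  # constructed input
    print("plaintext UDP/53 payload:", q.hex())
    print("observer recovers      :", sniff_qname(q))
    print("DoT framing (pre-TLS)  :", frame_for_dot(q).hex())
    print("DoH GET path           :", doh_get_path(q))
```

The point the answer makes falls straight out of the bytes: `sniff_qname` recovers the name from the plaintext datagram with a dozen lines of parsing, whereas for DoT and DoH the identical message is wrapped inside TLS, and for DoH it also shares port 443 with all other web traffic, which is the property that makes it survive networks that only permit port 53.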
Fine distinction, but unencrypted DNS requests are not a security vulnerability, rather a privacy issue. That said, privacy is a good reason to want to hide DNS traffic.
You should also be aware that HTTPS encrypts the data sent in a request and its reply, but does not hide the envelope or the IP address of the destination. This is at least as important as DNS from the privacy point of view.
So for mobile users sharing Wi-Fi in various untrusted locations, there are multiple privacy issues.
And, of course, attacks on your privacy can apply to more than your web browsing. For example, email.
A solution to all these issues is to use a Virtual Private Network (VPN) which encrypts and routes all network traffic via a trusted third party.
For the "ordinary consumer" there are multiple providers of consumer level VPN services. Personally, I use Private Internet Access, but there are many more to select from. Trust is the big question with such providers as all your internet traffic (DNS, browsing, email, etc.) passes through their servers. The only recommendation I would make is to avoid free VPN services.
When used for work purposes, the employer may provide their own VPN service to access the work network as well as provide safe internet usage. Discuss this with the IT department.
Note, this is by no means a comprehensive discussion of ways to secure Internet access.