Please forgive the NerdSpeak in this article in advance. Nevertheless, I encourage you to read on, get informed and learn about the Domain Name System (DNS). It is as critical to the Internet as your arteries are in your human body.
DNS as a fundamental building block of the Internet leaves numerous “breadcrumbs” behind as you use Internet services. This has largely been off anyone’s radar. For one thing, Google has earned a tremendous degree of trust in their brand, so when they launched a fast open resolver about five years ago, the world adopted it very quickly.
Let’s take a step back. DNS is basically finding out where www.something.com lives. Since computers can only understand numbers, but we as humans like to use letters and words, it has been likened to the world’s largest dynamically-updated “phone book of the Internet”. It is almost magical that this is even possible!
Typically, your upstream DNS provider is one of these:
- Your ISP-provided DNS server(s). This happens by virtue of setting up your ISP-provided router, or using a router with default settings.
- Google DNS. (220.127.116.11 and 18.104.22.168) If your tech-inclined self or nerdy friend set this up for you, this is a very common choice. Google uses anycast to get as close to you as they can.
- OpenDNS – either FamilyShield, OpenDNS or Umbrella. (208.67.22x.xxx) This is one of our favourite ways to filter because of the great groundwork laid by the cool people at OpenDNS. OpenDNS also uses anycast to be virtually everywhere.
These are not the only options, but the most common ones. In a scenario where you’re using a DNS-based geo-unblock service of some kind, your upstream provider is your subscription DNS proxy.
In each of these cases, 100% of your queries are sent to the DNS provider. This allows them to profile you and know if you are an evernote user, a gmail user, if you browse or buy your travel from expedia, etc. You may not care, but you should at least be aware.
In each of the above cases, you should understand the business motives behind them to better assess where you feel more comfortable given your situation.
Google’s biggest reason for ever providing an open resolver (22.214.171.124 and 126.96.36.199) is that it gave them instantaneous and almost-free access to extensive profiling on a per-IP basis they didn’t have before. For example, if you use Google DNS and you’re an active eBay user and never even use Google for search, they have a tremendous profile on you on the amount of times ebay.com is visited and even the amount of times you access paypal.
Now that we’ve covered how these “breadcrumbs” leave a trail, let’s discuss how you can avoid such profiling, if that is a concern to you.
It is with full disclosure that one of these options is using our DNSthingy services. What else do you expect from a company blog, right? Anyhow, here are our transparent reasons:
- We provide as many on-premise DNS resolutions as possible on a cached basis. This means fewer queries that leave “breadcrumbs”.
- We never centrally log DNS queries, except in cases where you temporarily opt-in for support purposes.
- We distribute DNS queries based on your needs and DNSthingy preferences.
- You choose your resolver of last resort. This is the DNS server that is used if none of the filtering applies to a given query.
There is an alternate method to avoid DNS-based profiling by a single upstream resolver. That is to use a Recursive Resolver yourself that does not use a Forwarder. Bind can achieve this on just about any platform, or the DNS Server that is built into any Windows Server operating system. It is worth mentioning, though, that a man-in-the-middle between you and the Internet could still profile you but it would not be done on a mass basis like an upstream resolver would.
As with any privacy and confidentiality issues, awareness is always the first step to better safety online.