Not using DNS forwarding for greater privacy and security

March 2, 2017

DNS is a key part of the Internet as we know it. We rely on DNS information every day. Every time you enter a URL into your browser or send an e-mail, you rely on some DNS resolver. Typically, those DNS resolvers are provided to you by your ISP. But do you realise how much power that gives your ISP over you? It can log every server you visit, regardless of whether you use an encrypted connection. It can do even more: it can forge the entries and send you to a different server than the one you asked for. In some countries it is even obliged to do so by law for certain servers.

Luckily for our users, Turris routers come equipped with their own resolver, so you don't have to trust and depend on your ISP. Turris routers use your ISP's DNS servers by default if they work well enough; there is a check for this in the first-run wizard. The reasoning behind that is that we found out that some ISPs are doing quite crazy stuff. Some block DNS traffic that doesn't go to their own resolvers. Some inject entries to redirect you to their local mirrors. Some use weird tricks to deliver IPTV over broken DNS. So when deciding what the default mode should be, we were cautious and used forwarding whenever it worked, to avoid the various problems people could otherwise encounter.

With Turris, you can easily disable forwarding. That means all DNS resolution is done on your own router, and DNSSEC signatures are verified there as well, so you can trust those records more than what your ISP provides. Your ISP can still track you (dumping all DNS traffic is not that hard), but it is a bit harder than reading resolver logs. For signed domains, it can't inject any malicious redirection, and it is probably not going to block just a few selected servers on the off chance that you run your own resolver. So you can avoid some censorship.

Now, how do you disable forwarding and gain some more privacy and security? With Turris routers, it is really easy. Go to the Foris web interface, open the DNS tab, uncheck 'Use forwarding' and hit the 'Save' button. Done. But as mentioned earlier, you might encounter some issues depending on what your ISP does with DNS traffic. If you hit any, we would be happy to hear what issues you encountered and who your ISP is. If there is a common pattern to what is not working, we might figure out a workaround and make it available, or we can try to help you press your ISP to fix their network.
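After switching forwarding off, it is worth confirming that the router's resolver really validates DNSSEC. The script below, added here as an example (not part of the original post or of Turris firmware), sends a raw DNS query with the EDNS0 DO bit set and reports whether the answer carries the AD (authenticated data) flag; the resolver address 192.168.1.1 and the signed domain nic.cz are assumptions you can replace on the command line.

```python
"""Check whether a resolver validates DNSSEC by looking for the AD bit."""
import socket
import struct
import sys

def build_query(name, txid=0x1234, qtype=1):
    # Header: id, flags (RD only; CD clear so the resolver validates), 1 question, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = [label.encode("ascii") for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # qtype (A by default), class IN
    # EDNS0 OPT RR: root name, type 41, 4096-byte UDP payload, ext-rcode 0, version 0, DO bit, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(response):
    """Decode the header flags we care about from a raw DNS response."""
    txid, flags = struct.unpack("!HH", response[:4])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "ad": bool(flags & 0x0020), "rcode": flags & 0x000F}

def validation_status(response, txid=0x1234):
    f = parse_flags(response)
    if f["id"] != txid or not f["qr"]:
        return "mismatch"    # not an answer to our query
    if f["rcode"] == 2:
        return "servfail"    # a validating resolver answers SERVFAIL for a broken signature chain
    if f["rcode"] != 0:
        return "error"
    return "validated" if f["ad"] else "unvalidated"

def probe(resolver, name, timeout=3.0):
    """Send the query over UDP/53 and classify the answer (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return validation_status(data)

if __name__ == "__main__":
    # Assumptions: the router's resolver listens on 192.168.1.1 and nic.cz is a DNSSEC-signed zone.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "nic.cz"
    print(name, "via", resolver, "->", probe(resolver, name))
```

"validated" means the resolver that answered claims to have checked the signatures; with forwarding still on, that claim comes from the upstream resolver, so only with forwarding off does it prove validation happened on your router.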

DNS forwarding