What is DNS blocking and why does your operator use it?
Today we are going to explain what DNS blocking is and why your operator uses it to block access to a web page. Once again, a court ruling has ordered the closure of several download pages, and as always the most advanced users talk about the ineffectiveness of the method with which these pages are usually blocked by the operators.
If you have heard of these blocks more than once but have never fully understood how they work, today we are going to try to explain them in the simplest way possible. We are also going to mention why this type of blocking is not usually effective, and how some operators try to go a little further, without much success either.
What is DNS
DNS (Domain Name System) servers are one of the essential technologies for browsing the Internet, and they usually come preconfigured in routers that depend on the operators. When you enter a website, the DNS servers are in charge of translating that web address into an IP address, so that your computer knows exactly which server it has to connect to access the contents of the page.
Since your Internet provider or ISP gives you a router with a pre-configured DNS, it can always know, when you connect, what your IP is and who exactly you are. In addition, when a government forces operators to block access to certain pages, this is done by limiting DNS access.
And this is precisely where alternative DNS servers come into play. Your computer allows you to change the DNS it uses, and doing so can improve your privacy and let you get around these regional blocks, which are imposed precisely by limiting access on the DNS servers used by the operators.
In addition to all this, there are third-party DNS services that advertise themselves by promising higher speeds or privacy, so your computer's response time when looking up pages could be improved. They can also be used to add an extra layer of security to prevent, for example, DDoS attacks.
Beyond avoiding censorship and adding extra layers of security against attacks, they are not as effective at preventing your operator from knowing where you are browsing. This is because DNS is an unencrypted protocol, and both operators and VPNs can read where you go with it. Therefore, think of these services as an extra layer of security that you can complement with others, and not as a definitive solution.
What is a DNS block
DNS blocking is one of the methods most used by operators: the operator's DNS servers do not respond when asked for the blocked domain. As we have seen, DNS is what translates the names of websites into IP addresses, which means that what they block is the translation of the address of the website you are looking for.
Keep in mind that your operator's router comes with the operator's DNS configured by default, so when you access the Internet through it, the operator can control what you can access. In this way, if the translation of the lookup is blocked in that DNS, your computer does not receive the IP to connect to and cannot reach the website.
This measure is not the most effective in the world, since it can be circumvented with relative ease simply by changing the DNS of the device with which you connect so as not to use that of your operator.
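The client-side effect of such a block can be seen by parsing what the resolver sends back. The following is an added example, not part of the original article: it classifies a raw DNS reply and reports whether the client received an address. The name blocked.example, the sample replies and the NXDOMAIN error case are constructed assumptions; the article itself only describes the case where the server does not respond.

```python
import struct

RCODES = {2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}  # RFC 1035 header RCODEs

def skip_name(msg, off):
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label ends the name
            return off

def classify(reply):
    """Return (outcome, IPv4 addresses) for one resolver reply; None = timeout."""
    if reply is None:
        return ("no-response", [])
    if len(reply) < 12:
        return ("malformed", [])
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", reply[:12])
    off, addrs = 12, []
    for _ in range(qd):                # skip the echoed question section
        off = skip_name(reply, off) + 4
    for _ in range(an):                # collect A records from the answer section
        off = skip_name(reply, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in reply[off:off + 4]))
        off += rdlen
    rcode = flags & 0x000F
    if rcode:
        return (RCODES.get(rcode, "RCODE%d" % rcode), addrs)
    return ("answered" if addrs else "empty-answer", addrs)

def can_connect(reply):
    """The browser can only open a connection if it was given an address."""
    return bool(classify(reply)[1])

# Constructed sample replies for the placeholder name blocked.example.
QUESTION = b"\x07blocked\x07example\x00" + struct.pack("!HH", 1, 1)
ANSWERED = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION + b"\xc0\x0c"
            + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
NXDOMAIN = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    for label, reply in (("normal", ANSWERED), ("error", NXDOMAIN), ("silent", None)):
        print(label, classify(reply), "connect:", can_connect(reply))
```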
Why is this block still being used?
Although it is ineffective against more advanced users, or for blocking specific pages that arouse great interest, in the rest of the cases the picture is usually quite different. Many users won't stop to look at how to bypass the block when they don't really understand what is being blocked and how, and even if they do, some may be intimidated by a process that is not so simple.
In addition, it must also be taken into account that today there are alternatives to practically any website, so when one is blocked, many users find it easier to simply look for the best alternative than to look at the settings of their device, understand what DNS is and how they can change it. In short, these blocks are used because, for a large part of users, they are still effective.
And beyond why operators opt for this type of block, there is the reason why it is done at all. When an operator blocks access to a website, it is because the competent authorities have requested it. In other words, if a court ruling orders the blocking of a web page, the operators have to do it.
To what extent these blocks are useful is quite another matter. In most cases there are more or less simple ways to get around them, and if not, you will always have alternatives. In any case, as we have said, it is still an effective option, taking into account that many less experienced users will not even try to bypass the block unless they really want to use that website.
How to encrypt DNS traffic to avoid being spied on
DNS traffic is what you generate when you enter a URL in your web browser. As a result, a DNS server translates the domain name into an IP address, which is where the web page in question is hosted. This traffic can be intercepted by a 'Man-In-The-Middle' attack, or simply observed by the DNS servers you use. There is a way, however, to encrypt DNS traffic.
The reason why we might want to encrypt DNS traffic is simple: if we don't, other servers may be collecting the web pages we visit. In other words, they associate the IP address of our device with the IP addresses looked up, or simply with the domains requested while we are browsing the Internet. In this way, as we mentioned earlier, our operator or the provider of the DNS servers can automatically keep a history of all the websites we visit.
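To make that exposure concrete, the following added example (not from the original article) builds standard unencrypted DNS queries and then reads them back the way any party on the path could, grouping the requested names by client IP. The client addresses and domain names are constructed placeholders from documentation ranges.

```python
import struct

QTYPES = {1: "A", 28: "AAAA"}

def build_query(name, qtype=1, txid=0x1A2B):
    """Encode a standard recursive query as a stub resolver sends it over UDP/53."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def observe(payload):
    """Read the queried name and type from a raw payload; no key is needed."""
    try:
        _txid, flags, qdcount = struct.unpack("!3H", payload[:6])
        if flags & 0x8000 or qdcount != 1:   # a response, or not one question
            return None
        labels, off = [], 12
        while payload[off]:                  # length-prefixed labels, 0 ends
            n = payload[off]
            labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n
        (qtype,) = struct.unpack("!H", payload[off + 1:off + 3])
    except (IndexError, struct.error):       # truncated or malformed payload
        return None
    return {"name": ".".join(labels), "type": QTYPES.get(qtype, str(qtype))}

def history_by_client(packets):
    """Group observed names by source IP, the association the article describes."""
    history = {}
    for src_ip, payload in packets:
        seen = observe(payload)
        if seen:
            history.setdefault(src_ip, []).append(seen["name"])
    return history

# Constructed capture: (source IP, UDP payload) pairs using documentation ranges.
CAPTURE = [
    ("198.51.100.7", build_query("downloads.example")),
    ("198.51.100.7", build_query("mail.example", qtype=28)),
    ("198.51.100.9", build_query("news.example")),
]

if __name__ == "__main__":
    for ip, names in history_by_client(CAPTURE).items():
        print(ip, names)
```

With an encrypted transport, the same observer sees only ciphertext going to the resolver, so `observe` would have nothing to parse.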
Prevent them from knowing which websites you visit with Simple DNSCrypt, encrypting DNS traffic
The key to this software is ease of use. There is no need to touch any type of parameter or configuration. There is nothing cumbersome because it is an automatic installer that will do absolutely everything for us. We simply have to install the program and select the network card of our computer, and then the main and secondary DNS servers will be identified. A proxy will automatically be configured to encrypt DNS traffic, so we will have an 'intermediary' that prevents our traffic from being tracked through DNS requests.
To check which servers are analyzing or managing our DNS traffic, we can use the DNS leak test. In the extended analysis, it will give us the IP address and other interesting information related to the intermediate servers that register our domain name resolution requests. In the case of using Simple DNSCrypt, then there will be an 'intermediary' that prevents our real IP address from being shown to the DNS servers that are in charge of managing these requests.