Saturday, October 27, 2018

Blocking Internet Ads Using DNS Sinkhole

Technitium DNS Server is an open source software that can be effectively used to block Internet Advertisements (Ads), adware, and malware on your computer or your local network using publicly available block lists.

Combined with DNS-over-TLS and DNS-over-HTTPS, Technitium DNS Server provides a good level security and privacy from network level DNS attacks and from adware. This makes it a must have tool if you are a privacy and security conscious person.

Technitium DNS Server is cross platform and works on Windows, Linux or macOS.

Technitium DNS Server v2.0

How Does It Work?
The Ad blocking feature works using the DNS Sinkhole method. With this feature enabled, for all the blocked domain names, the DNS Server will respond with 0.0.0.0 IPv4 address and :: for IPv6 address making the Ads fail to load making the website you visit free from Ads. This can not only block Ads but also adware, malware, social networks, porn etc. based on the block lists you configure in settings.

On your computer, you need to install the DNS Server and configure your network adapter's DNS settings to use the locally hosted DNS server. Once this is done, you need to configure the Block List URL settings to start blocking Ads. Once the DNS Server loads the block lists, it would respond with 0.0.0.0 IP address for the blocked websites making them fail to load.

You may also install the DNS Server on any spare computer on your network and configure your home or office router with IP address of this spare computer as DNS server in DHCP settings. With this setup, all your computers and devices like mobile phones would use the installed DNS Server blocking Ads and malware domains on all devices without installing any additional software on them.

Configuring Block Lists
To enable Ad blocking, you need to configure Block List URLs in the settings. Known and popular block lists are already listed in the Quick Add drop down list from where you can just click and add those URLs.

Technitium DNS Server Block List Configuration

If you are not sure, just select the Default option from the Quick Add drop down list and a default set of block list URLs would get configured.

Once done, click the Save Settings button at the bottom of the page to save the changes and start the block list download background process. These configured block lists are automatically downloaded every 24 hours to keep the DNS Server blocked zone updated.

Don't forget to configure your network adapter's DNS server settings to 127.0.0.1 (for IPv4) and ::1 (for IPv6). Without these network configuration changes, the DNS Server wont get any queries to respond to and things wont work as intended.

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

That's It!
Once the configuration is done, just check the Dashboard on the web console after a couple of minutes to see the number of blocked domains in the Blocked Zones widget. If there are too many block list URLs configured, it may take few more minutes for all of them to get downloaded and loaded.

If you have any further queries, do write them below as comments or send an email to support@technitium.com.

Saturday, June 23, 2018

Configuring DNS Server For Privacy & Security

Technitium DNS Server is an open source tool that can be used for blocking Internet Ads using DNS Sinkhole, self hosting a local DNS server for privacy & security or, used for experimentation/testing by software developers on their computer. It works out-of-the-box with no or minimal configuration and provides a user friendly web console accessible using any web browser.

With the release of Technitium DNS Server version 1.3 which adds support for DNS-over-TLS & DNS-over-HTTPS forwarders, it is now a good solution to be used by anyone concerned with privacy & security for domain name resolution on their Internet connection for Windows 10, Linux or macOS.

If you are not clear about what DNS is then read on. Domain Name System (DNS) is a decentralized system that allows you to find out the Internet Protocol (IP) address of any website (like www.technitium.com). So, when you enter a website domain name into your web browser, the web browser uses DNS to find out the IP address of that website. Once the IP address is known, the web browser can then connect to the web server on that IP address using TCP/IP protocols and download webpages and other embedded resources to display on to your screen. DNS servers don't just store IP address records but also store different types of records like mail exchange (MX) records which tell email servers where to deliver email for the recipient user of a given domain.

DNS servers and client use UDP or TCP protocol to exchange requests and responses which are not encrypted. This allows anyone on the network to see those requests and even hijack requests by sending back spoofed responses. There have been many instances reported in media of DNS hijacking done by malware, hacked home wifi routers or even by many Internet Service Providers (ISPs). ISPs in certain places have been found to redirect users to "custom" search pages instead of Google Search or even blatantly injecting Ads on websites that are not using HTTPS security. In some countries, ISPs often use their DNS servers to block websites to enforce government censorship orders.

To mitigate these issues, DNS-over-TLS and DNS-over-HTTPS protocols have been developed and are currently available to be used by a few DNS providers notably Cloudflare, Google and IBM (Quad9). But, currently, no operating system, applications or web browsers have built in support for these protocols.

With Technitium DNS Server installed on your computer (or on your network), you can make all your applications indirectly use these DNS providers with the new secure protocols hiding all your DNS traffic from your ISP. Lets see how to configure the DNS Server to use these services to take control and secure domain name resolution on your computer or private networks.

Technitium DNS Server is not configured out-of-the-box with these settings since you have to make a choice yourself of which DNS provider to use. Below is a list of DNS providers grouped by the protocol they support. You can configure one or more DNS providers as forwarders but they must use the same protocol.

DNS-over-TLS protocol providers:
  • Cloudflare IPv4 (1.1.1.1:853, 1.0.0.1:853) 
  • Cloudflare IPv6 ([2606:4700:4700::1111]:853, [2606:4700:4700::1001]:853)
  • Quad9 Secure IPv4 (9.9.9.9:853)
  • Quad9 Secure IPv6 ([2620:fe::fe]:853)

DNS-over-HTTPS protocol providers:
  • Cloudflare (https://cloudflare-dns.com/dns-query) 
  • Quad9 Secure (https://dns.quad9.net/dns-query)

DNS-over-HTTPS (JSON) protocol providers:
  • Cloudflare (https://cloudflare-dns.com/dns-query)
  • Google (https://dns.google.com/resolve)

To make the configuration quick, easy and error free, there is Quick Select drop down list available which lists all the above options. Just selecting the desired option in the Quick Select list will populate the settings automatically for you.

See these examples below to know how the configuration looks like:

DNS-over-TLS Using Cloudflare
DNS-over-TLS Using Cloudflare

DNS-over-TLS Using Quad9 For IPv6 Internet
DNS-over-TLS Using Quad9 For IPv6 Internet

DNS-over-HTTPS Using Cloudflare
DNS-over-HTTPS Using Cloudflare

DNS-over-HTTPS (JSON) Using Google

As you may have noticed, Cloudflare provides support for all three protocols. Not only that, it is possible to use Cloudflare DNS over Tor hidden service too! Technitium DNS Server v1.3 adds support for configuring proxy server which can of course be made to use Tor running on your computer and use Cloudflare DNS hidden service because WHY NOT?!

You just need to configure dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion hidden service address as forwarder and since all hidden service requests over Tor network are inherently end-to end encrypted, you can use DNS-over-TCP protocol with it. Tor is not included with the software so you will need to install Tor separately and configure it as a SOCKS5 proxy.

This option hides your query from your ISP as well as hides your identity from Cloudflare. But seriously, if you are really that paranoid, just use Tor Browser for all your web browsing.

DNS-over-Tor Config For Cloudflare DNS Hidden Service
DNS-over-Tor Config For Cloudflare DNS Hidden Service

Once you have configured forwarders, make use of the DNS Client on the web console to test the setup by making a test query to "this-server". If everything is configured correctly, you will see the IP address for the test domain you entered inside the "Answers" section of the JSON formatted output.

Finally, to make all your computers and applications to use Technitium DNS Server, you need to configure it on your Ethernet or WiFi network adapter. You just need to setup loopback IP address (127.0.0.1 for IPv4 & ::1 for IPv6) as DNS Server in your network adapter settings as shown below:

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

For more queries, write comments below or send an email to support@technitium.com.

Technitium DNS Server v1.3 Released!

Technitium DNS Server is an open source tool that can be used for self hosting a local DNS server for privacy & security or, used for experimentation/testing by software developers on their computer. It works out-of-the-box with no or minimal configuration and provides a user friendly web console accessible using any web browser.

Technitium DNS Server v1.3

Version 1.3 adds following awesome new features:

The DNS Server is cross platform and can be deployed on Windows 10, Linux or macOS (using .NET Core or Mono Framework). Read this blog post to learn how to run DNS Server on Ubuntu.

Nobody really bothers about domain name resolution since it works automatically behind the scenes and is complex to understand. Most computer software use the operating system's DNS resolver that usually query the configured ISP's DNS server using UDP protocol. This way works well for most people but, your ISP can see and control what website you can visit even when the website employ HTTPS security. Not only that, some ISPs can redirect, block or inject content into non-HTTPS websites you visit even when you use a different DNS provider like Google DNS or Cloudflare DNS. Having Technitium DNS Server configured to use DNS-over-TLS or DNS-over-HTTPS forwarders, these privacy & security issues can be mitigated very effectively.

Developers regularly use the hosts file for configuring an IP address for a domain under testing. However, using the hosts file is cumbersome at times and can only be used to resolve domain name to an IP address. With a fully configurable DNS server running on your local machine, you can configure not just simple A records (for IP address) but, also configure other types of records like CNAME or MX etc. This allow you to have more control and power when you want to do testing that simulates the exact configuration that you have running on production.

Technitium DNS Server is open source and available under GNU General Public Licence (GPL) v3 on GitHub.

Comments and feedback are things that help push new features and improve usability, and thus are most welcome. Send your feedback to support@technitium.com or write your comments below.