Protect your DNS privacy and more by using dnsmasq

Posted on August 28, 2017

Concerns over protecting our privacy while online are nothing new. Watch what you post online, we are told. Use a VPN, some say. TOR is unbreakable, say others. However, not many people tend to pay so much attention to DNS, a potentially massive and gaping great hole in your network that could easily be used against you.

Now, with the proper age of geo-blocking and streaming media well and truly upon us, more and more plucky punters are signing up for so-called smart DNS solutions. These services provide a great, hassle-free way to access content restricted to specific global regions by means of a complex web of transparent proxies. Some even provide VPN over DNS solutions for the really stubborn geo-blocked services.

What is not made particularly clear to those unfamiliar with the technology is that by replacing the default DNS IP addresses provided by your ISP with those of a smart DNS service, you are handing every DNS lookup from your home network to that service and, for the domains it chooses to handle, steering the traffic itself over a bunch of proxy servers at a vast array of locations worldwide. These are servers you have no access to, so you cannot see how they are configured and, more importantly, whether anything is being logged or, worse, intercepted, given the potential for so-called man-in-the-middle attacks.

Now, there is absolutely no proof whatsoever that any smart DNS service has been compromised, or that any of these services log user data and/or sell that data on to any third party. Let me make that absolutely clear, right now.

There is, though, an element of the unknown, purely because you do not know where your traffic is being redirected to, routed through and exiting from at the other side. The whole time, your DNS requests are out there, somewhere, floating around in that mix, and you have no real way to control that.

Well, there is a way to get at least some control of your DNS requests, and I’ll show you an example taken from my very own home network. With a little knowledge this is something you could implement quite easily, though a certain amount of technological know-how will pay dividends.

I Like The Way You Route

If you are using the modem/router provided to you by your ISP then don’t. Instead, if your ISP allows it, put your modem/router into modem mode and connect it to a suitable home router you can flash a custom firmware onto. Sure, it’s added expense, and I won’t detail here what will work best, as that would take up a whole other article, so some research is needed. However, by allowing your ISP equipment to run solely as a modem, you can take greater control of the configuration and allow your network to perform more or less exactly how you want it to. Besides, it’s unlikely you’d be flashing your ISP equipment, as they wouldn’t allow it.

Don’t be a cheapskate and buy the best bargain-bin router you see. A good chunk of change spent here will save you a lifetime of bellyache. Buy the best you can afford, but don’t be cheap. Personally, I purchased an ASUS RT-AC5300 and flashed it with the very latest custom Merlin firmware. Total overkill for what you may need, but I have other requirements, so it is a device that does what I need it to do.

With your new router installed and configured, the area we are concerned with is dnsmasq and its supplementary configuration file known as dnsmasq.conf.add. This *.add file works in tandem with the main dnsmasq.conf file, allowing you to make supplemental entries that are slipped into the main configuration without upsetting the main file itself. Ergo, if you make a change you want to reverse, just edit the *.add file to get things back to normal quickly and easily.

Conditional (DNS) Love

The purpose of this article is to show you an example of conditional DNS forwarding, so I’m skipping bunches of background and setup here; there are stacks of resources available to get you to this point. I just want to show you how I implement dnsmasq on my network for both flexibility and privacy control purposes.

In the most basic of terms, think of the script as working as follows. My router is configured with DNS IP addresses that handle the bulk of DNS requests on my network. For you, these may be the DNS IPs of your ISP, or perhaps Google Public DNS, or OpenDNS (now taken over by Cisco), to name but a few.

With the addition of the dnsmasq.conf.add file to my router, any time any device on my network looks up a geo-blocked web site that is unblocked by my smart DNS provider, the router forwards that lookup to the smart DNS provider’s resolver rather than to the default ones. Additionally, there is no need to assign a static IP to your networked device(s) in order to give them custom DNS IPs. Doing all of this at router level means a device can join your home network, obtain a DHCP lease (an IP address) and off it goes. Job done.

The beauty of dnsmasq is that it allows you to get far more granular than just presenting your network with a one-size-fits-all configuration, which is what I have done with my script below. You can add specific MAC addresses (unique device identifiers) and tag them to enforce strict DNS lookup rules. Not only that, but if your device has more than one interface, like my PlayStation 4 Pro does, and thus has more than one MAC address (e.g. one for LAN and one for WLAN), you can add each MAC address to the configuration file and specify whatever DNS resolver IP address(es) you wish! It really is that cool.

Here’s One I Made Earlier

If you are still with me after all that nerdy talk, well done and thank you! Below I’ve pasted a very basic configuration file that you could use yourself on your router with some amendments. Your smart DNS provider should be able to give you a list of domains to add, or just search their knowledge base; they should be listed. Smart DNS aside, you could also create tags and server entries to direct any domains you wish over specific resolvers.

The goal I accomplished with the below is to separate smart DNS traffic from all my other traffic: only lookups for the domains I list ever reach the smart DNS resolvers, so I hopefully limit the potential for any MITM attack on my data and only allow data I don’t care so much about to be thrown out over those transparent proxies and into the unknown. Another top tip is to see if you can enable and make use of DNSSEC on your router (the ASUS RT-AC5300 allows for this), though that is something more befitting an entire other article.

I realise the information I’m giving you is somewhat brief; however, I feel there are enough pointers here that, with a little research on your part, should give you the tools you need to implement dnsmasq conditional DNS forwarding properly and at least try to protect an often overlooked privacy gap on your network.

# Default dnsmasq options
domain-needed
log-dhcp

# Set custom DNS servers for specific hosts.
# The MAC addresses below are placeholders; replace them with your own devices'.
# A device tagged here is handed the matching dns-server by DHCP and sends its
# lookups there directly, so the router's own resolvers never see them.
## Android Phone
dhcp-host=aa:bb:cc:11:22:33,set:dns1

## Amazon Fire TV
dhcp-host=aa:bb:cc:11:22:34,set:dns1

## PlayStation 4 Pro (one entry per interface: LAN, then WLAN)
dhcp-host=aa:bb:cc:11:22:35,set:dns1
dhcp-host=11:22:33:aa:bb:cc,set:dns2

## NVIDIA Shield
dhcp-host=aa:bb:cc:11:22:36,set:dns1

# DNS server address handed out by DHCP for each tag (placeholder IPs)
dhcp-option=tag:dns1,option:dns-server,44.33.22.11
dhcp-option=tag:dns2,option:dns-server,11.22.33.44

# Forward lookups for these domains (and their subdomains) to DNS 1.
# This applies to queries that reach the router, i.e. from devices not tagged
# above; any domain not listed goes to the router's default resolvers.
# Keep notes on their own line: the documented comment form is a line
# beginning with #. The address at the end is DNS 1 (44.33.22.11 above).
server=/domain.com/domain2.com/domain3.com/domain4.com/44.33.22.11

# Forward lookups for these domains to DNS 2 (11.22.33.44 above).
# Use a different domain list here; a domain listed under both servers
# may be answered by either one.
server=/domain5.com/domain6.com/domain7.com/domain8.com/11.22.33.44
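The mechanics described above (per-domain server= forwarding, per-device DHCP tags) are easy to get subtly wrong, and the whole point of the exercise is knowing exactly which lookups leave via the smart DNS resolvers. Here is an added example, not code from the original post or from dnsmasq, of a small static checker that reads a dnsmasq.conf.add-style file and answers "which upstream resolves this name?" and "which DNS server does this device get?" without running dnsmasq. It also flags any domain listed under more than one upstream. The sample configuration, MAC addresses, domain names and IP addresses embedded in it are constructed placeholders modelled on the file above; the labels DEFAULT_UPSTREAM and ROUTER_ITSELF are this example's own names for "the router's main resolvers" and "the router itself".

```python
"""Static check of a dnsmasq conditional-forwarding file (dnsmasq.conf.add style).

Added example; parses the three directive kinds used in the post:
  dhcp-host=MAC,set:TAG                       device -> tag
  dhcp-option=tag:TAG,option:dns-server,IP    tag -> resolver pushed by DHCP
  server=/dom1/dom2/IP                        domains (and subdomains) -> upstream
"""
import re
from dataclasses import dataclass, field

DEFAULT_UPSTREAM = "router-default-resolvers"  # servers from the main dnsmasq.conf (label assumed)
ROUTER_ITSELF = "router (dnsmasq)"             # what untagged DHCP clients are handed (label assumed)
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


@dataclass
class ForwardingPolicy:
    host_tags: dict = field(default_factory=dict)         # mac -> tag
    tag_dns: dict = field(default_factory=dict)           # tag -> dns server given by DHCP
    domain_upstreams: dict = field(default_factory=dict)  # domain -> [upstream, ...]

    def upstream_for(self, name):
        """dnsmasq matches server=/domain/ against the domain and all subdomains,
        most specific entry first; anything unlisted goes to the default servers."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domain_upstreams:
                return self.domain_upstreams[candidate][0]
        return DEFAULT_UPSTREAM

    def dhcp_dns_for(self, mac):
        """Resolver a device is told to use in its lease; untagged devices get the router."""
        return self.tag_dns.get(self.host_tags.get(mac.lower()), ROUTER_ITSELF)

    def overlapping_domains(self):
        """Domains listed under more than one upstream (either server may answer)."""
        return {d: u for d, u in self.domain_upstreams.items() if len(set(u)) > 1}


def parse_policy(text):
    policy = ForwardingPolicy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # whole-line comments are the documented form
        if not line or "=" not in line:
            continue                          # bare options (domain-needed, log-dhcp) carry no policy
        key, value = line.split("=", 1)
        fields = value.split(",")
        if key == "dhcp-host":
            tags = [f[4:] for f in fields if f.startswith("set:")]
            for mac in (f.lower() for f in fields if MAC_RE.match(f)):
                for tag in tags:
                    policy.host_tags[mac] = tag
        elif key == "dhcp-option":
            tags = [f[4:] for f in fields if f.startswith("tag:")]
            for idx, f in enumerate(fields):
                if f in ("option:dns-server", "6") and idx + 1 < len(fields):
                    for tag in tags:
                        policy.tag_dns[tag] = fields[idx + 1]  # first server listed
        elif key == "server" and value.startswith("/"):
            parts = value.split("/")          # "/a/b/IP" -> ["", "a", "b", "IP"]
            upstream = parts[-1] or "local-only (never forwarded)"
            for domain in parts[1:-1]:
                policy.domain_upstreams.setdefault(domain.lower(), []).append(upstream)
    return policy


# Constructed sample modelled on the post's file; all values are placeholders.
SAMPLE_CONF = """\
domain-needed
log-dhcp
## Android phone -> DNS 1
dhcp-host=aa:bb:cc:11:22:33,set:dns1
## PlayStation: LAN interface -> DNS 1, WLAN interface -> DNS 2
dhcp-host=aa:bb:cc:11:22:35,set:dns1
dhcp-host=11:22:33:aa:bb:cc,set:dns2
dhcp-option=tag:dns1,option:dns-server,44.33.22.11
dhcp-option=tag:dns2,option:dns-server,11.22.33.44
# geo-blocked services -> DNS 1
server=/domain.com/domain2.com/44.33.22.11
# second provider -> DNS 2; domain2.com is deliberately listed twice
server=/domain2.com/domain3.com/11.22.33.44
"""


def report(text=SAMPLE_CONF):
    p = parse_policy(text)
    return {
        "www.domain.com": p.upstream_for("www.domain.com"),
        "cdn.domain3.com": p.upstream_for("cdn.domain3.com"),
        "bank.example": p.upstream_for("bank.example"),
        "aa:bb:cc:11:22:33": p.dhcp_dns_for("aa:bb:cc:11:22:33"),
        "11:22:33:aa:bb:cc": p.dhcp_dns_for("11:22:33:aa:bb:cc"),
        "overlaps": p.overlapping_domains(),
    }


if __name__ == "__main__":
    for key, val in report().items():
        print(f"{key:>20}: {val}")
```

Run it against your own dnsmasq.conf.add by passing the file's text to report(). The two answers worth checking are that names outside the smart DNS list resolve via DEFAULT_UPSTREAM, and that a device you tagged is handed the resolver you expect; the overlap report catches the case where the same domain is copied into both server= lines.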