37

Looking at a Unblock-US Features (a DNS provider) on their website it states the following:

Stay out of the radar of prying eyes.

With Unblock-us, you’ll have peace of mind knowing that your ISP or government is unable to view your online activity. We only send a small percentage of data to the websites we support through our secure servers, and we never log or analyze any data passing through.

The solution to this invasion of privacy? When you sign up for Unblock-Us, you’ll receive a new set of DNS codes to add within your device’s settings. Your true IP address will then be masked and you’ll be able to bypass any restrictions or spying implemented by your ISP or government, all with this simple switch.

[Image: diagram from the Unblock-Us website]

So my question is:

How can changing your DNS prevent your ISP or government from seeing your online activity?

If my understanding of how DNS works is correct, I don't see how these claims are possible.

User1
  • 27
    This is a **lie**. The diagram is wrong. Between *You* and *Unblock-US* there is the path (without or with cable) within your ISP infrastructure. Moreover, within many countries, within this ISP infrastructure are the wiretaps of IAs (legal or illegal ones). – dan Jan 26 '16 at 12:52
  • 4
    The only way this could work is if they have a http proxy as well as a dns server -- and even then it wouldn't stop your ISP from seeing what you're doing. This is almost certainly a con. – Shadur Jan 26 '16 at 14:07
  • 6
    It seems Unblock Us does have a [VPN service](https://www.unblock-us.com/vpn-setup), too. Perhaps whoever made this graphic just didn't understand what they were supposed to draw, and "DNS" should be "VPN". As it is though, the graphic is very misleading. – Chris Down Jan 26 '16 at 14:19
  • @ChrisDown I thought this may have been the case as the graphic closer represents a VPN than a DNS. But reading the quotes it doesn't mention their VPN service at all. Just that you put the "DNS Codes" in and you're fully protected – User1 Jan 26 '16 at 14:22
  • A more accurate title would be "... changing your upstream DNS resolver ..." or something, although that sounds clunky. I came here expecting something about the DNS records for your domain. Or maybe whois information. Or maybe something about reverse-DNS. This is a sensible question, but the title is ambiguous. – Peter Cordes Jan 27 '16 at 09:00
  • Has anyone checked whether they don't rewrite the DNS so that everything goes through proxy servers of theirs? I mean, that would break a hell of a lot of things, but would probably work just fine for HTTP(S), given SNI. – Jonas Schäfer Jan 27 '16 at 09:48
  • 2
    @JonasWielicki After clicking through their site I came to the conclusion that they are probably offering a [smart DNS proxy server](https://en.wikipedia.org/wiki/Smart_DNS_proxy_server), which makes sense because they are often used to work around region-restrictions (-> `unblock us`). However, this does not prevent spying as already explained in the answers. – Nobody moving away from SE Jan 27 '16 at 10:13

4 Answers

51

Essentially, it doesn't.

DNS servers let your computer look up where websites and other services are based on friendly names, by converting those to IP addresses. Your ISP provides this as a service, but knows precisely who you are, and what IP your computer has, so can easily look up to see that @user1 has made a request to look at google.com.

A third party provider knows what IP address your computer is on (else it couldn't reply to queries), and what sites you are looking for. If they are a free, registration free provider, such as OpenDNS, that's all they know. They can take a pretty good guess at your ISP, and probably your geographical location (since most ISPs assign IPs based on location), but they don't have direct access to your name, or to any other data you send to websites.

However, even when using a third party DNS provider, the actual traffic between you and websites goes over your ISP's network. In this case, they can see that @user1 visited 173.194.113.80 and made some requests. If the site is running over HTTP, they can even see that you requested pages from a specific host, thanks to header data such as `Host: google.com` in each request, and the specific pages thanks to the HTTP verb used (e.g. `GET /search?q=dodgy+things`). If the site is running over HTTPS, they just get the IP address, but that's probably enough for them to work out what site you were on, just not the specific pages you looked at.

Matthew
  • this was my understanding of how a DNS works. But now I am slightly more confused because of the conflicting answers. The request for `173.194.113.80 aka google.com` still goes via ISP hence they can see your online activity – User1 Jan 26 '16 at 09:38
  • Essentially, yes. If it goes through your ISP in clear text, they can see it. A VPN service will protect your privacy, since all the ISP can see is "the IP address used by @user1 is connecting to an IP address owned by VPN company". – Matthew Jan 26 '16 at 09:46
  • 1
    Wait a sec. Usually every more or less modern browser has SNI enabled, which means that the fact that Google.com was accessed still remains visible to the gateways, also your ISP. Also, DNS is plaintext, so even without SNI it would still be visible (also the ISP can just modify the request). DNSSEC is not much better in that context because it is still plaintext, but it is signed, meaning that nobody can just change it. – My1 Jan 26 '16 at 11:22
  • 4
    Note that even https can allow the host name to be revealed if the server is using [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) – Dezza Jan 26 '16 at 14:18
  • 3
    @dezza In cases where you don't have SNI, 1 IP maps to 1 hostname anyway, so it's arguably even *more* revealing without SNI. – Chris Down Jan 26 '16 at 15:59
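To make concrete what this answer and the SNI comments describe, here is an added example (not part of the original post): it builds a constructed DNS query, a plain HTTP request and a TLS ClientHello, then shows what an on-path observer such as the ISP can read from each, independent of which resolver the DNS query is addressed to. The builder functions and the sample hostnames are constructed for illustration.

```python
"""What an on-path observer (your ISP) can still read after you switch DNS resolvers:
the DNS question name, the HTTP Host header and the TLS SNI. Inputs are constructed in-line."""
import struct

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal A-record query in RFC 1035 wire format (no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def dns_qname(packet: bytes) -> str:
    """Read the question name straight out of the plaintext DNS packet (any resolver)."""
    pos, labels = 12, []                    # question section starts after the 12-byte header
    while (n := packet[pos]):
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def http_host(request: bytes) -> "str | None":
    """Plain HTTP: the Host header names the site in clear text."""
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode()
    return None

def build_client_hello(sni: str) -> bytes:
    """Constructed TLS 1.2-style ClientHello record carrying only a server_name extension."""
    host = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"   # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)         # extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # TLS record header

def tls_sni(record: bytes) -> "str | None":
    """HTTPS: the hostname still travels unencrypted in the ClientHello server_name extension."""
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p < end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        if etype == 0:                                   # server_name (RFC 6066)
            nlen = struct.unpack("!H", record[p + 7:p + 9])[0]
            return record[p + 9:p + 9 + nlen].decode()
        p += 4 + elen
    return None
```

Run against real captures, the same three parsers recover the site name from every hop between you and the destination, which is why only a tunnel (VPN) or encrypted DNS plus encrypted SNI changes what the ISP sees.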
6

DNS/Internet service providers may collect information about the traffic that you request, for internal auditing or to sell. One example from 2015 is that AT&T offered data privacy for a price.

By using private DNS servers, the request will go through a trusted channel; it still uses the ISP infrastructure, but not their resolution service.

Purefan
  • 1
    If you still use the ISP's infrastructure surely this means the ISP can see your online activity? – User1 Jan 26 '16 at 09:41
  • I'm reluctant to say anything absolute; it wouldn't surprise me if they have logging at other points, but I haven't read anything that jumps to mind right now. Private DNS + encrypted traffic go a long way. – Purefan Jan 26 '16 at 09:51
  • 2
    Hogwash. DNS requests are plaintext and UDP. If your ISP is acting in bad faith they can intercept DNS requests going to a different resolver just as easily as requests going to their own. – Shadur Jan 27 '16 at 05:47
3

specific answer: Unblock-Us' website (incl. the image you included) is quite misleading, as their DNS servers themselves don't offer any additional protection. What they actually mean is that instead of giving you the real IP addresses for some websites (e.g. Netflix.com), it'll resolve them to an IP for one of their proxies, which will then proxy the website you're trying to visit. This doesn't really add any more protection than when accessing websites directly, but it allows you to "hide your real IP address" and bypass region blocks (like any proxy would).

general answer: DNS itself isn't encrypted, so everyone who can monitor your traffic (incl. law enforcement, etc.) can also read your DNS requests and the responses in plain text. Technologies like DNSCrypt add an encryption layer to DNS; however, Unblock-US does not use DNSCrypt, so their DNS does not add any protection. One might argue that governments might force/ask ISPs to release information about users of their DNS services, but Unblock-Us does not state that it wouldn't comply with requests by law enforcement itself.

  • Could you elaborate what kind of protection DNSCrypt does add? Does it encrypt DNS queries? – unknownprotocol Jan 27 '16 at 18:05
  • 1
    Exactly, DNSCrypt and DNSSEC use encrypted DNS queries. Without encrypted DNS queries, you are more vulnerable to man-in-the-middle attacks, as an attacker can forge the response of a DNS query to give you a wrong IP address of servers you want to connect to (though they might as well just intercept the [HTTP] traffic). See https://security.stackexchange.com/questions/155180/dns-mitm-attack – JTBrinkmann Jan 07 '19 at 10:48
2

It does not stop them from seeing your activity, it really does not. Private DNS or not, you will still be visible; you would need extra layers to ensure your privacy, but it does allow you to skip government rules. If anyone wanted to, they could easily see who you are. You still use your public IP; don't think doing this hides who you are.

TheHidden
  • This doesn't make sense to me in the current context: "by essentially lying about your location". – HamZa Jan 26 '16 at 09:29
  • @HamZa Yeah, sorry, I'm trying to explain the best way I can, but the DNS allows you to bypass rules put in place by an ISP and also allows you to access content based in the country of the DNS (it's a common trick to get around Netflix etc.). – TheHidden Jan 26 '16 at 09:33
  • 1
    I think you're confusing "DNS" with "proxy". – HamZa Jan 26 '16 at 09:37
  • @HamZa No, I'm not. It's quite common over here in England; we have a lot of blocked websites... change my DNS to 8.8.8.8 and boom, access to blocked websites. – TheHidden Jan 26 '16 at 09:55
  • 2
    Changing DNS doesn't change your location. Yes, changing it could bypass restrictions made by your ISP. – HamZa Jan 26 '16 at 09:56
  • @HamZa I was simply trying to explain it in simple terms by giving an analogy I was not trying to cause confusion to this level. – TheHidden Jan 26 '16 at 09:58
  • 1
    @HamZa Changed it to save others the confusion of what I mean. – TheHidden Jan 26 '16 at 09:59