Insights For Success

Strategy, Innovation, Leadership and Security

DNS

What is the Domain Naming System

General | Edward Kiledjian

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It is an essential component of the functionality of most modern organizations and individuals using the Internet. DNS translates domain names meaningful to humans into the numerical (binary) identifiers associated with networking equipment to locate and address these devices worldwide. An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 93.184.216.119 (IPv4) and 2606:2800:220:6d:26bf:1447:1097 (IPv6).

Domain names are organized in subordinate levels of the DNS root domain, which is nameless. The first-level set of domain names are the top-level domains (TLDs), including the generic top-level domains (gTLDs), such as the prominent domains com, info, net, and org, and the country code top-level domains (ccTLDs). Below these levels, the next domain name component has been used to designate a particular host server. Therefore, www.example.com might resolve to 93.184.216.119, a specific web server, whereas example.com might resolve to any web server in the com domain.

The DNS system is a critical part of the functionality of most Internet-connected organizations and individuals. DNS is used by nearly everyone who uses the Internet today for various essential activities such as emailing, browsing websites, and using cloud-based applications. In addition, the DNS system is also used in many non-Internet applications, such as voice over IP (VoIP) and instant messaging.

The Domain Name System was invented by Paul Mockapetris in the early 1980s and standardized in the late 1980s. It is one of the most critical technologies that make the Internet work. The DNS system is maintained by a decentralized network of servers worldwide that are operated by a variety of organizations and individuals. The root servers, the authoritative DNS servers for the top-level domains, are operated by 12 different organizations.

The DNS system is constantly evolving to meet the changing needs of the Internet. In recent years, the DNS system has been adapted to support new features such as Internationalized Domain Names (IDNs) and DNSSEC. In addition, the DNS system is also being used to enable new applications such as content delivery networks (CDNs) and Internet of Things (IoT) systems.

What are the Internationalized Domain Names (IDNs)

Internationalized Domain Names (IDNs) are domain names that contain non-ASCII characters. For use in the DNS, IDN labels are encoded in Punycode. For example, the IDN for 社會科學院大學 is xn-- -u9jz54a79Ob. IDNs can be used at any level of the domain name, including the second-level and top-level domains.

What is Punycode?

Punycode is a representation of Unicode with the limited ASCII character set. It is used for encoding internationalized domain names (IDNs). Punycode is implemented in the Domain Name System (DNS) and is standardized in RFC 3492.

What is DNSSEC?

DNSSEC is a set of security extensions for the Domain Name System (DNS). DNSSEC provides authentication and integrity for DNS data. DNSSEC uses digital signatures and public-key cryptography to protect DNS data from tampering and spoofing. DNSSEC is specified in a number of RFCs, including RFC 4033, RFC 4034, and RFC 4035.

DNS for enhanced security

Some companies, like Quad9 and Cloudflare, provide free-to-use DNS services that do more than just resolve domain names. They can protect you from malware or block certain undesirable sites (e.g. pornography).

They do this by maintaining a constantly-updated list of domains known to be used for malicious purposes or sites containing content that may be unwanted. Companies that offer this type of service include Quad9, Cloudflare, and OpenDNS.

What is the future of DNS?

The future of the DNS system is likely to be shaped by the continuing growth of the Internet. As the Internet continues to expand and evolve, the DNS system will need to adapt to meet the changing needs of users and applications. The DNS system is an essential part of the Internet infrastructure and will continue to play a vital role in the operation of the Internet for years to come.

Did hackers hijack your home network DNS service?

General | Edward Kiledjian

Hackers are crafty and will use any means at their disposal to trick you or steal from you. One such technique is called DNS hijacking. 

DNS is the internet's phonebook. When you open a URL, your device automatically converts its hostname into a numerical address so the request can be routed through the internet.

They can redirect you anywhere they want by changing the server that resolves your DNS queries (aka your phonebook). They can inject advertisements into your browsing or trick you into installing their TLS certificate so that they can intercept traffic you think is secure (think banking, healthcare, e-commerce, etc.).

Rather than provide a technical roadmap on how they could accomplish this, this article aims to provide an easy way for you to check right now.

Checking your DNS

The Internet provides a lot of websites for checking DNS settings and finding out which DNS server is in use. If you do not recognize it, then you probably need to dig in a little more and figure out why.

In most cases, if you haven't changed the default settings, your DNS service will be provided by your ISP. 

Who is my DNS is a simple service you can use.

F-secure is another simple option you can check out.


You will then get a summarized result. If you want more details, click on “View results in detail.”

You then get a results page.

I have cropped the right side to protect my information.
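The web checkers above show which resolver your queries actually reach. As an added example (not part of the original article), the Python below performs the complementary local check: it parses resolv.conf-style text, which is where Linux and macOS record the resolvers handed out by your router or DHCP, and flags any nameserver that is neither a well-known public resolver nor an address on your local network. The resolv.conf content is constructed for this example (198.51.100.7 is a documentation-range address standing in for an unknown resolver), and the table of known resolver addresses is this example's own list, not something the article provides.

```python
import ipaddress

# Constructed sample (not from the article): what a resolv.conf might look like
# after a router has handed out a resolver you never configured.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP from the home router
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.7
nameserver 9.9.9.9
nameserver not-an-address
"""

# Resolver addresses published by the operators named in this series
# (Quad9, Cloudflare, OpenDNS) plus Google; extend with your ISP's resolvers.
KNOWN_RESOLVERS = {
    "9.9.9.9": "Quad9", "149.112.112.112": "Quad9",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
    "8.8.8.8": "Google", "8.8.4.4": "Google",
}

# Address ranges that can only be your own LAN or the device itself.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "fc00::/7",                                        # IPv6 unique local
)]


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text, ignoring
    comments, other directives and values that are not valid IP addresses."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def classify(addr):
    """Say where a configured resolver address most likely belongs."""
    key = str(addr)
    if key in KNOWN_RESOLVERS:
        return "known public resolver (%s)" % KNOWN_RESOLVERS[key]
    if addr.is_loopback:
        return "local stub resolver on this device"
    if any(addr in net for net in LOCAL_NETWORKS):
        return "local network (your router or an internal DNS server)"
    return "unrecognized public address: confirm it belongs to your ISP"


def audit(text):
    return [(str(a), classify(a)) for a in parse_nameservers(text)]


if __name__ == "__main__":
    for addr, verdict in audit(SAMPLE_RESOLV_CONF):
        print(addr, "->", verdict)
```

A resolver on your LAN usually means the router is forwarding for you, so the same check should then be repeated against the router's own DNS settings; a loopback address means a local stub (for example systemd-resolved) and the real upstream has to be read from its configuration instead.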


Your smartphone security guide (iPhone and Android)

General | Edward Kiledjian

There are companies out there that will pay top dollar for working full-chain smartphone vulnerabilities that lead to a complete compromise (check out Zerodium as an example). A full zero-click compromise of a patched Android phone can net you a cool $2.5M (Wired).

Considering how we use smartphones and the information they contain (or can leak), these aren’t just simple electronic tools. Smartphones can be considered a bionic extension of your mind—anyone who can access your phone gains unprecedented access to your mind, life and psyche.

You may doubt the validity of the above statement, but think about it. Your smartphone knows where you are and where you have been. It knows who your friends and colleagues are. It knows whom you interact with. It has access to all your emails and other messaging. It has a camera that can be remotely triggered and a microphone to listen in on any of your private conversations (when was the last time you were more than 6 ft from your smartphone?).

Who is this article for?

The more secure you make something, the less usable it becomes. Security professionals have to tailor their security recommendations based on the risk profile of their customers.

For this article, I am assuming you are a “normal” general computing user who is not subject to elevated risks or custom attacks (aka you aren’t in the intelligence field, a journalist in a less favourable geography, a politician, etc.).

Why is this important? An average user will be targeted by unsophisticated actors (ex-partners, lovers, former angry friends, coworkers, or script kiddies) or moderately sophisticated actors (scammers, general hackers, etc.).

An average user is not important enough to merit an attack by state-sponsored actors or organized crime. These advanced actors have more developed capabilities that would require a customized security program built by an experienced security professional.

What are we trying to accomplish?

Whether I am building a multimillion-dollar security program for a large cloud service provider or helping you secure your own smartphone, the goal is always the same.

Absolute security does not exist regardless of how careful you are or how much you spend.

The goal of a solid security program is to be "good enough" to tire your attacker and encourage them to move onto their next victim. Even with the most expensive door lock, a thief can use a battering ram to break down your front door, but they probably won't. You buy a lock that is sufficiently strong to resist breaking with kicks. A good security program is the same.


Let’s begin.

Encrypt your device

If you are running an iPhone with iOS 12 or later, it comes automatically encrypted out of the box. If you are running an older version, check out these instructions. Most modern Android devices from reputable manufacturers come encrypted as well. If you are running a phone from a lesser-known manufacturer, a phone that comes from a market where encryption is illegal, or an older phone, check out these instructions to encrypt your phone.

Password or PIN

Since iOS 9, Apple has made a six-digit PIN mandatory (although you can still force it back to a four-digit PIN). Remember that once an attacker finds your PIN code, they are in, and no additional tools are protecting you.


The goal is to make your adversary’s life as difficult as possible. A four-digit PIN means your attacker has at most 10,000 combinations to try. That may seem like a lot to you, but remember that they have tools to automate the process. Simply moving to a six-digit mixed password means there are 1,000,000 possible combinations.

If you choose to use a passphrase instead, you make things harder for yourself, but you also make it much harder for an attacker to crack.

Fun fact: approximately 25% of all smartphones can be unlocked using one of these PIN codes:

  • 1234

  • 1111

  • 0000

  • 1212

  • 7777

  • 1004

  • 2000

  • 4444

  • 2222

  • 6969

  • 9999

  • 3333

  • 5555

  • 6666

  • 1122

  • 1313

  • 8888

  • 4321

  • 2001

  • 1010


Most phones also support a feature that wipes all the data from your phone after a certain number of wrong attempts have been made. This eliminates the threat of automated attacks.

Remotely wipe your phone

If you feel someone else may be in possession of your phone, and it is connected to the internet, you may be able to remotely wipe the data.

On Android it is normally called Find My Device.

On iPhone it is called Find My iPhone.


You can log into the manufacturer portal to find your device or wipe it if necessary.

Sample iCloud Find my phone interface with the Erase button


Find my device links

  • Android: https://support.google.com/accounts/answer/6160491?hl=en

  • iOS: https://support.apple.com/explore/find-my

Two Factor Authentication

Remember that your phone is an extension of your online Google or Apple ID account. It is very important that you protect these accounts from unauthorized access. You should be using a long, complex, non-dictionary passphrase to log in. You should also enable two-factor authentication to add another layer of protection to your account in case your password is compromised.

The easiest option is to use Time-based One-Time Password (TOTP) codes.

On Apple devices, you will use your smartphone (or any other Apple device connected to your account). The Apple instructions are here.

Google users can use a software TOTP system with any one of the free TOTP clients available. The clients I recommend are:

or some password managers (e.g. 1Password) also offer this as a function. The most secure option is to use a hardware token (e.g. YubiKey), but this is slightly more demanding and I won’t be covering it here.

Update and uninstall

Most attacks are against old vulnerabilities that remain unpatched. If you have a phone from a manufacturer that does not regularly deliver (monthly) security updates, or the updates for your phone have stopped, then it is time to buy something else.

You must update your phone's operating system and all the apps on it regularly. Doing this will reduce your attack surface (aka make an attacker's life more difficult).

Remember that applications may have undiscovered or unpublished vulnerabilities. In addition to updating them through the Apple App Store or Google Play, you should uninstall any applications you do not regularly use. Many of these apps are spying on you anyway, but they could also be the weak gateway through which an attacker gains access to your phone.

Where possible, use the web version of services. As an example, instead of using a Twitter app (on most of my devices), I use the PWA website at mobile.twitter.com. This gives me full functionality without needing an app (that can track me or compromise my device).

Only install apps from the official app stores (Apple App Store or Google Play). Apps in these stores are cryptographically signed to prevent impersonation by attackers. If you are a little more adventurous (on Android), you can also check out the F-Droid alternative app store.

Reboot often

We have seen many attacks in the last 3 years that are not persistent. This means they go away after you reboot your device, which is why it is a good idea to reboot regularly. I typically try to reboot every 8 hours or so (while I am awake).

Turn off your phone

A phone that is off can’t be attacked.

An unsophisticated attacker will not be able to compromise your phone’s baseband chip and turn on your phone.

It is a good idea to turn off your phone when you can (at night or when you will be away from it for a while). Plus, turning it off while charging will often allow your phone to charge a bit faster.

Install a firewall

You may not know it, but if you use a Windows or macOS device, there is a manufacturer-provided firewall on your device. Unfortunately, smartphones do not come bundled with one, even though they are extremely useful.

It seems every week we read about another couple hundred apps (on iOS and Android) that made it into the app stores but were malicious. A firewall lets you define which apps are permitted to use WIFI and/or LTE.

The best firewall for Android is Netguard and the best one for iOS is called Lockdown.

These apps can work in 2 modes:

  • blacklist mode, where you choose which apps are not allowed to communicate

  • whitelist mode, where no app can communicate unless you specifically allow it

Obviously, whitelist mode is the more secure of the two, but it may require a little bit of tweaking when an app just doesn’t work right.

Due to recent societal changes, expect the authors of these apps to change the above terms shortly. Blacklist will be changed to blocklist and whitelist will be changed to allow list.

Disable WIFI and Bluetooth

Anytime you are out of a trusted location (home or work), turn off WIFI and Bluetooth. Also make sure that any feature that would automatically turn them back on is disabled (e.g. Automatically connect to public networks).

Attackers can set up a malicious network and easily trick your device into connecting to it. This is trivial but not part of this discussion so I won’t explain how to do it here.

Many public venues (e.g. malls) use your phone's Bluetooth beaconing to track you as you walk around. This works without any intervention from you. When you don’t need Bluetooth, turn it off.

Remember that public WIFI is evil. Any WIFI that you don’t control can be used to steal your information. If you have to connect to untrusted WIFI, use a VPN. Please use a good VPN and know that good VPNs are never free or extremely cheap. You get what you pay for.

Many will recommend TOR but it is slow and most users would find the experience painful. So I stopped recommending TOR for most users.

Browsers

Browsers are dangerous. Dangerous. Dangerous. They run code delivered to your device from another computer which means it could be a wonderful way for someone to compromise your device remotely.

If you don’t believe me, read this article: China hacked iPhones and Android devices to target Uyghur Muslims.

For iPhone users, I recommend sticking with the built-in Safari. Apple has done a relatively good job with it and it should be secure enough.

On Android, my browser of choice is Bromite. Bromite has native support for the uBlock Origin ad-blocking engine (the best, in my opinion). It supports DNS over HTTPS to encrypt your DNS queries. It is always in incognito mode, and it offers many more security-friendly features. Remember to turn on HTTPS Everywhere in it and disable JavaScript.

Is iOS more secure than Android?

To close out this article, I will quickly touch on the question I receive the most often.

For this discussion, we have to separate privacy and security. This article was written to improve your security, not your privacy. The two do not usually go hand in hand.

For a general user looking for a no-worry, relatively secure platform, iOS is probably the way to go.

For a general user who doesn’t mind a little work and wants good security, Android is the way to go. It offers more customization options to make your device more secure.

For a more security-conscious geek, I recommend going to GrapheneOS. GrapheneOS will require some work (you have to install it) and will make you uncomfortable (it does not come with any Google services or the Google Play store), but it is the most secure consumer option right now.

Improve your internet security right now, easily and for free

General | Edward Kiledjian

Quad9 is a new DNS service launched by a non-profit consortium (founding members are IBM Security, Packet Clearing House & Global Cyber Alliance). The promise of the Quad9 DNS service is good security, drawing on the knowledge of some of the world's leading security research firms, by merely changing your default DNS server, and ALL for free.

The service is (not so creatively) called Quad9 because the DNS address is 9.9.9.9.

Is the Quad9 service fast?


I used the free DNS Benchmark tool by Steve Gibson with connections from Canada, the USA, the UK and Switzerland. I performed ten tests from each region, and in every test, the Quad9 service was in the top 3 fastest DNS services available. In most cases coming in first. 

Quad9 is lightning fast because they use anycast routing, which automatically directs each user to the nearest DNS server.

At launch, the service is powered by 70 servers in 40 countries, but the intention (in 2018) is to grow the fleet to 160 servers.

So how does it improve my security?

So why should you switch from your existing DNS service to the free Quad9 DNS service? Quad9 is a security- and privacy-enhancing DNS service that delivers much more security than any other DNS service currently available to consumers (more than your ISP, OpenDNS, etc.).

Quad9 says " Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites." The threat intelligence is provided by the IBM X-Force but also includes 18 additional threat feeds from partners. Typically companies would pay tens of thousands for this level of protection and they are offering it for free.

You can configure your home router to use Quad9, and all devices inside your house will be automatically protected (including that cheap, easy-to-hack $29 webcam you bought from a shady online reseller).

If a device (using Quad9) tries to contact a "bad" site, it will get back an NXDOMAIN response code (aka not found). This is how they prevent devices from being directed to dangerous sites.

Remember that a known-good site could have been compromised and therefore could attempt to pull content from a shady site. Quad9 will prevent that lookup from succeeding.

Quad9 will continue adding features to further improve your security.

What about false positives?


They maintain a list of the 1,000,000 most used sites on the internet as a whitelist. This means that they cannot (mistakenly) blacklist an important site and make it unavailable.
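To make the NXDOMAIN blocking described above and the whitelist safeguard concrete, here is an added Python example (not Quad9's code; their threat feeds and implementation are not on this page). It parses a DNS query in wire format, looks the queried name and each of its parent domains up in a constructed blocklist and allowlist, and either builds an NXDOMAIN response (RCODE 3) that echoes the original question or signals that the query should be forwarded to an upstream resolver. The allowlist wins, so an overbroad feed entry such as the whole of example.net cannot take down a popular site under it. The domain names and list contents are constructed for this example.

```python
import struct

# Constructed sample lists (stand-ins for Quad9's threat feeds and
# "top 1,000,000 sites" whitelist; not real data).
BLOCKLIST = {"malware.example", "example.net"}  # example.net is an overbroad feed entry
ALLOWLIST = {"cdn.example.net"}                 # popular site that must keep resolving

RCODE_NXDOMAIN = 3
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_qname(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_qname(msg, offset):
    """Decode labels starting at offset; return (name, offset after the name)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid, name, qtype=1):
    """Minimal DNS query (A record by default) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def _suffixes(name):
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def is_blocked(name):
    """Allowlist beats blocklist; both match the name itself and any parent domain."""
    if any(s in ALLOWLIST for s in _suffixes(name)):
        return False
    return any(s in BLOCKLIST for s in _suffixes(name))


def handle_query(query):
    """Return ("NXDOMAIN", response_bytes) for blocked names, otherwise
    ("forward", None), meaning a real forwarder would now send the query upstream."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_qname(query, 12)
    off += 4  # skip QTYPE and QCLASS
    if not is_blocked(name):
        return "forward", None
    # Response header: QR set, RD copied from the query, RA set, RCODE=NXDOMAIN,
    # the question echoed back, no answer/authority/additional records.
    resp_flags = FLAG_QR | (flags & FLAG_RD) | FLAG_RA | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return "NXDOMAIN", header + query[12:off]


def rcode_of(response):
    """Extract the 4-bit RCODE from a response header."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


if __name__ == "__main__":
    for qname in ("www.malware.example", "phish.example.net", "cdn.example.net", "bank.example"):
        decision, resp = handle_query(build_query(0x1234, qname))
        print(qname, "->", decision, "" if resp is None else "(rcode %d)" % rcode_of(resp))
```

Matching parent domains is what lets a single feed entry cover every hostname an attacker spins up under it; the same property is why a whitelist check has to run first, since one bad feed entry would otherwise silently blackhole everything beneath it.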

It looks like a well designed and well thought out platform.

What about my privacy?

The first thing you should realise is that most home connections use the DNS services of their ISP, and I consider most ISPs the least trustworthy operators in your computing chain. Most are willing to sell your data cheaply to anyone willing to buy it.

Quad9's privacy statement is clear "No personally identifiable information is collected by the system. IP addresses of end-users are not stored on disk or distributed outside of the equipment answering the query in the local data center. Quad 9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally identifiable data; and the core charter of the organization is to provide secure, fast, private DNS."

Conclusion

I switched to Quad9, and it has been everything they promised. I recommend everyone reading this switch and try it out. It is one more layer of protection, and this one is easy & free.