Your ISP is spying on you

Windows 11 is out and it’s got a new feature that you’re almost certainly not making use of. Modern operating systems have new privacy features that protect you from the prying eyes of your ISP and others, whether you’re on public Wi-Fi or on your home network. Today, we’ll be taking a look at why you want to be using some of the latest features that come with the latest versions of the major operating systems.

Making highlights in a public phone book

I’ve talked about DNS several times before. In case you don’t know what DNS is, you can take a quick read of my glossary page on DNS Hijacking, which also explains what DNS does. Now if you’re like most people who simply use the default DNS settings of your operating system, you’re using your ISP’s DNS resolver, while also leaving all of your DNS traffic unencrypted for anybody listening on the wire to read.

If you’re cool with handing over all of your DNS queries to your ISP (and therefore letting your ISP know every single website you’re trying to connect to, and when you’re trying to connect to it), then leaving DNS traffic unencrypted would be fine so long as your router is working correctly. Because “the wire” between you and your ISP’s DNS resolver is short and direct, there’s little risk of anybody eavesdropping on it, as long as your router hasn’t been hacked and is working fine.

ʕ⚆ᴥ⚆ʔ: Hmmm… I’m not confident of this…

Neither am I. If internet-facing routers were so secure, then hacking wouldn’t be such a big deal. We’ll probably talk more about router security some other time, in another article. But for now, think of it this way: if you aren’t sure that the router giving you Wi-Fi connectivity is secure, it isn’t secure.

So, going back to DNS, if you’re making all of your DNS queries out in plaintext, then there’s a chance somebody other than your ISP can see every website you visit, when you visit it. And even if nobody is listening in, your ISP will still see it, all of it, all the time. If you live in a country with massive government surveillance (China, Russia, Australia), then you should be concerned. Your government can easily track your online activities, even if what you’re doing is as benign as visiting a political dissident’s website, or reading news articles critical of your government.

Unencrypted DNS

ʕ·ᴥ·ʔ: pornhub.com? Hey, I know that website. I tried to visit it once because a pal of mine sent me a link to something, but I couldn’t see it.

Probably because your ISP blocked it for “decency” or somethin’ like that, most likely because they were mandated to by the government.

Even if you change your DNS resolver to one that doesn’t belong to your ISP, say one run by someone trustworthy who’ll respect your privacy, like Quad9, your DNS traffic will still, by default, be unencrypted for your ISP to capture.

Worse yet, “the wire” between you and your third-party DNS resolver will not be short and direct as it is with your ISP’s DNS resolver. So now the risk of someone eavesdropping is even higher than when just using your ISP’s DNS resolver.

Unencrypted third-party DNS

Thankfully, all the major modern operating systems now have ways to encrypt DNS traffic (with Windows being the last, which is part of the reason why I’m writing this article now).

Only you and your resolver can see your highlights on this phone book

Note: If you use an always-on VPN, you might want to skip this section and go down to “Don’t mix encrypted DNS (or any custom DNS settings) with VPNs”.

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are two new protocols that allow you to encrypt your DNS traffic so that only you and your designated DNS resolver can read it.

Encrypted DNS

They’re still pretty new protocols, so there aren’t that many DNS resolvers that support them. I recommend Quad9, but you can also pick from a couple of lists here and here. There’s also a long list of DoH and DNSCrypt resolvers here. (I won’t be talking about DNSCrypt, as that’s beyond the scope of this article.)
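As an added illustration (my code, not anything from the original post or from Quad9), here is a small Python script that builds a plaintext DNS query, pulls the queried name back out of it the way anyone on the wire can, and then wraps the same message as an RFC 8484 DoH GET request, where the name travels inside HTTPS and only the resolver’s hostname and IP are visible. Using Quad9’s public DoH endpoint is my choice for the example.

```python
import base64
import struct

# Quad9's public DoH endpoint (RFC 8484); the resolver choice is an assumption for this example.
DOH_ENDPOINT = "https://dns.quad9.net/dns-query"


def build_dns_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query for an A record: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_qname(packet: bytes) -> str:
    """What anyone on the wire reads out of a plaintext UDP/53 query: the name you asked for."""
    labels, pos = [], 12  # the question section starts right after the header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(query: bytes, endpoint: str = DOH_ENDPOINT) -> str:
    """RFC 8484 GET form: the same DNS message, ID zeroed (so responses are cacheable),
    base64url-encoded without padding and carried inside an ordinary HTTPS request."""
    cacheable = b"\x00\x00" + query[2:]
    encoded = base64.urlsafe_b64encode(cacheable).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_param_to_query(url: str) -> bytes:
    """The resolver's side: recover the DNS message from the dns= parameter (re-adding padding)."""
    param = url.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    query = build_dns_query("example.com")  # constructed sample lookup
    print("plaintext DNS, visible to the ISP:", extract_qname(query))
    url = doh_get_url(query)
    print("DoH request (only the resolver's hostname is visible on the wire):", url)
    print("resolver decodes:", extract_qname(doh_param_to_query(url)))
```

With DoT the same message goes over TLS on port 853 instead of inside an HTTP request, and the observer is left with the same information: the resolver’s address, not your lookup.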

Windows 11, released earlier this month, finally added DoH support. You can check out Quad9’s short how-to here. Android 9 (Pie) and newer versions of Android support DoT, and you can read Quad9’s quick setup guide here. For MacOS 11 (Big Sur) and iOS 14, well, both DoH and DoT were introduced, but setting up either is not straightforward. (Privacy. That’s iPhone – Simple as that.) You could DuckDuckGo some help, but I recommend following this guide from Simple DNS Plus. (Don’t be deceived by the title; it works for both MacOS and iOS.)

Lastly, Linux…

ʕ´•ᴥ•`ʔ

Figure it out for yourselves, guys.

ʕ ಠ ᴥಠ ʔ: Awww!

Here’s the ArchWiki for systemd-resolved, which is almost certainly the DNS resolution software you’re already using.

ฅ^•ᴥ•^ฅ: Yay!

While you’re at it, enable DNSSEC too if your DNS resolver supports it. (DNSSEC is another topic for another time in another article.)

Don’t mix encrypted DNS (or any custom DNS settings) with VPNs

Now, there is one problem with encrypted DNS, or really, any custom DNS configuration that isn’t the default of an operating system: it doesn’t play nice with VPNs.

VPNs control DNS resolution as part of protecting your device’s network traffic, which includes DNS traffic. In order for them to do that, they have to configure custom DNS settings for your device when you use them. If you configure your own custom DNS settings, whether encrypted or not, your VPN won’t be able to protect your DNS traffic properly, and that might lead to privacy and security vulnerabilities or network connectivity issues when using a VPN.

ʕ·ᴥ·ʔ: What if I just don’t use a VPN? Will I still be protected from my ISP and others snooping on me with just encrypted DNS?

You’ll have some protection. Your ISP will still know exactly which IP addresses you connect to, and when you connect to them. That isn’t always enough to tell which website you’re connecting to, but sometimes it is.

For example, if I’m using encrypted DNS with a third-party DNS resolver, and I connect to 142.250.207.78 in order to reach google.com, my ISP will know that I’m connected to a Google IP address, but they won’t know whether I’m connecting to google.com, or developer.google.com, or gmail.com, or youtube.com, or even fan-fan.business.site (no joke, that website has the same IP address as google.com as of this writing, along with at least 15 other Google and non-Google websites).

But if I connect to 81.3.6.166 in order to reach tutanota.com, then it’s a pretty good guess that I’m connecting to tutanota.com, or at least some Tutanota server, because nobody else other than Tutanota uses that IP address. If I connect to 185.70.42.12, they might get confused for a bit and wonder what skyhawk.ml is, but simply navigating to skyhawk.ml leads to protonmail.com, and a simple look at who owns 185.70.42.12 will reveal that it’s owned by ProtonMail.

ʕ·ᴥ·ʔ: Hmmm… Protection incomplete…

Incomplete, alright. On the bright side, you have the speed of a direct internet connection without the slow-down of a VPN, while still foiling your ISP’s ability to easily and reliably surveil which websites you visit. If you don’t use an always-on VPN, then you’ll definitely want encrypted DNS.

ʕ·ᴥ·ʔ: Yeah, it is cool. But, what if I need extra protection? What if I need complete protection from prying eyes being able to see which websites I’m on, or protection from letting the websites I connect to see my IP address? I can’t use a VPN anymore.

You can’t with encrypted DNS on. So, what you do is… you turn it off.

With custom DNS settings like DoH or DoT, make sure to disable them when you want to connect to a VPN, and re-enable them when you disconnect from the VPN. Doing this, even repeatedly, is easy enough on Windows and Android that I’ll let you figure it out.

For MacOS and iOS, it’s difficult and unintuitive. You have to install a configuration profile in the form of a .mobileconfig file to turn either DoH or DoT on, and then uninstall it to turn it off. Here are Quad9’s installation guides and .mobileconfig files for MacOS and iOS. It’s neither simple nor intuitive but, you know: “Privacy. That’s iPhone – Simple as thaaat.”

On Linux…

ʕ⚆ᴥ⚆ʔ

Fine.

# Move the drop-in directory holding your DoT/DNSSEC settings out of the way,
# so systemd-resolved falls back to its defaults and the VPN's DNS takes over.
sudo mv /etc/systemd/resolved.conf.d "$HOME/Desktop"
sudo systemctl restart systemd-resolved.service

# Connect to VPN
# Do your stuff
# Disconnect from VPN

# Put the drop-in directory back and restart to re-enable encrypted DNS.
sudo mv "$HOME/Desktop/resolved.conf.d" /etc/systemd/
sudo systemctl restart systemd-resolved.service

ʕ º ᴥ ºʔ

OPSEC that warrants the complete protection of a VPN warrants spelling the steps out in full.

A real device ‘fingerprint’

ʕ·ᴥ·ʔ: Great! So now I’ve got my encrypted DNS set up. And if I need extreme privacy and security, I’ve got my VPN. My ISP can’t spy on me no more!

No. Wait. Hold up. Your ISP still can.

ʕ·ᴥ·ʔ: What?

They still can.

ʕ·ᴥ·ʔ: But how?

With your Media Access Control (MAC) address.

The MAC address is a hardware identifier, kind of like a serial number or a fingerprint, that comes with your networking hardware. It’s a long number that uniquely identifies a piece of networking hardware, differentiating between your phone’s Wi-Fi adapter and its Bluetooth adapter, or even between your computer’s Wi-Fi adapter and its Ethernet port. It can be used to uniquely identify the networking hardware on your device, identifying your device, and therefore identifying you.

So with encrypted DNS, your ISP might not know which websites you’re visiting. With a VPN, they won’t know which IP addresses you’re connecting to other than your VPN. But they can still know what local network (like a Wi-Fi network) you’re connected to. That means they can find out whether you’re at home, at the office, or at the Starbucks downtown. They can figure out that you’re connected to the school library’s Wi-Fi network, or to your friend’s house’s Wi-Fi network. If AT&T is the ISP for all of the local networks that you connect to, then AT&T can record exactly where you’ve been whenever you’ve been connected to a local AT&T network.

ʕ·ᴥ·ʔ: Hold on. I thought MAC addresses never leave the local network. I do my own research too, y’know, and I was told by multiple people on the internet, like this Lion guy

Leo.

ʕ·ᴥ·ʔ: This Leo guy, that MAC addresses are only used in the local network and never go outside of it. It reaches the AT&T router at the downtown Starbucks, but never makes it past that to AT&T themselves.

I’m impressed, Kuma. You have been doing your research.

ʕ·ᴥ·ʔ: Thank you, thank you.

And you’re absolutely right.

ᕦʕ •ᴥ•ʔᕤ: Yes, praise me more!

Assuming that the AT&T router is doing only the job of a router.

ʕ·ᴥ·ʔ: What?

The MAC address reaches the router so that it can do its job of communicating with you, and then it forwards all of your internet-bound traffic to AT&T without your MAC address so that it can do its job of giving you internet connectivity. But what makes you think the router can’t also send your MAC address to AT&T, separately from your internet-bound traffic?

ʕ·ᴥ·ʔ: Oh. Uhhh, nothing?

Nothing.

ʕ·ᴥ·ʔ: Nothing…

Nothing is stopping the router from sending your MAC address to AT&T, along with any other information the router knows, like its location (meaning your location).

ʕ·ᴥ·ʔ: Snap. But, hmm, routers don’t do this, do they?

They’re not supposed to, but we’ve already established that they can. Hackers aren’t supposed to hack routers either, but we’re not confident of that, now, are we?

ʕ·ᴥ·ʔ: Nooo…

No, we’re not. So unless you’re sure that the router you’re connected to isn’t sending your MAC address to your ISP (or someone else), it’s possible. If the router was supplied by your ISP, as most consumer-grade routers are, then it’s highly likely that your ISP is getting a list of every MAC address that connects to the router you’re connected to, when you connected to it, and where this happened. If somebody else configured the router, then they might be getting all that info. If a hacker hacked the router, like maybe at a downtown Starbucks, then the hacker might be getting that info too.

ʕ ´• ᴥ •`,ʔ: So my ISP knows I was at a buddy’s place when his picnic basket disappeared?

Yep.

ʕ    • ᴥ • ,’ʔ: I sure hope Park Ranger Smith doesn’t ask AT&T any questions…

Fake fingerprints all over the place

ʕ·ᴥ·ʔ: So how do we deal with this? I don’t want my ISP knowing wherever I am whenever I connect to Wi-Fi.

Well, this is where it goes back to what operating system you’re using. There’s this new feature called MAC Address Randomization, and it allows you to fake your MAC address for every network you connect to. That way, no network’s router will know that it’s you connecting to it, because you’re giving it a fake MAC address instead of your hardware’s real one.

Both of the major mobile OSes, starting with Android 10 and iOS 14, support MAC Address Randomization by default. It just works out-of-the-box. So, Android and iOS will give every single network you connect to a fake MAC address. And every network will be given its own unique, random, fake address that won’t be used on any other network, so that ISPs can’t track you by any one fake MAC address either.

So your phone’s Wi-Fi’s real MAC address might be 38:EC:8A:EA:34:C4, but Android/iOS will tell your home router that it’s 67:D3:BB:7E:C7:62. And then, when you connect to the Starbucks Wi-Fi network downtown, their router will see 4B:A7:87:AE:54:2A. All completely different!

ʕ·ᴥ·ʔ: Hey, that’s cool. And it’s on by default. Easy-peasy-I-do-nothing-squeezy. But what about Windows and MacOS?

And that was what disappointed me about Windows 11 this month: they did not introduce MAC Address Randomization. And neither has MacOS so far.

ʕ·ᴥ·ʔ: Awww. And Linux?

Linux is Linux! Of course they have MAC Address Randomization. They had it years before anybody else did!

ʕ·ᴥ·ʔ: Hell yeah!

You just have to turn it on yourself.

ʕ ಠ ᴥಠ ʔ: Awww!
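To make the per-network scheme concrete, here is an added Python example (my code, not anything from this post or from Android, iOS or Linux): it derives a stable, randomized address for each network from a device secret and the SSID, and includes the check a network administrator can use to recognize randomized addresses in DHCP or access-point logs. The HMAC-based derivation is an assumption for illustration, not a reproduction of any operating system’s actual algorithm.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the phone's real Wi-Fi hardware address quoted in the article.
HARDWARE_MAC = "38:EC:8A:EA:34:C4"


def parse_mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet is the 'locally administered' flag. Burned-in hardware
    addresses carry a manufacturer OUI with it clear; randomized ones set it, which is how a
    network admin can tell a randomized client apart in DHCP or access-point logs."""
    return bool(parse_mac(mac)[0] & 0x02)


def is_unicast(mac: str) -> bool:
    """Bit 0x01 of the first octet is the group bit; a station's own address must have it clear."""
    return not parse_mac(mac)[0] & 0x01


def per_network_mac(device_secret: bytes, ssid: str) -> str:
    """Derive a randomized MAC that is stable per network but unlinkable across networks
    (assumed scheme): HMAC-SHA256 of the SSID under a secret that never leaves the device.
    Same SSID gives the same address (so the home router keeps handing out the same DHCP
    lease); a different SSID gives an unrelated one, so two networks cannot correlate the client."""
    digest = hmac.new(device_secret, ssid.encode("utf-8"), hashlib.sha256).digest()
    first = (digest[0] | 0x02) & 0xFE  # set locally-administered, clear the group bit
    return format_mac(bytes([first]) + digest[1:6])


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # generated once per device and kept private
    print("hardware:", HARDWARE_MAC, "locally administered?", is_locally_administered(HARDWARE_MAC))
    for ssid in ("HomeWiFi", "Starbucks-Downtown"):  # constructed network names
        print(ssid, "->", per_network_mac(secret, ssid))
```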

Keep it simple and forget about it

ʕ·ᴥ·ʔ: Hey, aren’t we forgetting something?

Yep!

ʕ·ᴥ·ʔ: What about randomizing my Bluetooth MAC address?

Forget about it.

ʕ·ᴥ·ʔ: Forget about it?

Yep! I told you: we’re forgetting something, on purpose!

First of all, this article is about your ISP spying on you, and they almost certainly won’t spy on you via your Bluetooth MAC address. Secondly, because of the way the Bluetooth protocol currently works, randomizing your Bluetooth MAC address just ain’t practical. It can still be done, but it’s not going to be easy, for any operating system; and it’ll be a pain when you’re pairing your Bluetooth gadgets together. Instead, I recommend a much simpler solution for that: turn your Bluetooth off when you’re not using it. Simple as that.

Speaking of simple, I started sanesecurityguy.com with the intention of keeping security and privacy simple. If you value that kind of guidance, consider subscribing. You’ll be notified of new articles – and only new articles – once a month. Just drop your email address down below or subscribe to my RSS feed linked to in the site menu. I won’t spy on you, sell your data, or make money off of you in any way. Neither will Kuma, though he might steal imaginary picnic baskets.