Internet domain lookups are typically unencrypted, meaning hackers and governments can manipulate them to block certain sites or serve up malware.
Before you can access most websites, your computer needs to turn their written domain names—something like www.example.com—into a numerical IP address.
Computers and smartphones use a network of servers called the Domain Name System to make these translations, but traditionally they’ve talked to DNS servers over unsecured connections. That means no encryption to prevent online snoops from monitoring what addresses they’re looking up, and the possibility that governments, hackers, or internet service providers (ISPs) can intercept requests. In some cases, ISPs, hackers and governments interfere with DNS requests to block access to certain sites or direct people to the wrong addresses.
“DNS manipulation is a powerful cyberweapon that can be used to block websites and apps, redirect people to phishing sites, or even force people to download malware,” says Justin Henck, a product manager at Jigsaw, an Alphabet unit focused on safety and security.
Jigsaw on Wednesday released a new Android app called Intra that lets users connect through encrypted connections to DNS servers that support it. Google’s own free, public DNS servers have support for encryption and are selected by default, and users can easily switch to compatible servers from Cloudflare if they prefer. The app essentially sends domain name lookup information using the same security used to load secure websites.
“It takes the security guarantees created by HTTPS and extends them to cover DNS, which is the first step in every connection,” says Jigsaw software engineer Ben Schwartz.
People using the latest Android operating system, called Android Pie, can also take advantage of support for the secure DNS protocol that’s built into the system. But people around the world whose phones run older versions of Android will also be able to install Intra to enable secure DNS. When people run the app, they’ll be invited to enable secure DNS queries with the touch of a button and will receive a reminder as long as the app is enabled.
[Photo: courtesy of Jigsaw Operations LLC]
Manipulation of the decades-old DNS protocol isn’t just a theoretical risk. The Open Observatory of Network Interference, affiliated with the Tor Project, which develops the Tor secure-routing network, reported in August that DNS tampering has been used in Venezuela to prevent access to independent news sources. China has also reportedly used the tactic to censor the internet, and hackers have used it to distribute malware and steal login credentials as part of phishing attacks.
“DNS manipulation can be used in a wide variety of different ways to accomplish a wide variety of bad actions and attacks,” warns Schwartz.
Since computers and phones need to look up the addresses of sites they connect to, anyone able to monitor DNS traffic, including ISPs, can also get a sense of what websites people are browsing. Many devices automatically send DNS queries to servers run by their internet service providers, but companies including Google, Cloudflare, Verisign, and IBM have launched their own free, public DNS servers that they generally say can offer greater speed, privacy, and security than ISP-provided DNS.
But if devices connect to those servers using unsecured connections, the messages they send back and forth are still subject to manipulation. Jigsaw doesn’t have any public plans to release Intra for platforms beyond Android, but Henck says he’s hopeful other operating systems will also soon support encrypted DNS.
“It’s interesting because ultimately our goal here is we want Intra to help make DNS manipulation obsolete,” he says. “At some level, Intra might put itself out of business as an application.”