Understanding DNS

When you use your computer to go to a place on the internet, it first sends the name from the URL (the hostname) to a DNS server and asks for the IP address of the place you want to go. The DNS server looks up that name in its records, finds the IP address of the device hosting that place, and sends the IP address back to your computer. Your computer can then use that IP address to contact the device and request the information it needs to show you the place you want to go on the internet.

Just like a GPS helps you find your way to a specific address in a city by using street names and numbers, DNS enables your computer to locate the IP address of websites on the internet by using the website’s name.

As an example, if you want to visit the website of your favorite coffee shop, DNS helps your computer by translating the name of the site (for instance, starbucks.com) into the IP address it needs in order to connect (e.g. 23.37.62.10).

Let’s imagine you’re at home, asking your mom to grab a latte from Starbucks. After using GPS to get directions, she heads to Starbucks, takes your order, and returns home.

When you type “www.starbucks.com” into your browser, it’s like saying, “hey, mom, get me a coffee from Starbucks.” The browser asks the DNS server (the GPS) for the IP address of Starbucks’ main server before connecting to it. The server then sends back the requested data (your coffee).
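To make that exchange concrete, here is an added Python example (not part of the original article) that builds the DNS question your computer sends for www.starbucks.com and parses the answer a DNS server returns. The response is constructed locally with the article’s example address 23.37.62.10 so the code runs offline; the `resolve()` helper, which sends the query over plain UDP port 53 to a resolver address you supply, assumes network access and is only used if you call it.

```python
import random
import socket
import struct

QTYPE_A = 1      # IPv4 address record
QCLASS_IN = 1    # Internet class


def build_query(hostname: str, txid: int) -> bytes:
    """Build a DNS query asking for the A (IPv4) record of hostname.

    Header: 16-bit transaction id, flags 0x0100 (recursion desired),
    QDCOUNT=1 and the three other counts 0, followed by the question.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(data: bytes, offset: int):
    """Decode a domain name at offset, following compression pointers.

    Returns (name, offset just past the name as it appeared on the wire).
    """
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data: bytes, expected_txid: int) -> list:
    """Return [(name, ipv4, ttl), ...] for the A records in a DNS response.

    The transaction id must match the query we sent; a mismatch is the
    first sign of a forged answer, so it is rejected outright.
    """
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: possible forged response")
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    offset = 12
    for _ in range(qdcount):            # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4                     # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlength == 4:
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return records


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Build the reply an honest resolver would send to `query`.

    Constructed for this example, not a captured packet. The answer's name
    is a pointer (0xC00C) to the question name at offset 12, as real servers do.
    """
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # response, RD+RA, 1 question, 1 answer
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def resolve(hostname: str, resolver_ip: str, timeout: float = 2.0) -> list:
    """Ask a resolver over UDP port 53 (assumes network access). A random
    transaction id makes forged answers harder to slip in."""
    txid = random.randrange(65536)
    query = build_query(hostname, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, txid)


if __name__ == "__main__":
    q = build_query("www.starbucks.com", 0x1234)
    r = constructed_response(q, "23.37.62.10")
    print(parse_response(r, 0x1234))  # [('www.starbucks.com', '23.37.62.10', 300)]
```

Run it as-is to see the offline round trip; the transaction-id check in `parse_response` is the one piece of protection plain DNS gives you against an answer that did not come from the server you asked.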

But a DNS server can lie!

Imagine your mom asked the GPS for directions and it gave her wrong information, so she ended up driving in circles. That is what censors do with DNS: monitoring, filtering and rewriting DNS requests is their first level of censorship.

This means they can show you a warning page instead of the data you asked for. It’s like getting lost in a city and ending up nowhere, or being led to a place where the police can at least note your license plate number. It is the same technique criminals use in DNS spoofing.

So always be careful when using DNS servers, and trust them sparingly!

Big brother is watching you!

In 2011, Iran’s government hackers used DNS cache poisoning (along with SSL certificates from DigiNotar) to spy on the opposition’s Gmail accounts. With DigiNotar certificates, they set up a fake server with a valid *.google.com certificate and, by poisoning the DNS server, redirected victims to it.

This allowed them to secretly monitor the opposition’s email activities without their knowledge. It was a sneaky and underhanded tactic, showing the lengths some governments will go to control and censor the internet.

By now the importance of unfiltered DNS for your safety should be clear.

I want coffee!

But you still want your coffee. Your mom takes the car, but this time she asks people on the street for Starbucks’ IP address.

In the past, using public DNS servers was enough to bypass censorship. However, these days it’s more complex.

No matter who your mom asks, she always gets the wrong address. It’s like the Matrix, where Agent Smith can be in anyone’s body.

If you are interested, read about DNS hijacking.

Censors can intercept your DNS requests and redirect them to their own censoring DNS server without you noticing, which keeps you from reaching the information you want.

Using a public DNS server may also be ineffective in these situations. Plain DNS over UDP port 53 is unencrypted and easy to intercept or block, which makes it an easy target for censorship.
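Both the lying-resolver case above and the hijacking case here leave a trace you can check for: the answers different resolvers give for the same name stop agreeing, or point at addresses no public website could live on. The following Python is an added example, not part of the original article, that audits a set of answers. The resolver names and the addresses other than 23.37.62.10 (the article’s example) are constructed for the demonstration.

```python
import ipaddress
from collections import Counter

# Constructed sample: the A-record answers five resolvers gave for the same
# hostname. Only 23.37.62.10 comes from the article; the rest are made up.
SAMPLE_ANSWERS = {
    "isp-resolver":      ["10.10.34.35"],   # private-range address: a block page, not the real site
    "public-resolver-a": ["23.37.62.10"],
    "public-resolver-b": ["23.37.62.10"],
    "public-resolver-c": ["23.37.62.99"],   # the odd one out
    "filtered-resolver": [],                # replied without any address
}


def suspicious_address(ip: str) -> bool:
    """True if the address can never belong to a public web server (private,
    loopback, link-local, reserved, multicast or unspecified ranges). A
    censor's warning page or sinkhole commonly lives in one of these."""
    return not ipaddress.ip_address(ip).is_global


def audit_answers(answers: dict) -> dict:
    """Compare what each resolver said. Returns {resolver: [findings]}.

    The consensus is the address(es) returned by the most resolvers; a
    resolver that returns nothing, a non-routable address, or something
    outside the consensus gets a finding for each problem.
    """
    tally = Counter(ip for ips in answers.values() for ip in ips)
    top = max(tally.values(), default=0)
    consensus = sorted(ip for ip, n in tally.items() if n == top)
    report = {}
    for resolver, ips in answers.items():
        findings = []
        if not ips:
            findings.append("no addresses returned")
        for ip in ips:
            if suspicious_address(ip):
                findings.append(f"non-routable answer {ip}")
        if ips and not set(ips) & set(consensus):
            findings.append("disagrees with consensus " + ", ".join(consensus))
        report[resolver] = findings
    return report


def untrusted_resolvers(report: dict) -> list:
    """Names of resolvers with at least one finding, sorted for stable output."""
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    result = audit_answers(SAMPLE_ANSWERS)
    for resolver, findings in result.items():
        print(f"{resolver:18} {'OK' if not findings else '; '.join(findings)}")
    print("do not trust:", untrusted_resolvers(result))
```

A disagreement on its own is not proof of tampering, because large sites answer with different addresses in different regions; the strong signals are a private or otherwise non-routable answer and a resolver that returns nothing while the others return a real address. Feed the function answers you collected yourself, with the resolver you normally use alongside a few public ones, and the resolver that keeps landing in the report is the one the article tells you to trust sparingly.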

This is where virtual private networks (VPNs) can be useful, as they can secure and protect your internet connection and allow you to access restricted information.