3 Ways to Secure DNS While Working from Home

Why is DNS so important?

DNS is the phone book of the internet: every website that is accessed, whether legitimate or malicious, gets resolved by DNS. While in the office or on VPN, a corporate network usually has various security solutions to prevent users from accessing malicious websites and getting infected, but working from home is a different story. I personally think this is a great opportunity to improve cyber security on your home network as well.

  • Use Cloudflare DNS to protect against malicious websites
  • Manually blacklist websites and domains through the local hosts file
  • Set up Pi-hole as your DNS server

Using Cloudflare DNS

Cloudflare took a strong stance on privacy and cyber security and has improved on their public DNS service 1.1.1.1 with two new services:

  • 1.1.1.2: block malicious content
  • 1.1.1.3: block malicious and adult content

More info can be found in this blog post: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

The good part is that you can configure the DNS server for the entire network via your home router (if it has this feature), or individually for each device.

To test this out you can also use the command-line utility nslookup.

> nslookup phishing.testcategory.com 1.1.1.1
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	phishing.testcategory.com
Address: 104.18.4.35
Expected response using nslookup from Cloudflare DNS

To test the malware-blocking capabilities without actually visiting malicious websites and risking infection, Cloudflare has a test website available: https://phishing.testcategory.com.

> nslookup phishing.testcategory.com 1.1.1.2
Server:		1.1.1.2
Address:	1.1.1.2#53

Non-authoritative answer:
Name:	phishing.testcategory.com
Address: 0.0.0.0
Using Cloudflare DNS to block malicious websites

One interesting thing that I noticed: this does not work when using it over a VPN, granted that I've used TunnelBear VPN, which is hosted on DigitalOcean.

Manually updating the hosts file

While this is quite powerful, the downside is that if you have multiple computers you have to make the changes on each and every one of them. Another downside is that this is not available for mobile devices (or at least not in an easy way).

To make these changes all you need is a text editor. The location of the hosts file:

  • Windows: C:\Windows\System32\drivers\etc\hosts
  • OSX and Linux: /etc/hosts

There are a couple of great resources on where to get blacklisted domains.

One other important aspect to be aware of is that these lists will require constant updates with new malicious domains.
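
Because the list has to be refreshed regularly and applied on every computer, it helps to script the update instead of editing by hand. The following is an added example, not code from the original post: it validates the entries of a downloaded blocklist and replaces only a marked block inside the hosts file content, leaving your own entries alone. The marker strings and the sample feed and hosts data are constructed for illustration; reading and writing the real hosts file (which needs administrator rights) is left to the caller.

```python
import re

BEGIN = "# BEGIN blocklist (managed, do not edit by hand)"
END = "# END blocklist"
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_domain(name):
    """Return a normalised hostname, or None for anything that is not one."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return None  # too long, single label (localhost), or an IP address
    return name if all(LABEL.match(l) for l in labels) else None

def parse_feed(text):
    """Accept 'domain' or '0.0.0.0 domain' lines; drop comments and junk."""
    domains = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            fields = fields[1:]
        # A feed line pointing a name at any other IP is a redirect, not a block.
        name = valid_domain(fields[0]) if len(fields) == 1 else None
        if name:
            domains.add(name)
    return sorted(domains)

def merge_hosts(hosts_text, domains):
    """Replace the managed block; entries outside the markers are kept as-is."""
    kept, inside = [], False
    for line in hosts_text.splitlines():
        if line.strip() in (BEGIN, END):
            inside = line.strip() == BEGIN
        elif not inside:
            kept.append(line)
    body = "\n".join(kept).rstrip()
    block = "\n".join([BEGIN] + [f"0.0.0.0 {d}" for d in domains] + [END])
    return f"{body}\n\n{block}\n"

# Constructed sample data: a feed with two unusable lines and a small hosts file.
SAMPLE_FEED = """0.0.0.0 tracker.example
Malware.Example.   # trailing dot and mixed case
127.0.0.1 localhost
10.0.0.1 router.example
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.1.10 nas.home.example\n"

if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, parse_feed(SAMPLE_FEED)), end="")
```

Running the merge again with a newer feed swaps the old block for the new one, so repeated updates do not pile up duplicate entries.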

Dealing with tracking websites

Apart from malicious websites, legitimate websites embed a lot of tracking services. DuckDuckGo actively scans for tracking services on popular websites.

DuckDuckGo Tracker Radar Exposes Hidden Tracking
DuckDuckGo Tracker Radar is a best-in-class, automatically-generated data set about trackers that we’ve made available for research and generating block lists.

While writing this article, I've started using the DuckDuckGo Privacy Essentials Safari extension, meant for blocking trackers on websites.

Deploying Pi-hole

The ultimate DIY home network security project for tech enthusiasts is Pi-hole, or at least in my opinion. Originally it was designed for the Raspberry Pi, but with Docker getting more popular, Pi-hole can also be deployed as a container.

When I was younger I always wanted to set up and manage BIND, but it was quite hard. Well, with Pi-hole everything is quite easy, and it also provides a very nice web interface to monitor the websites that are being blocked.

Wrapping things up

There are a lot of free opportunities available to enhance the security of your home network.