Ditch Your ISP's DNS Resolver
Virtually everything on the web starts with a DNS request.
Depending on your local network or device's settings, DNS requests are sent to a selected DNS Resolver (The Internet's Phone Book). Every time you visit a website, send an email, access an app, or upload a file, your device communicates with a DNS Resolver in order to translate a website address such as https://one.one.one.one into a machine-readable IP address such as 1.1.1.1 (these answers are generally cached on your browser/device).
ISPs are often the de facto DNS Resolvers for most devices on most networks. These, in turn, are under the regulatory and governmental control of the countries they provide service in.
Should you trust your government with your internet traffic?
It is not about whether what you are doing is legal or not. It is about the invasion of privacy and the open door for mass surveillance, and in turn, mass control. Even if the content is encrypted, ISPs and anyone listening to your internet usage can tune into every site you visit and every app you use. Many DNS providers sell your internet activity to companies interested in targeting you with ads. Many log IP addresses alongside traffic. Are you ok with that?
Ever wondered how your country can simply reroute the website you're trying to visit to their own scary-looking page to keep you from accessing it?
The most common website censorship technique used by ISPs is DNS tampering. You see, Internet Service Providers have the power to override The Phone Book's entries. They can do that by answering DNS requests for a given website.com with false or empty DNS responses (NXDOMAIN).
Many countries go a step further by blocking IPv4 addresses, but that can often result in massive unintended consequences. That is because most websites today share IP addresses, and not on a small scale: 10,000 IPs are enough to reach 80%, or about 204 million, domains. So if a government orders an ISP to block an IP address for a given website, it might end up blocking thousands of others and stop millions of people from accessing regular websites that have nothing to do with the intended block.
A reliable way to bypass an IP Address block is by using a VPN. But if your country is not that strict about internet censorship, you might be able to bypass DNS shenanigans by simply updating your default DNS Server on your network/device.
Updating DNS Servers on Your Device/Network
Look up where the DNS server settings are on your OS.
Then simply update the listings with the IPv4, IPv6 (if supported), HTTPS and TLS addresses of a DNS provider you trust. Here are a few of them:
Google DNS
  IPv4: 8.8.8.8, 8.8.4.4
  IPv6: 2001:4860:4860::8888, 2001:4860:4860::8844
  (or without the :: abbreviation: 2001:4860:4860:0:0:0:0:8888, 2001:4860:4860:0:0:0:0:8844)

Cloudflare DNS
  IPv4: 1.1.1.1, 1.0.0.1
  IPv6: 2606:4700:4700::1111, 2606:4700:4700::1001
  (or without the :: abbreviation: 2606:4700:4700:0:0:0:0:1111, 2606:4700:4700:0:0:0:0:1001)

Quad9 DNS (Secured: malware blocking + DNSSEC validation)
  IPv4: 9.9.9.9, 149.112.112.112
  IPv6: 2620:fe::fe, 2620:fe::9
  HTTPS: https://dns.quad9.net/dns-query
  TLS: tls://dns.quad9.net

Quad9 DNS (Unsecured: no malware blocking, no DNSSEC validation)
  IPv4: 9.9.9.10, 149.112.112.10
  IPv6: 2620:fe::10, 2620:fe::fe:10
  HTTPS: https://dns10.quad9.net/dns-query
  TLS: tls://dns10.quad9.net
To validate your changes on macOS, you can list all the configured DNS resolvers by running:
scutil --dns
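Reading that output by eye is error-prone, especially when a resolver entry shows an IPv6 address in its expanded form. The following script is an added example (not part of the original post): it parses `scutil --dns` output, normalises each nameserver address, and reports any entry that is not one of the providers listed above. The SAMPLE text is constructed for illustration, not captured from a real machine; on a Mac, pipe the real output in with `scutil --dns | python3 check_dns.py`.

```python
import ipaddress
import re

# Trusted resolvers taken from the post above (abbreviated IPv6 form); ipaddress
# normalises 2001:4860:4860:0:0:0:0:8888 and 2001:4860:4860::8888 to one value.
TRUSTED = {ipaddress.ip_address(a) for a in (
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844",
    "1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001",
    "9.9.9.9", "149.112.112.112", "2620:fe::fe", "2620:fe::9",
    "9.9.9.10", "149.112.112.10", "2620:fe::10", "2620:fe::fe:10",
)}

RESOLVER = re.compile(r"^resolver #(\d+)")
NAMESERVER = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")

def parse_scutil(text):
    """Map each 'resolver #N' block of `scutil --dns` output to its nameserver IPs."""
    resolvers, current = {}, None
    for line in text.splitlines():
        if m := RESOLVER.match(line):
            current = int(m.group(1))
            resolvers.setdefault(current, [])
        elif (m := NAMESERVER.match(line)) and current is not None:
            # link-local entries carry a scope id (fe80::1%en0); strip it first
            resolvers[current].append(ipaddress.ip_address(m.group(1).split("%")[0]))
    return resolvers

def untrusted_nameservers(text, trusted=TRUSTED):
    """Nameservers in the output that are not one of the chosen providers."""
    found = {ip for ips in parse_scutil(text).values() for ip in ips}
    return sorted(str(ip) for ip in found if ip not in trusted)

# Constructed sample of `scutil --dns` output, not captured from a real machine:
# resolver #1 was updated to Cloudflare, resolver #2 still points at the router.
SAMPLE = """DNS configuration

resolver #1
  nameserver[0] : 1.1.1.1
  nameserver[1] : 2606:4700:4700:0:0:0:0:1111
  flags    : Request A records, Request AAAA records

resolver #2
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
"""

if __name__ == "__main__":
    import sys
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print("still untrusted:", untrusted_nameservers(text) or "none")
```

A non-empty result means some scope (often a per-interface or VPN-pushed resolver) still hands your queries to a server you did not choose.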
^_-