The 5-minute guide to stop selling out your DNS queries to BigTech

Install Dnsmasq and stop the madness

DNS

Whether you know it or not, every DNS query you make can be logged by your ISP or, if you follow a lot of the bad advice online, sent directly into the mouth of the beasts: 8.8.8.8, 1.1.1.1...

Since it can be logged, it probably will be, and if you have ever wondered how they knew you were shopping for X in Y... that is probably one way.

There is also a clear incentive to log this data, since it is worth money to whoever collects it and potentially trades it to third parties.

It does not have to be like this.

Dnsmasq

If you are on Linux, it won't take you more than 2 minutes to install Dnsmasq, a simple caching DNS server.

sudo apt install dnsmasq

You can, and probably should, read the manual, but a good starting point is to empty the file

#/etc/dnsmasq.conf

and replace its content with the following:

#/etc/dnsmasq.conf
domain-needed
bogus-priv

domain=mydomain.local
expand-hosts
local=/mydomain.local/

listen-address=127.0.0.1
bind-interfaces


server=94.16.114.254
server=94.247.43.254
server=185.181.61.24
server=195.10.195.195

The server= lines are the upstream DNS servers that Dnsmasq will query whenever it needs the IP address of a domain that is not in its cache.

You can get creative here. What I'd rather not do is use Google's or any other BigTech "free" DNS IPs; for example, you can use the server addresses provided by OpenNIC, or by anyone else who is not a global information leviathan.

The expand-hosts directive also lets Dnsmasq serve the hosts listed in your /etc/hosts file over DNS. By adding more listen-address lines, you can bind the DNS server to a network interface, in case you want to share the service over your LAN. Leaving it as it is, with only the loopback address (127.0.0.1), serves only your local machine.

Conclusion

There's a lot of reading to do, and a lot of services on your machine that might try to make DNS queries on their own. In particular, try to avoid Chrome, since it may still look for external 'secure' DNS servers of its own.

Firefox should be mostly fine.

Exhaustive guides will tell you the full story, but if we can afford to be a bit naive, just putting the following into /etc/resolv.conf:

# /etc/resolv.conf
nameserver 127.0.0.1

should be enough to force local name resolution to use the local DNS server.

And, to ensure nobody is going to change that setting:

chattr +i /etc/resolv.conf

Make sure the Dnsmasq service is restarted after the changes, and you are good to go:

sudo /etc/init.d/dnsmasq restart
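As an added check (example script written for this guide, not part of the original post or of Dnsmasq), the following audits a dnsmasq.conf for the two things the configuration above is meant to guarantee: no server= upstream is one of the BigTech resolvers named at the top, and listen-address stays on the loopback. The sample configs it writes to temp files are constructed for the demo, and the BIGTECH_RESOLVERS list is an assumption you can extend.

```shell
#!/bin/sh
# Audit a dnsmasq.conf for the two properties the guide cares about:
#  1. no server= upstream is one of the BigTech resolvers the post names
#  2. listen-address is loopback-only (unless you meant to share over the LAN)
# Prints findings; returns 0 when the config passes, 1 otherwise.

# Resolvers the post tells you to avoid (constructed list; extend it as you like).
BIGTECH_RESOLVERS="8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1"

audit_dnsmasq_conf() {
    conf="$1"; rc=0
    # Drop comments and blank lines so a commented-out server= does not count.
    active=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' "$conf" | grep -v '^$' || true)

    # Check 1: upstream servers.
    upstreams=$(printf '%s\n' "$active" | sed -n 's/^server=//p')
    [ -n "$upstreams" ] || { echo "FAIL: no server= lines"; rc=1; }
    for ip in $upstreams; do
        for bad in $BIGTECH_RESOLVERS; do
            [ "$ip" = "$bad" ] && { echo "FAIL: upstream $ip is a BigTech resolver"; rc=1; }
        done
    done

    # Check 2: listen addresses (127.x or ::1 only).
    for addr in $(printf '%s\n' "$active" | sed -n 's/^listen-address=//p'); do
        case "$addr" in
            127.*|::1) ;;
            *) echo "FAIL: listen-address=$addr exposes the resolver beyond this host"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed sample configs written to temp files (not your real /etc/dnsmasq.conf).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
domain-needed
bogus-priv
listen-address=127.0.0.1
bind-interfaces
server=94.16.114.254
server=94.247.43.254
EOF
cat > "$BAD_CONF" <<'EOF'
listen-address=0.0.0.0
# server=94.16.114.254
server=8.8.8.8
EOF
audit_dnsmasq_conf "$GOOD_CONF" && echo "good config: PASS"
audit_dnsmasq_conf "$BAD_CONF"  || echo "bad config: FAIL (expected)"
```

Run it against your real file with audit_dnsmasq_conf /etc/dnsmasq.conf after sourcing the script; a non-zero exit means one of the two guarantees is broken.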


[linux]