Domain Name System (DNS) Options in Island

DNS is the method by which hostnames such as www.google.com or wikipedia.org are translated into the IP addresses needed for the Internet Protocol to establish a connection to the desired host.

Island has several options for handling DNS requests on your network. These options can be configured by enabling Geek Mode and selecting Network from the main menu (☰). Clicking on the DNS section near the bottom of the page will bring up the following screen:

 
 

The first section on that screen controls how Island performs DNS lookups: either “recursive” or “DNS over HTTPS”. Recursive DNS is the traditional method of handling DNS requests. While it has worked well for many years, it suffers from a few shortcomings, one of them being that the requests and responses are not encrypted. This potentially allows your ISP (or other parties that are able to monitor your communications) to track which Internet sites you visit, or even modify the DNS responses to redirect you to a different site.

To address the latter issue, the DNS protocol was enhanced several years ago to support digital signing of the response, preventing it from being modified in flight. This enhancement is called DNSSEC and can be enabled on Island by checking the DNSSEC box when using recursive DNS.

While DNSSEC addresses the problem of DNS responses being modified by a third party, it does not solve the privacy issues inherent in the unencrypted DNS protocol. To address these concerns, new protocols were created which encrypt all DNS requests to and responses from a DNS server. The most common implementation is called DNS over HTTPS, or DoH.

By default, Island uses DNS over HTTPS to resolve all DNS requests, using Cloudflare as the provider. The user may choose Google as the DoH provider by selecting it from the DoH drop-down list. Other providers may be added in the future, and a custom provider can be configured using the Command Line Interface (CLI).
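To make the difference concrete, the following added example (not Island's code, and not taken from this page) builds one DNS query, shows what an observer of plaintext port-53 traffic can read from it, and shows how the same bytes are wrapped into an RFC 8484 DoH request. The endpoint URLs are the providers' publicly documented ones and are an assumption here, since the page does not state which URLs Island is configured with; the function names are hypothetical.

```python
import base64
import struct

# Publicly documented RFC 8484 endpoints of the two providers named above.
# Assumption: the page does not say which URLs Island itself is configured with.
DOH_ENDPOINTS = {
    "cloudflare": "https://cloudflare-dns.com/dns-query",
    "google": "https://dns.google/dns-query",
}


def build_query(hostname, qtype=1, query_id=0):
    """Return a DNS query in wire format (RFC 1035) with recursion desired.

    RFC 8484 recommends ID 0 for DoH so that HTTP caches can reuse responses.
    """
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("invalid label length: %r" % label)
        qname += bytes([len(raw)]) + raw
    # Root label, then QTYPE (1 = A) and QCLASS (1 = IN).
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(provider, wire):
    """Wrap the wire-format query in an RFC 8484 GET URL (base64url, no padding)."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (DOH_ENDPOINTS[provider], encoded)


def visible_name(wire):
    """Recover the queried name from the raw bytes, as anyone on the path of
    unencrypted port-53 traffic could."""
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while wire[pos] != 0:
        length = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    query = build_query("www.example.com")  # constructed sample name
    print("plaintext UDP payload exposes:", visible_name(query))
    print("DoH request (sent inside TLS):", doh_get_url("cloudflare", query))
```

With DoH the query string above travels inside the TLS session, so a party monitoring the connection sees only a connection to the provider, not the name being looked up.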

Another issue is controlling which DNS server individual hosts on the local network use. Most hosts will use Island as their DNS server because Island advertises its DNS services to hosts when assigning IP addresses using the DHCP protocol. However, some hosts may have their DNS servers manually configured, bypassing Island’s DNS server and consequently Island’s ability to block known malicious sites from the DNS responses. To address this issue, Island by default intercepts DNS requests sent to other DNS servers and handles them locally instead. This feature, enforced by the “Always use Island” switch, enhances security. If necessary, it can be disabled by turning off the “Always use Island” switch on the DNS screen.

Note that “Always use Island” cannot intercept DNS traffic from a host that is itself using DoH. DoH, by its nature, cannot be monitored or modified in flight. If needed, access to selected DoH servers by hosts can be blocked using Island’s custom filters (described elsewhere), forcing the hosts to revert to using Island’s DNS services instead.
