Editing Domain Name System (section)

==Privacy and tracking issues==
Originally designed as a public, hierarchical, distributed and heavily cached database, the DNS protocol has no confidentiality controls. User queries and nameserver responses are sent unencrypted, enabling [[Sniffing attack|network packet sniffing]], [[DNS hijacking]], [[DNS spoofing|DNS cache poisoning]] and [[man-in-the-middle attack]]s. This deficiency is commonly used by cybercriminals and network operators for marketing purposes, user authentication on [[captive portal]]s and [[Internet censorship|censorship]].<ref name="Huston-2019">{{Cite journal|last=Huston|first=Geoff|date=July 2019|title=DNS Privacy and the IETF|url=http://ipj.dreamhosters.com/wp-content/uploads/2019/07/ipj222.pdf |archive-url=https://web.archive.org/web/20190930154208/http://ipj.dreamhosters.com/wp-content/uploads/2019/07/ipj222.pdf |archive-date=2019-09-30 |url-status=live|journal=The Internet Protocol Journal}}</ref>

User privacy is further exposed by proposals for increasing the level of client IP information in DNS queries (RFC 7871) for the benefit of [[content delivery network]]s.

The main approaches that are in use to counter privacy issues with DNS include:
*[[VPN]]s, which move DNS resolution to the VPN operator and hide user traffic from the local ISP.
*[[Tor (network)|Tor]], which replaces traditional DNS resolution with anonymous [[.onion]] domains, hiding both name resolution and user traffic behind [[onion routing]] counter-surveillance.
*[[Proxy server|Proxies]] and public DNS servers, which move the actual DNS resolution to a trusted third-party provider.
**Some public DNS servers may support security extensions such as [[DNS over HTTPS]], [[DNS over TLS]] and [[DNSCrypt]].

Solutions preventing DNS inspection by the local network operator have been criticized for thwarting corporate network security policies and Internet censorship. Public DNS servers are also criticized for contributing to the centralization of the Internet by placing control over DNS resolution in the hands of the few large companies which can afford to run public resolvers.<ref name="Huston-2019" />

{{Blockquote|text=Google is the dominant provider of the platform in [[Android (operating system)|Android]], the browser in Chrome, and the DNS resolver in the 8.8.8.8 service. Would this scenario be a case of a single corporate entity being in a position of overarching control of  the  entire  namespace  of  the  Internet?  [[Netflix]]  already  fielded  an  app that used its own DNS resolution mechanism independent of the platform upon which the app was running. What if the [[Facebook]] app included DoH? What if [[Apple Inc.|Apple]]'s [[iOS]] used a DoH-resolution mechanism to bypass local DNS resolution and steer all DNS queries from Apple's platforms to a set of Apple-operated name resolvers?|sign=|source=DNS Privacy and the IETF}}