Privacy matters, but most modern technologies don't respect it well enough. DNS is one of the most common network services, yet it is sadly not private by default. It's the service that translates FQDNs (example: piskot.si) to IP addresses (example: 126.96.36.199) so that your computer can connect to a site such as this one, and by default it does so in plaintext, so anyone on the path can read every name you look up.
Most people just use their ISP's DNS servers, but those can be easily monitored and the query data can be easily collected. The best solution is to use a DNS resolver that respects your privacy by supporting encryption - I set up my own using AdGuard Home.
There are two main protocols used to achieve DNS encryption:
- DoH (DNS over HTTPS)
- DoT (DNS over TLS)
They both have their pros and cons, but I chose to use DoT due to its wider adoption on mobile devices: Android has supported it natively through the Private DNS setting since Android 9, so any reasonably recent Android phone can use it without extra apps. For a while, this was a "just works" type of thing, until it wasn't any more - the DNS server would just stop responding and I'd get this message on my phone:
At first I thought the server might have just gone down, but that wasn't the case. Maybe my IP address had changed and it wasn't on the allowlist? Wrong. The issue was the TLS certificate, issued by Let's Encrypt - a free certificate authority. While they are awesome for providing such a service free of charge, it can sometimes have its own drawbacks, just like this one. Their old root certificate, DST Root CA X3, expired on 30 September 2021, but their default certificate chain was still cross-signed by it. Clients that insist on validating the chain all the way up to that expired root, instead of stopping at ISRG Root X1 (which they usually trust as well), reject every certificate served with that chain, making essentially every site using it unreachable from some devices. I'm not going to dig too much into the details, because there's a post with a better explanation here.
The fix was to reissue the certificate with the short chain that ends at ISRG Root X1 and set up AdGuard Home to use it. Since I use certbot to manage my certificates, this was a pretty painless process:
- Reissue the certificate, asking certbot for the chain that terminates at ISRG Root X1 (certbot stores this choice in the renewal config, so later automatic renewals keep the short chain; add --force-renewal if the certificate isn't due for renewal yet):
certbot certonly -d <domain> --preferred-chain="ISRG Root X1"
- Copy the certificate chain and private key from the paths certbot prints (by default /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem). Use fullchain.pem, not cert.pem: DoT clients need the intermediate too.
- Navigate to the Encryption settings of your AdGuard Home instance.
- Paste in the freshly issued certificate chain and key and save the changes.
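To make the failure mode concrete, here is an added illustration (not code from this post, from AdGuard Home or from certbot): a toy model of two ways a client can validate a certificate chain, run against Let's Encrypt's default long chain and the short chain that --preferred-chain="ISRG Root X1" produces. The intermediate and root names and their expiry dates are those of the public Let's Encrypt hierarchy; the leaf certificate dns.example.com and both trust stores are constructed for the example, and no real signatures are checked.

```python
"""Why the expired DST Root CA X3 cross-sign broke DoT for some clients.

Added illustration, not code from the original post, AdGuard Home or certbot.
Certificates are plain dicts with no real signatures; intermediate and root
names and dates mirror the public Let's Encrypt hierarchy, the leaf
certificate (dns.example.com) and the trust stores are constructed.
"""
from datetime import date


def cert(subject, issuer, not_after):
    """A minimal certificate: who it names, who signed it, when it expires."""
    return {"subject": subject, "issuer": issuer, "not_after": not_after}


# Real expiry dates of the public Let's Encrypt hierarchy.
DST_ROOT_CA_X3 = cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_ROOT_X1 = cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
R3 = cert("R3", "ISRG Root X1", date(2025, 9, 15))
# ISRG Root X1 cross-signed by DST Root CA X3, appended to the default chain.
ISRG_ROOT_X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))

# Constructed leaf certificate for the DoT endpoint.
LEAF = cert("dns.example.com", "R3", date(2022, 1, 1))

# Let's Encrypt's default ("long") chain versus the fullchain.pem certbot
# writes with --preferred-chain="ISRG Root X1".
LONG_CHAIN = [LEAF, R3, ISRG_ROOT_X1_CROSS]
SHORT_CHAIN = [LEAF, R3]

# Constructed trust stores: a device that ships both roots, and an old one
# that only ever received DST Root CA X3.
MODERN_STORE = {c["subject"]: c for c in (DST_ROOT_CA_X3, ISRG_ROOT_X1)}
OLD_STORE = {c["subject"]: c for c in (DST_ROOT_CA_X3,)}


def _check_links(chain, today):
    """Every cert must be unexpired and signed by the next one in the chain."""
    for i, c in enumerate(chain):
        if today > c["not_after"]:
            return f"{c['subject']} expired on {c['not_after']}"
        if i + 1 < len(chain) and chain[i + 1]["subject"] != c["issuer"]:
            return f"{c['subject']} is not issued by {chain[i + 1]['subject']}"
    return None


def validate_end_of_chain(chain, store, today):
    """Old-style validator: take the server's chain as a whole, then require
    the issuer of its LAST certificate to be an unexpired trust anchor.
    This is the behaviour that fails on the long chain after 2021-09-30."""
    err = _check_links(chain, today)
    if err:
        return False, err
    root = store.get(chain[-1]["issuer"])
    if root is None:
        return False, f"no trusted root named {chain[-1]['issuer']}"
    if today > root["not_after"]:
        return False, f"trust anchor {root['subject']} expired on {root['not_after']}"
    return True, f"chain ends at trusted {root['subject']}"


def validate_shortest_path(chain, store, today):
    """Modern validator: walk the chain and stop at the first certificate
    whose issuer is an unexpired trust anchor, ignoring anything the server
    appended after that point."""
    for i, c in enumerate(chain):
        if today > c["not_after"]:
            return False, f"{c['subject']} expired on {c['not_after']}"
        root = store.get(c["issuer"])
        if root is not None and today <= root["not_after"]:
            return True, f"chain ends at trusted {root['subject']}"
        if i + 1 >= len(chain) or chain[i + 1]["subject"] != c["issuer"]:
            return False, f"no usable issuer for {c['subject']}"
    return False, "no unexpired trust anchor reachable from this chain"


if __name__ == "__main__":
    for name, chain in (("long chain", LONG_CHAIN), ("short chain", SHORT_CHAIN)):
        for day in (date(2021, 9, 29), date(2021, 10, 1)):
            print(f"{name} on {day}:",
                  "end-of-chain ->", validate_end_of_chain(chain, MODERN_STORE, day),
                  "| shortest-path ->", validate_shortest_path(chain, MODERN_STORE, day))
    print("short chain on a device without ISRG Root X1:",
          validate_shortest_path(SHORT_CHAIN, OLD_STORE, date(2021, 10, 1)))
```

Running it shows that the long chain fails only for the end-of-chain validator, and only from 1 October 2021 on, while the short chain passes for both, which is exactly what reissuing with --preferred-chain="ISRG Root X1" buys you. The last line shows the trade-off: a device that never received ISRG Root X1 cannot validate the short chain at all, which is why Let's Encrypt kept the long chain as the default (Android in particular tolerates an expired trust anchor, something this toy model deliberately does not).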
If you've done everything correctly, you should get a green message as such: