Guest Posted ... Does Airvpn consider having to implement dnssec on the current dns resolver servers which running the vpn? It will be a plus for all VPN users otherwise all our dns queries will still leak and prone to Man In Middle Attack to sniff our traffic. At the same time this help to minimize dns attacks on the VPN users. Currently i using other free Dns servers with Dnssec enable and no log keeping. Informative linkshttps://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions https://www.dnssec-tools.org/wiki/index.php/Main_Page Software required (Dnscrypt) https://www.dnscrypt.org/ Verify DNSSec has enabledhttp://dnssectest.sidnlabs.nl/ https://www.dnssec-tools.org/ http://dnssec.vs.uni-due.de/ Quote Share this post Link to post
Staff 9972 Posted ... Does Airvpn consider having to implement dnssec on the current dns resolver servers which running the vpn? It will be a plus for all VPN users otherwise all our dns queries will still leak and prone to Man In Middle Attack to sniff our traffic. Hello! The quoted text in bold is wrong, provided that your system queries VPN DNS, because your query never gets out of the VPN. Each VPN server runs a DNS server. Please see also https://airvpn.org/specs Kind regards 1 rickjames reacted to this Quote Share this post Link to post
zhang888 1066 Posted ... OP you are probably confusing between DNSSEC and DNSCrypt.They are 2 different things designed for completely unrelated DNS tasks. DNSSEC should be supported by your ccTLD as well, so it's not somethingyou can just "enable" on your client. DNSCrypt is useful, but only when you use it with 3d party (not AirVPN's) DNSservers. Since if you use Air's 10.4.0.1 that connection is already encrypted inthe VPN tunnel. But again, it has to be installed on your client and is not somethingAir can deploy for you. 1 rickjames reacted to this Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
Guest Posted ... Pardon me ,i may not be good at my writing but you can the link below for the dns attacks( redirect to phishing sites, sniff the web login password, etc) to be carried out, https://en.wikipedia.org/wiki/DNS_spoofing DNSSEC is to be setup on dns server. DNScrypt is meant to be used on the client side to communicate with the DNSSEC dns server. I thought AIRvpn is run by hacktivists. Currently i using 3rd parties dns with DNSSEC. http://servers.opennicproject.org/ https://dns.watch/index Note : Attack on Airvpn does not need to crack the encryption of the openvpn coonection. Through the unencrypted dns queries, cyber attacks on the vpn users through the dns. Quote Share this post Link to post
Staff 9972 Posted ... Note : Attack on Airvpn does not need to crack the encryption of the openvpn coonection. Through the unencrypted dns queries, cyber attacks on the vpn users through the dns. As it was already explained, there are no unencrypted DNS queries. Please write back assertive claims only after you have resolved your confusion. Kind regards 2 snaggle and rickjames reacted to this Quote Share this post Link to post
Air4141841 24 Posted ... 3 years later and airvpn still does not pass a dnssec test: https://dnssec.vs.uni-due.de/ i started a trial for another provider and their public servers DO pass a test running their tunnel and their public dns server (mullvad) i also request that Airvpn setup their DNS servers to pass the test above. this is my ONLY complaint with Airvpn. ever Quote Share this post Link to post
Guest Posted ... On 10/28/2018 at 10:14 AM, Air4141841 said: 3 years later and airvpn still does not pass a dnssec test: https://dnssec.vs.uni-due.de/ i started a trial for another provider and their public servers DO pass a test running their tunnel and their public dns server (mullvad) i also request that Airvpn setup their DNS servers to pass the test above. this is my ONLY complaint with Airvpn. ever Almost 6 years later, still no support. Is it possible for the staff to take a look at this issue once again? Thanks! Quote Share this post Link to post
OpenSourcerer 1435 Posted ... 13 hours ago, 02B5BC2935 said: Is it possible for the staff to take a look at this issue once again? Thanks! I sense I'll be repeating what was written prior, but anyway: What exactly do you personally think is the issue? Let's start this way. Quote Hide OpenSourcerer's signature Hide all signatures NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page. Share this post Link to post
SurprisedItWorks 49 Posted ... Let me just add the observation that only a few percent of domains you might be looking up in a DNS system are going to be DNSSEC signed anyway. While it's nice to have DNSSEC functioning as a sort of future proofing and for the rare cases when it matters now, becoming alarmed at its absence in a DNS system at this stage is seriously inappropriate. Example: in the US the only major financial institution that I can find that signs its DNS entries with DNSSEC is the Internal Revenue Service! Yes, irs.gov is signed, as are some other US-gov't agency sites. But the big banks do not use DNSSEC, and neither do the well-known large brokerage houses. (Every site foo.bank is a DNSSEC-signed bank site, but see https://www.register.bank/dotBANKers/# to see which banks have bothered. They're all small.) In the VPN world, AirVPN.org is signed, mullvad.net is signed, and privateinternetaccess.com is signed. Every other well-known VPN service that I've tried depends on unsigned DNS entries. So basically at present, DNSSEC from the consumer point of view is little more than a cute toy. 1 OpenSourcerer reacted to this Quote Share this post Link to post