
Does AirVPN consider implementing DNSSEC on the current DNS resolver servers which are running the VPN? It will be a plus for all VPN users, otherwise all our DNS queries will still leak and be prone to man-in-the-middle attacks that sniff our traffic. At the same time this helps to minimize DNS attacks on the VPN users.

Currently I am using other free DNS servers with DNSSEC enabled and no log keeping.

Informative links

https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

https://www.dnssec-tools.org/wiki/index.php/Main_Page

Software required (DNSCrypt)

https://www.dnscrypt.org/

Verify DNSSEC is enabled

http://dnssectest.sidnlabs.nl/

https://www.dnssec-tools.org/

http://dnssec.vs.uni-due.de/


Does AirVPN consider implementing DNSSEC on the current DNS resolver servers which are running the VPN? It will be a plus for all VPN users, otherwise all our DNS queries will still leak and be prone to man-in-the-middle attacks that sniff our traffic.

 

Hello!

 

The quoted text in bold is wrong, provided that your system queries VPN DNS, because your query never gets out of the VPN. Each VPN server runs a DNS server. Please see also https://airvpn.org/specs

 

Kind regards


OP, you are probably confusing DNSSEC and DNSCrypt. They are 2 different things designed for completely unrelated DNS tasks.

DNSSEC should be supported by your ccTLD as well, so it's not something you can just "enable" on your client.

DNSCrypt is useful, but only when you use it with 3rd-party (not AirVPN's) DNS servers, since if you use Air's 10.4.0.1 that connection is already encrypted in the VPN tunnel. But again, it has to be installed on your client and is not something Air can deploy for you.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


Pardon me, I may not be good at writing, but you can see the link below for the DNS attacks (redirect to phishing sites, sniff the web login password, etc.) to be carried out:

https://en.wikipedia.org/wiki/DNS_spoofing

DNSSEC is to be set up on the DNS server.

DNSCrypt is meant to be used on the client side to communicate with the DNSSEC DNS server.

I thought AirVPN is run by hacktivists.

Currently I am using 3rd-party DNS with DNSSEC.

http://servers.opennicproject.org/

https://dns.watch/index

Note: An attack on AirVPN does not need to crack the encryption of the OpenVPN connection. Through the unencrypted DNS queries, cyber attacks can be made on the VPN users through the DNS.


Note: An attack on AirVPN does not need to crack the encryption of the OpenVPN connection. Through the unencrypted DNS queries, cyber attacks can be made on the VPN users through the DNS.

 

As it was already explained, there are no unencrypted DNS queries. Please write back assertive claims only after you have resolved your confusion.

 

Kind regards


3 years later and AirVPN still does not pass a DNSSEC test: https://dnssec.vs.uni-due.de/

I started a trial for another provider and their public servers DO pass a test running their tunnel and their public DNS server (Mullvad).

I also request that AirVPN set up their DNS servers to pass the test above.

This is my ONLY complaint with AirVPN. Ever.

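A common way to check whether a resolver validates DNSSEC, shown here as an added example that is not part of any post in this thread: send a query with the EDNS0 DO bit set, then read the AD flag and RCODE of the reply for a correctly signed name and for a deliberately mis-signed one. The response headers, the name `signed.example` and the function names below are constructed for illustration; nothing is sent on the network, and the test page linked above may work differently.

```python
import struct

AD, RCODE_MASK, SERVFAIL = 0x0020, 0x000F, 2   # DNS header flag bits and RCODE 2

def build_query(name, qtype=1, txid=0x1234):
    """DNS query with RD=1 plus an EDNS0 OPT record whose DO bit asks for DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = flags (DO = 0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_flags(msg):
    """Extract the AD (authenticated data) bit and the RCODE from a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"ad": bool(flags & AD), "rcode": flags & RCODE_MASK}

def classify_resolver(signed_resp, broken_resp):
    """Compare replies for a validly signed name and a deliberately mis-signed name."""
    signed, broken = parse_flags(signed_resp), parse_flags(broken_resp)
    # A validating resolver sets AD on good data and refuses bad data with SERVFAIL.
    if signed["rcode"] == 0 and signed["ad"] and broken["rcode"] == SERVFAIL:
        return "validating"
    # A non-validating resolver answers both names normally and never sets AD.
    if signed["rcode"] == 0 and not signed["ad"] and broken["rcode"] == 0:
        return "not validating"
    return "inconclusive"

def sample_header(flags):
    """Constructed 12-byte response header (sample data, not a captured packet)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)

# Constructed reply pairs: (signed name, mis-signed name)
VALIDATING = (sample_header(0x81A0), sample_header(0x8182))  # AD set / SERVFAIL
PLAIN = (sample_header(0x8180), sample_header(0x8180))       # no AD / NOERROR

if __name__ == "__main__":
    print(build_query("signed.example").hex())
    print(classify_resolver(*VALIDATING), "/", classify_resolver(*PLAIN))
```

The check concerns whether answers are authenticated by the resolver; whether the path to that resolver is encrypted (VPN tunnel or DNSCrypt) is a separate property that these header bits say nothing about.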
On 10/28/2018 at 10:14 AM, Air4141841 said:

3 years later and AirVPN still does not pass a DNSSEC test: https://dnssec.vs.uni-due.de/

I started a trial for another provider and their public servers DO pass a test running their tunnel and their public DNS server (Mullvad).

I also request that AirVPN set up their DNS servers to pass the test above.

This is my ONLY complaint with AirVPN. Ever.


Almost 6 years later, still no support.

Is it possible for the staff to take a look at this issue once again? Thanks!

13 hours ago, 02B5BC2935 said:

Is it possible for the staff to take a look at this issue once again? Thanks!


I sense I'll be repeating what was written prior, but anyway: What exactly do you personally think is the issue? Let's start this way.

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique among the mass again.


Let me just add the observation that only a few percent of domains you might be looking up in a DNS system are going to be DNSSEC signed anyway. While it's nice to have DNSSEC functioning as a sort of future proofing and for the rare cases when it matters now, becoming alarmed at its absence in a DNS system at this stage is seriously inappropriate. Example: in the US the only major financial institution that I can find that signs its DNS entries with DNSSEC is the Internal Revenue Service! Yes, irs.gov is signed, as are some other US-gov't agency sites. But the big banks do not use DNSSEC, and neither do the well-known large brokerage houses. (Every site foo.bank is a DNSSEC-signed bank site, but see https://www.register.bank/dotBANKers/# to see which banks have bothered. They're all small.) In the VPN world, AirVPN.org is signed, mullvad.net is signed, and privateinternetaccess.com is signed. Every other well-known VPN service that I've tried depends on unsigned DNS entries. So basically at present, DNSSEC from the consumer point of view is little more than a cute toy.
