Alex_Sung 0 Posted ...

Does AirVPN consider implementing DNSSEC on the current DNS resolver servers which are running the VPN? It will be a plus for all VPN users, otherwise all our DNS queries will still leak and be prone to a man-in-the-middle attack to sniff our traffic. At the same time this helps to minimize DNS attacks on the VPN users.

Currently I am using other free DNS servers with DNSSEC enabled and no log keeping.

Informative links
https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
https://www.dnssec-tools.org/wiki/index.php/Main_Page

Software required (DNSCrypt)
https://www.dnscrypt.org/

Verify DNSSEC is enabled
http://dnssectest.sidnlabs.nl/
https://www.dnssec-tools.org/
http://dnssec.vs.uni-due.de/
Staff 8688 Posted ...

> Does AirVPN consider implementing DNSSEC on the current DNS resolver servers which are running the VPN? It will be a plus for all VPN users, otherwise all our DNS queries will still leak and be prone to a man-in-the-middle attack to sniff our traffic.

Hello!

The quoted text in bold is wrong, provided that your system queries VPN DNS, because your query never gets out of the VPN. Each VPN server runs a DNS server. Please see also https://airvpn.org/specs

Kind regards
zhang888 1060 Posted ...

OP, you are probably confusing DNSSEC with DNSCrypt. They are 2 different things designed for completely unrelated DNS tasks.

DNSSEC should be supported by your ccTLD as well, so it's not something you can just "enable" on your client.

DNSCrypt is useful, but only when you use it with 3rd party (not AirVPN's) DNS servers, since if you use Air's 10.4.0.1 that connection is already encrypted in the VPN tunnel. But again, it has to be installed on your client and is not something Air can deploy for you.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
Alex_Sung 0 Posted ...

Pardon me, I may not be good at my writing, but you can see the link below for the DNS attacks (redirect to phishing sites, sniff the web login password, etc.) that can be carried out:
https://en.wikipedia.org/wiki/DNS_spoofing

DNSSEC is to be set up on the DNS server. DNSCrypt is meant to be used on the client side to communicate with the DNSSEC DNS server.

I thought AirVPN is run by hacktivists.

Currently I am using 3rd party DNS with DNSSEC.
http://servers.opennicproject.org/
https://dns.watch/index

Note: Attack on AirVPN does not need to crack the encryption of the OpenVPN connection. Through the unencrypted DNS queries, cyber attacks on the VPN users through the DNS.
Staff 8688 Posted ...

> Note: Attack on AirVPN does not need to crack the encryption of the OpenVPN connection. Through the unencrypted DNS queries, cyber attacks on the VPN users through the DNS.

As it was already explained, there are no unencrypted DNS queries. Please write back assertive claims only after you have resolved your confusion.

Kind regards
Air4141841 12 Posted ...

3 years later and AirVPN still does not pass a DNSSEC test:
https://dnssec.vs.uni-due.de/

I started a trial for another provider and their public servers DO pass a test running their tunnel and their public DNS server (Mullvad).

I also request that AirVPN set up their DNS servers to pass the test above. This is my ONLY complaint with AirVPN. Ever.
02B5BC2935 0 Posted ...

On 10/28/2018 at 10:14 AM, Air4141841 said:
> 3 years later and AirVPN still does not pass a DNSSEC test: https://dnssec.vs.uni-due.de/
> I started a trial for another provider and their public servers DO pass a test running their tunnel and their public DNS server (Mullvad).
> I also request that AirVPN set up their DNS servers to pass the test above. This is my ONLY complaint with AirVPN. Ever.

Almost 6 years later, still no support. Is it possible for the staff to take a look at this issue once again? Thanks!
OpenSourcerer 968 Posted ...

13 hours ago, 02B5BC2935 said:
> Is it possible for the staff to take a look at this issue once again? Thanks!

I sense I'll be repeating what was written prior, but anyway: What exactly do you personally think is the issue? Let's start this way.

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.
» The forums are a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.
» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.
» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).
» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.
» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique among the mass again.
SurprisedItWorks 9 Posted ...

Let me just add the observation that only a few percent of domains you might be looking up in a DNS system are going to be DNSSEC signed anyway. While it's nice to have DNSSEC functioning as a sort of future proofing and for the rare cases when it matters now, becoming alarmed at its absence in a DNS system at this stage is seriously inappropriate.

Example: in the US the only major financial institution that I can find that signs its DNS entries with DNSSEC is the Internal Revenue Service! Yes, irs.gov is signed, as are some other US-gov't agency sites. But the big banks do not use DNSSEC, and neither do the well-known large brokerage houses. (Every site foo.bank is a DNSSEC-signed bank site, but see https://www.register.bank/dotBANKers/# to see which banks have bothered. They're all small.)

In the VPN world, AirVPN.org is signed, mullvad.net is signed, and privateinternetaccess.com is signed. Every other well-known VPN service that I've tried depends on unsigned DNS entries.

So basically at present, DNSSEC from the consumer point of view is little more than a cute toy.
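Added example, not part of any post in this thread: a common way to tell whether a resolver validates DNSSEC is to compare its reply for a correctly signed name with its reply for a deliberately mis-signed one. The Python below decodes the DNS header of both replies and gives a verdict; the function names and the sample headers are constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035 section 4.1.1; AD bit from RFC 4035)
QR = 0x8000          # message is a response
AD = 0x0020          # Authenticated Data: resolver validated the answer
RCODE_MASK = 0x000F
NOERROR, SERVFAIL = 0, 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a raw message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "response": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & RCODE_MASK, "answers": an}


def classify_resolver(signed_reply: bytes, bogus_reply: bytes) -> str:
    """Compare replies for a validly signed name and a mis-signed name."""
    good, bad = parse_header(signed_reply), parse_header(bogus_reply)
    if not (good["response"] and bad["response"]):
        raise ValueError("both inputs must be DNS responses")
    if good["rcode"] != NOERROR or good["answers"] == 0:
        return "inconclusive"      # control lookup failed, nothing to compare
    if bad["rcode"] == SERVFAIL:
        return "validating"        # bad signatures were rejected
    if bad["rcode"] == NOERROR and bad["answers"] > 0:
        return "not validating"    # mis-signed data was passed through
    return "inconclusive"


def header(flags: int, answers: int) -> bytes:
    """Build a constructed header: ID 0x1234, one question, N answers."""
    return struct.pack("!6H", 0x1234, flags, 1, answers, 0, 0)


# Constructed sample replies (headers only), not captured from any real server.
VALIDATING = (header(0x81A0, 1), header(0x8182, 0))      # AD set / SERVFAIL
NON_VALIDATING = (header(0x8180, 1), header(0x8180, 1))  # both answered

if __name__ == "__main__":
    print(classify_resolver(*VALIDATING))
    print(classify_resolver(*NON_VALIDATING))
```

The AD bit is decoded but not used for the verdict, because resolvers set it only when the query asks for it (DO or AD bit set in the request).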