Jump to content
Not connected, Your IP: 18.204.42.98
NoClipMode

ANSWERED DNS over HTTPS - Is it even needed anymore when using AirVPN?

Recommended Posts

I use DNS over HTTPS (DoH) with Firefox, and i also use Simple DNSCrypt on Windows 10 for DoH, so that all DNS traffic is encrypted. I use the Cloudflare 1.1.1.1 DNS for both methods.
So i have a few questions about this because i've no idea if i should be using DoH anymore...

Does using DNS over HTTPS compromise AirVPN's privacy/security in any way? 

If i'm using AirVPN is there even any point in using DoH any more? For example, i'm guessing that AirVPN will no longer use my ISP's DNS and will also use DNS encryption, making DoH pointless? And i noticed that when connected to AirVPN it overrides the DNS settings of Simple DNSCrypt anyway.

Lastly, should i disable DoH in Firefox? Because it seems to still be connecting to 1.1.1.1 even when i'm using AirVPN.

Share this post


Link to post
8 hours ago, NoClipMode said:

Does using DNS over HTTPS compromise AirVPN's privacy/security in any way? 


No, it'll be usual encrypted traffic over OpenVPN.
 
8 hours ago, NoClipMode said:

If i'm using AirVPN is there even any point in using DoH any more?


If you use 1.1.1.1, yes, because the OpenVPN encryption is only active between you and the OpenVPN server, and anything beyond it remains "normal", e.g., DNS will still be unencrypted, HTTPS still encrypted, etc.
If you use AirDNS, DNS over HTTPS might be overkill. :)
 
8 hours ago, NoClipMode said:

Lastly, should i disable DoH in Firefox? Because it seems to still be connecting to 1.1.1.1 even when i'm using AirVPN.


How do you control it in Firefox? I briefly searched about:config for "DNS", "crypt", "secure" and "https" but didn't find anything relevant. 😮

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

Thanks for the help!
So to be clear, will my ISP be able to see what sites i visit if i just use AirVPN? It sounds like they can't if encryption is active between me and the OpenVPN/AirVPN server? I only really care about that part in regards to DoH, because in my country the ISP keeps logs of every site people visit for an entire year.
 
17 minutes ago, giganerd said:
How do you control it in Firefox? I briefly searched about:config for "DNS", "crypt", "secure" and "https" but didn't find anything relevant. 😮

In Firefox go to about:config and:
1. Search for "network.trr.bootstrapaddress" and change the value to 1.1.1.1
2. Search for "network.trr.mode" and change the value to 3 (this will force DoH, and a value of 2 will use regular DNS as a fallback)
3. Search for "network.trr.uri" and set the value to https://mozilla.cloudflare-dns.com/dns-query

Then you can go to https://1.1.1.1/help to see if it's working :)

Share this post


Link to post
14 hours ago, NoClipMode said:

will my ISP be able to see what sites i visit if i just use AirVPN? It sounds like they can't if encryption is active between me and the OpenVPN/AirVPN server?


Encryption is always on, therefore, no, they can't. :) Unless you suffer from a DNS leak, of course.

I've seen these options in a Firefox release but not in Waterfox (what I'm currently using). The latter is supposed to have feature parity with the newest Firefox release but it clearly doesn't. 😠

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post
7 hours ago, giganerd said:
I've seen these options in a Firefox release but not in Waterfox (what I'm currently using). The latter is supposed to have feature parity with the newest Firefox release but it clearly doesn't. 😠

Yeah i noticed that too, it's why i stopped using Waterfox because it seems to be a little behind with new features. But ideally it would be best if DoH was supported in the router firmware although literally no routers support it yet. But Android Pie has DNS over TLC (DoT) built in to the OS, which practically does the same thing ,,,But i prefer DoH, because DoT uses it's own dedicated port, which means it can be blocked.

Share this post


Link to post

The only real problem with DNS over HTTPS I'm seeing right now is that it can lead to a centralization of the web (to some extent at least). If only a few providers offer it (Google and Cloudflare, to name a few big ones), and therefore everyone is using them, there will be no diversity. We know what Google does with DNS requests while Cloudfront at least has got the benefit of the doubt right now with their "privacy is key", "we don't care what sites we protect with our DDoS protection" attitude. It can change and then we resolve our queries at a malevolent, central location, which contradicts the design of the current internet a bit.


» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post

DNSCrypt is not a standard of IETF. DoH is.
Define your own scope, a standard protocol with internet giants, or a non-standard one with volunteers.
The end case is the same, they are both end-to-end encrypted, so you are safe from your ISP/VPN, just
decide which party you prefer to trust more. Personally I go with a Torified DoH everywhere in Qubes.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

I'm using this topic than opening another one just to keep the topic under the same umbrella.

I'm fully aware that AIRVPN has its own DNS servers and DNS addresses, that any request to them is protected because processed inside the tunnel (except for the leaks of course) and I know that the relationship between a user and his VPN provider is mainly a matter of trust (I'm not complaining about this).

Recently, it has come up that DNS queries are a possible privacy issue because Internet Service Providers can eavesdrop and manipulate them; thus Mozilla and Google have looked out for a way to mitigate the problem and the solution they found is the so-called DNS-over-HTTP (DoH). Cloudflare thought this was not enough so it also proposed to encrypt the Server Name Identification that it is still in an experimental phase.

As written here https://www.eff.org/it/deeplinks/2018/09/esni-privacy-protecting-upgrade-https "Hosting providers and CDNs (like Cloudflare) still know which sites users access when ESNI is in use" so maybe it wouldn't a great deal to implement it on AIR but it is also written that "ESNI can also potentially work over VPNs or Tor, adding another layer of privacy protections."

Now, I know that AIRVPN does not store the DNS queries and does not eavesdrop them, but for the aforementioned reasons I wanted to ask if could it be technologically feasible to fully implement the RFC 8484 (proposed) standard and Encrypted Server Name Identification thus increasing user privacy and security by preventing "possible" eavesdropping and manipulation of DNS data? (I want to repeat it again, just to be crystal clear and not being misunderstood: I am totally happy with AIRVPN and I think the Staff is doing a great job. Period)

I'm neither asking to implement DoH and ESNI now and here nor to implement them in the future but just to talk about the topic, think on it and understand if it could be something reasonable to implement when the Staff will believe it is the right moment, something over-killing or totally useless.

Share this post


Link to post
6 hours ago, jeuia3e9x74uxu6wk0r2u9kdos said:

I'm using this topic than opening another one just to keep the topic under the same umbrella.

I'm fully aware that AIRVPN has its own DNS servers and DNS addresses, that any request to them is protected because processed inside the tunnel (except for the leaks of course) and I know that the relationship between a user and his VPN provider is mainly a matter of trust (I'm not complaining about this).

Recently, it has come up that DNS queries are a possible privacy issue because Internet Service Providers can eavesdrop and manipulate them; thus Mozilla and Google have looked out for a way to mitigate the problem and the solution they found is the so-called DNS-over-HTTP (DoH). Cloudflare thought this was not enough so it also proposed to encrypt the Server Name Identification that it is still in an experimental phase.

As written here https://www.eff.org/it/deeplinks/2018/09/esni-privacy-protecting-upgrade-https "Hosting providers and CDNs (like Cloudflare) still know which sites users access when ESNI is in use" so maybe it wouldn't a great deal to implement it on AIR but it is also written that "ESNI can also potentially work over VPNs or Tor, adding another layer of privacy protections."

Now, I know that AIRVPN does not store the DNS queries and does not eavesdrop them, but for the aforementioned reasons I wanted to ask if could it be technologically feasible to fully implement the RFC 8484 (proposed) standard and Encrypted Server Name Identification thus increasing user privacy and security by preventing "possible" eavesdropping and manipulation of DNS data? (I want to repeat it again, just to be crystal clear and not being misunderstood: I am totally happy with AIRVPN and I think the Staff is doing a great job. Period)

I'm neither asking to implement DoH and ESNI now and here nor to implement them in the future but just to talk about the topic, think on it and understand if it could be something reasonable to implement when the Staff will believe it is the right moment, something over-killing or totally useless.



Is this necessary if there are no logs kept anyway?

Share this post


Link to post
9 hours ago, jeuia3e9x74uxu6wk0r2u9kdos said:

it is also written that "ESNI can also potentially work over VPNs or Tor, adding another layer of privacy protections."

2 hours ago, go558a83nk said:

Is this necessary if there are no logs kept anyway?


Addon: Is this necessary if that layer of encryption will stop at the AirVPN server as the already encrypted tunnel will? Also, who will you be hiding your DNS queries from?

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post


Link to post
Posted ... (edited)

If the VPN providers infrastructure is compromised isn’t there’s a risk of having your dns queries read by unwanted parties? Using secure dns would remove that risk. I think it’s best to put even less trust in vpn providers than your own isp. I think it’s safe to say don’t put all your eggs(data) in one basket?

Edited ... by Fihnns

Share this post


Link to post
2 hours ago, Fihnns said:

If the VPN providers infrastructure is compromised isn’t there’s a risk of having your dns queries read by unwanted parties? Using secure dns would remove that risk. I think it’s best to put even less trust in vpn providers than your own isp. I think it’s safe to say don’t put all your eggs(data) in one basket?


Hello!

Unfortunately not, because under the scenario you describe the attacking adversary would not need to catch your DNS queries to see your traffic destinations and origin. You can defeat the adversary anyway with "partition of trust", for example by connecting to Tor after you have connected to the VPN.

Kind regards
 

Share this post


Link to post
On 11/25/2019 at 10:16 AM, Staff said:

Hello!

Unfortunately not, because under the scenario you describe the attacking adversary would not need to catch your DNS queries to see your traffic destinations and origin. You can defeat the adversary anyway with "partition of trust", for example by connecting to Tor after you have connected to the VPN.

Kind regards
 
 Even if the attacking adversary would not need to catch your DNS queries they still can catch your dns traffic if they could, employees/insiders who work for the company could maliciously collect if they wanted to. That’s why having a secure dns that goes though the vpn infrastructure is an added security. Partition of trust still has a flaw that could be improved, the final vpn tunnel will still send your dns queries unencrypted. Just because a vpn company states they don’t log users data it doesn’t mean someone on the inside covertly could.

Share this post


Link to post
8 hours ago, Fihnns said:
On 11/25/2019 at 11:16 AM, Staff said:

 
 Even if the attacking adversary would not need to catch your DNS queries they still can catch your dns traffic if they could, employees/insiders who work for the company could maliciously collect if they wanted to. That’s why having a secure dns that goes though the vpn infrastructure is an added security. Partition of trust still has a flaw that could be improved, the final vpn tunnel will still send your dns queries unencrypted. Just because a vpn company states they don’t log users data it doesn’t mean someone on the inside covertly could.

Hello!

Let's fix some very bad misconceptions.

1. That's false, the attacking adversary can not catch your DNS queries when tunneled into the VPN, unless he/she is inside your machine with administrator privileges, in which case of course neither DNSCrypt nor VPN nor Tor can defend you.

2. Incorrect. When you connect Tor over OpenVPN:
  • the final VPN server sends everything encrypted to Tor entry-node
  • VPN server can not even discern the type of traffic, because the whole payload is still encrypted by Tor, DNS queries included
  • your ISP or network administrators will not see that you're using Tor because its traffic is still wrapped into OpenVPN TCP or UDP tunnel. DNS queries are inside Tor tunnel which is inside OpenVPN tunnel
  • Tor can not see your real IP address
  • Tor circuit is renewed at each new TCP stream
  • a malicious datacenter or a rogue VPN company will see nothing of your traffic content, as it's encrypted traffic unreadable to them (that's why some rogue VPNs blocked Tor traffic, they can't mine your data)

Kind regards
 

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...