Jump to content
Not connected, Your IP: 3.133.152.26
Sign in to follow this  
FPyro

DNS security

Recommended Posts

Hi!

I've read about some interesting new technology on here: https://www.opendns.com/technology/dnscrypt/

It's supposed to encrypt your dns queries and prevent all sorts of attacks.

You seem to know a lot about privacy and internet security, so I'd like to konw what are your thoughts on this.

OpenDNS seems to think everybody needs it.

And does it make a difference when connected to a vpn, which encrypts everything anyway, DNS included (right?).

Thank you

Share this post


Link to post

Hi!

I've read about some interesting new technology on here: https://www.opendns.com/technology/dnscrypt/

It's supposed to encrypt your dns queries and prevent all sorts of attacks.

You seem to know a lot about privacy and internet security, so I'd like to konw what are your thoughts on this.

OpenDNS seems to think everybody needs it.

And does it make a difference when connected to a vpn, which encrypts everything anyway, DNS included (right?).

Thank you

It does indeed prevent evildoers from examining your traffic while communicating with your DNS provider of choice, but it doesn't do anything I'm aware of to make certain your DNS server is sending you authoritative, unaltered data. That's what DNSSEC is for. For serious security and privacy, you'd need to use both.

Google DNS has mostly(?) implemented DNSSEC now, although a lot of TLDs still aren't signed, so it won't do much good for quite a lot of sites. Hardly anyone uses or supports DNSCurve (the technology you're referring to), so it's not a lot of good, either. Notice that OpenDNS' implementation is largely stagnant.

As for your DNS traffic traveling over AirVPN, yes, it's encrypted from you to AirVPN, so long as your configuration isn't "leaking" DNS (running queries outside the firewall). (Some badly-coded; extremely well-coded; or potentially malicious code may have its own IP stack that's not constrained by configuring Windows' / Linux' / OSX' / whatever's resolver. That's an entire other topic.)

The caveats are:

*Nothing is encrypting the DNS traffic between AirVPN, so people can see what AirVPN users are doing, at least in aggregate;

* Without a complete DNSSEC path from your DNS resolver to AirVPN's DNS forwarders to Google DNS, it's impossible to be certain when someone is attempting to return tainted DNS results

(You have DNSSEC enabled in your resolver, right? No? Well, join the club.)

Share this post


Link to post

I'm not quite sure you're right there in the last part.

Isn't it true that the whole traffic, including the dns requests, will be encrypted as soon as they leave your virtual network card (the tun/tap adapter)? So nobody can interfere with your dns as soon as you're connected to Air. Only when leaving the Air server will it become unencrypted, but then nobdy can know that the request came from you, since you share the ip with lots of other people, right?

So encrypting the dns only makes sense when NOT connected to air, right? OR if you don't think the openVPN encryption is save for whatever reason.

Please correct me if I'm mistaken.

Thanks

Share this post


Link to post

I'm not quite sure you're right there in the last part.

Isn't it true that the whole traffic, including the dns requests, will be encrypted as soon as they leave your virtual network card (the tun/tap adapter)? So nobody can interfere with your dns as soon as you're connected to Air. Only when leaving the Air server will it become unencrypted, but then nobdy can know that the request came from you, since you share the ip with lots of other people, right?

So encrypting the dns only makes sense when NOT connected to air, right? OR if you don't think the openVPN encryption is save for whatever reason.

Please correct me if I'm mistaken.

Thanks

Unfortunately, DNS was originally designed with a great deal of implicit trust, so encrypting the traffic between you and AirVPN doesn't necessarily cure everything.

https://en.wikipedia.org/wiki/DNS_spoofing

Also, things like this happen:

http://www.theregister.co.uk/2010/04/09/china_bgp_interweb_snafu/ -- more details and more (known) incidents at https://en.wikipedia.org/wiki/IP_hijacking

Finally, this kind of thing can happen:

http://www.dcwg.org/

Share this post


Link to post

I'm not quite sure you're right there in the last part.

Isn't it true that the whole traffic, including the dns requests, will be encrypted as soon as they leave your virtual network card (the tun/tap adapter)? So nobody can interfere with your dns as soon as you're connected to Air. Only when leaving the Air server will it become unencrypted, but then nobdy can know that the request came from you, since you share the ip with lots of other people, right?

So encrypting the dns only makes sense when NOT connected to air, right? OR if you don't think the openVPN encryption is save for whatever reason.

Please correct me if I'm mistaken.

Thanks ;)

Unfortunately, DNS was originally designed with a great deal of implicit trust, so encrypting the traffic between you and AirVPN doesn't necessarily cure everything.

https://en.wikipedia.org/wiki/DNS_spoofing

Hello!

It must be said that connection to Air makes your system immune to DNS spoofing as long as you use the VPN DNS (and you don't have malware or hosts interfering software rewriting your hosts file, but in this trivial case neither DNSSEC can save you, obviously).

Also, things like this happen:

http://www.theregister.co.uk/2010/04/09/china_bgp_interweb_snafu/ -- more details and more (known) incidents at https://en.wikipedia.org/wiki/IP_hijacking

And it must also be noted that things like that can't happen AFTER the connection to an Air VPN server (of course China has still the power to perform IP hi-jacking against our servers IP addresses and prevent connections or cause disconnections to our Chinese users).

Kind regards

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...