FPyro

DNS security


Hi!

I've read about some interesting new technology on here: https://www.opendns.com/technology/dnscrypt/

It's supposed to encrypt your DNS queries and prevent all sorts of attacks.

You seem to know a lot about privacy and internet security, so I'd like to know what your thoughts on this are.

OpenDNS seems to think everybody needs it.

And does it make a difference when connected to a VPN, which encrypts everything anyway, DNS included (right?).

Thank you



It does indeed prevent evildoers from examining your traffic while communicating with your DNS provider of choice, but it doesn't do anything I'm aware of to make certain your DNS server is sending you authoritative, unaltered data. That's what DNSSEC is for. For serious security and privacy, you'd need to use both.

Google DNS has mostly(?) implemented DNSSEC now, although a lot of TLDs still aren't signed, so it won't do much good for quite a lot of sites. Hardly anyone uses or supports DNSCurve (the technology you're referring to), so it's not a lot of good, either. Notice that OpenDNS' implementation is largely stagnant.

As for your DNS traffic traveling over AirVPN, yes, it's encrypted from you to AirVPN, so long as your configuration isn't "leaking" DNS (running queries outside the firewall). (Some badly coded, extremely well coded, or potentially malicious code may have its own IP stack that's not constrained by configuring the Windows / Linux / OS X / whatever resolver. That's an entirely different topic.)

The caveats are:

* Nothing is encrypting the DNS traffic between AirVPN, so people can see what AirVPN users are doing, at least in aggregate;

* Without a complete DNSSEC path from your DNS resolver to AirVPN's DNS forwarders to Google DNS, it's impossible to be certain when someone is attempting to return tainted DNS results.

(You have DNSSEC enabled in your resolver, right? No? Well, join the club.)
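The distinction the post above draws, between an encrypted channel to the resolver (DNSCrypt, or the VPN tunnel) and authenticated answers (DNSSEC), shows up directly in the DNS header. The following is an added example in Python, not code from the thread or from OpenDNS: it builds a query that sets the EDNS0 DO bit and classifies a response by its AD flag and RCODE, which is what a resolver check for "is DNSSEC actually being validated for me?" looks at. The sample responses are constructed byte strings, not captured traffic.

```python
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000  # DNSSEC OK bit in the OPT record TTL field (RFC 3225)

def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Recursive A query with an EDNS0 OPT record carrying the DO bit.
    DO only asks the resolver to include RRSIG/DNSKEY data; whether the
    resolver *validates* is its own policy, reported back via the AD flag."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/DO, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt

def parse_header(resp):
    """Parse the 12-byte DNS header into a dict of the fields that matter here."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": txid,
        "response": bool(flags & FLAG_QR),
        "recursion_available": bool(flags & FLAG_RA),
        "authenticated_data": bool(flags & FLAG_AD),  # resolver validated the chain
        "checking_disabled": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "answers": an,
    }

def validation_status(resp):
    """AD set: the resolver validated DNSSEC. No AD: unauthenticated data, even if
    it arrived over DNSCrypt or a VPN tunnel. SERVFAIL is what a validating resolver
    returns when the chain is bogus (which is also what it returns for plain outages)."""
    h = parse_header(resp)
    if h["rcode"] == 2:
        return "servfail (possibly failed DNSSEC validation)"
    return "validated" if h["authenticated_data"] else "unauthenticated"

# Constructed sample responses: header only, since that is all the check reads.
RESP_VALIDATED = struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
RESP_PLAIN = struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
RESP_BOGUS = struct.pack(">HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 1)
```

To check a live resolver, send `build_query("example.com")` over UDP port 53 to the resolver you actually use behind the tunnel and run `validation_status()` on the reply; a validating resolver answers signed zones with AD set.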


I'm not quite sure you're right there in the last part.

Isn't it true that the whole traffic, including the DNS requests, will be encrypted as soon as it leaves your virtual network card (the tun/tap adapter)? So nobody can interfere with your DNS as soon as you're connected to Air. Only when leaving the Air server will it become unencrypted, but then nobody can know that the request came from you, since you share the IP with lots of other people, right?

So encrypting the DNS only makes sense when NOT connected to Air, right? Or if you don't think the OpenVPN encryption is safe for whatever reason.

Please correct me if I'm mistaken.

Thanks



Unfortunately, DNS was originally designed with a great deal of implicit trust, so encrypting the traffic between you and AirVPN doesn't necessarily cure everything.

https://en.wikipedia.org/wiki/DNS_spoofing

Also, things like this happen:

http://www.theregister.co.uk/2010/04/09/china_bgp_interweb_snafu/ -- more details and more (known) incidents at https://en.wikipedia.org/wiki/IP_hijacking

Finally, this kind of thing can happen:

http://www.dcwg.org/



Hello!

It must be said that connecting to Air makes your system immune to DNS spoofing as long as you use the VPN DNS (and you don't have malware or hosts-interfering software rewriting your hosts file, but in that trivial case DNSSEC can't save you either, obviously).

> Also, things like this happen:
>
> http://www.theregister.co.uk/2010/04/09/china_bgp_interweb_snafu/ -- more details and more (known) incidents at https://en.wikipedia.org/wiki/IP_hijacking

And it must also be noted that things like that can't happen AFTER the connection to an Air VPN server (of course China still has the power to perform IP hijacking against our servers' IP addresses and prevent connections or cause disconnections for our Chinese users).

Kind regards
