SAD DNS - temporary script workaround.
-
@Steffie Oh silly me. Wrt my last question... i forgot about my old bookmark:
-
@Steffie ...aaaaaaand so now having just run that test, for my Cloudflare & Quad9 DNS' extant since my 19/5/20 deployment of Dnscrypt-proxy for DoH, & seeing my results:
Anti-Spoofing Safety: Excellent
External Query: ignored (This means the nameserver is more spoof resistant.)
DNSSEC Security: supported (This server supports improved security standards.)
... i have now officially decided to ignore this whole issue [including eschewing this workaround i posted].
Sorry for the thread, everyone.
-
@Steffie . same, using 9.9.9.9 and 1.1.1.1 with DNScrypt
-
Hmm, interesting link nonetheless. Does it apply to DoT and DoH?
-
@npro I might be misunderstanding your question, but fwiw [hoping this is what you mean]: though as we know Nix chromium still has no native DoH nor DoT, but via my deployment of Dnscrypt-proxy i effectively do have DoH... & it was in that mode i ran the dns spoof tests above.
-
@Steffie I meant does it affect users (as he spoke of desktop) using DoH and DoT as well, or it is indifferent to that? (also both can be enabled system-wide, dnscrypt is extra)
-
@npro This post is not sarcastic, it's genuine. Also, i have had my first coffee for the day, so i can't now blame that. My only excuse therefore is this:
https://www.youtube.com/watch?v=E-La91wr8xw
...i am sorry, but genuinely i still do not understand what you're asking me, given that my best guess previously seems to be wrong.
I saw your earlier post arrive last night, & couldn't understand it then [other than my attempted reply]. I'd hoped that after sleep i would get it, but unfortunately still i don't... including your new follow-up question. Maybe someone else can better advise you here than i?
-
@Steffie Yeah just don't bother. It's an "average Joe" question from me, meaning I have no clue what this is about, nor have I heard about that poisoning drama before, plus I didn't ever bother diving into more advanced "DNS matters" as well; my knowledge stops at trivial stuff of what it is+DoT+DoH. These days there are so many things that need to be studied thoroughly by someone in order to understand and be protected from whatever threat, script, configuration, etc., for which I don't have the time (and more importantly the mental "capacity") to do so, so for selected ones I have to rely on more advanced users' approval sigil of "am I safe as I am now?"
-
I asked the author of DNSCrypt if this is a possible issue because the SAD DNS test on the project site failed each of the resolvers I tested.
Due to the way it works it has always been protected against this type of attack.
https://github.com/DNSCrypt/dnscrypt-proxy/issues/1508
So one more reason you should all swap to a better DNS service in your computers.
Also a loud and clear signal that we need DANE validation in our browsers, and every day we need it more.
I am sick of hearing people say "oh but it is only used for email servers and nobody uses it anyway"
That is not a reason to not implement robust authentication and validation.
-
Fyi.
https://blog.cloudflare.com/sad-dns-explained/
"As part of a coordinated disclosure effort earlier this year, the researchers contacted Cloudflare and other major DNS providers and we are happy to announce that 1.1.1.1 Public Resolver is no longer vulnerable to this attack."
-
@Steffie I was reading yesterday lots of poisonous pages at that place, but I've missed that. Exactly what I needed, thanks
-
Certain pages are more dangerous to mental health than to the PC
-