DNS Security
-
Q: Do I need to change my DNS to a secure option?
A: Yes, and now more than ever it has become dangerous not to.
http://www.theregister.co.uk/2016/12/20/new_dnschanger_exploit_kit_goes_after_166_types_of_router/
https://DNSCrypt.org
"DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.
It is an open specification, with free and open-source reference implementations, and it is not affiliated with any company nor organization."
DNSCrypt makes it easy to protect yourself from DNS spoofing and "Man-In-The-Middle" attacks.
Normal DNS has no validated authentication, even with DNSSEC (DNS with security extensions).
Easy to install clients are available for Windows, MacOS, Linux and Routers.
Android and iOS devices require ROOT access, so you will need nerd-power to install.
Daily updates of the current DNS and their capabilities can be downloaded from
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv
The Windows client "Simple DNSCrypt" is the easiest way to install and configure with your preferred DNS.
https://simplednscrypt.org
Older Windows users will have to manually install the current proxy files with the Winclient from Noxwizard
https://github.com/Noxwizard/dnscrypt-winclient
Linux users can pull it from the repositories just as normal, so it should be swift and painless.
(I cannot comment on the MacOS client, as I have not used it.)
Choosing your DNS
The criteria you need to fill:
- Geographic location will affect speed of IP lookups (but not transfer speeds).
- DNSSEC. Not all DNSCrypt DNS use standard DNSSEC extensions, so you may want to choose based on security over location.
- Logging. Many DNS keep logs of user activity. To maintain your privacy you should opt for a DNS that does not keep logs.
- Filtering/Blocking. Some DNS use IP blocking of "bad" sites. You can choose a DNS that protects against malware and/or adult material.
Use the GitHub page to look at the advertised DNS capabilities and limitations
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
If you find this extra free security is useful (or important), and want to see it added to Vivaldi browser so you know your portable USB browsing is also protected, please up-vote my suggestion
https://forum.vivaldi.net/topic/13217/feature-requests-for-1-7/34
-
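As an added example (not code from the original post, nor from the dnscrypt-proxy project), the script below applies the selection criteria from the post to a resolvers list in the column layout of dnscrypt-proxy 1.x's dnscrypt-resolvers.csv: it keeps only resolvers that advertise DNSSEC validation and no logging, orders them by preferred location, and drops any row whose provider public key is not a well-formed 32-byte Ed25519 key, since the client cannot authenticate that resolver's certificates without one. The rows embedded in it are constructed placeholders (example.invalid, documentation IP addresses, dummy keys), not real resolvers, and the `--resolvers-list`/`--resolver-name` flags are those of the 1.x command-line client.

```python
"""Pick DNSCrypt resolvers from a dnscrypt-resolvers.csv (dnscrypt-proxy 1.x layout).

Added example. The CSV rows below are constructed placeholders, not real resolvers.
"""
import csv
import io
import re

# Constructed sample in the column order of the dnscrypt-proxy 1.x resolvers list.
# Names, addresses and provider keys are placeholders chosen for illustration.
SAMPLE_CSV = """\
Name,Full name,Description,Location,Coordinates,URL,Version,DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,Provider public key,Provider public key TXT record
example-nl,Example NL,Sample resolver,Netherlands,,https://example.invalid,1.0,yes,yes,no,192.0.2.10:443,2.dnscrypt-cert.example.invalid,0000:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF,
example-us-logs,Example US,Sample resolver that logs,United States,,https://example.invalid,1.0,yes,no,no,192.0.2.11:443,2.dnscrypt-cert.example.invalid,1111:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF,
example-de-nodnssec,Example DE,Sample resolver without DNSSEC,Germany,,https://example.invalid,1.0,no,yes,no,192.0.2.12:443,2.dnscrypt-cert.example.invalid,2222:1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF,
example-badkey,Example bad key,Sample resolver with malformed key,Netherlands,,https://example.invalid,1.0,yes,yes,no,192.0.2.13:443,2.dnscrypt-cert.example.invalid,DEADBEEF,
"""

# A DNSCrypt provider key is a 32-byte Ed25519 public key, published as
# 16 colon-separated groups of 4 hex digits.
KEY_RE = re.compile(r"^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$")


def is_yes(value):
    """The list uses the literal strings 'yes'/'no' for its boolean columns."""
    return value.strip().lower() == "yes"


def load_resolvers(text):
    """Parse the CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def select_resolvers(rows, require_dnssec=True, require_no_logs=True,
                     preferred_locations=()):
    """Return the names of resolvers meeting the criteria, preferred locations first.

    Rows whose provider key is malformed are dropped: without a valid key the
    client has nothing to verify the resolver's signed certificate against.
    """
    chosen = []
    for row in rows:
        if require_dnssec and not is_yes(row["DNSSEC validation"]):
            continue
        if require_no_logs and not is_yes(row["No logs"]):
            continue
        if not KEY_RE.match(row["Provider public key"].strip()):
            continue
        chosen.append(row)

    prefs = [loc.lower() for loc in preferred_locations]

    def rank(row):
        loc = row["Location"].strip().lower()
        return prefs.index(loc) if loc in prefs else len(prefs)

    chosen.sort(key=rank)  # stable sort keeps list order within equal ranks
    return [row["Name"] for row in chosen]


def proxy_command(resolver_name, list_path="dnscrypt-resolvers.csv"):
    """Command line for the 1.x client to use the chosen resolver by name."""
    return ["dnscrypt-proxy",
            "--resolvers-list=%s" % list_path,
            "--resolver-name=%s" % resolver_name]


if __name__ == "__main__":
    resolvers = load_resolvers(SAMPLE_CSV)
    names = select_resolvers(resolvers, preferred_locations=["Netherlands", "Germany"])
    print("candidates:", names)
    if names:
        print(" ".join(proxy_command(names[0])))
```

Run against the real list by replacing `SAMPLE_CSV` with the file contents; loosen `require_no_logs` or `require_dnssec` if the strict filter leaves nothing in your region, and treat a malformed key in a downloaded list as a reason to re-fetch it rather than to skip the check.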
@Dr.Flay -- interesting, thanks. I first discovered DNSCrypt maybe one or a couple of years ago, around the time I was deciding whether or not to begin permanently using a VPN in protest against the national & global privacy-thieving aspirations of companies & governments. I now cannot recall why I opted not to go for DNSCrypt, but I suspect I might have decided that my subsequent decision that I would [& did] begin VPN'ing rendered DNSCrypt redundant for me. What do you think?
PS - Ta for pointing out it's in the repos; I just checked & can see you're indeed right. Nice.
..............................................................................................................................................
Tower's SSD = Linux Mint 17.3 x64 KDE 4.14.2 [< 26/9/16]; now Maui 2.1 "Blue Tang" x64 Plasma 5.8.4.
Lappy's SSD = Linux Mint 18 x64 Xfce+Compiz [< 25/12/16]; now Maui 2.1 "Blue Tang" x64 Plasma 5.8.4.
-
Good questions,
Quite possibly it may have been because a few years ago the DNSCrypt list was smaller and OpenDNS (Cisco) logs traffic, as many others in the list do.
This is why I pointed out the DNSCrypt resolvers are not all equal.
(I should perhaps add the current short-list to the original post.)
Unless your VPN provides the DNS lookups instead of your ISP, your DNS requests will exit the VPN and then continue to the DNS of choice, then return the IP info.
If your DNS uses DNSSEC, it should send back encrypted data, but if not it will be "in the clear".
DNSCrypt does not provide encryption.
You still have the risk of a MiTM attack beyond the VPN, so a site or DNS could still be spoofed.
Because DNSCrypt uses a public key you already have, you can guarantee your lookups are always from where you expected.
Authentication is as important as DNSSEC, but if your VPN is doing its job your privacy should already be taken care of.
-
Not all DNS providers were affected by the issue. I do remember reading about DNSChanger about 6 years ago. "DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver" - HTTPS is similar for fetching web content (DNS is like a "phone book of the internet").
That The Register post is a follow-up to this one http://www.theregister.co.uk/2013/02/04/dns_changer_guilty_plea/ and they are talking about it starting with a cyber gang bust by the FBI & others https://www.fbi.gov/news/stories/international-cyber-ring-that-infected-millions-of-computers-dismantled
Also there are 2 different kinds of DNS servers, IPv4 servers & IPv6 servers.
-