jnelsoninjax, Posted February 20, 2018
So I stumbled across this article: https://www.ghacks.net/2018/02/19/encrypt-your-dns-traffic-with-simplednscrypt-for-windows/ This is the first time I have heard of this. Is there any reason to do it?
firey, Posted February 20, 2018
Guessing it's to bypass DNS blocks? Other than that it seems like just another layer of something you don't need.
Mando, Posted February 20, 2018
2 hours ago, firey said: Guessing it's to bypass DNS blocks? Other than that it seems like just another layer of something you don't need.
Pretty much, that is it in a nutshell. Perhaps if DNS lookups were too fast...?? Or DNS lookups you don't want to be going through your ISP... but again I'm struggling to see a valid reason.
jnelsoninjax (Author), Posted February 20, 2018
19 minutes ago, Mando said: Pretty much, that is it in a nutshell. Perhaps if DNS lookups were too fast...?? Or DNS lookups you don't want to be going through your ISP... but again I'm struggling to see a valid reason.
The article mentioned the man-in-the-middle attack, but I haven't heard of those happening for some time now, so is this just an extra step of paranoia?
Mando, Posted February 20, 2018
3 minutes ago, jnelsoninjax said: The article mentioned the man-in-the-middle attack, but I haven't heard of those happening for some time now, so is this just an extra step of paranoia?
Real world usage? Yep, tinfoil hat scenario tbh buddy. If someone's already engaged in a MITM situation, they have already won; if they are that "smart" they could just sniff the actual packets of data, bypassing DNS calls.
goretsky (Supervisor), Posted February 20, 2018
Hello,
Aside from the above-mentioned issues, some ISPs monetize your DNS queries, selling them to advertisers who then use them for advertising targeting. For example, instead of returning an NXDOMAIN they send you to a paid search portal. This is one way to make that more difficult.
Regards,
Aryeh Goretsky
Joe User, Posted February 21, 2018
Greedy ISPs are one of the best reasons to use this. They have your physical information; DNS logging gives them a list of websites to go along with it, which they'll sell to advertisers in some form.
jnelsoninjax (Author), Posted February 21, 2018
1 hour ago, goretsky said: Aside from the above-mentioned issues, some ISPs monetize your DNS queries, selling them to advertisers who then use them for advertising targeting. For example, instead of returning an NXDOMAIN they send you to a paid search portal. This is one way to make that more difficult.
OK, I think I understand somewhat better, but I'm not worried enough to go to the trouble of encrypting DNS traffic now.
Brandon H (Supervisor), Posted February 21, 2018
3 hours ago, goretsky said: Aside from the above-mentioned issues, some ISPs monetize your DNS queries, selling them to advertisers who then use them for advertising targeting. For example, instead of returning an NXDOMAIN they send you to a paid search portal. This is one way to make that more difficult.
Couldn't you also get around this by switching DNS addresses to either Google DNS, OpenDNS, or another? If so, that'd be a much easier solution to that particular thing.
goretsky (Supervisor), Posted February 21, 2018
4 hours ago, Brandon H said: Couldn't you also get around this by switching DNS addresses to either Google DNS, OpenDNS, or another? If so, that'd be a much easier solution to that particular thing.
Hello,
The ISP could redirect the IP addresses of competing DNS servers to its own servers, or monitor requests to those servers... unless, of course, they couldn't see the DNS requests because they were encrypted. After all, revenue is at stake here, and if they modified their terms of service to require use of their DNS servers, there probably would not be too many customers willing to jump ship.
Regards,
Aryeh Goretsky
+BudMan (MVC), Posted February 21, 2018
While there are reasons you might want to do this... if you're going to the lengths of encrypting your DNS traffic from your ISP, why would you not just encrypt all traffic via a VPN?
If you're worried about validation of the records you're getting, this is where DNSSEC comes into play. But it's only good for domains that use it. You can never be sure the data you're getting back from a DNS query is legit, or is what the authoritative server wants to hand out, without DNSSEC. Just because you encrypt data to some DNS server, that just means you're pretty sure you're talking to him and getting answers from him. It doesn't mean its answers are not wrong, or have not been messed with.
If your tinfoil hat has you worried about your DNS being monitored or messed with by your ISP, why would you not just go full-blown VPN for all your traffic?
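Two checks a practitioner would want after the posts above, as an added example that is not from the thread or from SimpleDNSCrypt: goretsky's point that a monetising resolver answers a non-existent name with an A record instead of NXDOMAIN can be detected by probing a name that cannot exist and classifying the reply; BudMan's point that transport encryption and DNSSEC answer different questions is visible in the AD (Authenticated Data) flag, which only a validating resolver sets. The code below is minimal DNS wire-format handling (RFC 1035 header, question, answer; 0xC00C compression pointers). Every packet is constructed in-process and labelled as such, so it runs offline; the probe name, the 198.51.100.7 "portal" address and the 203.0.113.10 answer are documentation-range placeholders, not real resolver output. To use it against a real resolver you would send `build_query(...)` over UDP/53 (or through your DNSCrypt/DoH stub) and feed the raw reply to `classify_nxdomain_probe`.

```python
"""Added example: plaintext DNS exposure, NXDOMAIN-hijack probe, AD-flag check.
All packets are constructed here; nothing is sent on the network."""
import struct

TYPE_A, CLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAG_AD = 0x0020  # Authenticated Data bit in the header flags word (RFC 4035)


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in 0x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard A query, recursion desired: exactly what leaves the host in the
    clear over UDP/53 when DNS is not encrypted."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset_after_name)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Header flags plus question and answer sections (A rdata as dotted quad)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "questions": questions, "answers": answers}


def visible_qname(query):
    """What a passive observer (ISP, hotspot operator) reads off a plaintext query."""
    return decode_name(query, 12)[0]


def classify_nxdomain_probe(msg):
    """Reply to a query for a name that must not exist: an honest resolver says
    NXDOMAIN with no answers; a monetising one says NOERROR plus an A record
    pointing at its search portal."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN and not r["answers"]:
        return "honest-nxdomain"
    if r["rcode"] == RCODE_NOERROR and any(a[1] == TYPE_A for a in r["answers"]):
        return "hijacked"
    return "other"


def build_response(query, rcode, a_records=(), ad=False):
    """Constructed sample reply (not real resolver output): echo the question,
    then A records whose owner name is a pointer (0xC00C) to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode | (FLAG_AD if ad else 0)  # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in a_records)
    return header + query[12:] + rrs


# Constructed samples. A real probe should use a random label so the resolver
# cannot special-case it; a fixed label is used here for reproducibility.
PROBE_QUERY = build_query("zz7q4k1x-nonexistent.example.net")
HONEST_REPLY = build_response(PROBE_QUERY, RCODE_NXDOMAIN)
HIJACKED_REPLY = build_response(PROBE_QUERY, RCODE_NOERROR, ("198.51.100.7",))
SIGNED_QUERY = build_query("www.example.com")
VALIDATED_REPLY = build_response(SIGNED_QUERY, RCODE_NOERROR, ("203.0.113.10",), ad=True)

if __name__ == "__main__":
    print("on the wire:", visible_qname(PROBE_QUERY))
    for label, reply in (("honest", HONEST_REPLY), ("hijacked", HIJACKED_REPLY)):
        print(label, "->", classify_nxdomain_probe(reply), parse_response(reply)["answers"])
    print("AD flag on validated reply:", parse_response(VALIDATED_REPLY)["ad"])
```

The AD flag is only as trustworthy as the path to the resolver that set it: a hop that can rewrite a plaintext reply can set or clear the bit at will, which is the split BudMan describes. Encrypting the stub-to-resolver leg (DNSCrypt, DoH, DoT) lets you believe the resolver's AD bit; running your own validating resolver removes the need to trust anyone else's.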
Joe User, Posted February 22, 2018
8 hours ago, BudMan said: While there are reasons you might want to do this... if you're going to the lengths of encrypting your DNS traffic from your ISP, why would you not just encrypt all traffic via a VPN? [...] If your tinfoil hat has you worried about your DNS being monitored or messed with by your ISP, why would you not just go full-blown VPN for all your traffic?
Why VPN already encrypted traffic though? Most websites use HTTPS now. Streaming services are all encrypted, email and games as well. So, at that point the only thing not regularly encrypted is DNS. Might as well plug the last big security hole, especially since DNS is the Achilles' heel of the Internet.
Personally, I run my own resolvers, mostly because I have a lot of devices and my ISP's DNS servers are not great.
+BudMan (MVC), Posted February 22, 2018
I run my own resolver as well, with DNSSEC. While I agree much traffic is HTTPS anyway, if your tinfoil hat says "oh F them, they can not see my DNS traffic"... why let them see where you're going via where your HTTPS traffic goes? Might as well just hide it all. And now you can resolve vs. using a forwarder, and it's still hidden from your big bad ISP wanting to spy on you.
Tantawi, Posted February 22, 2018
Some real world reasons:
- ISP greediness/intervention
- Government monitoring/blocking/censorship
- Government or ISPs blocking a VPN service entry point
I find it funny that every time a talk about VPNs or (tinfoil'y) stuff comes up, it is always put into the context of the "sane" countries... there are a lot of crazy places out there in the world. Read/watch world news, or you can take a trip to such crazy countries yourself (which I will not recommend) and let's see how many tinfoil hats you will put on!
+BudMan (MVC), Posted February 22, 2018
Says you're in Sweden... prob the least crazy country on the whole planet.
Comes down to this: if your traffic flows over a hostile network, then yes, it's good to encrypt it, be it all traffic via VPN or just your DNS. Be it that hostile network is some strange wifi network you're on at some airport or pub or Starbucks, or even your buddy's house, etc. If you feel your ISP is a hostile network then sure, you would want to encrypt your traffic across that network. Then again most people are not doing anything that would make it matter. I am not in a country where I am worried about the Gov spying on me; I don't give two ###### if they know I am going to Neowin 50 times a day, etc. Or shopping on Amazon... or reading BBC news, even if they were.
Let's be clear though: per the rules this site is not about discussing circumvention. So while you might be in a country that blocks XYZ, no matter how the rest of the world feels about it, it's circumvention and this place would not be the place to talk about how to get around such policies. If the site changes the wording on its policies, then I'd be happy to discuss all the different ways to get around such blocks...
My tinfoil hat is normally cocked to the side of my head, really loose and about ready to just fall off. But if needed I can put it on so tight it cuts off blood to my brain.
Keep in mind if a gov agency wants to spy on you, they sure aren't going to need the ISP to help them... and more than likely it's something on your devices directly, so it doesn't matter how many VPNs you use or how encrypted you make your DNS queries... For all you know what they need to log everything you do is hardcoded in the chips that make up your device or the actual OS it's running (Windows telemetry, wink wink)... if you want to put your tinfoil hat on that tight.
Tantawi, Posted February 22, 2018
21 minutes ago, BudMan said: Says you're in Sweden... prob the least crazy country on the whole planet.
Yes I am, but I am an Egyptian (the other extreme side on the crazy country meter). The thing is not really about spying; spying is fine, but it is what comes after spying from the crazy country... like some jail time if you are lucky, or your flying head rolling on the floor if you are not so lucky.
I agree with most of what you said though.
Joe User, Posted February 22, 2018
3 hours ago, BudMan said: I run my own resolver as well, with DNSSEC. While I agree much traffic is HTTPS anyway, if your tinfoil hat says "oh F them, they can not see my DNS traffic"... why let them see where you're going via where your HTTPS traffic goes? Might as well just hide it all. And now you can resolve vs. using a forwarder, and it's still hidden from your big bad ISP wanting to spy on you.
It's more of an adblocking thing for me, personally. I pay enough for access; if they want to mine my DNS queries or advertise on NXDOMAIN they can charge me less. Also, the occasional redirect or popup message injected into my browser is really creepy. I get those about once a month.