Is there any reason to encrypt DNS traffic?



2 hours ago, firey said:

Guessing it's to bypass DNS blocks? Other than that seems like just another layer of something you don't need.

Pretty much, that is it in a nutshell. Perhaps if DNS lookups were too fast...?? Or DNS lookups you don't want to be going through your ISP... but again I'm struggling to see a valid reason.


19 minutes ago, Mando said:

Pretty much, that is it in a nutshell. Perhaps if DNS lookups were too fast...?? Or DNS lookups you don't want to be going through your ISP... but again I'm struggling to see a valid reason.

The article mentioned the man in the middle attack, but I haven't heard of those happening for some time now, so is this just an extra step of paranoia?


3 minutes ago, jnelsoninjax said:

The article mentioned the man in the middle attack, but I haven't heard of those happening for some time now, so is this just an extra step of paranoia?

Real world usage? Yep, tinfoil hat scenario tbh buddy.

If someone's already engaged in a MITM situation, they have already won ;) If they are that "smart" they could just sniff the actual packets of data, bypassing DNS calls.


Hello,

Aside from the above-mentioned issues, some ISPs monetize your DNS queries, selling them to advertisers who then use them for advertising targeting. For example, instead of returning an NXDOMAIN they send you to a paid search portal. This is one way to make that more difficult.

Regards,

Aryeh Goretsky

  • Like 3

Greedy ISPs are one of the best reasons to use this. They have your physical information; DNS logging gives them a list of websites to go along with it, which they'll sell to advertisers in some form.


1 hour ago, goretsky said:

Hello,

Aside from the above-mentioned issues, some ISPs monetize your DNS queries, selling them to advertisers who then use them for advertising targeting. For example, instead of returning an NXDOMAIN they send you to a paid search portal. This is one way to make that more difficult.

Regards,

Aryeh Goretsky

OK, I think I understand somewhat better, but I'm not worried enough to go to the trouble of encrypting DNS traffic now.


3 hours ago, goretsky said:

Hello,

Aside from the above-mentioned issues, some ISPs monetize your DNS queries, selling them to advertisers who then use them for advertising targeting. For example, instead of returning an NXDOMAIN they send you to a paid search portal. This is one way to make that more difficult.

Regards,

Aryeh Goretsky

Couldn't you also get around this by switching DNS addresses to either GoogleDNS, OpenDNS, or another?

If so, that'd be a much easier solution to that particular thing.

  • Like 2

4 hours ago, Brandon H said:

Couldn't you also get around this by switching DNS addresses to either GoogleDNS, OpenDNS, or another?

If so, that'd be a much easier solution to that particular thing.

Hello,

The ISP could redirect the IP addresses of competing DNS servers to its own servers, or monitor requests from those servers... unless, of course, they couldn't see the DNS requests because they were encrypted. After all, revenue is at stake here, and if they modified their terms of service to require use of their DNS servers, there probably would not be too many customers willing to jump ship.

Regards,

Aryeh Goretsky

While there are reasons you might want to do this... if you're going to the lengths of encrypting your DNS traffic from your ISP, why would you not just encrypt all traffic via a VPN?

If you're worried about validation of the records you're getting, this is where DNSSEC comes into play. But it's only good for domains that use it. You can never be sure the data you're getting back from a DNS query is legit, or what the authoritative server wants to hand out, without DNSSEC. Just because you encrypt data to some DNS server just means you're pretty sure you're talking to him and getting answers from him. Doesn't mean its answers are not wrong, or haven't been messed with...

If your tinfoil hat has you worried about your DNS being monitored or messed with by your ISP, why would you not just go full-blown VPN for all your traffic?

  • Like 2
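Two points in this thread can be checked rather than argued about: goretsky's NXDOMAIN-to-search-portal redirect, and BudMan's point that encrypting the path to a resolver is not the same as validating the answers (that is DNSSEC's job). The script below is an added example, not code from the thread or from any product mentioned in it. It builds a DNS query for a name that cannot exist, parses the reply, and reports whether the resolver answered honestly (NXDOMAIN, no records) or substituted an A record, which is exactly what a portal redirect looks like on the wire. It also reads the AD flag, which a DNSSEC-validating resolver sets when it authenticated the answer (including an authenticated denial of existence); that flag is only worth trusting when the channel to the resolver is itself protected, which is where DNS over TLS or HTTPS and DNSSEC complement each other. The probe name, the 192.0.2.10 "portal" address (TEST-NET-1, a documentation range) and both replies are constructed inline, so nothing here touches the network; the length-framing helper shows how a message would be prefixed before being sent over a TCP or TLS stream.

```python
"""Added example, not from the thread: build a probe query for a name that cannot
exist, parse the reply, and tell an honest NXDOMAIN from a search-portal A record.
Also reads the AD (authenticated data) flag a DNSSEC-validating resolver sets, and
shows the 16-bit length framing DNS-over-TCP and DNS-over-TLS use on the wire.
All packets below are constructed inline; nothing touches the network."""
import random
import struct

QTYPE_A = 1
RCODE_NXDOMAIN = 3
FLAG_RD, FLAG_AD = 0x0100, 0x0020


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a root byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=None):
    """Standard query. Setting AD in the request asks a validating resolver to
    report (via AD in the reply) whether the answer was DNSSEC-authenticated."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data):
    """Parse header, question and answer sections into a plain dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "questions": questions, "answers": answers}


def classify_probe(response):
    """For a name that cannot exist, an honest resolver says NXDOMAIN with no
    answers. An A record in its place is the paid-portal redirect from the thread."""
    if response["rcode"] == RCODE_NXDOMAIN and not response["answers"]:
        return "honest-nxdomain"
    if response["rcode"] == 0 and any(t == QTYPE_A for _n, t, _r in response["answers"]):
        return "nxdomain-hijack"
    return "unexpected"


def frame_for_stream(msg):
    """DNS over TCP and DNS over TLS (RFC 7858) prefix each message with its length."""
    return struct.pack("!H", len(msg)) + msg


def build_response(query, rcode, a_records, ad=False):
    """Fabricate a reply to `query`; used here only to construct sample packets."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode | (FLAG_AD if ad else 0)   # QR, RD, RA (+AD)
    body = b""
    for ip in a_records:                                # owner = pointer to question name
        body += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4)
        body += bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0) + query[12:] + body


# Constructed sample traffic: a random-looking label under a documentation domain,
# one validated honest NXDOMAIN, and one reply steered to a TEST-NET-1 "portal" IP.
PROBE_NAME = "does-not-exist-7f3a9c.example.com"
QUERY = build_query(PROBE_NAME, txid=0x1234)
HONEST = build_response(QUERY, RCODE_NXDOMAIN, [], ad=True)
HIJACKED = build_response(QUERY, 0, ["192.0.2.10"])


def demo():
    """Classify both sample replies; returns the verdicts and the AD status."""
    honest, hijacked = parse_response(HONEST), parse_response(HIJACKED)
    return {"honest": classify_probe(honest), "hijacked": classify_probe(hijacked),
            "honest_ad": honest["ad"], "hijacked_ad": hijacked["ad"],
            "hijack_target": hijacked["answers"][0][2]}


if __name__ == "__main__":
    print(demo())
```

To use this against a live resolver you would send `frame_for_stream(QUERY)` over a TLS connection to port 853 (or the raw `QUERY` over UDP port 53) and feed the reply to `parse_response`; a resolver that returns an A record for a label like this one is rewriting NXDOMAIN, and a reply without AD tells you the resolver did not (or could not) DNSSEC-validate it, whatever the transport.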

8 hours ago, BudMan said:

While there are reasons you might want to do this... if you're going to the lengths of encrypting your DNS traffic from your ISP, why would you not just encrypt all traffic via a VPN?

If you're worried about validation of the records you're getting, this is where DNSSEC comes into play. But it's only good for domains that use it. You can never be sure the data you're getting back from a DNS query is legit, or what the authoritative server wants to hand out, without DNSSEC. Just because you encrypt data to some DNS server just means you're pretty sure you're talking to him and getting answers from him. Doesn't mean its answers are not wrong, or haven't been messed with...

If your tinfoil hat has you worried about your DNS being monitored or messed with by your ISP, why would you not just go full-blown VPN for all your traffic?

 

Why VPN already-encrypted traffic, though? Most websites use HTTPS now. Streaming services are all encrypted, email and games as well. So at that point the only thing not regularly encrypted is DNS.

Might as well plug the last big security hole, especially since DNS is the Achilles' heel of the Internet.

 

Personally, I run my own resolvers, mostly because I have a lot of devices and my ISP's DNS servers are not great.


I run my own resolver as well, with DNSSEC...

While I agree much traffic is HTTPS anyway, if your tinfoil hat says "oh F them, they cannot see my DNS traffic," why let them see where you're going via where your HTTPS traffic goes? Might as well just hide it all. And now you can resolve vs using a forwarder and it's still hidden from your big bad ISP wanting to spy on you ;)


Some real world reasons:
- ISP greediness/intervention
- Government monitoring/blocking/censorship
- Government or ISPs blocking a VPN service entry point

I find it funny that every time a talk about VPNs or (tinfoil-y) stuff comes up, it is always put into the context of the "sane" countries... there are a lot of crazy places out there in the world. Read/watch world news, or you can take a trip to such crazy countries yourself (which I will not recommend :)) and let's see how many tinfoil hats you will put on!


Says you're in Sweden... Prob the least crazy country on the whole planet ;)

Comes down to this: if your traffic flows over a hostile network, then yes, it's good to encrypt it, be it all traffic via VPN or just your DNS. Be it that hostile network is some strange wifi network you're on at some airport or pub or Starbucks, or even your buddy's house, etc. If you feel your ISP is a hostile network, then sure, you would want to encrypt your traffic across that network.

Then again, most people are not doing anything that would make it matter. I am not in a country where I am worried about the government spying on me. I don't give two ###### if they know I am going to Neowin 50 times a day, etc. Or shopping on Amazon... or reading BBC news, even if they were.

Let's be clear though: per the rules, this site is not about discussing circumvention. So while you might be in a country that blocks XYZ, no matter how the rest of the world feels about it, it's circumvention and this place would not be the place to talk about how to get around such policies. If the site changes the wording on their policies, then I'd be happy to discuss all the different ways to get around such blocks... My tinfoil hat is normally cocked to the side of my head really loose and about ready to just fall off. But if needed I can put it on so tight it cuts off blood to my brain ;)

Keep in mind, if a gov agency wants to spy on you, they sure are not going to need the ISP to help them... and more than likely something on your devices directly, so it doesn't matter how many VPNs you use or how encrypted you make your DNS queries... For all you know, what they need to log everything you do is hardcoded in the chips that make up your device or the actual OS it's running (Windows telemetry, wink wink)... if you want to put your tinfoil hat on that tight ;)

21 minutes ago, BudMan said:

Says you're in Sweden... Prob the least crazy country on the whole planet ;)

Yes I am, but I am an Egyptian (the other extreme side of the crazy-country meter) :D

The thing is not really about spying; spying is fine, but it is what comes after spying from the crazy country... like some jail time if you are lucky, or your flying head rolling on the floor if you are not so lucky.

 

I agree with most of what you said though.


3 hours ago, BudMan said:

I run my own resolver as well, with DNSSEC...

While I agree much traffic is HTTPS anyway, if your tinfoil hat says "oh F them, they cannot see my DNS traffic," why let them see where you're going via where your HTTPS traffic goes? Might as well just hide it all. And now you can resolve vs using a forwarder and it's still hidden from your big bad ISP wanting to spy on you ;)

It's more of an ad-blocking thing for me, personally. I pay enough for access; if they want to mine my DNS queries or advertise on NXDOMAIN, they can charge me less.

Also, the occasional redirect or popup message injected into my browser is really creepy. I get those about once a month.


This topic is now closed to further replies.