DNS encrypt / DNS over HTTPS

fus10n

A quick question. Would encrypting your DNS not negate the need for a VPN?
 
Depends on the header information, I think, if there is some sort of packet inspection. If you are sending an encrypted DNS request you already have some sort of encrypted tunnel so may as well do the rest, at a bit of a speed penalty.

Also, when using a VPN, or a tunnel to an SSH proxy at home (as I do for phone and browsing from work etc.), make sure to enable "far end DNS" in the browser options, otherwise your DNS requests will be dealt with locally :).
 
DPI would still be able to read the packet header. Also you'd need your own DNS with everything in it. You're likely using your ISP DNS or Google DNS or something, as a DNS can be huge. What are you actually trying to access without a VPN?
 
You can send encrypted DNS as a standard now. I don't believe too many DNS servers support it though. Set your own DNS up if you want it.

FYI, it is just as easy to sniff the payload of the packet as the header. Nearly all IDSs do it by default.
 
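Added worked example (not part of any post in this thread): what "encrypted DNS as a standard" looks like on the wire. DNS over HTTPS (RFC 8484) carries an ordinary RFC 1035 query message inside an HTTPS request, either base64url-encoded in a `?dns=` GET parameter or as an `application/dns-message` POST body. An on-path device therefore sees a TLS connection to the resolver's IP (and its hostname in the TLS SNI) but not the name being looked up. The code below builds such a query, encodes it both ways, and parses a constructed response; it runs offline, contacts no resolver, and the resolver URL `doh.example.net` and the 192.0.2.1 answer are illustrative assumptions (RFC 5737 documentation range). The GET encoding for `www.example.com` is the one printed in RFC 8484 section 4.1.1.

```python
"""
Added example (not from the thread): build a DNS-over-HTTPS query in the
RFC 8484 wire format and show what an on-path observer sees versus what
the resolver sees.  Runs offline; the resolver URL and the response
packet are constructed for illustration only.
"""
import base64
import struct

RESOLVER_URL = "https://doh.example.net/dns-query"   # assumed, illustrative only


def build_query(name: str, qtype: int = 1) -> bytes:
    """RFC 1035 query message: 12-byte header + one question.

    The ID is fixed to 0 as RFC 8484 recommends for the GET form, so
    identical questions give identical URLs and HTTP caches can serve them.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN


def doh_get_url(name: str) -> str:
    """GET form: ?dns=<base64url(wire)> with '=' padding stripped (RFC 8484 s4.1)."""
    wire = build_query(name)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{RESOLVER_URL}?dns={b64}"


def doh_post(name: str) -> tuple:
    """POST form: the raw wire message as the body, with this media type."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message"}
    return headers, build_query(name)


def parse_a_answers(resp: bytes) -> list:
    """Return the IPv4 addresses in the answer section of a response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    pos = 12
    for _ in range(qd):                     # skip the question section
        while resp[pos] != 0:
            pos += resp[pos] + 1
        pos += 1 + 4                        # terminating 0, QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        # The owner name is usually a 2-byte compression pointer (0xC0xx);
        # also accept an uncompressed name.
        if resp[pos] & 0xC0 == 0xC0:
            pos += 2
        else:
            while resp[pos] != 0:
                pos += resp[pos] + 1
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        rdata = resp[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:       # A record
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response: the question echoed back with QR/RD/RA set, plus one
# A record (TTL 300) pointing at 192.0.2.1, a documentation address.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + build_query("www.example.com")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    url = doh_get_url("www.example.com")
    print("Inside TLS, the resolver sees:", build_query("www.example.com").hex())
    print("On the path, DPI sees a TLS session to", RESOLVER_URL.split("/")[2])
    print("GET URL:", url)
    print("Parsed answer:", parse_a_answers(SAMPLE_RESPONSE))
```

The same function builds the body for the POST form, which is what most browsers use; the point for the thread is that the only plaintext a middlebox can act on is the resolver's address and SNI, so blocking or redirecting DoH means blocking the resolver, not reading the query.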
I was trying to think of how I do it, but without encrypted data, just DNS. I think it's possible, but due to the above-mentioned packet inspection it may not work.

If I use my phone, I tunnel using SSH to a proxy at home (a story involving O2 DNS snooping, but I don't use O2 now) and use my home router DNS. Everything is encrypted; all that is visible is the far-end IP.
 
Packet inspection can only inspect the header and cannot inspect the payload unless the encrypted payload is known. So it will not be possible to know the packets are DNS requests unless they are for known domains that the IDS is aware of.


EDIT...
When I say known, I mean the IDS cannot know what is in the payload unless both the encrypted and decrypted versions of the payload are known.


The only IDSs that know what is in the payload are at big companies that use proxy servers that mitigate the end-to-end encryption.
 
Unless you set far-end DNS in your browser you could be leaking data.
 
If the DNS server you are using is communicating via encryption, then there is no need for a far-end DNS.

The only advantage of a far-end DNS is that it may not be restricted by the local laws of your area, e.g. preventing the resolution of illegal IPTV streams.

I probably should mention that if your local DNS is prevented from resolving illegal IPTV domains, it will not allow this even if the DNS request is encrypted.
 
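Added worked example (not part of any post in this thread) for the "far end DNS" point raised above and in the earlier SSH-proxy reply: with a browser pointed at a local SOCKS5 proxy such as `ssh -D 1080 home`, the difference between local and remote DNS is a single byte in the RFC 1928 CONNECT request. A client doing local resolution looks the name up first (a plaintext DNS query leaves the machine) and then sends ATYP=1 with the IP; a client doing remote resolution sends ATYP=3 with the hostname through the tunnel and the far end resolves it. In Firefox this is the `network.proxy.socks_remote_dns` preference; with curl it is `--socks5-hostname` rather than `--socks5`. The code builds and parses both forms offline; the host `intranet.example`, the port, and the fake resolver returning 192.0.2.10 are illustrative assumptions.

```python
"""
Added example (not from the thread): what "far end DNS" means on the wire
for a SOCKS5 proxy (RFC 1928).  Builds the CONNECT request with the name
resolved locally (ATYP=1) and with the name sent to the proxy (ATYP=3),
and parses both as the proxy would.  The target host and the stand-in
resolver are assumptions for illustration; nothing touches the network.
"""
import socket
import struct

SOCKS_VER = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN = 1, 3


def connect_request(host: str, port: int, remote_dns: bool,
                    resolve=socket.gethostbyname) -> bytes:
    """Client side: SOCKS5 CONNECT request (RFC 1928 section 4).

    remote_dns=False mirrors a client that resolves the name itself first;
    `resolve` defaults to the system resolver, which is exactly the
    plaintext lookup that leaks on the local network.
    remote_dns=True sends the hostname inside the tunnel (ATYP=3), so the
    proxy at the far end resolves it and no local DNS query is made.
    """
    if remote_dns:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = resolve(host)                  # <-- local resolution happens here
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(ip)
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(req: bytes) -> tuple:
    """Proxy side: return (atyp, host_or_ip, port) from a CONNECT request."""
    ver, cmd, _, atyp = req[:4]
    if ver != SOCKS_VER or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(req[4:8]), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unsupported ATYP %d" % atyp)
    return atyp, host, struct.unpack("!H", rest[:2])[0]


def leaks_hostname_locally(req: bytes) -> bool:
    """True when the client must already have resolved the name itself,
    i.e. a DNS query for it went out on the local network."""
    return parse_connect_request(req)[0] == ATYP_IPV4


# Constructed stand-in for the system resolver so the example runs offline.
def fake_resolver(host: str) -> str:
    return "192.0.2.10"            # documentation address, RFC 5737


if __name__ == "__main__":
    local = connect_request("intranet.example", 443, False, resolve=fake_resolver)
    remote = connect_request("intranet.example", 443, True)
    print("local DNS  :", local.hex(), parse_connect_request(local))
    print("remote DNS :", remote.hex(), parse_connect_request(remote))
```

The proxy-side parser is also a handy check on the server end (for example with a packet capture of the loopback interface): if every CONNECT arriving at the tunnel carries ATYP=1, the browser is still resolving locally regardless of what the VPN or SSH tunnel encrypts.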
No reason why I want it other than my DD-WRT router does it 'out of the box' without any major setting up to do.

Thanks for the replies
 