Kitz Forum

Internet => General Internet => Topic started by: Weaver on July 15, 2018, 01:37:16 AM

Title: Secured DNS access
Post by: Weaver on July 15, 2018, 01:37:16 AM
I was wondering about securing DNS; securing data in transit against tampering, and checking the identity of servers. TLS would be fine with TCP or SCTP, but you would really want long-term persistent connections for decent performance and their cost in RAM would be a real nuisance.

I read that cloudflare offers TLS / TCP at
    2606:4700:4700::1111
    2606:4700:4700::1001
    1.1.1.1
    1.0.0.1
all on TCP port 853. There is also Quad9
    2620:fe::fe
    2620:fe::9
    9.9.9.9
    149.112.112.112

I would need my Firebrick router to support this protocol though, as all my boxes are set to use it as a caching relay DNS server and it could then act as a protocol converter.
Title: Re: Secured DNS access
Post by: CarlT on July 15, 2018, 03:05:51 PM
If a person is able to intercept your DNS traffic they can MITM everything else anyway even if your DNS resolution is assured. The application needs cryptographic protection and protecting the DNS transaction is irrelevant.

The encryption is there for confidentiality more than integrity.
Title: Re: Secured DNS access
Post by: Weaver on July 15, 2018, 07:54:58 PM
I was thinking about tampering with the lookup results and redirecting DNS traffic to an evil server.
Title: Re: Secured DNS access
Post by: CarlT on July 15, 2018, 09:22:36 PM
Can redirect traffic to an evil destination once you've done the lookup anyway if in the middle. Only protection against that is everything encrypted and authenticated either at transport layer per application or via a VPN tunnel.