Kitz ADSL Broadband Information
Author Topic: Secured DNS access  (Read 182 times)

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 5854
  • Retd sw dev; A&A; 4 7km ADSL2; IPv6; Firebrick
Secured DNS access
« on: July 15, 2018, 01:37:16 AM »

I was wondering about securing DNS; securing data in transit against tampering, and checking the identity of servers. TLS would be fine with TCP or SCTP, but you would really want long-term persistent connections for decent performance and their cost in RAM would be a real nuisance.

I read that cloudflare offers TLS / TCP at
    2606:4700:4700::1111
    2606:4700:4700::1001
    1.1.1.1
    1.0.0.1
all on TCP port 853. There is also Quad9
    2620:fe::fe
    2620:fe::9
    9.9.9.9
    149.112.112.112

I would need my Firebrick router to support this protocol though, as all my boxes are set to use it as a caching relay DNS server and it could then act as a protocol converter.
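As an added example (not code from the thread, nor from Firebrick, Cloudflare or Quad9), this minimal DNS-over-TLS client shows what a relay would have to do: build the ordinary DNS wire-format query, add the TCP length prefix, send it inside a certificate-verified TLS session to port 853, and check that the reply actually answers the query. It assumes Python 3.7 or later (so an IP address can be passed as `server_hostname` and matched against the certificate) and that the resolver's certificate lists its IP address as a subject alternative name; `resolve_over_tls` needs network access, while the other functions run offline.

```python
# Added example, not code from the thread: DNS over TLS is plain DNS wire format
# (RFC 1035) with the 2-byte TCP length prefix, inside a TLS session to port 853.
import socket, ssl, struct

def build_query(name, txid=0x1234, qtype=1):
    """DNS query for `name` (qtype 1 = A) with the recursion-desired bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_tcp(msg):
    """DNS over TCP (hence over TLS) prefixes each message with its length."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(buf, pos):
    # Advance past a wire-format name; a 0xC0.. compression pointer is 2 bytes.
    while buf[pos] != 0:
        if buf[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + buf[pos]
    return pos + 1

def parse_a_answers(query, response):
    """Return the IPv4 addresses in `response` after checking it answers `query`."""
    txid, flags, qd, an = struct.unpack("!HHHH", response[:8])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000 or flags & 0xF:
        raise ValueError("response id/flags do not match the query, or error RCODE")
    pos = 12
    for _ in range(qd):                          # skip the echoed question(s)
        pos = _skip_name(response, pos) + 4      # name, then qtype + qclass
    addrs = []
    for _ in range(an):
        pos = _skip_name(response, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_tls(name, server="1.1.1.1"):
    """Query `server` on 853 in TLS; the default context verifies chain and name/IP SAN."""
    query = build_query(name)
    with socket.create_connection((server, 853), timeout=5) as raw, \
            ssl.create_default_context().wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(frame_tcp(query))
        f = tls.makefile("rb")
        (length,) = struct.unpack("!H", f.read(2))
        return parse_a_answers(query, f.read(length))
```

The transaction-id and flag checks only catch accidental mismatches; the protection against a redirected or tampered lookup comes from the TLS certificate verification that `ssl.create_default_context()` enables by default.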

CarlT

  • Reg Member
  • ***
  • Posts: 835
Re: Secured DNS access
« Reply #1 on: July 15, 2018, 03:05:51 PM »

If a person is able to intercept your DNS traffic they can MITM everything else anyway even if your DNS resolution is assured. The application needs cryptographic protection and protecting the DNS transaction is irrelevant.

The encryption is there for confidentiality more than integrity.

Weaver

  • Addicted Kitizen
  • *****
  • Posts: 5854
  • Retd sw dev; A&A; 4 7km ADSL2; IPv6; Firebrick
Re: Secured DNS access
« Reply #2 on: July 15, 2018, 07:54:58 PM »

I was thinking about tampering with the lookup results and redirecting DNS traffic to an evil server.

CarlT

  • Reg Member
  • ***
  • Posts: 835
Re: Secured DNS access
« Reply #3 on: July 15, 2018, 09:22:36 PM »

Can redirect traffic to an evil destination once you've done the lookup anyway if in the middle. Only protection against that is everything encrypted and authenticated either at transport layer per application or via a VPN tunnel.