Author Topic: Secured DNS access  (Read 1734 times)

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Secured DNS access
« on: July 15, 2018, 01:37:16 AM »

I was wondering about securing DNS; securing data in transit against tampering, and checking the identity of servers. TLS would be fine with TCP or SCTP, but you would really want long-term persistent connections for decent performance and their cost in RAM would be a real nuisance.

I read that Cloudflare offers TLS / TCP at
    2606:4700:4700::1111
    2606:4700:4700::1001
    1.1.1.1
    1.0.0.1
all on TCP port 853. There is also Quad9
    2620:fe::fe
    2620:fe::9
    9.9.9.9
    149.112.112.112

I would need my Firebrick router to support this protocol though, as all my boxes are set to use it as a caching relay DNS server and it could then act as a protocol converter.
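The resolvers and port Weaver lists above are enough to build the client side of DNS over TLS (RFC 7858), so here is an added example (not code from this thread, nor from the Firebrick or Cloudflare projects): DNS over TLS is the DNS-over-TCP wire format (a two-byte length prefix on each message) carried inside a TLS session whose certificate is verified, which is what stops the tampering and redirection the thread worries about. The `cert_name` default assumes the resolver's certificate lists its IP address as a subject alternative name; the parser deliberately rejects replies whose transaction id does not match.

```python
import socket, ssl, struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: RD=1, one question, no EDNS; type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg: bytes) -> bytes:
    """DNS over TCP/TLS prefixes each message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(buf: bytes, pos: int) -> int:
    """Step over a (possibly compressed) domain name; return the offset after it."""
    while buf[pos] and not buf[pos] & 0xC0:          # ordinary labels
        pos += 1 + buf[pos]
    return pos + (2 if buf[pos] & 0xC0 else 1)       # pointer (2 bytes) or root label

def parse_a_records(resp: bytes, txid: int) -> list[str]:
    """Return the A-record addresses; reject id mismatches and error RCODEs."""
    rid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    if rid != txid:
        raise ValueError("transaction id does not match the query")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):                              # skip the echoed question section
        pos = _skip_name(resp, pos) + 4              # + QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_dot(name: str, server: str = "1.1.1.1", port: int = 853,
              cert_name: str = "1.1.1.1", txid: int = 0x1234) -> list[str]:
    """One DoT lookup; cert_name is what the certificate must match (assumed: its IP SAN)."""
    ctx = ssl.create_default_context()               # system CA bundle, name check on
    with socket.create_connection((server, port), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=cert_name) as tls:
        tls.sendall(frame(build_query(name, txid=txid)))
        stream = tls.makefile("rb")                  # byte stream: read exactly one reply
        (length,) = struct.unpack("!H", stream.read(2))
        return parse_a_records(stream.read(length), txid)
```

A router acting as the "protocol converter" Weaver describes would do the same on behalf of its LAN clients: accept plain UDP/TCP queries locally and forward them over a verified, long-lived TLS session like the one above.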

niemand

  • Kitizen
  • Posts: 1836
Re: Secured DNS access
« Reply #1 on: July 15, 2018, 03:05:51 PM »

If a person is able to intercept your DNS traffic they can MITM everything else anyway even if your DNS resolution is assured. The application needs cryptographic protection and protecting the DNS transaction is irrelevant.

The encryption is there for confidentiality more than integrity.

Weaver

  • Senior Kitizen
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Secured DNS access
« Reply #2 on: July 15, 2018, 07:54:58 PM »

I was thinking about tampering with the lookup results and redirecting DNS traffic to an evil server.

niemand

  • Kitizen
  • Posts: 1836
Re: Secured DNS access
« Reply #3 on: July 15, 2018, 09:22:36 PM »

They can redirect traffic to an evil destination once you've done the lookup anyway, if they are in the middle. The only protection against that is everything encrypted and authenticated, either at the transport layer per application or via a VPN tunnel.