[Dnsmasq-discuss] DNSCrypt - the big picture
Maciej Soltysiak
maciej at soltysiak.com
Fri Feb 7 15:44:34 GMT 2014
On Fri, Feb 7, 2014 at 2:55 PM, Lonnie Abelbeck
<lists at lonnie.abelbeck.com> wrote:
>
> On Feb 7, 2014, at 7:15 AM, Maciej Soltysiak wrote:
>
>> On Fri, Feb 7, 2014 at 1:42 PM, Lonnie Abelbeck
>> <lists at lonnie.abelbeck.com> wrote:
>>> I admit is is nice to know that no-one is silently altering DNS queries/responses in transit to a trusted DNS server, but is that being overly paranoid ?
>>>
>>> Appreciate any comments...
>> I treat dnscrypt as a way to prevent query snooping by my ISP, not as
>> means to prevent altering.
>
> Thanks for your thoughts Maciej, but since the ISP routes (and logs stats) the network data anyway, there isn't much "privacy" to be gained by preventing DNS query snooping, is there ?
Partly.
The ISP A that serves your trusted DNS server will be able to corelate
DNS queries and dnscrypt clients.
The ISP B that serves your dnsmasq + dnscrypt-proxy will just see
encrypted traffic. They would need to collude with ISP A.
Of course ISP A can see DNS traffic and then, say, a subsequent HTTP
query, so you're right. But client computers also leak DNS, e.g. even
when using VPN, some DNS queries might be sent outside it, so e.g.
company intranet, etc.
> I'm thinking DNSCrypt's best feature is preventing man-in-the-middle attacks between the router and the trusted DNS server.
Agreed!
> Lonnie
Maciej
More information about the Dnsmasq-discuss
mailing list