[Dnsmasq-discuss] DNSCrypt - the big picture

Maciej Soltysiak maciej at soltysiak.com
Fri Feb 7 15:44:34 GMT 2014

On Fri, Feb 7, 2014 at 2:55 PM, Lonnie Abelbeck
<lists at lonnie.abelbeck.com> wrote:
> On Feb 7, 2014, at 7:15 AM, Maciej Soltysiak wrote:
>> On Fri, Feb 7, 2014 at 1:42 PM, Lonnie Abelbeck
>> <lists at lonnie.abelbeck.com> wrote:
>>> I admit it is nice to know that no-one is silently altering DNS queries/responses in transit to a trusted DNS server, but is that being overly paranoid?
>>> Appreciate any comments...
>> I treat dnscrypt as a way to prevent query snooping by my ISP, not as
>> a means to prevent altering.
> Thanks for your thoughts Maciej, but since the ISP routes (and logs stats) the network data anyway, there isn't much "privacy" to be gained by preventing DNS query snooping, is there?
The ISP A that serves your trusted DNS server will be able to correlate
DNS queries and dnscrypt clients.
The ISP B that serves your dnsmasq + dnscrypt-proxy will just see
encrypted traffic. They would need to collude with ISP A.

Of course ISP A can see DNS traffic and then, say, a subsequent HTTP
query, so you're right. But client computers also leak DNS, e.g. even
when using a VPN, some DNS queries might be sent outside it, so e.g.
company intranet, etc.

> I'm thinking DNSCrypt's best feature is preventing man-in-the-middle attacks between the router and the trusted DNS server.

> Lonnie
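The layout discussed above (dnsmasq on the router forwarding only to a local dnscrypt-proxy, so ISP B sees nothing but encrypted traffic) has one easy failure mode: unless dnsmasq is told otherwise with "no-resolv", it also uses the nameservers in /etc/resolv.conf, i.e. the DHCP-assigned ISP resolvers, and any "server=" line that does not point at loopback is a plaintext upstream. The script below is an added example written for this thread, not code from the original posts, from the dnsmasq project or from dnscrypt-proxy. It assumes dnscrypt-proxy listens on 127.0.0.1:5353 (its --local-address setting) and the three dnsmasq.conf samples are constructed for the demonstration; the split-horizon one shows that an intranet exception like the one Maciej mentions is itself a plaintext path and gets flagged so it is a deliberate choice rather than an accident.

```shell
#!/bin/sh
# Check a dnsmasq.conf for plaintext DNS paths past the dnscrypt-proxy listener.
# Added example, not part of dnsmasq or dnscrypt-proxy.

# Constructed sample 1: no-resolv missing, so /etc/resolv.conf (the ISP's
# resolvers) is also used, and a non-loopback server= on top of that.
LEAKY_CONF='
domain-needed
bogus-priv
server=192.0.2.53
'

# Constructed sample 2: the thread's layout. dnscrypt-proxy is assumed to
# listen on 127.0.0.1:5353; dnsmasq forwards only there and ignores resolv.conf.
HARDENED_CONF='
# dnsmasq.conf on the router
domain-needed
bogus-priv
no-resolv
server=127.0.0.1#5353
'

# Constructed sample 3: same as above plus a split-horizon intranet resolver.
# The intranet queries go out in the clear; the checker flags the line.
SPLIT_CONF='
no-resolv
server=127.0.0.1#5353
server=/corp.example/10.0.0.53
'

# Return 0 if every upstream path out of dnsmasq is a loopback listener
# (where dnscrypt-proxy is assumed to run), 1 otherwise; findings go to stderr.
check_dnsmasq_conf() {
    conf="$1"
    problems=0
    # Drop comment lines, trailing whitespace and blank lines; dnsmasq ignores them.
    stripped=$(printf '%s\n' "$conf" | sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]*$//' -e '/^$/d')

    # 1. Without no-resolv dnsmasq also reads /etc/resolv.conf, i.e. the
    #    DHCP-assigned ISP resolvers; queries to them cross ISP B in plaintext.
    if ! printf '%s\n' "$stripped" | grep -qx 'no-resolv'; then
        echo "FAIL: no-resolv is missing; /etc/resolv.conf upstreams will be queried in plaintext" >&2
        problems=$((problems + 1))
    fi

    # 2. Every server= line must point at loopback (127/8 or ::1), optionally
    #    with a #port and an optional /domain/ prefix. Anything else, including
    #    a 'server=/corp.example/10.0.0.53' intranet entry, is a plaintext upstream.
    bad=$(printf '%s\n' "$stripped" | grep '^server=' \
          | grep -Ev '^server=(/[^/]+/)*(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}|::1)(#[0-9]+)?$' || true)
    if [ -n "$bad" ]; then
        printf 'FAIL: plaintext upstream(s):\n%s\n' "$bad" >&2
        problems=$((problems + 1))
    fi

    # 3. no-resolv with no server= at all leaves dnsmasq without any upstream;
    #    it fails closed (SERVFAIL) rather than leaking, but the config is broken.
    if ! printf '%s\n' "$stripped" | grep -q '^server='; then
        echo "FAIL: no server= line; dnsmasq has no upstream at all" >&2
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Stand-alone demo: the hardened config passes, the other two are reported.
check_dnsmasq_conf "$HARDENED_CONF" && echo "hardened: OK"
check_dnsmasq_conf "$LEAKY_CONF" || echo "leaky: rejected as expected"
check_dnsmasq_conf "$SPLIT_CONF" || echo "split-horizon: rejected as expected"
```

Run it against the router's real file with "check_dnsmasq_conf "$(cat /etc/dnsmasq.conf)"". It only covers the dnsmasq side of the picture: clients on the LAN that carry their own resolver settings (or a VPN that pushes its own) still bypass the router, which is the leak Maciej describes.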

