DNSCrypt or SimpleDNSCrypt ?

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Quote from the link

Tcpcrypt is opportunistic encryption. If the other end speaks Tcpcrypt, then your traffic will be encrypted; otherwise it will be in clear text. Thus, Tcpcrypt alone provides no guarantees—it is best effort. If, however, a Tcpcrypt connection is successful and any attackers that exist are passive, then Tcpcrypt guarantees privacy.
So the question is... how many HTTP domains support tcpcrypt? I would argue domains that can't even bother to support HTTPS, probably won't support tcpcrypt either. :(
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,033
I used BIND to do DNSSEC. It just validates that your DNS requests are real. It's fun until Windows 10 apps complain that there is no Internet. :confused:

For full encryption, use a VPN. It encrypts everything. DNSCrypt only encrypts the DNS query and everything else is still in plain sight to see.
Does a VPN encrypt DNS queries too? I believe if the VPN provider has secure DNS servers then DNS queries protection will be there; otherwise it would not protect DNS queries, right? And encryption of DNS queries will also depend on the VPN provider, right?

Some info for you here

5 Best VPNs with Private & Encrypted DNS (for next-level privacy)
 

Sunshine-boy

Level 28
Verified
Top Poster
Well-known
Apr 1, 2017
1,760
Thank you for the info, but dude, how do I install it? I can't understand that installation guide :p
 

DeepWeb

A good VPN should route all traffic through its encrypted servers. For example, Windscribe won't let you connect to any DNS except their own. They handle all of your traffic through all ports that point to the Internet. :) Almost all VPNs will handle your DNS queries. If you want to make sure that they do, you can double-check using a site like: DNS leak test
 

DeepWeb

@DeepWeb can you open a topic and learn how to install this tool? Maybe others want to use it, like me.
I only took a look at it and read up on its potential and what it does. tcpcrypt/INSTALL-Windows.markdown at master · scslab/tcpcrypt · GitHub

You have to compile it in Linux..... to make a Windows version..... Who does that? Not to mention there are no uninstall instructions. Stay away. In my opinion, HTTPS is superior. Just make sure you use HTTPS Everywhere extension to force HTTPS wherever it is working. :) I would not be worried too much about man-in-the-middle attacks when you are on your home network. It never happens unless there is someone in a van outside your house. In that case you have other problems (see NSA/FBI). :p

Just make sure whatever DNS server you pick cannot be spoofed itself.
GRC | DNS Nameserver Spoofability Test  

If your DNS resolver can't be spoofed it will always send you the right IPs. The least spoofable servers are:
Your own recursive DNS resolver with DNSSEC validation > ISP DNS resolver > Any DNSSEC resolver > Non-DNSSEC resolvers

1. If you want to make sure nobody can do man-in-the-middle attacks, use DNSCrypt and pick a server with DNSSEC support.

2. If you want to make sure all of your DNS queries are legit, use BIND or Unbound with DNSSEC or DNSSEC Trigger: nlnetlabs.nl :: Dnssec-Trigger ::

3. If you want to make sure all of your Internet traffic is encrypted and validated, not just your DNS, use a good, paid VPN. :)
 
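The post above turns on two ideas: a resolver is "spoofable" when an off-path attacker can forge a reply that the resolver accepts, and a DNSSEC-validating resolver (BIND/Unbound with validation on) tells its clients that an answer was verified. As an added example, written for this page and not code from the thread or from any tool named in it, the Python below builds a DNS query and two replies in wire format, applies the checks a resolver must pass a UDP reply through before trusting it (matching transaction ID, source port and question), reads the AD header bit that only a validating resolver sets, and flags the kind of predictable TXID/port pattern a spoofability test looks for. The domain, address and port numbers are constructed sample values; nothing touches the network.

```python
# Added example, not code from the thread or from any of the tools it names.
# (1) A reply is only trusted if it matches the pending query's TXID, UDP
#     source port and question, so predictable TXIDs/ports make forgery cheap.
# (2) The AD header bit is how a DNSSEC-validating resolver tells a stub that
#     the answer was verified; a non-validating resolver never sets it.
# All messages are built in-line with constructed values; no network access.
import struct

def encode_name(name):
    """Text name -> DNS wire format (length-prefixed labels, root terminator)."""
    out = b"".join(bytes([len(lb)]) + lb.encode("ascii")
                   for lb in name.rstrip(".").split(".") if lb)
    return out + b"\x00"

def decode_name(msg, off):
    """Wire name at msg[off:] -> (lowercase text name, offset after it).
    Handles RFC 1035 compression pointers, with a jump limit against loops."""
    labels, end, jumps = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # 11xxxxxx = pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumps += 1
            if jumps > 16:
                raise ValueError("compression loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)

def build_query(txid, qname, qtype=1):
    """Recursive query with an EDNS0 OPT record carrying the DO bit (ask for
    DNSSEC records). One question, one additional record (the OPT)."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)             # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)        # class IN
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)  # DO=1
    return hdr + question + opt

def build_reply(txid, qname, qtype, ipv4, ad=False):
    """Reply with one A record; 'ad' sets the Authenticated Data flag."""
    flags = 0x8180 | (0x0020 if ad else 0)                              # QR,RD,RA[,AD]
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    # owner is a compression pointer to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return hdr + question + answer

def parse_message(msg):
    """Header, question section and all resource records of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "questions": questions, "records": records}

def accept_reply(query, reply, port_sent_from, port_reply_to):
    """The checks a stub/resolver applies before using a UDP reply. Returns
    (accepted, status); status is 'validated' only when the AD bit is set."""
    q, r = parse_message(query), parse_message(reply)
    if port_reply_to != port_sent_from:
        return False, "port mismatch"
    if not r["qr"]:
        return False, "not a response"
    if r["txid"] != q["txid"]:
        return False, "txid mismatch"
    if r["questions"] != q["questions"]:
        return False, "question mismatch"
    return True, ("validated" if r["ad"] else "unvalidated")

def looks_predictable(samples):
    """Crude stand-in for a spoofability test: given (txid, source port) pairs
    observed from a resolver's outgoing queries, flag sequential TXIDs or a
    fixed source port. Either collapses the ~32 bits an off-path forger must
    guess to 16 or fewer."""
    txids = [t for t, _ in samples]
    sequential = sum(1 for a, b in zip(txids, txids[1:]) if (b - a) % 65536 == 1)
    return sequential >= len(samples) // 2 or len({p for _, p in samples}) == 1

if __name__ == "__main__":
    query = build_query(0x1234, "example.com.")                               # constructed
    genuine = build_reply(0x1234, "example.com.", 1, "93.184.216.34", ad=True)
    forged = build_reply(0x4321, "example.com.", 1, "10.0.0.1")               # wrong TXID guess
    print(accept_reply(query, genuine, 53417, 53417))   # (True, 'validated')
    print(accept_reply(query, forged, 53417, 53417))    # (False, 'txid mismatch')
    print(looks_predictable([(100 + i, 53) for i in range(8)]))  # True: sequential, fixed port
```

The AD bit is only meaningful between you and a resolver you trust and talk to over a protected channel (a validator on localhost, or a remote one reached over DNSCrypt/TLS); over plain UDP an on-path attacker can set it in a forged reply just as easily as the answer itself, which is why the thread's advice of running your own validating resolver comes first in the ranking.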

Sunshine-boy

Thanks for the info!
I guess I'll pass because I don't know how to install these applications or work with them :p
 

DeepWeb

They all have flaws except VPN. The reality is that your ISP's DNS resolvers are the most secure and least spoofable, because they have the most experience with resolving DNS and man-in-the-middle attacks, since they log everything and see who is messing around. Of course that also means that they will track you.

Now it's up to you to choose between security or privacy. :)

My opinion is, the fewer hops my connection has to do, the more secure it is.
 

HarborFront

FYI, the more hops you carry out, the more secure your connection is, for your IP address changes with each hop... but you suffer a slowdown in speed the more you hop.

Double-hop VPNs allow 2 hops. Tor allows 3 hops. Some VPNs allow you to connect to Tor which means you can have 4 or 5 hops.

Of course, having double hops by VPN1 and VPN2 providers will be more secure than a double hop provided by a single VPN provider.
 

DeepWeb

So you are saying VPNs which provide double hops are less secure and Tor which hops 3 times is even less secure?

Some VPNs allow you to connect to Tor and, in total, 4 or 5 hops, ok?
That seems to be the general argument. The more hops the harder it is to track you. That is indeed what privacy advocates are saying.
But, you hear something different from security advocates. With every node, you have to deal with handshakes of servers that you don't know that may or may not cache/backup/log and that have different vulnerabilities. You cannot know if they might attach something to the packet that allows it to be tracked.

E.g. A direct HTTPS connection to your banking website is far more secure than an indirect connection through your VPN which could or might decrypt your HTTPS package. Because now you only have data on you, your ISP and the bank.
Connecting to the same bank with a VPN you now have data between you, your ISP, your VPN and the bank. If the ISP is out of country, it's even more problematic because now the NSA keeps a record of that connection as they collect data in bulk at all major web nodes that your connection has to pass. They don't know what is in the packages sent, but they know that this connection was established and they can trace it back to you. Remember VPN hides what is in the packages, but it cannot hide where it is going because everything always goes through your ISP at the end of the day.

And this is my problem. If your VPN takes your connection out of country across several nodes, it is more likely that your information will be recorded by intelligence agencies than if you have a direct connection.

In other words, the more you try to become invisible, the more suspicious you become. It is better to blend in by using the same programs and tools everyone else does. Imagine someone standing in the middle of Times Square wearing a mask. Yes, nobody knows who you are, but more people will pay attention to you because you're the only one wearing a mask and they will try to figure out what you are all about. However if you look like everyone else at Times Square nobody notices you. :) That brings me to my final point: There are many other ways to track users than IP and they all reveal enough information (e.g. browser signature, computer signature, audio fingerprint, cache e-tags, canvas fingerprint, user agent, local time vs VPN time, telemetry data, Chrome DNS cache): IP check

Whether you use a VPN or not that information will be attached to you unless you:
1. Use a completely different computer in a completely different location,
2. Run Qubes or Tails OS on that computer using a live USB/CD,
3. Use Tor browser which hides your browser/canvas/audio/cache e-tag fingerprints &
4. Don't log into any services that you regularly use.

How to (actually) be anonymous online – Windscribe
Don't use VPN services. · GitHub
Streisand effect - Wikipedia

All of this made me realize that if you really want to be private, you will have to sacrifice the way you use the Internet right now for the rest of your life, and nobody is willing to do that, so I gave up on all of it and just focus on security and blocking trackers via hosts files/Adblock etc. That is just my opinion, however. :D
 

HarborFront


That's why you have to be very careful in choosing your VPN provider if you are really privacy conscious. If you don't want your VPN provider to know you then connect in this manner YOU ==> TOR ==> VPN provider. Pay your VPN provider in tumbled bitcoin or in cash, use burner mail etc.

A decentralized VPN, like below, may be the answer to your privacy. It works similarly to Tor.

Decentralized and Secure Access to the Internet. Do we need a Decentralized VPN?
Mysterium Network – Decentralized VPN

And, if I'm not wrong, banks may not accept your connection using VPN

You can be the outstanding one but when they try to scrutinize you they are not able to do it because you are very well secured.

Like you said, "...unless you......", and unless your ISP and state players are interested in you, I can bet you can safely and surely surf anonymously.

Yes, protecting your privacy is much more difficult than securing your system. There's no doubt about that.
 

DeepWeb

I love this writeup about why DNSSEC and most solutions to secure DNS are misguided.
Against DNSSEC — Quarrelsome

tl;dr
-The Internet is built on the assumption that DNS is not secure.
-The Internet has created several mechanisms to compensate for that, making DNSSEC obsolete.
-DNSSEC keys are under the control of governments... the very institution that we don't trust.
-DNSSEC has not reduced the number of DDoS attacks.
-DNSSEC is slower, more expensive and relies on cryptography from the 90s...
 

HarborFront

According to the article in post #33
There are better DNS security proposals circulating already. They tend to start at the browser and work their way back to the roots. Support those proposals, and keep DNSSEC code off your servers.

So what are these?
 

DeepWeb

TLS by itself is already good enough and makes DNSSEC redundant. Even DNS over TLS is unnecessary since the current TLS/SSL already checks whether the site you visit is actually the site you requested.
There are also many mechanisms that people and companies already deploy to ensure that they don't run into cache poisoning, botnets, spoofing etc which are being deployed by email providers for example.
The main problem is that with DNSSEC you shift the control over what is a legitimate CA to a few and those few are the national governments in control of top level domains as opposed to having every domain handle its own TLS. This is a big issue.
DNSSEC uses PKCS1v15 RSA-1024 which is a joke compared to TLS with forward secrecy. Finally the most dangerous thing about DNSSEC and why Quad9 is providing third party DNS for free: It enumerates zones.

My case is simple. The real key to securing DNS is for every site to use TLS. :)
 
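The post above ends on the zone-enumeration point ("It enumerates zones") without showing what that means. As an added example, written for this page and not code from the thread or from the linked article, the Python below walks a constructed NSEC chain the way an enumerator would (each NSEC record names the next owner in the zone, so the chain is a linked list of every name), then shows the NSEC3 variant: names are replaced by salted, iterated SHA-1 hashes per RFC 5155, which stops direct walking but leaves the hashes open to an offline dictionary guess because the salt and iteration count are published in the zone. The zone name example.test, its hostnames, the salt, the iteration count and the wordlist are all constructed values; nothing touches the network.

```python
# Added example, not code from the thread or from the "Against DNSSEC" article.
# NSEC: follow the chain, get the whole zone.  NSEC3: hashes instead of names,
# but the hash parameters are public, so candidates can be checked offline.
# Zone, salt, iterations and wordlist are constructed; no network access.
import hashlib
import base64

ZONE = "example.test."
# Constructed NSEC chain: owner -> next owner in canonical order, wrapping at the apex.
NSEC_CHAIN = {
    "example.test.": "alpha.example.test.",
    "alpha.example.test.": "intranet.example.test.",
    "intranet.example.test.": "vpn-gw.example.test.",
    "vpn-gw.example.test.": "example.test.",
}

def walk_nsec(apex, next_owner):
    """Enumerate a zone by following NSEC 'next' pointers from the apex back to
    the apex. next_owner(name) stands in for the NSEC record a live walker gets
    by querying a name that sorts just after the current one and reading the
    NXDOMAIN proof; here it reads the constructed chain."""
    names, cur = [], apex
    while True:
        names.append(cur)
        cur = next_owner(cur)
        if cur is None or cur == apex or cur in names:   # chain closed or malformed
            return names

# base32 (RFC 4648) alphabet -> base32hex alphabet used by NSEC3 owner names
_B32HEX = str.maketrans("abcdefghijklmnopqrstuvwxyz234567",
                        "0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5 owner-name hash: SHA-1 over the lowercase wire-format
    name plus salt, re-hashed 'iterations' more times, encoded as base32hex."""
    wire = b"".join(bytes([len(lb)]) + lb.encode("ascii")
                    for lb in name.lower().rstrip(".").split(".") if lb) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").lower().translate(_B32HEX)

def crack_nsec3(published_hashes, salt, iterations, wordlist, zone):
    """Offline dictionary attack on NSEC3: hash each candidate label under the
    zone's public salt/iteration count and look for it among the hashed owner
    names the zone publishes. Returns {hash: recovered name}."""
    found = {}
    for word in wordlist:
        candidate = f"{word}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in published_hashes:
            found[h] = candidate
    return found

# Constructed NSEC3PARAM values and the hashed owners the zone would publish
# instead of the plain NSEC chain above (apex excluded; its name is known anyway).
SALT = bytes.fromhex("aabbccdd")
ITERATIONS = 12
PUBLISHED = {nsec3_hash(n, SALT, ITERATIONS) for n in NSEC_CHAIN if n != ZONE}
WORDLIST = ["www", "mail", "alpha", "dev", "intranet", "vpn-gw", "staging"]  # constructed

if __name__ == "__main__":
    print("NSEC walk:", walk_nsec(ZONE, NSEC_CHAIN.get))
    print("NSEC3 owners:", sorted(PUBLISHED))
    print("recovered:", sorted(crack_nsec3(PUBLISHED, SALT, ITERATIONS, WORDLIST, ZONE).values()))
```

The walk returns all four names of the constructed zone, and the dictionary pass recovers the three hashed hostnames that appear in the wordlist; a real zone with guessable labels (www, mail, vpn, intranet) fares the same, which is the reason NSEC3 is described as hardening enumeration rather than preventing it.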
