security123

First, we check DNS leaks:

Then we test DNSSEC:
Connection test (this website tests other things too)

With that site, we run several different tests (this takes a while):

And last but not least, we test the security:

That's it.
You can then share your results here.

Also, it's important that your DNS:
- doesn't have any leaks
- supports DNSSEC
and gets results as good as possible on grc.com:
[screenshot: grc.com results (grc.png)]
and on dns-oarc.net:
[screenshot: dns-oarc.net results (dns-oarc.png)]
 

security123

DNSSEC was supposed to improve basic DNS, but it is just obsolete and can be bypassed. DNSCrypt, DoH or DoT, is the way to go.
DNSSEC is still a nice feature and I don't know how this can be bypassed if it's used. But of course the server and your own client must support it and have it enabled. Anyway, all DNS resolvers provide DNSSEC, so I guess it's still good.
Also, DNSCrypt, DoH / DoT don't use DNSSEC. They only encrypt DNS, but don't cryptographically authenticate the DNS data like DNSSEC does.

You should write the Cleanbrowsing guys a message so that they fix the "external query" and "alphabetic case" problems, which would increase your privacy if solved (y)
 

TairikuOkami

Also, DNSCrypt, DoH / DoT don't use DNSSEC. They only encrypt DNS, but don't cryptographically authenticate the DNS data like DNSSEC does.
"DNSCrypt is a network protocol which authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers." - It is pretty much the same, but secured all the way. DNSSEC is meant to prevent the tampering of unsecured DNS on the way.
Also, DNSCrypt, DoH / DoT don't use DNSSEC.
Many do. You can use the filter in SimpleDNSCrypt to find the supported ones.
 


security123

Well, I like avoiding tools to achieve that. Same for external services.
Because of that I use Pi-hole with Unbound and directly ask the DNS root servers instead of external DNS servers.

Anyway, everyone uses their own preferred solution, so it's always good to have more options (y)
 

security123

Yay, destroyed all tests with the combo of:

Adguard Home DNS and Unbound DNSSec Resolver no uplink server. (Raspi. 4) :)

If you need the config, just quote me and I'll post the steps needed.

Best regards
Val.
Of course you can create a thread with step-by-step instructions :) Just to keep this thread on topic as much as possible.
 

valvaris

As requested by @security123 I will post a small guide on how to configure Adguard Home with Unbound DNS resolver.

For Raspberry Pi 4, please use Buster Lite -> Download Raspbian for Raspberry Pi

Adguard Home Guide for Raspberry Pi (even 4 "Buster") install -> AdguardTeam/AdGuardHome

Guide for Unbound config (Pi-hole) but can be applied to Adguard Home -> Pi-hole as All-Around DNS Solution - Pi-hole documentation

Now it is just a matter of how to configure Adguard Home DNS:

- At Adguard Home DNS Web -> Settings -> DNS Settings
Code:
tcp://127.0.0.1:5353
127.0.0.1:5353
This will forward all TCP and UDP requests to the Unbound resolver.

- Bootstrap DNS for DoH / DoT Servers
Code:
127.0.0.1:5353

Do not forget to configure your clients to use the "new" DNS server and only that server!

Then the tests can begin; conveniently, they were already posted as the first post here by @security123 :) -> Link to First Post -> Q&A - [HowTo] test your DNS Security & Privacy

Best regards
Val.
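Added example (my own code, not from the original posts and not part of AdGuard Home or Unbound): once Unbound is listening on 127.0.0.1:5353 as in the guide above, the question from the DNSSEC discussion earlier in the thread is how to tell whether the resolver actually validates. DoH/DoT only encrypt the transport; validation shows up in the response header as the AD (Authenticated Data) flag, and a validating resolver answers SERVFAIL for data that fails the chain of trust. The script builds a query with the EDNS0 DO bit, parses the reply header, and classifies it. The resolver address and port 5353 are taken from the guide; `example.com`, the function names and the hard-coded transaction id in the tests are my own assumptions.

```python
import random
import socket
import struct

# Header flag bits: RFC 1035 section 4.1.1 (QR/TC/RD/RA, RCODE),
# RFC 4035 section 3.2.3 (AD, CD).
FLAG_QR = 0x8000
FLAG_TC = 0x0200
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

TYPE_A = 1
TYPE_OPT = 41        # EDNS0 pseudo-record (RFC 6891)
EDNS_DO = 0x8000     # "DNSSEC OK" bit in the OPT flags field
EDNS_UDP_SIZE = 1232


def encode_name(name):
    """Encode a dotted hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, dnssec_ok=True):
    """Wire-format query; with dnssec_ok an OPT record with the DO bit is appended."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, UDP payload size, ext-rcode 0, version 0, flags, rdlen 0
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, EDNS_UDP_SIZE, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(packet):
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def classify_response(packet, expected_id):
    """Say what the reply header tells us about DNSSEC validation."""
    h = parse_header(packet)
    if not h["qr"] or h["id"] != expected_id:
        return "unexpected packet (not a reply to our query)"
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail: validation failed or the resolver cannot recurse"
    if h["rcode"] != RCODE_NOERROR:
        return "rcode %d" % h["rcode"]
    if h["ad"]:
        return "validated: resolver verified the DNSSEC chain (AD set)"
    return "unvalidated: answer returned without the AD flag"


def query_resolver(host, name, port=5353, timeout=3.0):
    """Send one UDP query to a live resolver and classify the reply."""
    txid = random.randrange(1, 0xFFFF)
    query = build_query(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        reply, _ = sock.recvfrom(4096)
    return classify_response(reply, txid)


if __name__ == "__main__":
    # Unbound from the guide (port 5353) first, then AdGuard Home in front of it (port 53).
    for port in (5353, 53):
        print(port, query_resolver("127.0.0.1", "example.com", port=port))
```

Run it on the Pi itself; both ports should report "validated" for a signed zone. If port 5353 validates but port 53 does not, the AD flag is being dropped between Unbound and AdGuard Home, which is exactly the kind of gap the "test your DNS" sites in the first post would flag as a DNSSEC failure.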
 
I don't get it. The subject says "test your DNS security and privacy", but all I see is testing its safety, not its privacy. Does that mean if my DNS leak test comes out okay, I have privacy with it as well?
 