Advice Request [HowTo] test your DNS Security & Privacy

[ForgottenSeer 85179]

First, we check DNS leaks:

DNS Leak Test - bash.ws

Check your VPN connection for DNS leak easy and fast.

bash.ws

DNS leak test

dnsleaktest.com

Then we test DNSSEC:

DNSSEC Resolver Test

Connection test (This website test other stuff too)

With that site, we make some different tests (take a while):

Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy.

Test your browser for data leaks, such as IP address, advanced DNS test, WebRTC leak test, IP geolocation, http headers and device information. Designed for mobile and desktop.

tenta.com

And last but not least, we test the security:

GRC | DNS Nameserver Spoofability Test

GRC's DNS Nameserver spoofability testing facility

www.grc.com

Web-based DNS Randomness Test | DNS-OARC

www.dns-oarc.net

That's it.
You can share then your result here.

Also it's important that your DNS:
- don't has any leaks
- support DNSSEC
and have as good as possible these results on grc.com:

and on dns-oarc.net:

 

[TairikuOkami]

DNSSEC was supposed to improve basic DNS, but it is just obsolete and can be bypassed. DNSCrypt, DoH or DoT, is the way to go.

Against DNSSEC

recdnsfp by recdnsfp

 

[ForgottenSeer 85179]

DNSSEC was supposed to improve basic DNS, but it is just obsolete and can be bypassed. DNSCrypt, DoH or DoT, is the way to go.

DNSSEC is still a nice feature and i don't know how this can be bypassed if it's used. But of course the server and own client must support and enabled it. Anyway all DNS resolver provide DNSSEC, so i guess it's still good.
Also DNSCrypt, DoH / DoT don't use DNSSEC. They only encrypt DNS, but don't cryptographic authenticate the DNS like DNSSEC do.

Attachments

You should write these Cleanbrowsing guys a message that they fix the "external query" and "alphabetic case" problem, which increase your privacy if solved

 

[TairikuOkami]

Also DNSCrypt, DoH / DoT don't use DNSSEC. They only encrypt DNS, but don't cryptographic authenticate the DNS like DNSSEC do.

"DNSCrypt is a network protocol which authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers." - It is pretty much the same, but secured all the way. DNSSEC is meant to prevent the tampering of unsecured DNS on the way.

Also DNSCrypt, DoH / DoT don't use DNSSEC.

Many do. You can use the filter in SimpleDNSCrypt to find the supported ones.

 

[ForgottenSeer 85179]

Well i like avoiding tools to archive that. Same for external services.
Because of that i use PiHole with Unbound and directly ask the DNS Root server's instead of external DNS server's.

Anyway everyone use their own prefered solution, so it's always good to have more options

 

[valvaris]

YeY destroyed all tests with the combo of:

Adguard Home DNS and Unbound DNSSec Resolver no uplink server. (Raspi. 4)

If you need the config just quote me and ill post the steps needed.

Best regards
Val.

 

[ForgottenSeer 85179]

YeY destroyed all tests with the combo of:

Adguard Home DNS and Unbound DNSSec Resolver no uplink server. (Raspi. 4)

If you need the config just quote me and ill post the steps needed.

Best regards
Val.

Of course you can create a thread with step for step Just to keep this thread on topic as much as possible

 

[valvaris]

As requested by @security123 I will post a small guide on how to configure Adguard Home with Unbound DNS resolver.

For Raspberry Pi 4 plz use Buster Lite -> Download Raspbian for Raspberry Pi

Adguard Home Guide for Raspberry Pi (even 4 "Buster") install -> AdguardTeam/AdGuardHome

Guide for Unbound config (Pi-hole) but can be applied to Adguard Home -> Pi-hole as All-Around DNS Solution - Pi-hole documentation

Now it is just a matter on how to configure Adguard Home DNS:

- At Adguard Home DNS Web -> Settings -> DNS Settings

tcp://127.0.0.1:5353
127.0.0.1:5353

This will forward all TCP and UDP requests to the Unbound resolver.

- Bootstrap DNS for DoH / DoT Servers

127.0.0.1:5353

Do not forget! To configure your clients to use the "new" DNS Server and only that Server!

Then the Tests can begin - conveniently - already posted as first post here by @security123 -> Link to First Post -> Q&A - [HowTo] test your DNS Security & Privacy

Best regards
Val.

 

[SeriousHoax]

Also DNSCrypt, DoH / DoT don't use DNSSEC

Actually, adguard DNS, cleanbrowsing, google, cloudflare, quad9 all of their DNSCrypt, DoH, DoT implementation support DNSSEC by default.

 

[ForgottenSeer 85179]

Actually, adguard DNS, cleanbrowsing, google, cloudflare, quad9 all of their DNSCrypt, DoH, DoT implementation support DNSSEC by default.

Hmm. Don't know why i wrote that.
Of course the support DNSSEC. Maybe i had something in my head for write something and then forget

 

[Like a Western!]

i don't get it, the subject is telling test your dns security and privacy, all i see is testing its safety not its privacy. does that mean if my DNS leak test comes out okay so i have privacy with it as well?

 

[blackice]

i don't get it, the subject is telling test your dns security and privacy, all i see is testing its safety not its privacy. does that mean if my DNS leak test comes out okay so i have privacy with it as well?

Only if you trust the dns provider with your privacy.

 

[ForgottenSeer 85179]

i don't get it, the subject is telling test your dns security and privacy, all i see is testing its safety not its privacy. does that mean if my DNS leak test comes out okay so i have privacy with it as well?

If you get leaks what are then privacy problems.
But yes, this thread isn't about DNS provider privacy policy.