Sunshine-boy

Level 27
Verified
Joined
Apr 1, 2017
Messages
1,613
Operating System
Windows 10
Antivirus
ESET
#63
If you use Yandex browser you don't need it.
I can't use it any more cuz government blocked it (5 months ago) :p


DNS spoofing protection
Protect active security technology scans files and websites for viruses, blocks fraudulent webpages, protects passwords and bank card details, and keeps online payments safe from theft.

DNSCrypt
The world's first browser with support for DNSCrypt technology. Encrypts Domain Name System (DNS) traffic. For example, it protects from a trojan DNSChanger, a tracking Internet provider, or hackers. This option must be enabled in the browser settings.
 
Likes: simmerskool

DeepWeb

Level 20
Verified
Joined
Jul 1, 2017
Messages
984
Operating System
Windows 10
Antivirus
Kaspersky
#64
Just make sure your connection is HTTPS using TLS and it will get validated that way. Any site that cannot be validated will not be resolved using HTTPS and your browser will tell you that it could not connect or reset the connection or connection timeout.

I would also argue to worry less about the last mile from DNS resolver to your PC. Worry more about what your DNS resolver does. If you have DNSCrypt but your resolver doesn't use DNSSEC, what's the point? Your resolver gets fooled and will send you the wrong address. If your DNS resolver validates DNSSEC, you get herd immunity by it validating all queries it receives for you before they get sent to you.

This is another example where you choose between privacy and security. If you want security, actually your ISP has DNSSEC validating resolvers that are the least likely to be spoofed because they have the experience, they log traffic to pay attention to criminals, and it would hurt their image the most if people found out that their traffic gets routed to the wrong place. Your ISP's DNS resolvers also can only be accessed by subscribers like you which further reduces the attack surface. Finally most ISP DNS resolvers will reject pings and other queries making them practically invisible on the web. If you don't believe me, test them here: GRC | DNS Nameserver Spoofability Test

Long story short your ISP's DNS resolvers are the most secure but also the least private when it comes to govt surveillance and logging. Those other DNSCrypt resolvers may be more private but also easier to fall victim to DNS cache poisoning because they are run by volunteers, not billions in revenue from paying customers. Unless you are on public wifi I wouldn't worry. If you are on public wifi, VPN is a must anyway. :)
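
An added example, not part of any poster's message: one way to check whether a resolver validates DNSSEC, as post #64 discusses. It builds a query with the EDNS0 DO bit and reads the AD flag and RCODE from the reply header. The function names and the sample replies are constructed for illustration; a live check would send one query for a correctly signed name and one for a name whose signatures are deliberately broken.

```python
import secrets
import socket
import struct

QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020  # DNS header flag bits
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(name, txid, qtype=1):
    """A-record query with RD+AD set and an EDNS0 OPT record carrying DO."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT pseudo-record: root name, type 41, 1232-byte UDP size, DO flag 0x8000
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def classify_response(packet, txid):
    """Return the rcode and whether the resolver set AD (it validated the answer)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & QR:
        raise ValueError("not a response to this query")
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "validated": bool(flags & AD), "answers": an}

def resolver_validates(signed_reply, broken_reply, txid):
    """signed_reply: answer for a correctly signed name.
    broken_reply: answer for a name whose signatures are deliberately invalid."""
    good = classify_response(signed_reply, txid)
    bad = classify_response(broken_reply, txid)
    return good["rcode"] == "NOERROR" and good["validated"] and bad["rcode"] == "SERVFAIL"

def ask(resolver_ip, name):
    """Live lookup over UDP (not used by the constructed samples below)."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        return s.recvfrom(4096)[0], txid

# Constructed sample replies (headers only), all with transaction id 0x1234.
def _hdr(flags, answers):
    return struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 1)

VALIDATING = (_hdr(QR | RD | RA | AD, 1), _hdr(QR | RD | RA | 2, 0))
NON_VALIDATING = (_hdr(QR | RD | RA, 1), _hdr(QR | RD | RA, 1))
```

The AD flag is only as trustworthy as the path between the client and the resolver, so over plain UDP it tells you what the resolver claims rather than proving it.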
 
Joined
Jun 4, 2017
Messages
158
Operating System
Windows 10
Antivirus
Emsisoft
#65
If you are on public wifi, VPN is a must anyway.
Totally agree, but would like to add that using a VPN is not always everything you need. Most of the clients you'll get from the VPN providers change your DNS servers for privacy reasons... this makes you vulnerable to DNS poisoning / spoofing!
 
Likes: HarborFront

HarborFront

Level 43
Content Creator
Verified
Joined
Oct 9, 2016
Messages
3,221
#66
Totally agree, but would like to add that using a VPN is not always everything you need. Most of the clients you'll get from the VPN providers change your DNS servers for privacy reasons... this makes you vulnerable to DNS poisoning / spoofing!
Agreed. That's why you need to select a VPN provider which has a secure DNS server.
 
Likes: Glashouse

DeepWeb

Level 20
Verified
Joined
Jul 1, 2017
Messages
984
Operating System
Windows 10
Antivirus
Kaspersky
#68
Totally agree, but would like to add that using a VPN is not always everything you need. Most of the clients you'll get from the VPN providers change your DNS servers for privacy reasons... this makes you vulnerable to DNS poisoning / spoofing!
Rightfully so. A good VPN will encrypt all of your traffic and tunnel DNS queries to its own DNS servers. Now it's up to the VPN provider to protect you. :)
 

HarborFront

Level 43
Content Creator
Verified
Joined
Oct 9, 2016
Messages
3,221
#69

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,337
#70
According to this article there are 4 common types of MITM attacks and these are

1) ARP Cache Poisoning
2) DNS Spoofing
3) Session Hijacking
4) SSL Hijacking

Understanding Man-in-the-Middle Attacks - ARP Cache Poisoning (Part 1) - TechGenix

For the ARP Cache Poisoning I thought there is specific software to handle this form of attack, and also some firewalls which have this feature too? Anyone know?
You don't have to worry about ARP unless you are connected to a LAN.

COMODO has a setting for ARP spoofing.

Research ARP cache poisoning or spoofing online. You might have to read multiple articles and piece it all together.
 

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,337
#71
Totally agree, but would like to add that using a VPN is not always everything you need. Most of the clients you'll get from the VPN providers change your DNS servers for privacy reasons... this makes you vulnerable to DNS poisoning / spoofing!
The whole point of changing the DNS is precisely to protect against DNS poisoning/spoofing. The better VPNs offer secure DNS.
 

HarborFront

Level 43
Content Creator
Verified
Joined
Oct 9, 2016
Messages
3,221
#72
You don't have to worry about ARP unless you are connected to a LAN.

COMODO has a setting for ARP spoofing.

Research ARP cache poisoning or spoofing online. You might have to read multiple articles and piece it all together.
I think ZoneAlarm firewall also has such a feature.

How about if your laptop is connected to public WiFi? Thanks
 
Likes: SHvFl

SHvFl

Level 35
Content Creator
Verified
Joined
Nov 19, 2014
Messages
2,407
Operating System
Windows 10
#75
Would you please share the names of a few VPNs that you KNOW offer secure DNS? I'm looking into 2 VPNs and unclear how secure their DNS is, at least at first look...
Private Internet Access, AirVPN...

Basically they force their DNS, which is routed through their servers. So it doesn't leak or use your ISP or location DNS.
 

HarborFront

Level 43
Content Creator
Verified
Joined
Oct 9, 2016
Messages
3,221
#77

Lockdown

From AppGuard
Developer
Verified
Joined
Oct 24, 2016
Messages
4,337
#78
Would you please share the names of a few VPNs that you KNOW offer secure DNS? I'm looking into 2 VPNs and unclear how secure their DNS is, at least at first look...
I only recommend IVPN, but it is expensive.

Search online for "That one privacy guy" and it will take you to a page where all major VPNs are reviewed

Find the Excel comparison spreadsheet
 
