- Apr 16, 2017
- 2,603
The associated guide may contain user-generated or external content.
- Apr 1, 2017
- 1,782
IF you use Yandex browser you don't need it.
I can't use it any more cuz government blocked it(5 months ago)
DNS spoofing protection
Protect active security technology scans files and website for viruses, blocks fraudulent webpages, protects passwords and bank card details, and keeps online payments safe from theft.
DNSCrypt
The world's first browser with support for DNSCrypt technology. Encrypts Domain Name System (DNS) traffic. For example, it protects from a trojan DNSChanger, a tracking Internet provider, or hackers. This option must be enabled in the browser settings.
I can't use it any more cuz government blocked it(5 months ago)
DNS spoofing protection
Protect active security technology scans files and website for viruses, blocks fraudulent webpages, protects passwords and bank card details, and keeps online payments safe from theft.
DNSCrypt
The world's first browser with support for DNSCrypt technology. Encrypts Domain Name System (DNS) traffic. For example, it protects from a trojan DNSChanger, a tracking Internet provider, or hackers. This option must be enabled in the browser settings.
- Jul 1, 2017
- 1,396
Just make sure your connection is HTTPS using TLS and it will get validated that way. Any site that cannot be validated will not be resolved using HTTPS and your browser will tell you that it could not connect or reset the connection or connection timeout.
I would also argue to worry less about the last mile from DNS resolver to your PC. Worry more about what your DNS resolver does. If you have DNSCrypt but your resolver doesn't use DNSSEC, what's the point. Your resolver gets fooled and will send you the wrong address. If your DNS resolver validates DNSSEC, you get herd immunity by it validating all queries it receives for you before they get sent to you.
This is another example where you choose between privacy and security. If you want security, actually your ISP has DNSSEC validating resolvers that are the least likely to be spoofed because they have the experience, they log traffic to pay attention to criminals, and it would hurt their image the most if people found out that their traffic gets routed to the wrong place. Your ISP's DNS resolvers also can only be accessed by subscribers like you which further reduces the attack surface. Finally most ISP DNS resolvers will reject pings and other queries making them practically invisible on the web. If you don't believe me, test them here: GRC | DNS Nameserver Spoofability Test
Long story short your ISP's DNS resolvers are the most secure but also the least private when it comes to govt surveillance and logging. Those other DNSCrypt resolvers may be more private but also easier to fall victim to DNS cache poisoning because they are run by volunteers, not billions in revenue from paying customers. Unless you are on public wifi I wouldn't worry. If you are on public wifi, VPN is a must anyway.
I would also argue to worry less about the last mile from DNS resolver to your PC. Worry more about what your DNS resolver does. If you have DNSCrypt but your resolver doesn't use DNSSEC, what's the point. Your resolver gets fooled and will send you the wrong address. If your DNS resolver validates DNSSEC, you get herd immunity by it validating all queries it receives for you before they get sent to you.
This is another example where you choose between privacy and security. If you want security, actually your ISP has DNSSEC validating resolvers that are the least likely to be spoofed because they have the experience, they log traffic to pay attention to criminals, and it would hurt their image the most if people found out that their traffic gets routed to the wrong place. Your ISP's DNS resolvers also can only be accessed by subscribers like you which further reduces the attack surface. Finally most ISP DNS resolvers will reject pings and other queries making them practically invisible on the web. If you don't believe me, test them here: GRC | DNS Nameserver Spoofability Test
Long story short your ISP's DNS resolvers are the most secure but also the least private when it comes to govt surveillance and logging. Those other DNSCrypt resolvers may be more private but also easier to fall victim to DNS cache poisoning because they are run by volunteers, not billions in revenue from paying customers. Unless you are on public wifi I wouldn't worry. If you are on public wifi, VPN is a must anyway.
- Jun 4, 2017
- 174
totally agree but whould like to add that using a VPN is not always everything you need. most of the clients you'll get from the vpn providers change your DNS Servers for privacy reasons... this makes you vulnerable for dns poisening / spoofing!
Agreed. That's why you need to select a VPN provider which has secure DNS server
- Jun 4, 2017
- 174
or overide the vpn providers settings and use your prefered ones...
- Jul 1, 2017
- 1,396
Rightfully so. A good VPN will encrypt all of your traffic and tunnel DNS queries to its own DNS servers. Now it's up to the VPN provider to protect you.
According to this article there are 4 common types of MITM attacks and these are
1) ARP Cache Poisoning
2) DNS Spoofing
3) Session Hijacking
4) SSL Hijacking
Understanding Man-in-the-Middle Attacks - ARP Cache Poisoning (Part 1) - TechGenix
For the ARP Cache Poisoning I thought there are specific software to handle this form of attack and also some firewall which has this feature too? Anyone knows?
1) ARP Cache Poisoning
2) DNS Spoofing
3) Session Hijacking
4) SSL Hijacking
Understanding Man-in-the-Middle Attacks - ARP Cache Poisoning (Part 1) - TechGenix
For the ARP Cache Poisoning I thought there are specific software to handle this form of attack and also some firewall which has this feature too? Anyone knows?
You don't have to worry about ARP unless you are connected to a LAN.
COMODO has a setting for ARP spoofing.
Research ARP cache poisoning or spoofing online. You might have to read multiple articles and piece it altogether.
The whole point of changing the DNS is precisely to protect against DNS poisoning\spoofing. The better VPNs offer secure DNS.
I think Zonealarm firewall also has such a feature
How about if your laptop is connected to public WiFi? Thanks
- Apr 16, 2017
- 2,603
would you please share the names of a few vpn that you KNOW offer secure dns. I'm looking into 2 vpn and unclear how secure their dns is, at least at first look...
- Nov 19, 2014
- 2,350
Private internet access, airvpn...
Basically they force their dns which is rooted through their servers. So it doesn't leak or use your isp or location dns.
Last edited:
- Jun 4, 2017
- 174
My choice when it comes to privacy: Mullvad - World-Class VPN Service
Or if you would like to take a look at a good comparisson: That One Privacy Site | Welcome
Or if you would like to take a look at a good comparisson: That One Privacy Site | Welcome
If I'm not wrong Windscribe VPN has it
Actually. AV software like paid products from Avast have Secure DNS too
Secure your DNS | Defend against DNS hijacking attack
I only recommend IVPN, but it is expensive
Search online for "That one privacy guy" and it will take you to a page where all major VPNs are reviewed
Find the Excel comparison spreadsheet
- Jun 4, 2017
- 174
- Apr 16, 2017
- 2,603
Similar threads
