Advice Request SIMPLE QUESTIONS: DNSCrypt, VPN, Modem router, HTTPS etc

[Decopi]

Hi,

I have not a paranoid security/profile. But I am looking for an average good security/privacy protection. Not minimum, not paranoid, an average one.
Please, allow me several simple questions, and please try to answer in simple language:

1) I have my Modem-Router with a password and WPA2 AES cryptography/encryption.
I read that this can negatively affect computer performance (RAM, CPU, internet speed etc). So, in order to avoid that and improve my computer performance, I want to disable Modem-Router password + WPA2 AES cryptography/encryption. In compensation, in order to protect my security/privacy, I will enable access to my Modem-Router only to a predefined list of MAC addresses (devices). In other words, no MAC addresses (no devices) can access my Modem-Router, if they are not in my predefined list. Also, I hide the name of my network.
Is that "ok"? Or do I need the WPA2 AES cryptography/encryption?

2) I am using SimpleDNSCrypt.
Is DNSCrypt a must? Or is DNSCrypt not necessary?
If it is a must, is DNSCrypt enough? Or do I need something else?

3) I read that DNSCrypt encrypts DNS. But I don't understand the meaning of that in simple language, in my real day.
I know VPN will encrypt all my traffic communications.
DNSCrypt is not going to encrypt my IP, the number of queries, the destiny of my queries etc. But is DNSCrypt going to encrypt at least the content of my traffic communications? (passwords, credit-cards etc). Or my confidential data will be exposed?

4) Why do I need DNSCrypt or VPN, if I have WPA2 AES in my Modem-Router? Does my WPA2 AES prevent "middle-man attacks"?

5) Why do I need DNSCrypt or VPN, if I have HTTPS in my browser? Does HTTPS prevent "middle-man attacks"?

6) How DNSCrypt avoids "middle-man attacks"?

7) I use Firefox, and recently Firefox implemented DoH+CloudFlare.
I understand that DNSCrypt works in all my computer. But do I need to use DNSCrypt for all my computer?
Or is enough to use Firefox DoH+CloudFlare?

8 ) In a Public Wi-Fi, let's say the owner of the Modem-Router wants to steal user credit-cards or private stuff, and he hacks his own device: What happens if I am not using nothing? Does the owner of this public Wi-Fi can steal every information passing trough his Modem-Router?
How DNSCrypt will protect me in this example?

Please, if possible, I will appreciate if you answer me following the number of my questions.
Thank you in advance!

 

[Arequire]

1) I have my Modem-Router with a password and WPA2 AES cryptography/encryption.
I read that this can negatively affect computer performance (RAM, CPU, internet speed etc). So, in order to avoid that and improve my computer performance, I want to disable Modem-Router password + WPA2 AES cryptography/encryption. In compensation, in order to protect my security/privacy, I will enable access to my Modem-Router only to a predefined list of MAC addresses (devices). In other words, no MAC addresses (no devices) can access my Modem-Router, if they are not in my predefined list. Also, I hide the name of my network.
Is that "ok"? Or do I need the WPA2 AES cryptography/encryption?

Do not do this. MAC addresses are easily spoofed and that encryption is the only thing stopping someone from latching onto your network and viewing your WiFi traffic.

2) I am using SimpleDNSCrypt.
Is DNSCrypt a must? Or is DNSCrypt not necessary?
If it is a must, is DNSCrypt enough? Or do I need something else?

DNSCrypt isn't necessary and can result in slower page loading if the DNS server is resolving your DNS queries slower than your ISP. It honestly depends on if you're happy leaving your DNS requests unencrypted or not (most people are as DNS attacks aren't as common as malware infections). Keep in mind that even though they are encrypted (which prevents snooping, MITM attacks and DNS spoofing) the server you're sending your DNS queries to can still see them all although most DNSCrypt servers claim to be non-logging.

3) I read that DNSCrypt encrypts DNS. But I don't understand the meaning of that in simple language, in my real day.
I know VPN will encrypt all my traffic communications.
DNSCrypt is not going to encrypt my IP, the number of queries, the destiny of my queries etc. But is DNSCrypt going to encrypt at least the content of my traffic communications? (passwords, credit-cards etc). Or my confidential data will be exposed?

DNSCrypt doesn't encrypt your network traffic, only your DNS requests (which is turning domain IP addresses into domain names). Your communications are still secure if they're being transmitted over HTTPS.

4) Why do I need DNSCrypt or VPN, if I have WPA2 AES in my Modem-Router?

WPA2 refers to the encryption governing your WiFi.

Does my WPA2 AES prevent "middle-man attacks"?

Your router's encryption would protect against an attacker decoding or injecting their own traffic as they don't know the encryption key. Encryption doesn't offer full protection on its own; authentication goes along with it to provide protection.

Why do I need DNSCrypt or VPN, if I have HTTPS in my browser?

You don't need them. They're optional.

Does HTTPS prevent "middle-man attacks"?

Router encryption answer above applies to this as well.

6) How DNSCrypt avoids "middle-man attacks"?

Your DNS requests are encrypted, thus DNS requests can't be decoded and read by an attacker.

7) I use Firefox, and recently Firefox implemented DoH+CloudFlare.
I understand that DNSCrypt works in all my computer. But do I need to use DNSCrypt for all my computer?
Or is enough to use Firefox DoH+CloudFlare?

As far as I'm aware DoH in Firefox isn't currently available in the stable build, only the builds that are version 60.x or above such as Nightly. It's also not activated by default in said builds; you have to go and configure it yourself.

8 ) In a Public Wi-Fi, let's say the owner of the Modem-Router wants to steal user credit-cards or private stuff, and he hacks his own device: What happens if I am not using nothing? Does the owner of this public Wi-Fi can steal every information passing trough his Modem-Router?

The router's owner would be able to see all your unencrypted traffic passing through said router. They may also be able to plant malware on your system if file-sharing was turned on.

How DNSCrypt will protect me in this example?

It would only protect your DNS queries from being viewed, not your unencrypted traffic.

TL;DR:

• Keep your router encryption turned on
• DNSCrypt or a VPN are completely optional
• Your communications are secure over HTTPS
• Always use a VPN on public WiFi

I'm not the most knowledgeable person when it comes to network security but I've answered with what knowledge I have.
There are much more experienced members on this forum that are far more qualified to answer your questions. They may be happy giving you more detailed answers.

Hope this helps.

 

[Decopi]

Do not do this... Hope this helps.

What a nice, complete and clear answer! Thank you @Arequire !

Did you hear about DNSSEC?
What is your opinion?
How do I use it in Windows 10?

 

[Arequire]

Did you hear about DNSSEC?

I know about DNSSEC. It uses encryption keys and digital signatures to verify the site you're communicating with is legitimate.

What is your opinion?

It's useful but chances are you won't know it's enabled unless specifically stated by your DNS provider.

How do I use it in Windows 10?

It's up to your DNS provider to whether it's used or not. If you're using Simple DNSCrypt then some specifically state that they're using it on the list of resolvers.

 

[Decopi]

I know ... lvers.

Please @Arequire , one more question. I understood your suggestion that DNSCrypy is not really needed. But please, let me understand something else:

DoH works only in Firefox. So, specifically in my browser, I am already covered with encryption of my DNS requests. Here I don't need DNSCrypt.
However, DNSCrypt works in all my computer. If I am covered in my browser with Doh, do I really need DNSCrypt for the rest of my computer DNS requests? In other words: Out of my browser, is there anything real confidential that the rest of my computer might need DNSCrypt?

 

[Arequire]

Out of my browser, is there anything real confidential that the rest of my computer might need DNSCrypt?

I doubt it. Your ISP (assuming you're using their DNS servers) will be able to see every IP address your PC connects to (which in turn would show every site you visit and every application you use), but if you're not always using a VPN then they probably already know that anyway. DNSCrypt will ensure third-parties (besides your ISP) won't be able to see your DNS requests and will provide protection against MITM and DNS spoofing, but all three situations aren't exactly common unless you're living under some repressive regime.

Keep in mind that whether you encrypt your DNS requests or not you won't see any actual benefits or consequences of doing so. It's a completely passive security addition.

 

[Arequire]

Oh and I researched the Firefox DoH situation. I edited my answer in the list of questions and I'll put the answer here too:

As far as I'm aware DoH in Firefox isn't currently available in the stable build, only the builds that are version 60.x or above such as Nightly. It's also not activated by default in said builds; you have to go and configure it yourself.

 

[Decopi]

@Arequire , thanks for your last two answers.

My fault about Firefox! I have Firefox 60 Beta, sorry, didn't mentioned. I did implement DoH with CloudFlare and it works like a charm.

I am arriving to my final conclusions. Please, correct me if I am wrong:

a) Modem-router:
Must be encrypted with a strong password.
DNS must be defined at both, modem-router and computer level. My choice is CloudFlare (I checked, it works with DNSSEC).

b) Browser:
HTTPS is a must to encrypt content (against MiTM).
DoH is a must to encrypt DNS requests (against MiTM).
A good security combo (extensions + AV) are a must in order to protect against phishing, scams, malwares etc.
Privacy extensions are desirable (FIP, Containers, 3rd-party blockers, adblockers etc).

c) DNSCrypt only is really needed, if there are other sensible apps in the computer. And even in this case, is a very passive addition.

d) VPN is a must at public WiFis.

Anything else?
Is this a good conclusion for average users?

 

[Arequire]

DNS must be defined at both, modem-router and computer level. My choice is CloudFlare (I checked, it works with DNSSEC).

If you set your router to use Cloudflare's DNS servers then every device connected to your router (including WiFi devices) will also use Cloudflare's DNS servers. If you just set your PC to use Cloudflare and not your router then only your PC will use it.

DoH is a must to encrypt DNS requests (against MiTM).

Unencrypted DNS requests aren't the be-all, end-all. The majority of people using the internet don't encrypt their DNS requests and they get along perfectly fine. MITM attacks aren't something to be all that concerned about.

The rest looks fine.