-
Notifications
You must be signed in to change notification settings - Fork 0
/
encrypted-dns.html
106 lines (88 loc) · 5.35 KB
/
encrypted-dns.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
<!DOCTYPE html>
<html lang=en>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'none'; img-src 'self'; style-src 'self'; script-src 'self'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; base-uri 'none'">
<meta name="referrer" content="no-referrer">
<link rel="stylesheet" type="text/css" href="styles.css">
<title>Encrypted DNS | Madaidan's Insecurities</title>
</head>
<body>
<h1>Why encrypted DNS is ineffective</h1>
<p class="date"><em><time datetime="2022-03-06">Last edited: March 6th, 2022</time></em></p>
<p>
Encrypted DNS (<a href="https://en.wikipedia.org/wiki/DNS_over_HTTPS">DoH</a>, <a
href="https://en.wikipedia.org/wiki/DNS_over_TLS">DoT</a>, <a href="https://en.wikipedia.org/wiki/DNSCrypt">
DNScrypt</a>, etc.) is often recommended as a solution to some network privacy and security issues, but this is
not the case. This article explains why encrypting your DNS queries alone will not have any meaningful privacy
or security benefits.
</p>
<h2 id="security"><a href="#security">Security</a></h2>
<p>
Normal DNS queries are unencrypted and unauthenticated, so they can be modified and examined by an attacker.
This may sound like a big issue, but HTTPS has already solved this problem. If someone visits "madaidans-insecurities.github.io",
their browser expects a valid TLS certificate for that website, regardless if an attacker may have messed with
the DNS query. If the certificate is incorrect, the browser will produce a clear warning. <br>
<br>
If the connection is not done over HTTPS, then encrypted DNS still doesn't make a difference. The attacker can
simply modify anything other than the DNS query and achieve effectively the same result.
</p>
<h2 id="privacy"><a href="#privacy">Privacy</a></h2>
<p>
Encrypted DNS does prevent someone monitoring your traffic from seeing what domain you looked up via DNS, but
this doesn't really matter since <a href="https://twitter.com/PowerDNS_Bert/status/1175744071673028608">
there</a> <a href="https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/">
are</a> <a href="https://grapheneos.org/faq#private-dns-visited">so</a> <a href="https://arxiv.org/pdf/1911.00563.pdf">
many</a> <a
href="https://old.reddit.com/r/GrapheneOS/comments/fajx43/verizon_pixel_how_dangerous_to_install_graphene/fiz0klm/?context=3">
other</a> <a href="https://www.ndss-symposium.org/wp-content/uploads/2020/02/24301-paper.pdf">ways</a> to get that
exact same information anyway.
</p>
<h3 id="sni"><a href="#sni">SNI</a></h3>
<p>
<a href="https://en.wikipedia.org/wiki/Server_Name_Indication">Server Name Indication</a> (SNI) is an
extension to TLS which leaks the hostname that the client is attemping to connect to. For example, if
you connect to this website, someone monitoring the connection can see the following: <br>
<img src="images/wireshark-sni.jpg" alt="SNI in Wireshark">
<br>
<br>
There have been <a href="https://blog.cloudflare.com/encrypted-client-hello/">efforts to encrypt SNI</a>
which solves this issue, but currently, it's not very widespread.
</p>
<h3 id="ocsp"><a href="#ocsp">OCSP</a></h3>
<p>
<a href="https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol">Online Certificate Status Protocol</a>
(OCSP) is used to validate TLS certificates and <a
href="https://blog.seanmcelroy.com/2019/01/05/ocsp-web-activity-is-not-private/">is another way to determine the
website that you're visiting</a>. OCSP responses contain the serial number of the website's TLS certificate which
can easily be used to lookup what certificate it belongs to. <br>
<img src="images/wireshark-ocsp.jpg" alt="OCSP in Wireshark">
<img src="images/github-serial-number.jpg" alt="Github serial number">
<br>
<br>
There is also a way to prevent this via <a href="https://en.wikipedia.org/wiki/OCSP_stapling">OCSP stapling</a>,
but again, it's not very widespread.
</p>
<h3 id="ip-addresses"><a href="#ip-addresses">IP Addresses</a></h3>
<p>
Even if you are using some form of encrypted DNS, eSNI/ECH and OCSP stapling, the IP addresses of the websites you visit are
still leaked, and they can be used to identify <a href="https://blog.apnic.net/2019/08/23/what-can-you-learn-from-an-ip-address/">
over 95% of websites</a>. Some IP addresses may host multiple domains that can obscure this a small bit, but that's not
reliable and won't make any difference in most cases.
</p>
<h2 id="conclusion"><a href="#conclusion">Conclusion</a></h2>
<p>
Encrypting your DNS queries alone is not enough to hide the domains you visit and gives no security advantage.
It will only help against some very rudimentary censorship systems that rely entirely on DNS blocking, but it isn't
hard for those systems to develop workarounds. If you do want to effectively hide the websites you browse, use
a VPN or preferably, Tor.
</p>
<p class="p-final">
<a href="index.html" class="back">Go back</a>
</p>
<button class="dark-mode-toggle">🌓</button>
<script type="text/javascript" src="toggle.js"></script>
</body>
</html>