finished intro

cynthia 2025-06-03 17:16:34 +01:00
parent 33e0cdd994
commit 69ba86eedc


@ -12,6 +12,8 @@ This blogpost includes: DNS over TLS (DoT), DNS over HTTPS (DoH), DNSCrypt, DNS
## Introductions to all the DNS protocols ## Introductions to all the DNS protocols
**NOTE**: The interceptor in the graphs may not be reflective of a interceptor in a real situation. While we've tried to make the interceptor reflective of most DPIs and situations involving them, there are several factors (such as TLS fingerprint, etc.) that may allow for protocol identification.
### DNS over TLS (DoT) ### DNS over TLS (DoT)
![](1.png) ![](1.png)
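Review bot: the added NOTE line has a grammar slip, "a interceptor" should read "an interceptor". Since the ratings below hinge on what the interceptor can see and do, it would help to state here which capability the graphs assume (a passive observer versus an active DPI that can block or tamper), and to name one or two of the "several factors" beyond TLS fingerprinting, so the reader knows which identification channels the diagrams deliberately leave out.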
@ -30,22 +32,23 @@ DNSCrypt is the oldest DNS encryption wrapper protocol, It is more optimized for
#### Anonymized DNS #### Anonymized DNS
![](4.png) ![](4.png)
(TODO) Anonymized DNS is a relay system where your DNS queries and responses are relayed through a DNSCrypt server, so that the final DNSCrypt server is not able to tell where the queries came from (granted if the relay and final DNSCrypt server are both not owned or associated with each other). This allows for anonymous, yet still fast DNS queries.
### DNS over Tor ### DNS over Tor
![](5.png) ![](5.png)
(TODO) DNS over Tor is simply the act of routing your DNS queries over Tor. Since Tor does not support UDP (which DNS uses), it's done using a special feature in the Tor daemon which hosts a DNS port locally that resolves domain names over at the exit node's resolver. Although the DNS data is encrypted during transit through the Tor relays, it will most likely end up unencrypted during the transmission between the exit node and the exit node's DNS server, which will allow for any 3rd parties spying on the exit node's traffic to be able to look at (or even tamper with) your DNS query and responses. But, due to the nature of Tor, it may still be anonymous.
### DNS over VPN ### DNS over VPN
![](6.png) ![](6.png)
(TODO) DNS over VPN is the act of routing your DNS queries over a VPN, This has about the same advantages and disadvantages as DNS over Tor (provided that the benefit of anonymity is dependent on the VPN you're using). For the sake of the ratings table below, we'll be referring to both DNS over Tor and DNS over VPN as DNS over Tor/VPN.
### Local DNS ### Local DNS
![](7.png) ![](7.png)
(TODO) Local DNS is the act of hosting a DNS server locally rather than using a public one on the Internet, This doesn't provide any privacy or anonymity benefits whatsoever other than the fact that the initial query (and the device who made it) is private inside your LAN, since DNS is unencrypted and the recursive queries that the DNS server makes to authoritative DNS servers is visible to any 3rd parties spying over your traffic.
The only reason you should be doing this is to host a PiHole or a DNS server that blocks away analytics domains, but for the sake of this blogpost, we'll be referring to a regular local DNS (with no blocking capabilities).
## DNS protocol ratings ## DNS protocol ratings
First of all, if we were to figure out which of these protocols protects us, we'll need some way to measure how well they perform. We will be measuring each of the following abilities: First of all, if we were to figure out which of these protocols protects us, we'll need some way to measure how well they perform. We will be measuring each of the following abilities:
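Review bot: two comma splices in the new paragraphs, "routing your DNS queries over a VPN, This has" and "a public one on the Internet, This doesn't", should become full stops (or a semicolon) before "This"; in the Local DNS paragraph "the recursive queries ... is visible" needs "are visible", and "the device who made it" reads better as "the device that made it". In the Anonymized DNS paragraph, "granted if the relay and final DNSCrypt server are both not owned" is clearer as "provided that the relay and the final DNSCrypt server are not owned by or associated with each other". Finally, "The only reason you should be doing this is to host a PiHole" is stronger than the paragraph supports; "the main reason" would match the hedged tone of the rest of the section, and it would be worth saying explicitly that the recursive queries leak the same names the client asked for, so what stays private on the LAN is only which device asked.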