unfinished intro

This commit is contained in:
cynthia 2025-06-02 21:38:18 +01:00
parent af4a1480a9
commit 990571197b
8 changed files with 30 additions and 0 deletions

BIN dnscrypt/1.png Normal file (binary file not shown; 38 KiB)

BIN dnscrypt/2.png Normal file (binary file not shown; 34 KiB)

BIN dnscrypt/3.png Normal file (binary file not shown; 40 KiB)

BIN dnscrypt/4.png Normal file (binary file not shown; 34 KiB)

BIN dnscrypt/5.png Normal file (binary file not shown; 38 KiB)

BIN dnscrypt/6.png Normal file (binary file not shown; 26 KiB)

BIN dnscrypt/7.png Normal file (binary file not shown; 77 KiB)


@ -10,6 +10,36 @@ DNS is the most common way to resolve domain names into IP addresses. It's a pre
Several solutions have popped up over the years to fix these issues, These mostly just act as wrappers around the DNS protocol in a way. This blogpost will measure the advantages and disadvantages of these solutions, and also offer a guide on how to set up each of them.
This blogpost includes: DNS over TLS (DoT), DNS over HTTPS (DoH), DNSCrypt, DNS over Tor/DNS over VPN and Local DNS
## Introductions to all the DNS protocols
### DNS over TLS (DoT)
![](1.png)
DNS over TLS is (one of) the first RFC-standard DNS encryption wrappers, wrapping the protocol around the Transport Layer Security, other than that, it's fairly simple. The problems that it has is that it has its own standard port number, which makes it easy to tell to a 3rd party that you are using DNS over TLS, and that it's slower, since it has to run over TCP rather than UDP.
### DNS over HTTPS (DoH)
![](2.png)
DNS over HTTPS is the more newer RFC-standard DNS encryption wrapper, which wraps the protocol around HTTPS and uses 443 on TCP. The benefits are about the same as DNS over TLS, except that the fact that DNS is transmitted over HTTPS makes the protocol much harder to block than DNS over TLS (DoT) due it blending in with regular HTTPS traffic. ISPs and DPIs have to resort to blocking IPs associated with common DoH servers (which does not block DoH as a whole).
### DNSCrypt
![](3.png)
DNSCrypt is the oldest DNS encryption wrapper protocol, It is more optimized for speed than DoT and DoH and uses 443 on TCP/UDP (same port as HTTPS). The port number helps obfuscate the protocol at a basic level from ISPs and other MiTMs from detecting the usage of the protocol (although it won't help against DPIs). DNSCrypt also has a feature called Anonymized DNS which we will be talking in the next sub-section.
#### Anonymized DNS
![](4.png)
(TODO)
### DNS over Tor
![](5.png)
(TODO)
### DNS over VPN
![](6.png)
(TODO)
### Local DNS
![](7.png)
(TODO)
## DNS protocol ratings
First of all, if we were to figure out which of these protocols protects us, we'll need some way to measure how well they perform. We will be measuring each of the following abilities:
* Security: Whether the DNS queries and responses are fully end-to-end encrypted (from user to the DNS server, including the Tor nodes/VPN node in-between)
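Review bot: The DoT paragraph says DoT "has its own standard port number" but never names it; state that it is TCP/853 (RFC 7858), because that fixed port is exactly what lets a third party tell DoT apart from other TLS traffic, and contrast it with DoH sharing TCP/443 with ordinary HTTPS. In the DNSCrypt paragraph, "uses 443 on TCP/UDP" reads as a protocol requirement, whereas a DNSCrypt resolver advertises its own port in its stamp and 443 is only the common choice, so "commonly uses" would be more accurate. Smaller points: the image references `![](1.png)` are relative while the files are added under `dnscrypt/`, so confirm the post itself lives in that directory or the images will not render; the images have empty alt text; and "fix these issues, These mostly just act" needs a full stop or a lowercase "these". The four "(TODO)" subsections are consistent with a work-in-progress commit titled "unfinished intro".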