Page: networking:dns:dns_over_tls

Revisions: [2020/12/18 10:30] created by peter; [2020/12/18 10:36] (current) by peter
====== Networking - DNS - DNS over TLS ======

DNS is insecure because by default DNS queries are not encrypted, so anyone positioned on the path between client and resolver (man-in-the-middle) can read or alter them.  This is what makes DNS Cache Poisoning possible.

As DNS is based on UDP, which is a connection-less protocol, any DNS response can easily be forged to provide a spoofed IP.  So there is no guarantee that what a DNS query resolves to is the real IP.

**DNS over TLS** means that DNS queries are sent over a secure connection encrypted with TLS, the same technology that encrypts HTTP traffic, so no third parties can see your DNS queries.

----

===== Stubby =====

Stubby is an open-source DNS stub resolver which supports DNS over TLS by default and therefore will only send DNS requests encrypted.

<WRAP info>
**NOTE:**  A **stub resolver** is a small DNS client on the end-user's computer that receives DNS requests from applications such as Firefox and forwards them to a recursive resolver like 1.1.1.1 or 8.8.8.8.

There are other stub resolvers that also support DNS over HTTPS, such as cloudflared, but Stubby is very easy to use.

</WRAP>
  
networking/dns/dns_over_tls.1608287401.txt.gz · Last modified: 2020/12/18 10:30 by peter
