When using an anonymous communication network like Tor, to ensure privacy you must route your DNS traffic through the system even if your computer always uses DNSSEC for DNS lookups, would this be true? If so, why?
3 Answers
DNSSEC does not protect against eavesdropping; in this respect it only signs the response so the client knows it has not been spoofed:
It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.
Emphasis mine.
- 33,408
- 6
- 67
- 178
If you do DNS over your local unencrypted network, a third party could see what names you were looking up and might be able to glean some information out of those lookups. If you're a deep-cover CIA operative somewhere and they can see that you're going to super-sekret-email.cia.gov, well, even without that traffic you might be in trouble. There's also a chance that they could poison your lookups (so your traffic would go over Tor to their server) or block them entirely to deny you access. DNSSEC only prevents one of those three threats.
- 777
- 3
- 15
When your system makes DNS requests without the anonymisation network you are normally using, an eavesdropper is able to predict which sites you are visiting. Assume you want to visit https://security.stackexchange.com/. Your browser makes a DNS request and sends it to your anonymisation network, which in turn requests the site. So the eavesdropper has an idea what you are currently doing.
DNSSEC gives you authenticated DNS answers. So in the example above an attacker could forge the request and send you to another, malicious site. With DNSSEC this is not possible. However the eavesdropper still sees what DNS requests you do and can still predict the sites.
That's why it is important that your DNS (or DNSSEC) requests also go through the anonymisation network.
- 1,601
- 2
- 14
- 27
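The point made in the first and third answers (DNSSEC signs answers but leaves the queried name in cleartext, so a lookup that leaves the machine outside Tor still tells a local observer where you are going) can be seen directly on the wire. The script below is an added illustration, not code from any of the answers: it hand-builds a DNS query with the EDNS "DNSSEC OK" bit set, parses it the way a passive observer on the local network would, and for contrast builds the SOCKS5 CONNECT request (address type 0x03, domain name) that a Tor-aware client sends to the local Tor proxy so that name resolution happens inside the circuit instead of on the LAN. The packets are constructed in the script; nothing is captured from a network.

```python
import struct

# Added example for the question above; all packets are constructed here, not captured.

DNS_TYPE_A = 1
DNS_CLASS_IN = 1
DNS_TYPE_OPT = 41
EDNS_DO_FLAG = 0x8000  # "DNSSEC OK" bit in the OPT pseudo-record's flags field


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Build a plain (unencrypted) UDP DNS query for an A record, optionally requesting DNSSEC data."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 if an OPT RR is attached
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    packet = header + question
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=(ext-rcode, version, flags), RDLEN=0
        packet += b"\x00" + struct.pack("!HHBBHH", DNS_TYPE_OPT, 4096, 0, 0, EDNS_DO_FLAG, 0)
    return packet


def decode_name(data: bytes, offset: int):
    """Decode an uncompressed wire-format name starting at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointers do not occur in a query's question name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def observe(packet: bytes) -> dict:
    """What a passive observer on the local network learns from one unencrypted DNS query.

    DNSSEC adds signatures to the *response*; the question itself is still plaintext,
    so the name is readable whether or not the DO bit is set.
    """
    txid, _flags, _qd, _an, _ns, arcount = struct.unpack_from("!HHHHHH", packet, 0)
    offset = 12
    qname, offset = decode_name(packet, offset)
    qtype, _qclass = struct.unpack_from("!HH", packet, offset)
    offset += 4
    dnssec_ok = False
    for _ in range(arcount):  # walk the additional section looking for an OPT record
        _rr_name, offset = decode_name(packet, offset)
        rr_type, _rr_class, ttl, rdlen = struct.unpack_from("!HHIH", packet, offset)
        offset += 10 + rdlen
        # For OPT, the low 16 bits of the TTL field carry the EDNS flags, including DO
        if rr_type == DNS_TYPE_OPT and ttl & EDNS_DO_FLAG:
            dnssec_ok = True
    return {"txid": txid, "qname": qname, "qtype": qtype, "dnssec_ok": dnssec_ok}


def socks5_connect_request(name: str, port: int) -> bytes:
    """SOCKS5 CONNECT with ATYP=0x03 (domain name).

    Sent only over loopback to the local Tor client, which resolves the name at the
    exit relay inside the circuit, so no DNS query for the name ever leaves the machine.
    """
    host = name.encode("ascii")
    return b"\x05\x01\x00\x03" + bytes([len(host)]) + host + struct.pack("!H", port)


if __name__ == "__main__":
    query = build_query("security.stackexchange.com")
    print("local-network observer sees:", observe(query))
    print("SOCKS5 CONNECT handed to Tor:", socks5_connect_request("security.stackexchange.com", 443).hex())
```

Running it prints the queried name and `dnssec_ok: True` from the parsed query, which is exactly the leak the answers describe: the DO bit asks for signed data but changes nothing about who can read the question. The SOCKS5 request shows the alternative that keeps the lookup inside Tor; a client that instead resolves the name itself and then connects via SOCKS to the resulting IP address still produces the observable query.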