3

Is there a way to make encrypted DNS resolutions, so that a packet sniffer in the same network still can't guess what DNS has been requested?

Maybe, just thinking, by tunneling DNS requests through an HTTPS connection?

Mark

  • The real question here is, who is it that you can't trust? – Michael Hampton Nov 11 '12 at 22:52
  • Other people in the same network. For example, if I'm at Starbucks, I don't trust other people with their packet sniffers running. – Mark Nov 11 '12 at 23:06
  • You're [asking security-oriented questions](http://serverfault.com/questions/447653/does-ssl-also-encrypt-the-dns-address), but you're not articulating a clear goal. Rather than asking us about each individual (possibly misguided) piece, why not tell us what your end goal is, and ask how to accomplish it? You will probably get a better/more complete/more usable answer. – voretaq7 Nov 11 '12 at 23:58
  • Maybe you shouldn't be doing whatever you're doing on somebody else's network. If you need to hide your activity then it's extremely unlikely that it's legitimate. Wait till you get home and do it from your own network instead. – John Gardeniers Nov 12 '12 at 05:31
  • @John Starbucks is just a metaphor. I thought the question was pretty self-explanatory: is there a way to encrypt DNS queries? I personally don't know how you came to the conclusion that this means doing illegal things. What about developing a service whose authentication key is, for example, in the DNS subdomain? Ideally, if the DNS query is encrypted and the whole traffic is under SSL, this would work. The advice to "go home and do it" has really nothing to do with the original question. – Mark Nov 13 '12 at 00:34
  • @voretaq7 - as I said to John, I think that the question is pretty easy to understand, that is: how to encrypt DNS queries? The end goal is explained in the question itself, and it's about making encrypted DNS queries to prevent those queries from being sniffed on a network. To make an analogy, when someone asks "How to encrypt HTTP traffic?" and the answer is "HTTPS", the end goal is not "building a finance trading web site", the end goal is encrypting the traffic. It's the same here, just for DNS queries. – Mark Nov 13 '12 at 00:42
  • There's something fundamentally wrong with wanting to encrypt traffic that is public by design. – John Gardeniers Nov 13 '12 at 04:24
  • I didn't know; that's why I asked the question in the first place. I've read about some workarounds, like this [http://www.opendns.com/technology/dnscrypt/](http://www.opendns.com/technology/dnscrypt/), so I was wondering if there were other strategies for doing it. Also this: [https://github.com/opendns/dnscrypt-proxy](https://github.com/opendns/dnscrypt-proxy). So I wonder why this question was closed, as it was about a very specific topic. – Mark Nov 13 '12 at 06:28

3 Answers

8

Sure. Use a VPN. Preferably one with good hard encryption. I'm thinking IPSEC using AES/SHA.

But then all your traffic gets tunneled. Not sure if that's a good thing or not, for you.

Tom O'Connor
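One concrete shape for the answer above, added here as an example and not Tom's own configuration: a strongSwan ipsec.conf client entry for IKEv2 using AES-256 with SHA-256, which is the "IPsec using AES/SHA" suggestion spelled out. The gateway name vpn.example.com and the EAP identity alice are placeholders. rightsubnet=0.0.0.0/0 is what sends every packet, DNS included, through the tunnel, which is exactly the "all your traffic gets tunneled" trade-off the answer mentions.

```ini
# strongSwan ipsec.conf, client side. Placeholders: vpn.example.com, alice.
config setup

conn coffee-shop
    keyexchange=ikev2
    # IKE and ESP proposals: AES-256 encryption, SHA-256 integrity/PRF,
    # 2048-bit MODP group. The trailing '!' makes the proposal strict.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%defaultroute
    # Request a virtual IP from the gateway; the gateway can also push its
    # DNS servers in the same exchange.
    leftsourceip=%config
    leftauth=eap-mschapv2
    eap_identity=alice
    right=vpn.example.com
    rightid=@vpn.example.com
    # The gateway authenticates with its certificate.
    rightauth=pubkey
    # Route everything through the tunnel, so DNS never leaves in the clear.
    rightsubnet=0.0.0.0/0
    dpdaction=restart
    auto=start
```

The lookups are only private if the resolver itself is reached through the tunnel: use the DNS server the gateway pushes, not one learned from the café's DHCP, or the queries are either unreachable via the tunnel or answered in the clear.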
2

Check out DNSCurve by Daniel J. Bernstein. Its stated main point:

> Confidentiality: DNS requests and responses today are completely unencrypted and are broadcast to any attacker who cares to look. DNSCurve encrypts all DNS packets.

atx
1

I'd use a VPN to a trusted host/network, or maybe tor.

Dennis Kaarsemaker