[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] DNSSEC better protecting users?

I know it's off topic but if you do use DNSCrypt by forcing DNS over
TCP make sure you don't use OpenDNS servers. If you're familiar with
OpenDNS you know they have a control panel where you can admin the
service wrt it's external ip relation. DNS based filtering and
monitoring of requests. If you do use OpenDNS servers it's possible
for an exit to both track the requests made *and* filter requests. Use
an alternative server.

-- leeroy

Nicolai wrote:On Sat, Jan 10, 2015 at 12:54:23AM -0800, Virgil
Griffith wrote:

> In particular, I am concerned about what subdomain a user is
> being leaked.

DNSSEC is not encrypted, so it leaks everything -- even data that
DNS doesn't.

> Are there any established ways of preventing the subdomain from
> leaked?

The best way currently is to use DNSCrypt, which encrypts DNS queries
and responses.  It's originally from OpenDNS, although there are other
providers that support DNSCrypt also.  With DNSCrypt, only the
sees your queries, instead of the provider + anyone listening in.

Note this is only the DNS angle to your question.  (Katya mentions

tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to