this post was submitted on 13 Jul 2024
38 points (100.0% liked)

Privacy

31938 readers
759 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I am wondering if an ISP or network admin on my network would be able to change where a DNS server is located at (ex: if a DNS server is located at 132.192.175.210, the ISP/netadmin can redirect it to their own server at 11.29.102.201 to change where the DNS records point to). Does DNSSEC and DoH/DoT combat this, and how? Why is it safe to use a domain for DoH/DoT if it requires going through insecure DNS to get to a secure DNS?

top 8 comments
sorted by: hot top controversial new old
[–] viking@infosec.pub 36 points 4 months ago

Yes, easily. DNS over HTTPS is the most common fix for that.

[–] explore_broaden@midwest.social 16 points 4 months ago* (last edited 4 months ago)

Unless you are verifying DNSSEC, they could intercept any outgoing DNS queries and replace the response with whatever they want, if you are using DNSSEC they won’t be able to modify the responses since they can’t create the signatures, but they could still send queries to their own server instead of your chosen server. With either of these options they can still see what you query. DNS over TLS or HTTPS is a way to prevent all of these things, since with those you know the endpoint of your HTTPS connection is the actual server with the signed certificate and the connection is encrypted.

Edit to add: it shouldn’t matter what DNS you use to look up the IP of the DoH/DoT server, because only the real servers should have the correct private key.

[–] rasensprenger@feddit.org 14 points 4 months ago* (last edited 4 months ago)

Yes they can, but it doesn't really matter. They can't send you a faked dns response if you are connecting to the website via HTTPS, because a fake website won't have the correct certificate.

They may block your DNS queries so you can't connect to things, but they're your ISP, they can block all of your traffic anyway.

The worst they can do by injecting their own DNS server is to track your queries, but if you're not doing complicated stuff you are telling your ISP which sites you visit anyway (because of TLS Server Name Indication) and where your traffic goes (because the ISP needs a target IP to route your traffic).

A VPN "solves" all of these problems in so far as that now your ISP has a harder time tracking you, but you just moved the problem and now have to trust whoever is running the VPN server.

[–] sunzu@kbin.run 9 points 4 months ago

Ain't that is called DNS boot strapping and it is a common practice?

They sell it as for your own safety but they are just data mining and likely selling it as it is pretty useful info for marketers.

[–] nick@midwest.social 6 points 4 months ago

100% possible, it’s how adguard and piholes work

[–] adespoton@lemmy.ca 2 points 4 months ago

The other thing to consider of course is that if you use DoH/DoT, you still have to trust THAT DNS authority. All you’ve guaranteed is that a secure lookup and response transaction has hit their server, not that their server is providing an authoritative result and the operator isn’t storing/selling your requests.

[–] TheBigBrother@lemmy.world -2 points 4 months ago* (last edited 4 months ago) (1 children)

I believe your ISP can modify the default DNS of your router so when you connect through DHCP a device it will set that DNS, but if you manually set the DNS in your device ISP can't notice it.

[–] sloppy_diffuser@sh.itjust.works 7 points 4 months ago

They can modify the DNS packets still. They aren't encrypted or signed so the authenticity of a response packet cannot be verified. Parental controls from ISP relay on being able to snoop and modify your DNS (and SNI from TLS ClientHello packets).