Re: Securing DNS traffic

[Sad Clouds <cryintothebluesky%gmail.com@localhost>]

On Mon, 25 May 2020 20:37:07 -0700
Andy Ruhl <acruhl%gmail.com@localhost> wrote:

> So I'm not big into DNS and I don't have a firm grasp on all of these
> techniques, but I have an idea.
> 
> This is all just a big game of who are you hiding from right? If you
> hide from your ISP, now you have to trust the DNS server provider. Who
> among them are to be trusted?

It's not just ensuring privacy, but security as well. In the last few
years there have been quite a few attempts to subvert DNS. I found this
blog from cisco that is not too technical and most people can follow it:

https://blogs.cisco.com/security/dns-under-attack

Personally I'm not so much concerned about hiding my activity from ISP,
but making sure web and email services cannot be hacked or redirected
to malicious servers. So DNSSEC and DNS over TLS can help to some
extent. But there are many other layers to this security onion.

I've just ordered these two books, they seem like a good read:

"Managing Mission - Critical Domains and DNS: Demystifying nameservers,
DNS, and domain names"

"DNSSEC Mastery: Securing the Domain Name System with BIND"

Within a few days of me starting this thread, I got a notification from
Name.com warning that someone from China attempted to log into my old
and abandoned account.

Failed login notification
Failed on May 24, 2020, 2:42 am
IP Address: 222.173.92.154

I've not used Name.com for the past 10 years, but they seem to keep
your details forever and don't provide a facility to delete your
account. So you also need to be careful about domain registrars, some
of them could have quite lax security policies.