DNS encryption

When using VPN, and assuming DNS leak tests went well, do I understand correctly that I don’t need to use any of the DNS encryption services since the VPN is taking care of that? Installing DNSCloak on iOS stopped my VPN connection.


Your normal logic internet connection (IP layer) looks usually like the following:

So you are directly connected to servers, including web servers, mail servers, DNS servers, etc.

If you add a VPN tunnel, your device is directly connected to the VPN server. This direct connection is usually cryptographically secured. Therefore, the connection between you and the VPN server comes with some additional encryption. However, the connections from your VPN server to web servers, mail servers, DNS servers, and so on are as before. There is no additional encryption on this side:

Assuming that the VPN provider just forwards your network traffic, then there is no DNS encryption between the VPN provider and the DNS server.

1 Like

So if I understand correctly the, the purpose of the DNS encryption is to prevent DNA snooping and attacks designed to divert my DNS results. Is that correct? I installed DNS Cloak on my iOS device and chose a server with DOH. But what if that server is compromised? I guess this strategy protects only from man in the middle kind of attacks? What’s the best way to use DNA encryption for free on Mac? I saw the three tools recommended on the privacytools website but they seem a bit more complicated to install/operate/understand how they work. Is there something that works out of the box like the iOS app?


We have to look at two different things here:

1. How can I be sure that the DNS response from the DNS resolver is correct?
The full Domain Name System consists of many DNS servers at different hierarchy levels. This is a complex but robust system to allow name resolution. Then, there are DNS resolvers – the servers that receive your DNS queries and send DNS responses. The DNS resolvers may forward your query to the complex DNS network behind them, but in general they use caching for performance reasons (technical detail: There is the TTL parameter for DNS records to control caching).
An attacker can inject malicious DNS records into the cache of the DNS resolver (called DNS cache poisoning or DNS spoofing). To avoid this, DNS resolvers deploy protective measures like additional checks whether DNS records are correct.
More importantly, there is DNSSEC that cryptographically secures DNS records by adding digital signatures. DNSSEC is efficient against DNS cache poisoning and deployed for the DNS root zone and original TLDs. So DNSSEC may ensure that the DNS response of your DNS resolver is correct as long as your client checks the signatures.

2. How can I be sure that the DNS response from the DNS resolver is still correct when my device gets it?
As explained before, DNSSEC adds digital signatures. However, the DNS network traffic between your client and the DNS resolver is still in cleartext. This means that some parties may be able to see the queries sent by your client and the responses of the DNS resolver. To secure this, there are either DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH). These are different standards with their pros and cons. They add encryption to your DNS queries and responses, and ensure that the DNS network traffic between your client and the DNS resolver is protected against modifications or eavesdropping.
Besides, there are several competing developments that also try to secure DNS network traffic (e.g., DNSCurve, DNSCrypt, DNS over QUIC).

Quickly looking at the description of DNSCloak, it seems to validate DNSSEC signatures and encrypts the traffic between it and the DNS resolver. So (without further technical checks) the app should ensure that you get unmodified DNS responses even if the server is compromised.

(A little side note: DNSSEC isn’t always supported. Thus, digital signatures might not be available for each and every resolved domain.)

1 Like

Great, Thanks. So in that case both my tor iOS browser and various apps on iOS will get served by the secure DNS, right? Or is tor using something else?
How can I make all of this happen on my computer (Mac) as well? I didn’t see an off the shelf easy app like this on the tools discussed on this website.

No. The Tor Browser forwards your DNS queries to the Tor exit node. So the Tor exit node asks its DNS resolver. This is necessary to prevent leaks of your real IP address. This also means that you can’t directly control the DNS resolver on the Tor network as it is configured on the Tor exit node. In many cases, the Tor exit nodes use Google or Cloudflare for DNS resolving (see https://medium.com/@nusenu/what-fraction-of-tors-dns-traffic-goes-to-google-and-cloudflare-492229ccfd42).

1 Like