DNSSEC or DoH?

Is DNSSEC the same as DoH? I mean, DoH encrypts your packets, right? And it seems (to me) DNSSEC is the same, it just “encrypts your DNS”, so are both the same, or nearly the same, or what? :joy:

See this whole section about DNS: https://infosec-handbook.eu/blog/hns5-dns-configuration/#dns-basics

And no, DNSSEC and DoH aren’t the same. DNSSEC ensures authenticity and integrity of DNS records, while DoH mainly ensures confidentiality of DNS traffic.

2 Likes

As was said above, DoH/DoT/DNSCrypt provides encryption of DNS answers, while DNSSEC provides signing and validation confirming that the DNS server isn’t lying (which can only be confirmed when running a local DNS server, though).

1 Like

Well, can I run DoH with DNSSEC? (to make sure the “website is not lying” and to hide data from my ISP)

Thanks a lot! Also, is there any way to run both at the same time?

I think you are looking for Unbound + DNSCrypt-proxy.

Unbound should verify DNSSEC by default and you will want something like:

# From https://wiki.archlinux.org/index.php/DNSCrypt
server:
    # Unbound refuses to forward to loopback addresses unless this is disabled
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.2.1@53

Where 127.0.2.1 port 53 is the listening address/port of DNSCrypt-proxy.

1 Like

You can use DNSSEC + DoH/DoT at the same time. However, there is an important difference:

  • DoT/DoH: You need software on your device that supports DoT/DoH, and a server that supports DoT/DoH. Then, you directly connect to the server, and DNS traffic between you and this server is encrypted.
  • DNSSEC: You need either software on your device that validates DNS records that were signed with DNSSEC, or this is already supported by your DNS resolver. Then (and this is important here), domains that you enter in your clients (e.g., you enter privacytools.io in Firefox) need DNSSEC-signed DNS records. So, while DNSSEC might be enabled on your side, not every domain on the internet has DNSSEC support.

In summary, if you enable DoT/DoH (and enforce it on your clients), you always get encrypted DNS traffic between your clients and your DNS resolver. However, if you enable DNSSEC validation, you only get validated DNS records for domains which come with DNSSEC-signed DNS records.
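To make the distinction in the answer above concrete, here is an added example (not code from the thread or from any of the projects mentioned) that shows where each mechanism lives in the protocol: DoH only changes the transport, so the client packages a normal wire-format DNS query into an HTTPS request (the RFC 8484 GET form); DNSSEC validation shows up in the response as the AD (Authenticated Data) header flag, which a validating resolver sets only for zones that are actually signed, or as SERVFAIL when validation fails. The resolver URL, the domain names and the three response messages are constructed sample values, not captured traffic.

```python
import base64
import struct

# Wire-format constants from RFC 1035 (header flags) and RFC 6891 (EDNS0)
QTYPE_A = 1
QTYPE_OPT = 41
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020    # Authenticated Data: the resolver validated the DNSSEC chain
RCODE_MASK = 0x000F
EDNS_DO = 0x8000    # DNSSEC OK bit, carried in the OPT record's TTL field


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a DNS query with an EDNS0 OPT record that asks for DNSSEC data (DO=1).
    The transaction ID is 0, as RFC 8484 recommends for DoH GET so HTTP caches can match."""
    header = struct.pack("!HHHHHH", 0, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire query, padding stripped, in the dns= parameter.
    The TLS session to resolver_url is what hides the query from the network path."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just past it in the message)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the RCODE, whether AD is set, and any A records in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & RCODE_MASK, "ad": bool(flags & FLAG_AD), "addresses": addrs}


def constructed_response(flags: int, answer: bool = True) -> bytes:
    """Constructed sample reply for example.com (not captured traffic)."""
    header = struct.pack("!HHHHHH", 0, flags, 1, 1 if answer else 0, 0, 0)
    body = header + encode_name("example.com") + struct.pack("!HH", QTYPE_A, 1)
    if answer:
        # Name pointer to offset 12 (the question name), A/IN, TTL 300, 192.0.2.1 (documentation range)
        body += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    return body


VALIDATED = constructed_response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)          # signed zone, chain verified
UNSIGNED = constructed_response(FLAG_QR | FLAG_RD | FLAG_RA)                     # answer, but zone has no DNSSEC
BOGUS = constructed_response(FLAG_QR | FLAG_RD | FLAG_RA | 2, answer=False)      # SERVFAIL: validation failed

if __name__ == "__main__":
    print(doh_get_url("https://doh.example/dns-query", build_query("privacytools.io")))
    for label, msg in [("validated", VALIDATED), ("unsigned", UNSIGNED), ("bogus", BOGUS)]:
        print(label, parse_response(msg))
```

Note that the AD flag is an assertion by whichever resolver you talk to, so it is only worth acting on over a channel you trust or when validation runs locally (as the Unbound suggestion earlier in the thread does); that is exactly why the two mechanisms complement rather than replace each other. The unsigned case returns a perfectly good answer with AD clear, which matches the point above that DNSSEC only helps for domains whose operators have signed their zones.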