Use DNSCrypt by default in Kicksecure? (not Whonix!)

Looks good. What about DNSSEC?
Some domains support it. Other’s don’t. Therefore probably nobody is setting their browsers or programs to only accept authenticated DNS replies.

1 Like

https://madaidans-insecurities.github.io/encrypted-dns.html#security will likely apply to DNSSEC too.

This paper is nice as its relative to show aspects of clearnet DNS flaws and advantages of GNS.

This tool looks cool for system DNS.

1 Like

maybe this can be added to ESNI advantages and compromises:


1 Like

DNSSEC seems more useful in theory. Under the assumption that DNSSEC cannot be stripped similar to sslstrip… [1] [2]

DNSSEC can transmit information signed/authenticated information. (DNSSEC root trust key… [3]) Some such information can be potentially very worthwhile.

  • CAA policy:
    • CAA policy is written in DNS which can restrict which CA can issue certificates.
      (DNS Certification Authority Authorization (CAA) Policy / DNSSEC for whonix.org / ssllabs.com test results)
    • CAA policy is similar to CA pinning. Unfortunately, CAA policy is only consumed by CA authorities to check if they are allowed to issue a certificate for a website. A malicious/hacked CA might ignore it. But then there is nowadays certificate transparency logs so such CA would be spotted and expelled. I recognize that doesn’t help the victims of successful MITM in case of a compromised CA.
    • Unfortunately browsers do not check CAA policy from DNS. [4]
  • DANE TLSA [5] [6]
    • In short: use DNS (authenticated by DNSSEC) to authenticate the TLS certificate.
    • Not an option for browsers yet, or ever(?) but perhaps good for mail servers? Didn’t investigate that.
  • Other seemingly less important DNS entries such as SPF, DKIM, DMARC.

Can browsers such as Firefox, Chrome, Tor Browser verify DNSSSEC and can these be DNSSEC striped in their current default configuration? If yes, are fixes planned? I mean, if a domain was DNSSEC signed and the signature was stripped, would these browsers reject the connection?

[1] Let’s call that DNSSEC strip?

[3] Ignoring the issue of who is holding the highest hierarchy DNSSEC root signing key. At least it is a different key holder than the many trusted key holders in the TLS CA system.
[4] https://security.stackexchange.com/questions/180903/why-dont-browsers-check-caa-records-to-help-ensure-a-certificate-is-valid
[5] https://www.whonix.org/wiki/Dev/About_Infrastructure#DANE_TLSA

It’s in Debian.
Kicksecure was previously enabling it by default. Considering an opt-in package to easily enable it.


I think it’s better to download the package from here - https://github.com/dnscrypt/dnscrypt-proxy/releases/tag/2.0.44
$ sudo ./dnscrypt-proxy

Thus, it can be used when needed.
Can be installed as a service.

I don’t see any reason for this. And there are reasons against that:

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Investors] [Priority Support] [Professional Support]