On Fri, Feb 7, 2014 at 2:55 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
> On Feb 7, 2014, at 7:15 AM, Maciej Soltysiak wrote:
>
>> On Fri, Feb 7, 2014 at 1:42 PM, Lonnie Abelbeck
>> <li...@lonnie.abelbeck.com> wrote:
>>> I admit it is nice to know that no-one is silently altering DNS
>>> queries/responses in transit to a trusted DNS server, but is that being
>>> overly paranoid ?
>>>
>>> Appreciate any comments...
>> I treat dnscrypt as a way to prevent query snooping by my ISP, not as
>> means to prevent altering.
>
> Thanks for your thoughts Maciej, but since the ISP routes (and logs stats)
> the network data anyway, there isn't much "privacy" to be gained by
> preventing DNS query snooping, is there ?

Partly. The ISP A that serves your trusted DNS server will be able to
correlate DNS queries and dnscrypt clients. The ISP B that serves your
dnsmasq + dnscrypt-proxy will just see encrypted traffic. They would
need to collude with ISP A.
Of course ISP A can see DNS traffic and then, say, a subsequent HTTP
query, so you're right. But client computers also leak DNS, e.g. even
when using VPN, some DNS queries might be sent outside it, so e.g.
company intranet, etc.

> I'm thinking DNSCrypt's best feature is preventing man-in-the-middle attacks
> between the router and the trusted DNS server.

Agreed!

> Lonnie

Maciej

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss