drduh / macOS-Security-and-Privacy-Guide

Guide to securing and improving privacy on macOS

Home Page:https://drduh.github.io/macOS-Security-and-Privacy-Guide/

Whom are you protecting against with DNSMASQ/DNSCRYPT

AndrewtheCanon opened this issue · comments

I see this write up here about DNSCRYPT/DNSMASQ and am wondering if I need it: https://github.com/drduh/macOS-Security-and-Privacy-Guide#dnsmasq

In general, DNS traffic is unencrypted, so somebody with access to the router, monitoring port 53, could find the servers a host has visited. Using DoH (using the default settings in Chrome) largely mitigates that.

If you are using a VPN, most VPNs already provide services where the DNS is resolved at the DNS provider. So assuming that the DNS provider is not snooping on your traffic, there is not much risk.

So I am wondering what the additional benefit of using DNSCRYPT/DNSMASQ is over the DoH already provided by Chrome? Is this mostly useful for enterprise networks, where the number of name resolutions is much smaller and more susceptible to DNS cache snooping attacks?

commented

I see this write up here about DNSCRYPT/DNSMASQ and am wondering if I need it: https://github.com/drduh/macOS-Security-and-Privacy-Guide#dnsmasq

1. Browser option (any Chromium fork or Firefox)
2. Additional software; more about the software decision you can read here

A nice tutorial for stubby+dnsmasq is here

commented

It's mostly for privacy: to filter undesired domain names, and it is possible to block whole TLDs with dnsmasq (unlike with hosts file). It is also useful to keep a local audit trail, since as you point out DNS is unauthenticated and a possible source of attack; it's good to see and know what domains are being resolved and to what. You could run a packet capture or Wireshark, but I like this setup more.
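The two points in the reply above, blocking whole TLDs (which a hosts file cannot express) and keeping a local audit trail, as an added example that is not part of the guide or of this thread. It writes a minimal dnsmasq configuration that forwards only to a local encrypted stub (stubby or dnscrypt-proxy) and then parses a constructed sample of dnsmasq's `log-queries` output to show which names were resolved upstream, which were answered locally by an `address=` rule, and to what. The upstream port 5353, the log path, the sample log lines and the blocked TLDs are assumptions chosen for illustration; the log line format is the one dnsmasq writes when `log-facility` points at a file.

```shell
#!/bin/sh
# Added example (not the guide's own config): dnsmasq as a TLD-blocking,
# logging resolver in front of a local encrypted upstream.
# Assumed: stubby/dnscrypt-proxy listens on 127.0.0.1#5353, log goes to a file.
set -eu

WORK="${TMPDIR:-/tmp}/dnsmasq-audit-example"
mkdir -p "$WORK"

# 1. Configuration. address=/zip/0.0.0.0 answers every name under .zip
#    locally and never forwards it; a hosts file can only list exact names.
write_dnsmasq_conf() {
  cat > "$1" <<'EOF'
# listen on loopback only; the system resolver points at 127.0.0.1
listen-address=127.0.0.1
bind-interfaces
# ignore /etc/resolv.conf; send everything to the local encrypted stub (assumed port)
no-resolv
server=127.0.0.1#5353
# block entire TLDs
address=/zip/0.0.0.0
address=/mov/0.0.0.0
# block one domain and everything beneath it
address=/tracker.example/0.0.0.0
# local audit trail of every query, forward and answer
log-queries
log-facility=/usr/local/var/log/dnsmasq.log
EOF
}

# 2. Constructed sample of what log-queries writes (not a real capture).
#    "forwarded" = sent upstream, "reply"/"cached" = upstream answer,
#    "config" = answered locally from an address= rule.
write_sample_log() {
  cat > "$1" <<'EOF'
Jan  5 10:00:01 dnsmasq[123]: query[A] example.com from 127.0.0.1
Jan  5 10:00:01 dnsmasq[123]: forwarded example.com to 127.0.0.1#5353
Jan  5 10:00:01 dnsmasq[123]: reply example.com is 93.184.216.34
Jan  5 10:00:02 dnsmasq[123]: query[A] cdn.tracker.example from 127.0.0.1
Jan  5 10:00:02 dnsmasq[123]: config cdn.tracker.example is 0.0.0.0
Jan  5 10:00:03 dnsmasq[123]: query[A] update.evil.zip from 127.0.0.1
Jan  5 10:00:03 dnsmasq[123]: config update.evil.zip is 0.0.0.0
Jan  5 10:00:04 dnsmasq[123]: query[AAAA] example.com from 127.0.0.1
Jan  5 10:00:04 dnsmasq[123]: cached example.com is 2606:2800:220:1:248:1893:25c8:1946
EOF
}

# 3. Audit helpers. Fields: 1-3 timestamp, 4 process, 5 verb, 6 name, 7 "is"/"to", 8 value.
# Every answer, with its source and the address returned.
dns_audit() {
  awk '$5 == "reply" || $5 == "cached" || $5 == "config" { print $5, $6, $8 }' "$1"
}

# Names that hit a block rule (answered from config, never forwarded).
blocked_names() {
  awk '$5 == "config" { print $6 }' "$1" | sort -u
}

# How many queries actually left the machine for the upstream resolver.
forwarded_count() {
  awk '$5 == "forwarded"' "$1" | wc -l | tr -d ' '
}

write_dnsmasq_conf "$WORK/dnsmasq.conf"
write_sample_log "$WORK/dnsmasq.log"

echo "== answers (source name address) =="
dns_audit "$WORK/dnsmasq.log"
echo "== names answered by address= rules =="
blocked_names "$WORK/dnsmasq.log"
echo "queries forwarded upstream: $(forwarded_count "$WORK/dnsmasq.log")"
```

Point the helpers at the real log once dnsmasq is running with this configuration, and confirm the forwarding path is doing what you expect by watching port 53 on the external interface with tcpdump: with `no-resolv` and a single `server=127.0.0.1#5353` line, nothing should leave the host in the clear.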