
I was wondering if we push our DNS over the VPN and basically let them do DNS resolution, is it possible to perform DNS poisoning and a man-in-the-middle attack on us? I know browsers check certificates, but is there any other security layer that prevents a VPN provider from doing that?

  • Do you need another security layer other than PKI TLS certificates?
    – schroeder
    Commented Jun 8, 2023 at 9:34

1 Answer

If you use plaintext UDP for DNS queries, then nothing prevents the VPN from forging the response. However, this is only a problem for plaintext protocols like HTTP, which are vulnerable to man-in-the-middle attacks anyway. When you use HTTPS, forged DNS responses can only be used to block access to the target site. It's not possible to perform a man-in-the-middle attack due to the certificate check, as you already stated.

Additionally, you can make DNS requests over TLS (DoT) or HTTPS (DoH) to prevent forged DNS responses.

  • DoT and DoH in themselves are equally unsafe - you just move trust from one party to another. To be completely safe your local resolver must implement DNSSec. Commented Jun 8, 2023 at 11:52
  • I disagree with both of your claims. DoT and DoH both do exactly what they were designed for: secure the DNS traffic between the client and a resolver. Since the OP specifically asked about man-in-the-middle attacks by a VPN provider, DoT and DoH are the right tools here. DNSSEC only covers the zones which actually use it, and that's still just a fraction of all zones. Besides that, DNSSEC has its own problems and is definitely not a panacea to “be completely safe”, as you claim.
    – Ja1024
    Commented Jun 8, 2023 at 16:23
  • You disagree without understanding anything. The resolver company/service/IP can be compromised and DNSSec is the only thing that will allow you to make sure that the IP address (or any other DNS field) you got for your request is valid. DNSSec covers the vast majority of modern high traffic websites. Without DNSSec you're essentially trusting your life on your super duper DoH/DoT provider. Even StackExchange is utilizing DNSSec. I have no "claims" I have facts. Oh God. I'm sorry, I have a feeling of disgust, so I'll just walk away. "Claims". What the hell. Commented Jun 8, 2023 at 17:29
  • I have no idea why you're so angry, but if you want to preach or sell something rather than have a reasonable discussion, this might not be the best community for you. You will definitely get counter-arguments when your claims are nonsense.
    – Ja1024
    Commented Jun 8, 2023 at 18:13
  • Interesting discussion you guys are having. @ArtemS.Tashkinov, with regard to DNSSEC: if the registrar that the domain is registered with (e.g. GoDaddy), or the TLD (e.g. Verisign, for .com), or the root (e.g. ICANN) were to 'go rogue', couldn't any one of these entities take over the DNS for the domain and serve bogus DNS records that appear to be perfectly authentic via DNSSEC? If so, are we not simply shifting our trust from DNS providers (and possibly CAs, for those that want to use DNSSEC instead of CAs for SSL authenticity) to these entities?
    – mti2935
    Commented Jun 8, 2023 at 21:24
