SIMPLE QUESTIONS: DNSCrypt, VPN, Modem router, HTTPS etc

Discussion in 'encryption problems' started by Decopi, May 5, 2018.

  1. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Hi,

    I am an average user, without technical knowledge.
    I don't have a paranoid security profile. But I am looking for an average good security/privacy protection. Not minimum, not paranoid, an average one.
    Please, allow me several simple questions, and please try to answer in simple language:

    1) I have my Modem-Router with a password and WPA2 AES cryptography/encryption.
    I read that this can negatively affect computer performance (RAM, CPU, internet speed etc). So, in order to avoid that and improve my computer performance, I want to disable Modem-Router password + WPA2 AES cryptography/encryption. In compensation, in order to protect my security/privacy, I will enable access to my Modem-Router only to a predefined list of MAC addresses (devices). In other words, no MAC addresses (no devices) can access my Modem-Router, if they are not in my predefined list. Also, I hide the name of my network.
    Is that "ok"? Or do I need the WPA2 AES cryptography/encryption?

    2) I am using SimpleDNSCrypt.
    Is DNSCrypt a must? Or is DNSCrypt not necessary?
    If it is a must, is DNSCrypt enough? Or do I need something else?

    3) I read that DNSCrypt encrypts DNS. But I don't understand the meaning of that in simple language, in my daily life.
    I know VPN will encrypt all my traffic communications.
    DNSCrypt is not going to encrypt my IP, the number of queries, the destination of my queries etc. But is DNSCrypt going to encrypt at least the content of my traffic communications? (passwords, credit-cards etc). Or will my confidential data be exposed?

    4) Why do I need DNSCrypt or VPN, if I have WPA2 AES in my Modem-Router? Does my WPA2 AES prevent "middle-man attacks"?

    5) Why do I need DNSCrypt or VPN, if I have HTTPS in my browser? Does HTTPS prevent "middle-man attacks"?

    6) How does DNSCrypt avoid "middle-man attacks"?

    7) I use Firefox, and recently Firefox implemented DoH+CloudFlare.
    I understand that DNSCrypt works for my whole computer. But do I need to use DNSCrypt for my whole computer?
    Or is it enough to use Firefox DoH+CloudFlare?

    8) In a Public Wi-Fi, let's say the owner of the Modem-Router wants to steal user credit-cards or private stuff, and he hacks his own device: What happens if I am not using anything? Can the owner of this public Wi-Fi steal all information passing through his Modem-Router?
    How will DNSCrypt protect me in this example?

    Please, if possible, I would appreciate it if you answer following the numbering of my questions.
    Thank you in advance!
     
    Last edited: May 5, 2018
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    By default, your ISP can see DNS requests and unencrypted Internet traffic. So can operators of WiFi hotspots. DNSCrypt obscures DNS requests from adversaries observing your uplink. But they still see what sites you access. TLS (HTTPS for websites) hides what pages you access, and the content.

    If you add a VPN, adversaries observing your uplink can see only encrypted traffic with the VPN server. They know traffic patterns, and that provides some insight into what you're doing. Torrenting, for example, is very obvious. But of course, now the VPN provider can see just what your ISP or WiFi hotspot was seeing.

    If you want more privacy, you can use nested VPN chains. Your traffic goes through VPN servers from multiple providers. And each one can see only encrypted traffic incoming and outgoing. With two VPNs (three for slack), the first VPN knows who you are, but sees only encrypted traffic, and so knows only traffic patterns, but not what sites you're accessing. The last VPN sees what sites you're accessing, and can read unencrypted traffic, but doesn't know who you are, or where you are.

    For better privacy, and something like anonymity, you can add Tor. Whonix, comprising Tor gateway and Debian workstation VMs, is the easiest way to do that. And it's easy to have the Tor gateway VM connect through nested VPN chains. That way, you have some privacy even if Tor has been pwned.
     
  3. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thank you @mirimir !

    I believe you partially answered my questions 2, 3, 5 and 8.

    Please, if you want/can, I invite you to answer the rest of my questions.

    Thank you again!

    PS: Based on your answer, what is the difference between DNSCrypt hiding my DNS requests, and HTTPS (TLS) hiding my content? Isn't HTTPS enough? Why should I hide DNS requests?
     
    Last edited: May 5, 2018
  4. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    1) Please don't do that. Keep your WPA2. Hiding your SSID or using MAC filtering is
    nothing but a speed bump to a determined hacker (I know because I scan my *******
    neighbours who think they are oh so clever when hiding/filtering... simple software
    and MAC spoofing will handle that)

    2) DNSCrypt is good and should be simple enough for average user.
    But there are also other maybe stronger encryption options
    coming available like DNS-over-TLS (I wrote a few guides but you definitely need patience and Linux for those)
    https://www.wilderssecurity.com/threads/taking-control-of-dns-for-linux-users-part-1.398676/
    https://www.wilderssecurity.com/threads/taking-control-of-dns-for-linux-users-part-2.399021/
    Besides DNSCrypt & DNS-over-TLS there is also DNS-over-HTTPS.

    3) If you use VPN and are sure that it does not leak your DNS then you are good to go.
    But it does not hurt to use encrypted DNS just in case ...

    4) Your WPA2 does nothing to protect your DNS requests that go out into the wild big bad Internet. It only
    protects against your neighbour hacking you (and even that is not guaranteed ... ;)).
    Without any encryption (VPN, DNSCrypt etc...) anyone can see the sites you connect to.

    5) Like @mirimir said, HTTPS is only for the content of the site, not for DNS.
     
  5. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thanks @Stefan Froberg !
    I am starting to get the picture, thanks to you and @mirimir .

    1) Is it really that easy to hack a Modem-Router with MAC filter enabled?
    I heard that WPA2 is also easy to hack. I am sure you are aware that last year they found a big vulnerability (https://www.krackattacks.com/).

    3) Is DNSCrypt going to encrypt at least the content of my traffic communications? (passwords, credit-cards etc). Or will my confidential data be exposed?

    5) What is the difference between DNSCrypt hiding my DNS requests, and HTTPS (TLS) hiding my content? Isn't HTTPS enough? Why should I hide DNS requests?

    If you want/can, I invite you to answer my questions 6, 7 and 8.
    Thank you again!
     
  6. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    1) Yes, MAC filtering is trivial to bypass. There is software called aircrack-ng (and others)
    that lets you see the MAC of the client that connects to the WiFi router. Of course, if there are
    no connections then nothing is shown, but after seeing the client MAC address, nothing prevents the
    attacker from spoofing it. And you can leave these attack tools running and logging everything, so sooner or
    later the attacker will see the client MAC address and know what MAC address he/she needs to spoof to
    defeat filtering.

    If you have a good password then WPA2 is actually quite strong protection. The problem
    is that many don't have a good password. Worse, there is also a thing called WPS that was like a heaven
    for crackers. Instead of bruteforcing a long WPA2 password the attacker only needed to bruteforce a very short
    pin number to gain access to the router. I think newer models have better protection against that but
    I would still disable WPS if you don't need it. Yeah, that Krack attack was big news and there should be a
    fix available for most software and routers by now.
    Also WPA3 is coming and should offer better protection.

    3) No, it only encrypts the site you visit. Everything else is clear and needs to be handled with some other
    encryption protocol like HTTPS. Of course, any e-commerce or bank site is using HTTPS anyway so you should not
    need to worry about that (make sure you see that green padlock in the Firefox address bar).

    5) HTTPS only hides content. DNSCrypt only hides DNS requests. You definitely want both.

    6) DNSCrypt (and also other encryption methods too, of course) prevents tampering with your DNS requests.
    Without any encryption anyone could see (and modify) the DNS traffic between your computer and DNS server.
    So yes, it's a Man-in-the-middle attack.

    But DNS encryption is only part of the story, there is also a thing called DNSSEC. It's a technology
    that verifies that the remote DNS server your computer is talking to
    (like, for example: google's public DNS) is really the real one and not some fake one.
    Think of it like a unique tamper proof signature that only real site has.
    Unfortunately, DNSSEC is still not widely used ...

    7) I honestly don't know much about DoH (DNS-over-HTTPS) at this point to know if it is better than DNSCrypt.
    I guess there will be at least some overhead for connections...

    8) You mean, if the public Wi-Fi router is a rogue one and sniffing users' stuff? Sure, if you don't use
    any encryption then he/she can log/tamper/redirect your traffic any way he/she pleases.
    If you use only DNSCrypt then at least he/she can't redirect your DNS connections to some fake phishing site that looks like real thing. Of course, if you are not using even HTTPS then that is a small comfort...
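    The two points made in this reply and in the earlier one (point 4 above: without encryption anyone can see the sites you connect to; points 6 and 8 here: plain DNS can be modified in transit, and a signature is what lets a client notice) are easy to see in code. The following Go program is an added example, not code from the thread or from DNSCrypt, SimpleDNSCrypt or any tool named here. It builds a plain DNS query in RFC 1035 wire format and reads the looked-up name back out the way any on-path observer could, then models an answer that is rewritten in transit: a plain-DNS client accepts the rewritten address, a client that checks a signature over the answer rejects it. The name bank.example, the two RFC 5737 documentation addresses, and the use of a single Ed25519 signature over name+address as a stand-in for DNSSEC's RRSIG records are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// buildQuery encodes a minimal plain-DNS query (RFC 1035 wire format) for an A record.
func buildQuery(id uint16, name string) []byte {
	buf := make([]byte, 12)
	binary.BigEndian.PutUint16(buf[0:], id)
	binary.BigEndian.PutUint16(buf[2:], 0x0100) // flags: standard query, recursion desired
	binary.BigEndian.PutUint16(buf[4:], 1)      // QDCOUNT: one question
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		buf = append(buf, byte(len(label)))
		buf = append(buf, label...)
	}
	buf = append(buf, 0)          // end of name
	buf = append(buf, 0, 1, 0, 1) // QTYPE=A, QCLASS=IN
	return buf
}

// observedName is what a passive on-path observer (ISP, hotspot owner) reads straight out
// of an unencrypted query: the name being looked up sits in clear text after the 12-byte header.
func observedName(pkt []byte) (string, error) {
	if len(pkt) < 13 {
		return "", errors.New("packet too short for a DNS header and name")
	}
	var labels []string
	i := 12
	for {
		if i >= len(pkt) {
			return "", errors.New("truncated name")
		}
		l := int(pkt[i])
		i++
		if l == 0 {
			break
		}
		if l >= 0xC0 || i+l > len(pkt) {
			return "", errors.New("malformed or truncated label")
		}
		labels = append(labels, string(pkt[i:i+l]))
		i += l
	}
	return strings.Join(labels, "."), nil
}

// Answer is a deliberately simplified DNS answer: the queried name and the address returned.
type Answer struct {
	Name string
	IP   string
}

func (a Answer) signedBytes() []byte { return []byte(a.Name + "\x00" + a.IP) }

// signAnswer models the resolver or zone owner attaching a signature. Assumption, not the real
// protocol: DNSSEC signs whole record sets with RRSIG records under a key chain anchored at the root.
func signAnswer(priv ed25519.PrivateKey, a Answer) []byte {
	return ed25519.Sign(priv, a.signedBytes())
}

// acceptUnsigned is the plain-DNS client: it trusts whatever answer arrives with the matching ID.
func acceptUnsigned(a Answer) string { return a.IP }

// acceptVerified refuses any answer whose signature no longer matches its contents.
func acceptVerified(pub ed25519.PublicKey, a Answer, sig []byte) (string, error) {
	if !ed25519.Verify(pub, a.signedBytes(), sig) {
		return "", errors.New("signature mismatch: answer altered or forged in transit")
	}
	return a.IP, nil
}

// Scenario records what each kind of client ends up with for the same rewritten answer.
type Scenario struct {
	ObservedName string // what the on-path observer read from the query
	UnsignedIP   string // what a plain-DNS client would connect to
	VerifiedIP   string // empty when verification rejected the answer
	VerifyErr    error
	GenuineOK    bool // the untouched answer still verifies
}

// runScenario: a constructed query for bank.example gets the genuine answer 192.0.2.10,
// which an on-path party rewrites to 203.0.113.66 (both documentation addresses).
func runScenario() (Scenario, error) {
	name, err := observedName(buildQuery(0x1234, "bank.example."))
	if err != nil {
		return Scenario{}, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	genuine := Answer{Name: "bank.example", IP: "192.0.2.10"}
	sig := signAnswer(priv, genuine)
	tampered := genuine // simulated in-transit modification: same name and signature, new address
	tampered.IP = "203.0.113.66"

	s := Scenario{ObservedName: name, UnsignedIP: acceptUnsigned(tampered)}
	s.VerifiedIP, s.VerifyErr = acceptVerified(pub, tampered, sig)
	_, gerr := acceptVerified(pub, genuine, sig)
	s.GenuineOK = gerr == nil
	return s, nil
}

func main() {
	s, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("observer reads a lookup for: %s\n", s.ObservedName)
	fmt.Printf("plain DNS client connects to: %s\n", s.UnsignedIP)
	fmt.Printf("verifying client: %v\n", s.VerifyErr)
}
```

    Run it with `go run main.go`. Encrypting the channel (DNSCrypt, DoT, DoH) is what stops the observer reading the name in the first part; the signature check in the second part is the separate, DNSSEC-style property that an answer has not been changed, which is why the reply above calls encryption "only part of the story".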
     
  7. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Well @Stefan Froberg ... one of the best, most complete and clear answers I have received. Thank you!

    5) Based on your answer, if content is hidden/encrypted (HTTPS), I don't really see why I should worry about DNS requests. What am I missing here? My interest is to prevent someone from stealing my name, address, credit card etc etc etc. I don't really care if somebody knows the websites I visit. But please, help me here, how important is it to hide my DNS requests? How important is it to use DNSCrypt in terms of privacy and also security? Am I not covered enough by HTTPS?

    6) How do I use DNSSEC in Windows 10?
     
    Last edited: May 5, 2018
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    1) MAC filter won't help you much against a targeted attack, since MAC addresses can be spoofed. As Stefan already said it's only a minor inconvenience.
    3) DNSCrypt is not going to encrypt your whole traffic - only DNS requests and answers. It won't protect your passwords and other data.
    5) HTTPS will protect most of your data traveling over the encrypted channel but it won't protect your initial request, which can be modified or forged by MiTM. So instead of ending on Facebook.com you can be redirected to Faceboook.com and by mistake give your credentials to bad guys. Also, if you value your privacy, you might not want your ISP or any other MiTM to know which domains you are visiting.
    6) DNSCrypt prevents MiTM by encrypting your DNS traffic by key belonging to DNS resolver.
    7) DNSCrypt will encrypt all DNS traffic regardless of which app sent the DNS request. DNSCrypt can replace FF built-in protection but not the other way around.
    8) Owner of router won't be able to intercept your traffic (passwords, data) if you use HTTPS. If you don't use DnsCrypt they will know your DNS requests but not much more. So for this example HTTPS is more important than DNScrypt. In such situation I would personally use VPN or not use that Router to connect to Internet.

    EDIT: OK, I'm typing slowly. You can disregard this post since Stefan already answered your questions.
     
  9. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    That's okay you can answer her other questions. ;)
    I need to rest my eyes ....
     
  10. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Nice answers @Minimalist ! Thank you.

    5) I force HTTPS. Also I have Netcraft extension + Malware extension + AV Avast free. I tested them with tons of phishing pages, malwares etc... and this combo catches 90% of the webgarbage.
    Considering your nickname "minimalist", don't you think that my security combo already protects me against MiTM attacks? Not to mention that Firefox implemented DoH. Do I really need DNSCrypt?
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Personally, if I was worried about MiTM attacks, I would use a VPN service to secure my communications. Though, you have to pay for "good" ones. If you don't think that you are under targeted attack, then you don't have to worry about it and your setup is just enough. Just don't disable encryption (WPA2) on your router. Computer performance degradation is minimal compared to the security it brings you.
     
  12. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    Thanks again @Minimalist !

    I am still waiting for @Stefan Froberg's answers. But please, let me share with you the questions I asked him:

    5) If content is hidden/encrypted (HTTPS), I don't really see why I should worry about DNS requests. What am I missing here? My interest is to prevent someone from stealing my name, address, credit card etc etc etc. I don't really care if somebody knows the websites I visit. But please, help me here, how important is it to hide my DNS requests? How important is it to use DNSCrypt in terms of privacy and also security? Am I not covered enough by HTTPS?

    6) How do I use DNSSEC in Windows 10?
    And @Minimalist , what is your opinion about DNSSEC, considering my average profile (not paranoid)?
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    5) DNS requests can be modified by MiTM if not protected. And you end up connecting to a server you did not want to. That's just one example where DNSCrypt can help you.

    6) I've never set up or used DNSSEC so I can't give you any relevant answer. If you are not "paranoid" I guess that you don't need it :)
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    If you mainly care about MitM attacks, and not privacy, you can run your own VPN. For OpenVPN, this looks pretty good: https://vpntips.com/how-to-setup-a-vpn-server/ On AWS, there's a template for OpenVPN Access Server, and it has a webGUI for setup and configuration. See https://openvpn.net/index.php/access-server/on-cloud.html Or you can create a VPN server using CloudFormation: This guide for AWS: https://www.cloudassessments.com/blog/roll-vpn-aws-cloudformation-part-one/

    For an IPSec IKEv2 server, which works best with macOS and iOS clients, check out https://github.com/trailofbits/algo
     
  15. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    @Minimalist and @mirimir ... thank you both! Very nice answers, very nice content, ideas, suggestions... thanks a lot!
     
  16. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    @Minimalist , @mirimir , @Stefan Froberg ... please, one more question:

    DoH works only in Firefox. So, specifically in my browser, I am already covered with encryption of my DNS requests. Here I don't need DNSCrypt.
    However, DNSCrypt works for my whole computer. If I am covered in my browser with DoH, do I really need DNSCrypt for the rest of my computer's DNS requests? In other words: Outside my browser, is there anything really confidential for which the rest of my computer might need DNSCrypt?
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Well that depends on software that you use. All software that connects to internet is sending DNS requests. So it depends on what software you have installed and what you are using it for.
    Just for the record: I also don't strive for a high level of privacy and security (trying to find my own "middle way") and didn't use DNSCrypt so far...
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Any other Internet app that you use could be leaking info to DNS servers. Torrenting, for example. Or chat apps. Or Dropbox. Or whatever.

    I always use VPNs, always use the VPN service's DNS servers, and only through the VPN tunnel. So DNS and Internet access are equally obfuscated. For the first VPN in a nested chain, I use trusted third-party DNS servers. I might just as well use my ISP's DNS servers, because I'm just getting IPv4 for VPN servers. But just in case I screw up, I avoid ISP DNS servers.

    If I weren't concerned much about privacy, and weren't using VPNs, I'd just use trusted third-party DNS servers. It sounds like Cloudflare's 1.1.1.1 etc is OK. Or OpenDNS even.
     
  19. Decopi

    Decopi Registered Member

    Joined:
    May 13, 2017
    Posts:
    89
    Location:
    USA
    @Minimalist , @mirimir , @Stefan Froberg ... thanks to your help + explanations + teachings + suggestions etc, I am arriving at my final conclusions. Please, correct me if I am wrong:

    a) Modem-router:
    Must be encrypted with a strong password.
    DNS must be defined at both, modem-router and computer level. My choice is CloudFlare (I checked, it works with DNSSEC).

    b) Browser:
    HTTPS is a must to encrypt content (against MiTM).
    DoH is a must to encrypt DNS requests (against MiTM).
    A good security combo (extensions + AV) is a must in order to protect against phishing, scams, malware etc.
    Privacy extensions are desirable (FIP, Containers, 3rd-party blockers, adblockers etc).

    c) DNSCrypt is only really needed if there are other sensitive apps on the computer.

    d) VPN is a must at public WiFis.

    Anything else?
    Is this a good conclusion for average users?
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Sure, but https://www.ivpn.net/blog/are-anti-malware-products-uploading-your-private-data o_O
    I recommend using Linux instead of Windows or macOS. Microsoft snoops. It has Google envy. And Apple thinks that it owns your machine. Although it's far more privacy friendly than Microsoft.
     
  21. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    +1 on 100% Linux!!

    Regarding MAC filtering and/or not broadcasting SSID, they are still OK ideas. The idea is to minimize low hanging fruit. While you are at work and NOT connected someone war driving won't see your network or MAC together. You must be connected for that to happen. So for most of the day an empty house will in no way be low hanging fruit for war drive hackers. My .02
     
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    I've disabled SSID broadcasting after I read about Google mapping SSIDs to their physical location. Still, I would not replace encryption with hiding SSID as was asked in the OP.
     
  23. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    +1
    And I would like to add: if possible use a Linux distro that has no systemd installed.
    Unfortunately there are not many beginner friendly distros like that but you could try PCLinuxOS.
    Here's a list of other systemd-free Linux distros:

    https://en.wikipedia.org/wiki/Category:Linux_distributions_without_systemd

    That systemd thing is seriously a nightmare: why would anyone, with no networking experience (and ignoring the official DNS RFCs!!!) merge a DNS service into the init system? Bypassing the libc DNS stub resolver, and it runs at PID 1 o_Oo_O? :eek:

    systemd defaults to Google dns on failure
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

    systemd dns causes dns leaks when using vpn
    https://github.com/systemd/systemd/issues/7182

    systemd dns bug can be used for denial of service or remote code execution
    https://www.zdnet.com/article/linuxs-systemd-vulnerable-to-dns-server-attack/
     