[Berlin-wireless] encryption over open wifi
Carsten Schiefner
carsten at schiefner.berlin
Sat Apr 2 16:03:13 CEST 2022
On 02.04.2022 13:21, tomas at tuxteam.de wrote:
>On Sat, Apr 02, 2022 at 01:40:08AM -0700, freifunki098 at riseup.net wrote:
>> [...]
>
>> https has become a standard so about that part there isn't too much to
>> worry about.
>> ssl for DNS requests aren't yet.
>
> That would be DNSSEC (it can't be TLS, DNS uses the wrong protocol
> suite for that). It's not widespread, but it exists.

Ahem...

That does not appear to be entirely correct.

DNSSEC "only" protects the authenticity of the DNS data received - that
is, e.g., that the data has not been altered on its way from the server to
the requestor. It still is full clear text and can be looked at by any
interceptor between the server and the requestor.

If that is not wished for, e.g. for reasons of privacy, one could deploy
DNS over TLS ("DoT") and/or DNS over HTTPS ("DoH") to protect one's
queries - be they plain DNS or DNSSEC - from any third party inspection.

As such, both approaches are pretty much orthogonal to each other as
they serve different and independent purposes.

Best,
-C.
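
The distinction drawn in the message above, as an added example that is not part of the original post: a DNS query with the DNSSEC OK (DO) bit set is built in wire format and then read back the way an on-path observer would read it, without any key. The name `example.org` and the function names are constructed for the illustration.

```python
import struct

OPT_TYPE = 41          # EDNS0 OPT pseudo-record (RFC 6891)
DO_BIT = 0x00008000    # "DNSSEC OK" flag inside the OPT TTL field (RFC 3225)

def build_query(name, qtype=1, dnssec_ok=True, txid=0x1234):
    """Build a wire-format DNS query (RFC 1035) carrying one EDNS0 OPT record."""
    # Header: id, flags (RD=1), 1 question, 0 answers, 0 authority, 1 additional
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root owner name, type 41, class = UDP payload size, TTL = flags
    ttl = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, ttl, 0)
    return header + question + opt

def observe(packet):
    """Return what anyone between client and resolver can read from the packet."""
    _txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    pos, labels = 12, []
    while packet[pos]:                       # length-prefixed labels until 0x00
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    do_bit = False
    if arcount:
        # Assumption: the single additional record is the OPT built above.
        _owner, rtype, _udp, ttl, _rdlen = struct.unpack("!BHHIH", packet[pos:pos + 11])
        do_bit = rtype == OPT_TYPE and bool(ttl & DO_BIT)
    return {"qname": ".".join(labels), "qtype": qtype, "dnssec_ok": do_bit}

if __name__ == "__main__":
    pkt = build_query("example.org")         # constructed sample query
    print(pkt.hex())
    print(observe(pkt))                      # the name is readable despite DO=1
```

Asking for DNSSEC changes only a flag in the query; the queried name stays in clear text on the wire. With DoT or DoH the same bytes would travel inside a TLS session, and `observe` would have nothing to parse.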