Dnscrypt-proxy: QUESTIONS: Modem router, VPN, Firefox, Public WiFi etc

Created on 4 May 2018  路  6Comments  路  Source: DNSCrypt/dnscrypt-proxy

Hi,

I am a new user of SimpleDNSCrypt.
I am reading lot of stuff about it, trying to learn/understand how it works.
Naturally, lot of questions emerge, I tried to found answers, but it is not easy for me. So please, I have several questions:

1) In simple terms for laymen-users: What is the difference between DNSCrypt and VPN?

2) Do I need DNSCrypt if I have VPN?

3) I am a Firefox-user. Firefox recently implemented DoH + CloudFlare. If I activate it, do I need DNSCrypt for Firefox?

4) Having both "on" (DNSCrypt and Firefox DoH+CloudFlare), does it impact browser or computer performance (RAM, CPU, Internet speed etc)?

5) Using DNSCrypt, should I change DNS 127.0.0.1 at my router-modem? Should I change any other settings in my router-modem in order to use DNSCrypt?

6) If I use DNSCrypt, it will work in a public Wi-Fi?

Thanks a lot in advance!

Most helpful comment

  1. A VPN will encrypt and authenticate all your traffic. Encrypted DNS (DNSCrypt, DNS-over-SSH, DNS-over-HTTP/2, whatever) only encrypts and authenticates DNS.
  2. Depends on what you mean by DNSCrypt. You don't need encrypted DNS if you use a VPN. However dnscrypt-proxy (even through interfaces such as Simple DNSCrypt) let you block ads, trackers, inspect queries being made, remove duplicate queries, and more, to further enhance privacy.
  3. If your system has been configured to use a secure DNS, you don't. Having secure DNS in Firefox is nice, but only protects Firefox. Firefox is not the only software installed on your system, and everything else also constantly sends DNS queries.
  4. It can only degrade performance. dnscrypt-proxy has a cache, so that recent queries are served from memory. You won't take advantage of a central cache if you have two distinct things doing the same thing.
  5. Unless dnscrypt-proxy is running on your modem, you shouldn't. Just keep the default DNS configured on your modem.
  6. Yes, and that's the main use case.

All 6 comments

  1. A VPN will encrypt and authenticate all your traffic. Encrypted DNS (DNSCrypt, DNS-over-SSH, DNS-over-HTTP/2, whatever) only encrypts and authenticates DNS.
  2. Depends on what you mean by DNSCrypt. You don't need encrypted DNS if you use a VPN. However dnscrypt-proxy (even through interfaces such as Simple DNSCrypt) let you block ads, trackers, inspect queries being made, remove duplicate queries, and more, to further enhance privacy.
  3. If your system has been configured to use a secure DNS, you don't. Having secure DNS in Firefox is nice, but only protects Firefox. Firefox is not the only software installed on your system, and everything else also constantly sends DNS queries.
  4. It can only degrade performance. dnscrypt-proxy has a cache, so that recent queries are served from memory. You won't take advantage of a central cache if you have two distinct things doing the same thing.
  5. Unless dnscrypt-proxy is running on your modem, you shouldn't. Just keep the default DNS configured on your modem.
  6. Yes, and that's the main use case.

Hi @jedisct1 ... as usual, excellent answers from your side! Thank you!

Sorry my ignorance, I still have some questions:

1) I read similar answers in other articles, but I still can't understand the difference between "traffic encryption" (VPN) and "DNS encryption" (DNSCrypt). Please, can you explain in other way? I understand VPN encrypts my IP, the number of queries, the IPs I visit etc (and DNSCrypts doesn't encrypt that). So, is this the difference between VPN x DNScrypt?

5) I can't use DNSCrypt in my modem (no open firmware). SimpleDNSCrypt is in my computer with CloudFlare. So based on you answer, my modem should be 1.1.1.1 / 1.0.0.1... right?

Thanks!

  1. Traffic encryption includes many protocols, and DNS is just one of them. With a VPN, your ISP doesn't see the IP addresses you are connecting to. With only DNS encryption, it does. But with a VPN, the VPN provider sees all the protocols. You have to ultimately trust them. With DNS encryption, the DNS provider only sees DNS. You also need to trust it, but less :)

  2. You can use 1.1.1.1/1.0.0.1 on your router. If it breaks related equipments such as TV or telephony, switch back to your ISP DNS.

OK @jedisct1 , please let's keep talking a little more about point 1:

With a Public Wi-Fi, let's say the owner of the modem wants to steal user credit-cards or private stuff, and he hacks his own device:

What happens if I am using DNSCrypt in my computer? How DNSCrypt avoids "middle-man attacks"?
Why did you say that one of the main DNSCrypt uses is with public Wi-Fi?

What happens if I am using a VPN?

What happens if I am not using nothing? Does the owner of this public Wi-Fi can steal every information passing trough his modem?

Thanks!

PS: Please, what is the difference between HTTPS vs DNSCrypt? And HTTPS vs VPN?

I can only recommend https://www.wilderssecurity.com/ to learn about privacy technologies.

Hi @jedisct1 ,

Thank you, once again, for all your answers here in my post, in my other first post also here at GitHub, and in my other post at CloudFlare forum. You have been great!

I always knew GitHub is not a forum, not the place for my kind of questions.
And you have been more than patient with me. Thanks also for that!

Before asking, I tried to read, to learn, to understand about DNSCrypt, VPN etc.
The problem @jedisct1 is that I don't have knowledge to differentiate garbage from trusted sources. And sorry @jedisct1 to disagree with you, even at Forums, there are a lot of people writing bullshit without any know-how. In a Forum, everyone becomes an IT expert. Another problem at Forums is that when a serious guy appears to help, he uses terms so technical that is difficult to understand, at least for average users like me.

My final conclusion is a suggestion for you:
Please, consider the possibility to add a kind of FAQ at DNSCrypt webpage/GitHub, answering questions for laymen-users but in simple language/terms. I know the DNSCrypt' Wiki and the webpage in general is full of great technical explanations. Nothing to critic there. I am just suggesting to add more simpler explanations for average users.

Thank you!

PS: Following your orientation, this is the link of my questions at Wilder Security forum. Feel free to participate:

https://www.wilderssecurity.com/threads/simple-questions-dnscrypt-vpn-modem-router-https-etc.403444/#post-2755013

Was this page helpful?
0 / 5 - 0 ratings