Monday, May 20, 2024

network – Should ordinary web users somehow implement end-to-end security of their DNS requests?


I’ve read that, when browsers send website requests, the DNS lookup part of the request isn’t encrypted, and is therefore a security vulnerability.

It’s not the lookup part that’s unencrypted; a typical DNS client to resolver connection is entirely unencrypted. As for the security risk, it’s mostly a privacy concern, as every entity between the client and resolver can sniff the traffic to see what/where you’re visiting. However, there’s the possibility of DNS Hijacking, though this is a relatively small risk.

In DNS Hijacking, a nefarious actor can redirect you to a site they control to gather authentication data. It also means they have to build that site convincingly enough that you’ll believe it’s the site you intended to visit. This means they’d have foreknowledge of where you were going.

Also, I am aware that routers have DNS settings, over which WiFi users have no control.

That is incorrect. Yes, your router has DNS settings, possibly populated by your ISP, but you ultimately have control over the DNS servers you make the request to.

Can and should ordinary Safari users, accessing shared WiFi in various locations, implement end-to-end security of the DNS requests originating from their Apple mobile devices? If yes, then how?

No. You’ll likely break things. Network admins use port 53 for DNS traffic, so that traffic is permitted by the firewall. This is how they can inject ads, do content filtering and logging. Encrypted traffic will go through a different port (853), which is likely blocked, meaning you’ll break your client’s ability to resolve IPs to domains.

You will also need to get a DNS client that supports encryption for this to work. For example, one of the diagnostic tools we use with DNS is dig; however, to make encrypted queries, you’ll need kdig from Knot DNS. As for your mobile devices, you’ll need a client like the 1.1.1.1 App from Cloudflare.

Would it help security if users switch to Firefox or another browser?

It will help your privacy and, at some minuscule level, it’ll help security, but all of that’s moot if the shared WiFi networks you’re connecting to don’t allow that traffic. There’s one caveat to this, however. If your browser uses DoH (DNS over HTTPS), then it will look like normal HTTPS encrypted traffic. The challenge here would be to find a client and a resolver service that offered this.

TL;DR

Should users switch to encrypted DNS? (IMO) It would be nice to see, but it’s unlikely to happen in the near future because network admins/ISPs aren’t willing to give up the visibility and control unencrypted DNS traffic affords them.
