DNSCrypt
How can we secure DNS?
- The downside of DNS is that queries and responses travel in cleartext, which is easy to read.
- It is naturally easy to intercept.
DNSCrypt
- DNS traffic is encrypted
- DNS Responses are authenticated
- Prevents MiTM (Man in the Middle)
- Prevents DDoS
- Uses TCP or UDP port 443
Pi-hole
- Low cost and always on, with low energy use
- Dedicated secure DNS server
- Content filtering
- Ad blocking
- Protects entire network
DNSCrypt implementation
- Set up an ACL to permit only what is necessary and deny everything else.
- Tell the router: if you see UDP 53 going out, block it.
- If you see 10.11.53, permit it; this is our Pi-hole, which will work as our DNS server.
- We can tell everyone (all clients) through DHCP that this Pi-hole is our DNS server.
- If you need a DNS server, come ask the Pi-hole.
- We can enable DNSSEC, but that would require extra client configuration.
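The ACL logic from the list above, as an added example that is not part of the original notes: a first-match evaluator run over constructed flows. The addresses are placeholders from the documentation ranges, and the HTTPS permit rule is an assumed stand-in for "what is necessary". It also shows that placing the deny rule above the Pi-hole permit cuts off the Pi-hole itself.

```python
import ipaddress
from typing import NamedTuple, Optional

PIHOLE = "192.0.2.53"      # constructed placeholder, not the address from the notes
RESOLVER = "198.51.100.1"  # constructed upstream resolver

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "any"
    src: str              # source network, CIDR
    dport: Optional[int]  # destination port; None matches any port

class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int

ACL = [  # outbound, evaluated top to bottom
    Rule("permit", "any", f"{PIHOLE}/32", None),  # the Pi-hole may resolve upstream
    Rule("deny", "udp", "0.0.0.0/0", 53),         # no other host sends plain DNS out
    Rule("permit", "tcp", "0.0.0.0/0", 443),      # assumed "necessary" client traffic
]
# Same rules with the deny moved to the top: a common ordering mistake.
MISORDERED = [ACL[1], ACL[0], ACL[2]]

FLOWS = {  # constructed sample traffic
    "client plain DNS": Flow("udp", "192.0.2.20", RESOLVER, 53),
    "client DNS over TCP": Flow("tcp", "192.0.2.20", RESOLVER, 53),
    "client HTTPS": Flow("tcp", "192.0.2.20", "198.51.100.7", 443),
    "Pi-hole plain DNS": Flow("udp", PIHOLE, RESOLVER, 53),
    "Pi-hole DNSCrypt": Flow("udp", PIHOLE, RESOLVER, 443),
}

def evaluate(acl, flow):
    """Return the action of the first matching rule, or the implicit deny."""
    src = ipaddress.ip_address(flow.src)
    for rule in acl:
        if (rule.proto in ("any", flow.proto)
                and src in ipaddress.ip_network(rule.src)
                and rule.dport in (None, flow.dport)):
            return rule.action
    return "deny"  # nothing matched: deny everything else

def audit(acl):
    """Map each sample flow name to the ACL's decision."""
    return {name: evaluate(acl, flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name, action in audit(ACL).items():
        print(f"{action:6} {name}")
```

In this sketch, client DNS over TCP 53 is stopped only by the implicit deny, because the explicit deny rule covers UDP 53 alone.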