Hello!
I have a question.
Is it possible, on MikroTik equipment, to configure encryption to the DNS server?
If possible, tell me how to do it.
If you mean for the protocol itself to be encrypted with SSL/TLS, then I think this doesn’t really exist except in some labs. I did a google search on the topic and only came back with a few verisign research groups.
When you think about it, this would heavily increase the load on a DNS server to have to build a crypto tunnel, the endpoints to authenticate each other, etc - for one small packet to go through: “google = 76.12.12.139” and then tear it all down.
You could build an IPSec tunnel between the Mikrotik and the DNS server, and then the UDP would just get encrypted by the more permanent connection. Of course this requires DNS servers that you control, with that IPSec software installed, and you configure a tunnel to your Mikrotik…
The question was probably about dnssec protocol…
But dnssec doesn’t encrypt DNS packets. It just “signs” them to protect from spoofing. That’s why I didn’t talk about dnssec.
OpenDNS has an encrypted resolver client, in case anyone’s interested:
https://www.opendns.com/about/innovations/dnscrypt/
I’ve been wanting this for a very long time. I have to deal with several carriers who love to sniff DNS traffic and inject their own IPs. My solution has been to include a small Linux box running dnsmasq and DNSCrypt-Proxy.
I would LOVE for a DNSCrypt-Proxy package to be available for RouterOS. It’s Open Source and quite easy to port to any platform. Maybe MikroTik would be willing to port it?
I run my own domain on a Linux box, and I use it to thwart evil ISP tendencies.
If Comcast were to transparently proxy DNS, you can rest assured there would be some IPSec to the rescue.
Although, DNSSec will at least keep anyone from sending bogus DNS replies.
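The point made twice in this thread (DNSSEC signs answers so a forged reply is detected, but the answer itself still travels in the clear) can be shown in a few lines. The following is an added example, not code from any poster or from MikroTik: it uses a symmetric HMAC as a simplified stand-in for DNSSEC's asymmetric RRSIG records (an assumption made to keep it in the standard library), a constructed sample A record, and a constructed zone key. What it demonstrates is the same in both cases: a tampered record fails verification, while a sniffer on the path can still read the name and address being resolved.

```python
import hashlib
import hmac
import json

# Constructed sample answer, as a resolver would return it (not real zone data).
RECORD = {"name": "example.com.", "type": "A", "ttl": 300, "rdata": "93.184.216.34"}

# Hypothetical zone key. Real DNSSEC uses an asymmetric key pair (private key
# signs, public DNSKEY verifies); an HMAC key is used here only for brevity.
ZONE_KEY = b"constructed-zone-signing-key-for-demo"


def canonical(record: dict) -> bytes:
    """Deterministic encoding of the record so signer and verifier hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign(record: dict, key: bytes = ZONE_KEY) -> str:
    """Produce the 'RRSIG' for a record (HMAC-SHA256 stand-in)."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, signature: str, key: bytes = ZONE_KEY) -> bool:
    """Validator side: accept the record only if the signature matches its contents."""
    return hmac.compare_digest(sign(record, key), signature)


def on_the_wire(record: dict, signature: str) -> bytes:
    """What passes over the network: the record in plaintext plus its signature.
    Signing adds integrity, not confidentiality, so the name and IP remain readable."""
    return canonical(record) + b"|RRSIG=" + signature.encode()


def injected_reply(record: dict, fake_ip: str) -> dict:
    """Model a middlebox rewriting the answer address while keeping the original signature."""
    forged = dict(record)
    forged["rdata"] = fake_ip
    return forged


if __name__ == "__main__":
    sig = sign(RECORD)
    print("genuine record verifies:", verify(RECORD, sig))
    forged = injected_reply(RECORD, "203.0.113.7")  # constructed, documentation range
    print("rewritten record verifies:", verify(forged, sig))
    print("visible on the wire:", on_the_wire(RECORD, sig))
```

Run it and the genuine record verifies, the rewritten one does not, and the wire bytes still contain `example.com.` and the address; that is exactly why the thread separates DNSSEC (spoofing protection) from IPSec or DNSCrypt (hiding the traffic from whoever is on the path).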