Viscosity support for DoH (DNS-over-HTTPS)

Got a problem with Viscosity or need help? Ask here!

Joss

Posts: 4
Joined: Fri Jun 06, 2014 7:11 pm

Post by Joss » Mon Apr 02, 2018 3:10 am
I've setup DNS in Viscosity for every connection, but I was wondering: how does Viscosity contact the resolvers in Full DNS mode? Of course the DNS request is sent through the VPN tunnel, but after exiting does it perform a DNS lookup on port 53? Or does it use DoH on port 443?

If there's no DoH support, are you willing to add this functionality to Viscosity?

From a privacy standpoint DoH would be wise imho, because even if you use a VPN, a MITM could still see which IP addresses the VPN user requests from the DNS, if the last mile (so to speak) is clear text on port 53. The MITM wouldn't know the user's true IP address, but he'd still be able to create an online activity profile, which he can use later to identify the user, even if he uses a different VPN connection.

James

User avatar
Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Thu Apr 05, 2018 1:04 am
Hi Joss,

While Viscosity configures the DNS system, the actual DNS lookups are performed by macOS. macOS does not currently have support for DNS over HTTPS. Assuming traffic to the DNS server is routed through the VPN connection, the DNS request is encrypted up until the VPN server, at which point it depends on what DNS server is being used and its configuration.

The general recommended approach when running your own VPN server is to use a DNS forwarder (e.g. dnsmasq) on the OpenVPN server, and have this set as the DNS server for the VPN connection. If you wanted to use DNS over HTTPS to the upstream DNS server from the forwarder you should be able to.

Generally though if your DNS requests are going through a VPN connection DNS over HTTPS doesn't really gain you much is the way of security or privacy benefits (unless the DNS server is the authoritative server for the domains you're using). DNS over HTTPS is only really designed to protect the "last mile" of a network, which your VPN connection is doing for you. If you believe your VPN Provider is hostile and sniffing or altering DNS requests then DNS over HTTPS could potentially help, but at that point they're likely looking at other traffic too.

We are looking at the possibility of having Viscosity support using DNS over HTTPS for server address lookups (i.e. to prevent DNS poisoning attacks against establishing a VPN connection), but it's unlikely we'll be looking at overriding macOS's DNS resolution system for lookups while a VPN connection is active.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
2 posts Page 1 of 1