Is there benefit to direct DoT and/or DoH connection compared to local DNS server?

OpenSource Ghost (Limp Gawd, joined Feb 14, 2022, 220 messages)
Assume environment where all LAN/WLAN clients connect to local DNS server using plaintext UDP port 53, the local DNS server runs Pi-Hole that creates secure DoT and DoH connections to public resolvers such as Cloudflare.

If malicious traffic interception happens on LAN/WLAN (not WAN), then is it more secure for clients to directly connect to DoT and DoH DNS resolvers (bypassing local DNS server)?
 
If there's something on your LAN that's intercepting DNS queries you're fucked no matter what.

Most likely, any such malicious process would be on the system(s) making the query, so whether the DNS resolver is local (e.g., a Pi-Hole+Unbound/Stubby for DoT/DoH) or directly to Cloudflare/Google/Quad9/etc. is irrelevant.
 
I think in this case MITM traffic sniffing is more appropriate terminology than intercept.

If WLAN traffic sniffing by MITM is happening, then wouldn't it be easier for MITM to re-direct traffic to their own servers when WiFi device is set to use local DNS server instead of being set to directly use DoT/DoH? My reasoning is that DNS queries to local DNS server over WLAN happen in plaintext, but direct DoT/DoH connection is encrypted and reduces chances of traffic re-direction by MITM. For example, Android devices have the option to use DoT directly instead of relying on local network DNS. Would it be safer to set Android devices to use DoT (and bypass local DNS server) in this case?
 
I think in this case MITM traffic sniffing is more appropriate terminology than intercept.

If WLAN traffic sniffing by MITM is happening, then wouldn't it be easier for MITM to re-direct traffic to their own servers when WiFi device is set to use local DNS server instead of being set to directly use DoT/DoH? My reasoning is that DNS queries to local DNS server over WLAN happen in plaintext, but direct DoT/DoH connection is encrypted and reduces chances of traffic re-direction by MITM. For example, Android devices have the option to use DoT directly instead of relying on local network DNS. Would it be safer to set Android devices to use DoT (and bypass local DNS server) in this case?
I'm with BlueLineSwinger. If something is on your LAN you're already fucked.

I run a Pi-hole with Unbound and it uses DNSSEC when it updates from the upstream resolvers of the world, but everything internal to my network is plain Jane DNS. I'm not worried about that in the least. If all my devices are getting DNS queries from my own trusted device I don't need to worry about DoT or DoH to protect from a MITM attack. If they're in my network and can do a MITM on my DNS queries they can pretty much do anything else they want too.
 
I think in this case MITM traffic sniffing is more appropriate terminology than intercept.

If WLAN traffic sniffing by MITM is happening, then wouldn't it be easier for MITM to re-direct traffic to their own servers when WiFi device is set to use local DNS server instead of being set to directly use DoT/DoH? My reasoning is that DNS queries to local DNS server over WLAN happen in plaintext, but direct DoT/DoH connection is encrypted and reduces chances of traffic re-direction by MITM. For example, Android devices have the option to use DoT directly instead of relying on local network DNS. Would it be safer to set Android devices to use DoT (and bypass local DNS server) in this case?
If someone is doing MITM on your LAN then they have already installed certs on your endpoints. You're already owned and DNS is the absolute least of your worries.
 
I think in this case MITM traffic sniffing is more appropriate terminology than intercept.

If WLAN traffic sniffing by MITM is happening, then wouldn't it be easier for MITM to re-direct traffic to their own servers when WiFi device is set to use local DNS server instead of being set to directly use DoT/DoH? My reasoning is that DNS queries to local DNS server over WLAN happen in plaintext, but direct DoT/DoH connection is encrypted and reduces chances of traffic re-direction by MITM. For example, Android devices have the option to use DoT directly instead of relying on local network DNS. Would it be safer to set Android devices to use DoT (and bypass local DNS server) in this case?

Well, except that it's kinda hard to MITM a transaction when there's normally nothing in between the two endpoints (e.g., a host and DNS server that are on the same subnet). I suppose some piece of malware could try to detect the address of your DNS server and spoof it, but then you'd end up with the two fighting each other in an IP and/or MAC address conflict and you'd immediately notice a problem. Not the kind of stealth such malware usually goes for.

As mentioned, the most likely infection point is a host endpoint (e.g., your PC or smartphone). If that's infected, the malware will most likely just covertly set the system to use the desired DNS server (i.e., shimming or outright replacing the host's own resolver) without outwardly reflecting any such changes. DoT/DoH will be of no help then. If that happens, just nuke the thing and start over, because it's only a matter of time before you'll be trying to figure out how to buy bitcoin to cover the ransom.

Other obvious but less likely (IMO) infection points would be the router or the Pi-Hole. My feeling is that a Pi-Hole setup is so relatively rare that few if any malware creators will go that route, the return-on-investment is just too low to bother. There are at least a couple ways to use the router. If it's a typical consumer router an obvious choice would be similar to attacking a host: shim/replace the DNS resolver, since most people just use that as the DNS server for their LAN devices (i.e., the router's DHCP serves that out). Another option would be to put a packet sniffer on the router that rewrites any unencrypted DNS queries that come across to use the desired server. This is a MITM attack, but it's between the LAN and the WAN, not two LAN nodes.
 
My reasoning was that LAN/WLAN devices can send only plaintext queries to local DNS server, but they can send encrypted queries to public DNS servers if they bypass local DNS server. It is easier to re-direct plaintext DNS queries than encrypted DNS queries.
 
If you've local DNS resolvers then only those resolvers should be allowed outbound DNS. All other DNS should be blocked on your firewall. There is little point in DNS filtering if all a client has to do is change resolvers.
 
My reasoning was that LAN/WLAN devices can send only plaintext queries to local DNS server, but they can send encrypted queries to public DNS servers if they bypass local DNS server. It is easier to re-direct plaintext DNS queries than encrypted DNS queries.
What are you actually trying to guard against here? Be specific. What attack vector are you concerned about? If you don't answer this, the rest of the thread is pointless.

As already mentioned, if someone/something is getting LAN traffic in any form, you're fucked beyond belief and DNS is the last thing you should be thinking about. If an attacker has that kind of access, they won't even be looking at DNS queries as such - they'll be discovering everything else on the LAN using other tools.

If you're smart enough to setup PiHole to use DoT or DoH for its upstreams, then you're also smart enough to setup PiHole to listen only for DoT/DoH traffic itself. The overhead would get annoying in short order, but, most of the friction points could be automated and mostly left alone.
 
My reasoning was that LAN/WLAN devices can send only plaintext queries to local DNS server, but they can send encrypted queries to public DNS servers if they bypass local DNS server. It is easier to re-direct plaintext DNS queries than encrypted DNS queries.

And we've tried to explain to you that it's not so easy to successfully get between two LAN nodes in such a way to accomplish this.


If you've local DNS resolvers then only those resolvers should be allowed outbound DNS. All other DNS should be blocked on your firewall. There is little point in DNS filtering if all a client has to do is change resolvers.

Reasonable idea. However (kinda ironically), a lot of malware has moved to using DoH to circumvent such ACLs and detection by IPS/IDS systems.
 
Reasonable idea. However (kinda ironically), a lot of malware has moved to using DoH to circumvent such ACLs and detection by IPS/IDS systems.
Sadly this is true. You can still play the cat and mouse game of blocking known DoH servers but that's generally a losing scenario. This is the primary reason I despise DoH. It's an abomination and should be stomped out of existence. DoT solves all the issues with plaintext DNS and does so in a reasonable and controllable fashion.
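The egress policy discussed earlier in the thread (only the local resolver may speak DNS outbound) and the DoH caveat raised in the last two posts both reduce to one detection question: which LAN hosts are talking DNS to anything other than the Pi-hole? The script below is an added example, not code from the thread or from the Pi-hole project. It runs over a constructed connection log (source, destination, port, protocol, optional TLS SNI) and flags three bypass patterns: plaintext port 53 to an outside resolver, DoT on port 853 to an outside resolver, and port 443 traffic whose SNI matches a watch list of public DoH endpoints. The resolver address 192.168.1.2, the LAN range and the watch list are assumptions; the SNI watch list is exactly the cat-and-mouse list the last post describes, so it catches commodity DoH use, not a resolver nobody has listed.

```python
"""Flag LAN clients that bypass the local DNS resolver.

Added example; the addressing, log format and watch list are assumptions.
Log line format (constructed): ts src_ip src_port dst_ip dst_port proto [sni=<name>]
"""
import ipaddress
from collections import defaultdict

# Hypothetical LAN layout: Pi-hole (or Pi-hole + Unbound) at 192.168.1.2.
LOCAL_RESOLVERS = {"192.168.1.2"}
LAN = ipaddress.ip_network("192.168.1.0/24")

# Hypothetical watch list of public DoH endpoints, matched on TLS SNI.
# Keeping this current is the cat-and-mouse game the thread mentions.
DOH_SNI_WATCHLIST = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

DNS_PORTS = {53, 853}  # Do53 (plaintext) and DoT

# Constructed sample log. Line 2 and line 7 are the resolver's own upstream
# DoT/DoH traffic; line 4 is a client using DoT to the local resolver itself.
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.168.1.50 51000 192.168.1.2 53 udp
2024-01-01T10:00:02 192.168.1.2 40000 1.1.1.1 853 tcp sni=cloudflare-dns.com
2024-01-01T10:00:03 192.168.1.51 52000 8.8.8.8 53 udp
2024-01-01T10:00:04 192.168.1.54 55000 192.168.1.2 853 tcp
2024-01-01T10:00:05 192.168.1.52 53000 1.1.1.1 853 tcp sni=cloudflare-dns.com
2024-01-01T10:00:06 192.168.1.53 54000 1.1.1.1 443 tcp sni=cloudflare-dns.com
2024-01-01T10:00:07 192.168.1.2 40001 1.1.1.1 443 tcp sni=cloudflare-dns.com
2024-01-01T10:00:08 192.168.1.53 54001 93.184.216.34 443 tcp sni=example.com
"""


def parse_line(line):
    """Split one log line into a record; the sni= field is optional."""
    parts = line.split()
    if len(parts) < 6:
        raise ValueError(f"malformed log line: {line!r}")
    rec = {
        "ts": parts[0],
        "src": parts[1],
        "sport": int(parts[2]),
        "dst": parts[3],
        "dport": int(parts[4]),
        "proto": parts[5],
        "sni": None,
    }
    for extra in parts[6:]:
        key, _, value = extra.partition("=")
        if key == "sni":
            rec["sni"] = value.lower()
    return rec


def classify(rec):
    """Return a bypass kind for a connection, or None if it is expected traffic."""
    if ipaddress.ip_address(rec["src"]) not in LAN:
        return None  # not a LAN client; out of scope for this check
    if rec["src"] in LOCAL_RESOLVERS:
        return None  # the resolver's own DoT/DoH upstream traffic is expected
    if rec["dst"] in LOCAL_RESOLVERS and rec["dport"] in DNS_PORTS:
        return None  # client -> local resolver, plaintext or DoT, as intended
    if rec["dport"] == 53:
        return "plain-dns-bypass"
    if rec["dport"] == 853:
        return "dot-bypass"
    if rec["dport"] == 443 and rec["sni"] in DOH_SNI_WATCHLIST:
        return "doh-suspected"  # HTTPS to a known DoH endpoint; blends with web traffic
    return None


def find_bypasses(log_text):
    """Return (src, dst, dport, kind) for every flagged connection, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify(rec)
        if kind:
            findings.append((rec["src"], rec["dst"], rec["dport"], kind))
    return findings


def summarize(findings):
    """Collapse findings to {host: sorted list of bypass kinds} for triage."""
    per_host = defaultdict(set)
    for src, _dst, _dport, kind in findings:
        per_host[src].add(kind)
    return {host: sorted(kinds) for host, kinds in per_host.items()}


if __name__ == "__main__":
    for finding in find_bypasses(SAMPLE_LOG):
        print(finding)
    print(summarize(find_bypasses(SAMPLE_LOG)))
```

The first two kinds are what a firewall rule set "only the resolver may use 53/853 outbound" would already drop, so seeing them in a log means either the rule is missing or a client is probing; the third kind is the one a port-based rule cannot catch, which is why it depends on an SNI watch list and why that list is never complete.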
 