I use dnscrypt-proxy's Anonymized DNSCrypt with multiple relays, force it all to use TCP, and route them over Tor.

Does this prevent my ISP or anyone in my country from seeing my DNS queries and client hellos when connecting to websites and servers hosted outside?

What can my ISP see about apps and websites/webpages I visit when I'm using Anonymized DNSCrypt over Tor?

I can't wait for ECH to be finalized and properly added to the browsers, so I need to know if my current config provides the same level of security as DoH + DNSSEC + ECH.

Using VPNs is out of the question.

UndercoverDog
  • Everything you’ve given details on doesn’t address the ECH side of things at all. Are you connecting to the actual services over Tor too? – Ry- Jul 19 '22 at 19:23
  • @Ry- no I don't, I was hoping to only secure my DNS queries because for me Tor is slow for HTTPS traffic. So the DNSCrypt protocol doesn't encrypt the client hello? –  Jul 19 '22 at 19:25
  • Correct. DNSCrypt encrypts DNS lookups. ClientHello is part of the TLS connection to the address the lookup returned, not DNS. – Ry- Jul 19 '22 at 19:27
  • Thank you, so with my current config, if I reroute the rest of the traffic over Tor with a SOCKS5 proxy, I'll have encrypted my ClientHello as well? –  Jul 19 '22 at 19:31

1 Answer

Running DNSCrypt over Tor will anonymize your DNS lookups. This won't prevent your ISP from knowing what websites you are visiting. They will still be able to see the domain and subdomain you are connecting to by doing rDNS lookups on the IP and by sniffing SNI.

If you route all of your traffic through Tor (by using the local Tor SOCKS5 proxy), then everything will be hidden from your ISP, barring advanced traffic analysis attacks (which are an issue with any low-latency anonymity network and are unlikely to be relevant in your scenario). If you do it that way, you won't need to use DNSCrypt either as domain resolution will be done by the exit relay which will use whatever DNS servers it has been configured to use. This is ideal.

forest
  • Could you explain more about what a low-latency anonymity network is and why advanced network analysis attacks can cause problems for them? –  Aug 14 '22 at 07:34
  • @elias https://security.stackexchange.com/a/175186/106285 – forest Aug 14 '22 at 22:46
  • Thank you, how can I make sure that when I launch Tor browser bundle in the background and set up Windows proxy settings to `127.0.0.1:9150`, my DNS and SNI will be routed over Tor network in addition to regular packets, when using other browsers or programs? –  Aug 15 '22 at 11:53