IPv4 DNS server: (unencrypted)

  • Hello everyone,

    We noticed that on my father’s new PC (HP Omen 30L), when you open the properties of our home WLAN, the item “IPv4 DNS server” says “unencrypted” in brackets after the IP address.

    Now we are a bit unsure about the security of our WiFi network.

    It is also the case that on my PC there is nothing after the IP address under the same item.

    My question now is, does it have to be that way, and if not, how can I change it?

    For your information, we have a standard Internet box.

    Best regards

    Andre Theiler

    Show original language (German)

    @Reujemmeu35

    Do both devices have the same operating system installed?

    I don’t have this display on my PC with Win 10, but the message “unencrypted” also appears on Windows 11.

    This is an indication from the operating system that the DNS (the system for resolving names into IP addresses) is not encrypted with DoT (DNS over TLS) or DoH (DNS over HTTPS), because the Internet box does not support this. If you want to use encrypted DNS, you have to set it up manually on the PC and bypass the Internet box as far as DNS is concerned. Corresponding instructions are available on the Internet. Opinions vary widely as to whether this is necessary or not. Personally, I don’t use it because I believe there are far greater dangers on the Internet.

    But this has nothing to do with the WLAN, you would also have the same display if the PC is connected to the LAN.

    As far as WLAN encryption is concerned, you can choose between WPA2, WPA2/WPA3 and WPA3 in the IB. The most secure level is WPA3, if you are using older WLAN devices, you may have to choose WPA2/WPA3 or in rare cases even just WPA2.


    @Reujemmeu35

    Thanks, everything is clear. Both PCs use the same well-known DNS without encryption, but Win11 specifically points out when plain DNS is used instead of DNS over TLS or DNS over HTTPS.


    I checked our Internet box and the highest encryption that can be set is WPA2 (previous setting was WPA/WPA2).

    What would be the worst case scenario that could occur if the DNS server were not encrypted or is WPA2 sufficient?

    • @Reujemmeu35

      I have an IB3; as far as I know, WPA3 is not possible with your old IB standard.

      As already written, WPA2 or WPA3 has absolutely nothing to do with DNS encryption.

      WPAx is about protecting the WLAN against eavesdropping and intrusion. Although WPA2 has some vulnerabilities, it is (still) considered secure, at least for private use, and it is still very widespread even in the business world. If you still want to use the more secure WPA3, you will have to get a new IB.

      Encrypting the DNS matters because, without encryption, anyone who has access to your data stream (e.g. the provider) can “read” in plain text the addresses to which you connect on the Internet. For example, if you enter www.sbb.ch in the browser, your PC must first find out which IP address is behind the name www.sbb.ch. To find out, you need the DNS (Domain Name Service). This means that someone who reads your computer’s unencrypted DNS queries to the DNS server somewhere on the Internet knows where you are “hanging around” on the Internet. Since the vast majority of private users keep the default settings of the PC and the IB’s DNS, encrypted DNS is unlikely to be widespread yet. If you still want to use it, you have to change the settings on your computer, for example as follows:

      dns1.png

      OR

      dns2.png


      Hello hed,

      If someone “reads” an unencrypted DNS, will they only see which websites I visit, or will they also see what I do there or what passwords I use?

      For example with online banking?

      Thanks for your tips on the settings.


      @Reujemmeu35 wrote:
      […] If someone “reads” an unencrypted DNS, does he only see which websites I visit, or does he also see what I do there or what passwords I use?

      For example with online banking?

      No, you definitely can’t find out passwords using DNS sniffing, and the potential for misuse isn’t particularly great. That’s probably why this issue hasn’t been given much priority for decades, even though it’s certainly a good thing if improvements are being introduced now.


      Have you tried turning it off and on again?

      @Reujemmeu35

      No, you cannot read the content unless you use http instead of https in the browser. But that is determined by the target server, i.e. a bank is unlikely to use the outdated http.


      @HP

      As far as I know, IPv6 is preferred from Win10 onwards if both are configured. But this can be changed in the registry.

      You can view statistics of the protocols used, for example via PowerShell or with countless other network tools. If you want to analyze every single packet that runs over the network interface, the Wireshark protocol analyzer (freeware) is best suited for this purpose.

      Even if IPv6 is prioritized, you will notice that a lot of traffic (and therefore DNS) still runs via IPv4. You can only prevent this by deactivating IPv4, but I can’t recommend that because you’ll have a lot of problems with it.

      Regarding DNS v6 see also here:

      Solved: DNS over IPv6 | Swisscom Community


      @HP

      Another note about DNS:

      There are basically no separate v4 and v6 DNS servers. The client sends a name to be resolved (via IPv4 or IPv6) and the server responds with an A record (for IPv4 addresses) or AAAA record (for IPv6 addresses) or with both records. The DNS request is also unencrypted with IPv6.

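To make hed’s two points concrete (that an unencrypted DNS query carries the queried name in clear text, and that the same wire format serves IPv4 A and IPv6 AAAA lookups), here is an added example that is not from this thread or from Swisscom. The script builds the plain DNS query a PC sends for www.sbb.ch, parses it back the way a sniffer on the provider’s side would, and then shows the identical message wrapped into an RFC 8484 DNS-over-HTTPS GET request, which is what the DoH setting on the PC produces instead. The resolver URL doh.example.net is a placeholder assumption, and nothing is sent over the network.

```python
"""
Constructed example (not from the forum thread): what an on-path observer
sees in a plain DNS query versus the same query wrapped for DNS over HTTPS.
The DoH resolver URL below is an assumption, not a statement about any
Internet box or provider; the script never opens a socket.
"""
import base64
import struct

# Hypothetical DoH endpoint, used only to build the request URL.
DOH_TEMPLATE = "https://doh.example.net/dns-query"

RR_TYPES = {1: "A", 28: "AAAA"}  # IPv4 and IPv6 address records


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed ASCII labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, msg_id: int = 0x1234) -> bytes:
    """Plain DNS query as sent over UDP: 12-byte header plus one question."""
    # flags 0x0100 = standard query with recursion desired; counts: 1 question
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_query(packet: bytes) -> dict:
    """What a sniffer does with the packet: read the name and type in clear."""
    msg_id, _flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a query's question
            raise ValueError("unexpected compression pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {
        "id": msg_id,
        "name": ".".join(labels),
        "type": RR_TYPES.get(qtype, str(qtype)),
        "class": "IN" if qclass == 1 else str(qclass),
    }


def doh_get_url(packet: bytes, template: str = DOH_TEMPLATE) -> str:
    """RFC 8484 GET form: the unchanged wire message, base64url without
    padding, in the ?dns= parameter. RFC 8484 recommends message ID 0 so that
    identical queries yield identical, cacheable URLs. An observer then sees
    only a TLS connection to the resolver, not this URL or the name inside."""
    packet = b"\x00\x00" + packet[2:]
    token = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{template}?dns={token}"


if __name__ == "__main__":
    for qtype in (1, 28):
        q = build_query("www.sbb.ch", qtype)
        print("on the wire        :", q.hex())
        print("sniffer recovers   :", parse_query(q))
        print("same query via DoH :", doh_get_url(q))
```

Running it prints the raw bytes, in which the labels “www”, “sbb” and “ch” are visible as plain ASCII, which is exactly what the “(unencrypted)” label in Windows refers to. Note what the example does not show: the DNS query never contains the page you open, the form data you submit or your banking password; those travel inside the HTTPS connection to the site itself, as answered above.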