[Security/Privacy] Enable DNSSEC and ECH on Kagi

doggo_the_dog

It could be possible to further secure and add more privacy to the traffic between Kagi's web server and the final user with DNSSEC and ECH.

TLDR; you ensure you're REALLY accessing Kagi, and not a phishing, redirected hacking site (with DNSSEC). And also it helps you hide that you're accessing Kagi from network snoopers (with ECH).

Both options can be enabled server-side and are NOT known to cause incompatibilities with systems.

The final user doesn't need to change any configurations. DNSSEC/ECH should become default in most browsers soon.

DNSSEC

DNSSEC Security Extensions (or just DNSSEC) allows users to verify that the DNS information they receive has not been tampered with and truly originates from the legitimate source.

It's an extra layer that prevents DNS Spoofing/Poisoning, especially if someone's device is not configured with a secure DNS server on the go (most cases with non-tech savvy people).

ECH

Encrypted Client Hello (ECH) encrypts the "Client Hello" introductory communication of the DNS, which by default isn't encrypted even with DNS over HTTPS/DNS over TLS enabled.

Result: without ECH, an analysis of the network traffic allows anyone to know which domain you're requesting (technically, the SNI).

With ECH enabled, given the user uses DoH/DoT, everything is encrypted and it becomes considerably harder for an attacker to perform any traffic analysis on your web usage.

utopia

I agree with enabling DNSSEC, however it’ll be more complicated than you’d think. FWIW, Kagi uses AWS Route53 for DNS. Enabling DNSSEC incurs an AWS upcharge. Whether or not Kagi wants to incur this charge is up to them.

With ECH, there would be no point. The IP leaks the service we’re using. Sure, it might hide whether or not we’re searching or looking at the docs, however nothing beyond that.

doggo_the_dog

Hello @utopia , thank you for contributing to my suggestion!

A few considerations:

utopia The IP leaks the service we’re using.

Actually, the IP leaks the company who owns the IP block in question.
In Kagi's case, it uses:

IPv4 -> 34.111.242.115
IPv6 -> 2600:1901::daa1:::

Ironically, both are owned by Google LLC, and so it appears to be with any basic lookup.

You can see for yourself here. This is Kagi's IPv4:

https://www.whatismyip.com/ip/34.111.242.115/

Of course, a quick search or any lookup that goes any further beyond that reveals that "34.111.242.115" specifically is owned by Kagi.

ECH makes it much harder to pinpoint who website's you're visiting. Instead of just looking up the SNI in plain text (that would be kagi.com), they would have to look up the IP and read "Google" (and stop there most of the times).

For that reason, I believe enabling ECH is beneficial because it makes automated network traffic analysis more difficult and time-consuming, boosting the end user's privacy in return.

utopia Enabling DNSSEC incurs an AWS upcharge

That's unfortunate.

utopia Whether or not Kagi wants to incur this charge is up to them.

Undoubtedly. As users, the best we can do is suggest features and bring pros and cons to the table.

I do think having DNSSEC + ECH is attractive, considering Kagi's userbase is very technologically aware. Some evidence are the most "upvoted" domains on the search engine - GitHub and Arch Wiki are leading, if I'm not mistaken.

Once again, thank you for your contribution to this topic @utopia .