DNSCrypt Preview

jyavenard · Jul 30, 2012

Mangix said: ↑

How beneficial is DNSCrypt at the router level? What I've gathered from it is that it's just encrypted DNS. However once it gets out of the router, it's unencrypted and those are the results clients get. Something like that is easily MITMable by doing DHCP spoofing and setting a custom DNS server.

I have DNSCrypt installed on my Windows 8 box and on it it makes sense since the information only gets unencrypted on the computer.

All I can make of this is that it makes ISPs not being able to know exactly which website you visit without some packet inspection(IP addresses are still visible). Am I missing something here?

The connection to OpenDNS is encrypted..

To me, DNSCrypt is a fad anyway. It serves no real purpose as all it does is shift the privacy concern elsewhere while only adding downsides.

So sure, your queries aren't sent to a public server anymore... but you send it to OpenDNS ! and all of your queries at that. IMHO, that's worse! As opposed to sending your queries to multiple servers. And once you've resolved your IP address, what are you hiding then ? A reverse dns lookup would be all you need to retrieve what your query was about.

You also loose one of the core feature of DNS: multi-path. A DNS request is typically an UDP request (can be done with TCP, but usually, it's all UDP for a client), if one doesn't answer, you go to another etc... In this DNSCrypt setup, you now only have one server, and it uses TCP.

For a home setup, you also loose the ability to have your DNS request resolved with a nearby server like what Akamai or Amazon Web Services, which will only slower your typical internet experience.

If you're that concerned about privacy, encrypting your DNS request and only deal with a single provider isn't the way to go.

So to summarise, I don't see the point. It serves no purpose and only make things slower.
If you want privacy use a VPN or tunnel and use the DNS servers via that VPN or tunner

lancethepants · Jul 30, 2012

shibby20 said: ↑

@lancethepants - dnscrypt-proxy-1.0.tar.gz is out 9 days ago. Did you test it? Or maybe you suggest use 0.12? I dont know which one use better in next tomato release.

I've compiled 1.0 and have been using it for about a week without any hiccups. I've made some standalone binaries available at http://lancethepants.com/files for anyone else to test also. The author has also made a "--diable-ssp" configuration option so it's no longer necessary to manually edit the configuration file.

jyavenard said: ↑

The connection to OpenDNS is encrypted..

You also loose one of the core feature of DNS: multi-path. A DNS request is typically an UDP request (can be done with TCP, but usually, it's all UDP for a client), if one doesn't answer, you go to another etc... In this DNSCrypt setup, you now only have one server, and it uses TCP.

DNSCrypt does use UDP, but also has the capability of running over TCP. You are correct, DNSCrypt encrypts between your router and OpenDNS. They will not be able to decipher any requests or responses. DNSCrypt DOES NOT, however, encrypt anything other than DNS, as you've stated. If you are visiting a HTTPS site, that communication will be secure as HTTPS encrypts the URL. Your ISP will be able to see all other traffic, non-encrypted traffic. If you want complete anonymity from your ISP, use a VPN as stated.
This is not so targeted to you jyavenard as it is to everyone in general.

http://www.opendns.com/technology/dnscrypt/

jyavenard · Jul 30, 2012

lancethepants said: ↑

Iour ISP will be able to see all other traffic, non-encrypted traffic. If you want complete anonymity from your ISP, use a VPN as stated.

http://www.opendns.com/technology/dnscrypt/

My point is that while your dns query will be encrypted, as the next step will usually be to connect to that site, https or not, the ISP or whomever else wants to listen will know which IP you were trying to resolve. Making the whole concept moot IMO.

lancethepants · Jul 30, 2012

jyavenard said: ↑

My point is that while your dns query will be encrypted, as the next step will usually be to connect to that site, https or not, the ISP or whomever else wants to listen will know which IP you were trying to resolve.

Absolutely true, DNSCrypt will not maintain any level of anonymity between you and your ISP, use a VPN for that purpose.

Anonymity, however is not DNSCrypt's aim .
http://www.opendns.com/technology/dnscrypt/

Many will remember the Kaminsky Vulnerability, which impacted nearly every DNS implementation in the world (though not OpenDNS).

That said, the class of problems that the Kaminsky Vulnerability related to were a result of some of the underlying foundations of the DNS protocol that are inherently weak -- particularly in the "last mile." The "last mile" is the portion of your Internet connection between your computer and your ISP.

DNSCrypt is our way of securing the "last mile" of DNS traffic and resolving (no pun intended) an entire class of serious security concerns with the DNS protocol. As the world’s Internet connectivity becomes increasingly mobile and more and more people are connecting to several different WiFi networks in a single day, the need for a solution is mounting.

There have been numerous examples of tampering, or man-in-the-middle attacks, and snooping of DNS traffic at the last mile and it represents a serious security risk that we've always wanted to fix. Today we can

It's about increased security, not anonymity (Your query has not been tampered with).

rhester72 · Jul 30, 2012

Very, VERY few people are in a position to tamper with the query chain between your ISP and router - it's much easier to attack the endpoint router itself and compromise its DNS tables (if not the endpoint machines). If you're truly interested in tamper-resistance, end-to-end, DNSSEC is the completely service-agnostic answer, though it's been even less widely adopted than IPv6 (but sets up easily on Tomato, with full signature validation). DNSCrypt is a marketing tool designed to drive traffic to OpenDNS (and thus away from Google) via FUD, solving problems that do not in fact actually exist in the real world.

Just my $0.02.

Rodney

lancethepants · Aug 10, 2012

http://dd-wrt.com/forum/viewtopic.php?t=148324&highlight=dnscrypt
jedisct1

DNSSec is a huge step forward and being able to securely publish data (not only domain records) through DNS is exciting.

Unfortunately, DNSSec requires that TLDs are signed, that routers are supporting it (or, at least, that they allow client-side validation), that registrars support it, that operating systems provide validating stub resolvers, that libraries providing async lookups also support it, that other pieces of software reinventing the wheel also support it, that fucked up firewalls that don't even let UDP packets > 512 bytes go through get fixed and that domain owners and sysadmins give a shit about it.

This is sad, but we're not there yet. Not even close. Even Google and Youporn don't sign their records.

Meanwhile, the best we can do, in addition to client-side DNSSec validation for the few domains that are actually signed, is to provide a secure channel between clients and upstream resolvers. It doesn't make upstream resolvers more secure, but the weakest link of the chain is often the LAN.
OpenBSD provides a way to force all DNS queries to be performed using TCP, so that you can easily tunnel them over SSH. Unbound can use a SSL tunnel to communicate with upstream resolvers. DNSCrypt is a lightweight alternative for people using OpenDNS.

All these mechanisms may be pointless once everybody uses DNSSec everywhere (although DNSSec doesn't provide any confidentiality, but these mechanisms do, to some extent). But until ALL domains are signed and every piece of hardware and software fully supports DNSSec, any effort to make the DNS protocol suck less security-wise, is worth it.

Toastman · Aug 11, 2012

I fully agree with rhester72 and jyavenard.

which is why it isn't in my builds.

leandroong · Aug 11, 2012

Shbby FW version 097 & 099 has "DNSSCRYPT-PROXY" issue when using 3G MODEM. Hard to connect and if connected, slowly killing internet connection, making webpage display errors. If unchecked, no issue. Kindly verify this matter.

leandroong · Aug 11, 2012

Using different sim provider, allows me to connect easily to 3g modem and surf successfully except for 1 url, http://repo.or.cz/w/tomato.git/shortlog/refs/heads/tomato-RT, it says gateway timeout.

Common problem for both sim card are having problem connecting using putty or winscp whenever dnscrypt-proxy is checked.

jony121 · Aug 16, 2012

I would just like to add, when I downloaded a copy of the version lancethepants kindly uploaded I lost file permissions. I used chmod and was able to execute and it runs great. Thanks so much.

GrimSage · May 30, 2013

I know this is a pretty old thread, but I am trying to get dnscrypt on my wrt310n v1. I have installed tomato-ND-1.28.5x-109-VPN.trx but have not been able to find the settings for dnscrypt. Is it not in this build?

shibby20 · May 31, 2013

no, in rhis firmware dnscrypt-proxy is not available. I will think about add this featyre in next release

Log in or Sign up

DNSCrypt Preview

jyavenard LI Guru

lancethepants Addicted to LI

jyavenard LI Guru

lancethepants Addicted to LI

rhester72 Network Guru

lancethepants Addicted to LI

Toastman Super Moderator

leandroong Networkin' Nut

leandroong Networkin' Nut

jony121 Reformed Router

GrimSage Reformed Router

shibby20 Network Guru

Share This Page