DNSCrypt and DNSSec

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

DNSCrypt and DNSMasq -testing

Postby viking60 » 18 Apr 2016, 23:00

You might think that all these extras might slow your system down.
I use DnsCrypt with DNSMasq as DNS cache so the system is getting faster through the caching! Your Internet request does not have to bounce around the internet every time you visit a page.

Once you have been there it will only bounce in your DNSMasq cache and that does not take any time.

Here is how to test it:
Install dig (bind-tools).
Then enter this command for a page you have not visited yet (archlinux.org in this case).

Code:

dig archlinux.org | grep "Query time"

This will report some time spent but now repeat the command:

Code:

dig archlinux.org | grep "Query time"

And check what happens! This time the query is done in the Local DNS IP cache and way faster if DNSMasq is set up correctly.
Here is a screenshot of my result:
[Image]

To check DNSCrypt you can go to:

https://dnsleaktest.com/

This should report your DNSCrypt server as a leak since it is not the same as your ISP.

To check how your setup is doing against DNS Spoofing - you can test it here:

https://www.grc.com/dns/dns.htm

(If you use dnscrypt and browse there with HideMy Ass it won't find anything - there is a Hidemyass button for Chromium that you can install)
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"
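
The two-run dig test from the post above, as an added example that is not part of the original post: it reads the `Query time` and `SERVER` lines from two dig outputs and reports whether the repeat query was answered by the local cache. The sample outputs are constructed, and the 2 msec threshold for "cached" is an assumption.

```shell
#!/bin/sh
# Constructed samples: the relevant tail of `dig archlinux.org` output.
FIRST_RUN=';; Query time: 48 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'
SECOND_RUN=';; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)'
# Constructed sample: queries going to the router instead of the local cache.
LEAKY_RUN=';; Query time: 21 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)'

# Extract the number of milliseconds from the ";; Query time:" line.
query_ms() {
  printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# Extract the resolver address dig actually talked to.
server_ip() {
  printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# $1 = output of the first dig run, $2 = output of the repeated run.
check_cache() {
  srv=$(server_ip "$2")
  case "$srv" in
    127.*|::1) ;;                       # loopback: the local DNSMasq cache
    *) echo "not-local:$srv"; return 0 ;;  # queries bypass the local cache
  esac
  t1=$(query_ms "$1")
  t2=$(query_ms "$2")
  if [ -z "$t1" ] || [ -z "$t2" ]; then
    echo "unparsed"
  elif [ "$t2" -le 2 ] && [ "$t2" -le "$t1" ]; then
    echo "cached:$t1->$t2"              # assumed threshold: 2 msec or less
  else
    echo "uncached:$t1->$t2"
  fi
}

check_cache "$FIRST_RUN" "$SECOND_RUN"
check_cache "$FIRST_RUN" "$LEAKY_RUN"
```

On a live system the same check is `check_cache "$(dig archlinux.org)" "$(dig archlinux.org)"`.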

DNSCrypt servers

Postby viking60 » 29 Apr 2016, 09:26

I have used Dnscrypt.eu-dk as my DNScrypt server proxy but lately I have lost the internet from time to time.

To check if it is the DNScrypt proxy I fire up Linux from a VM where I use traditional nameservers - If that has internet then it is the DNScrypt service that is bad.
If you do not have another OS in a VM then a simple edit of /etc/resolv.conf is necessary like this:

Code:

# Generated by resolvconf
#nameserver 127.0.0.1 <- comment out this and add traditional nameservers below:
nameserver 8.8.8.8
nameserver 8.8.4.4

On refreshing the browser the internet will be back if it is the dnscrypt server.
Then you can change your dnscrypt.server and remove the google nameserver and uncomment in /etc/resolv.conf again.

Dnscrypt.eu is open about the problem and has tweeted that the Danish server is in a sorry state and needs an overhaul.

So I decided to switch to another server on the Dnscrypt server list:

I took one of cryptostorm's; they seem to be pretty privacy minded (even if the website looks bad).

So I replaced the server in

Code:

sudo nano /usr/lib/systemd/system/dnscrypt-proxy.service
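
A check for the /etc/resolv.conf fallback described in the post above, as an added example that is not part of the original post: it reports whether the active `nameserver` lines still point only at the local proxy or whether a plain-text resolver has been left in place after troubleshooting. The file contents are constructed samples written to a temporary directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/resolv.conf.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/troubleshoot.conf" <<'EOF'
# Generated by resolvconf
#nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF

cat > "$TMP/restored.conf" <<'EOF'
# Generated by resolvconf
nameserver 127.0.0.1
EOF

cat > "$TMP/mixed.conf" <<'EOF'
nameserver 127.0.0.1
nameserver 8.8.8.8
EOF

# Print the address of every uncommented nameserver line in file $1.
active_nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# Report "local-only", "bypass:<addresses>" or "none" for file $1.
resolv_state() {
  ns=$(active_nameservers "$1")
  [ -n "$ns" ] || { echo "none"; return 0; }
  ext=""
  for ip in $ns; do
    case "$ip" in
      127.*|::1) ;;             # loopback: goes through dnscrypt-proxy
      *) ext="$ext $ip" ;;      # anything else is queried unencrypted
    esac
  done
  # A loopback entry followed by a public one still counts as a bypass:
  # the resolver falls through to the second entry when the first times out.
  if [ -z "$ext" ]; then echo "local-only"; else echo "bypass:${ext# }"; fi
}

resolv_state "$TMP/troubleshoot.conf"
resolv_state "$TMP/restored.conf"
resolv_state "$TMP/mixed.conf"
```

Run `resolv_state /etc/resolv.conf` after switching the dnscrypt server to confirm the temporary nameservers were removed again.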

Re: DNSCrypt and DNSSec

Postby viking60 » 25 Oct 2016, 13:16

ATM there are only 11 Dnscrypt servers that support DNSSEC.
This is no guarantee for anti-spoofing but it does indicate that the providers are keeping their servers up to date.

DNSSEC=Domain Name System Security Extensions so it indicates that the original insecure DNS has been improved.


It makes sense to use these servers with DNSCrypt if the providers have a "no Log" policy and as it happens all providers that offer DNSSEC do have a no Log policy.

So here is the list of servers that use DNSSEC with a no log policy:

| Full name | Name to use in Dnscrypt |
| --- | --- |
| 4ARMED | 4armed |
| CloudNS Sydney | cloudns-syd |
| DNSCrypt.eu Denmark | dnscrypt.eu-dk |
| DNSCrypt.eu Denmark over IPv6 | dnscrypt.eu-dk-ipv6 |
| DNSCrypt.eu Holland | dnscrypt.eu-nl |
| DNSCrypt.eu Holland over IPv6 | dnscrypt.eu-nl-ipv6 |
| DNSCrypt.org France | dnscrypt.org-fr |
| ns0.dnscrypt.is in Reykjavík, Iceland | ns0.dnscrypt.is |
| Soltysiak | soltysiak |
| Soltysiak over IPv6 | soltysiak-ipv6 |
| Anatomical DNS | ventricle.us |


The no Log policy will probably be worth less in countries where governments can instruct them to keep logs and demand them.
This would narrow the list down to Europe - Britain and Russia (the EU).

That would mean that you could strike 4armed, "Anatomical DNS" and Clouddns-sydney from the list.

In terms of having the strictest privacy laws I believe Iceland is the best:
https://dnscrypt.is/
There’s some other projects out there that currently do something similar to what you see here, but none of them host their servers in Iceland. All content is hosted on Icelandic servers because no other country on earth can match the privacy laws there.

Re: DNSCrypt and DNSSec

Postby viking60 » 02 Feb 2017, 20:29

I just switched provider and had to change my data to keep this working.
I had to find my gateway and I have no control panel for my fiber connection so here is how I found my gateway:

Code:

route -n

Now I could use that in my connection settings and my dns traffic is encrypted again.