I logged out of openbox and into xfce4 and did another test.
Every check on Opendns is green and the IP is right.
.....
And I can still read the headlines of the news I am surfing on in Wireshark.
At this point you may safely ignore all my recommendations above
I have pointed it out here:
https://support.opendns.com/entries/216 ... t_25823980
I hope I am wrong about something.....
DNSCrypt and DNSSec
Moderators: b1o, jkerr82508
Re: DNSCrypt and DNSSec
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"
- Snorkasaurus
- Berserk
- Posts: 587
- Joined: 30 Dec 2013, 19:19
Re: DNSCrypt and DNSSec
All DNSCrypt is good for is encrypting
1. your DNS queries to your DNS server [what is the IP address of bjoernvold.com?] and
2. your DNS server's replies [bjoernvold.com is 205.234.200.233]
...that's it. Once DNS has given you the IP address you are looking for, the responsibility of encrypting the connection between you and the remote server is up to the protocol you are using. Since I use my ISP's DNS servers I am pretty confident that the traffic never leaves their network and that only they have the ability to record my DNS queries (even if they are in plain text). Since OpenDNS uses DNSCrypt it is pretty likely that only they have the ability to record my DNS queries. Since I trust my ISP more than I trust OpenDNS, I use them for my DNS queries.
S.
Re: DNSCrypt and DNSSec
Yup it seems that you are right about that.
OpenDNS does far less than I thought. There might be some security there but not as much as I thought. It is a way to avoid a man-in-the-middle attack and that is basically it.
Why OpenDNS/DNSCrypt is better than other ISPs is not that clear to me now....
It is probably better that the DNS traffic is encrypted and not in plain text though.
- Snorkasaurus
- Berserk
- Posts: 587
- Joined: 30 Dec 2013, 19:19
Re: DNSCrypt and DNSSec
viking60 wrote: It is probably better that the DNS traffic is encrypted and not in plain text though.
Like I said... I trust my ISP more than I trust OpenDNS, mostly because they were intentionally hijacking DNS queries in order to show advertising. If you used OpenDNS, opened your browser, and tried to type in bjoernvold.com but accidentally typed in bjeornvold.com your DNS provider SHOULD return a NXDOMAIN reply. However, OpenDNS's service would return the IP address of one of their servers which presents ads that are presented in a "search engine style" layout. That to me is intentional DNS poisoning, and further it is for their own benefit. Not cool at all. Unfortunately there is barely any mention of it on the OpenDNS Wikipedia page. For people who do not like this kind of activity, here is a nice quick writeup describing a way to use dnsmasq as a local caching DNS server to properly return a NXDOMAIN reply (though I think it is a better idea to simply switch to a DNS provider who does not poison DNS).
S.
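The NXDOMAIN point in the post above, as an added example that is not code from the thread or from any of the projects named in it: a small Python script that builds the plaintext query a stub resolver sends for a misspelled name, parses the reply, and flags the redirect pattern described (RCODE 0 with an A record where RCODE 3, NXDOMAIN, belongs). The replies are constructed inline with `make_response`, and 192.0.2.1 is a documentation address standing in for an ad server; nothing here touches the network.

```python
"""Added example, not code from the thread: build the plaintext DNS query a
stub resolver sends, parse the reply, and flag the NXDOMAIN-redirect pattern
described above (an A record handed back for a name that should not exist).
All packets are constructed inline; nothing touches the network."""
import struct

QTYPE_A, QCLASS_IN, RCODE_NXDOMAIN = 1, 1, 3


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """One question, type A, class IN, recursion desired (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(data: bytes, off: int):
    """Decode a label sequence, following 0xC0 compression pointers."""
    labels = []
    while True:
        length = data[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def parse_response(data: bytes) -> dict:
    """Return transaction id, RCODE, question names and any A-record addresses."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off, questions, a_records = 12, [], []
    for _ in range(qdcount):
        qname, off = _read_name(data, off)
        off += 4  # skip QTYPE + QCLASS
        questions.append(qname)
    for _ in range(ancount):
        _, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0xF,
            "questions": questions, "a_records": a_records}


def looks_hijacked(resp: dict) -> bool:
    """For a name known not to exist, an honest resolver answers RCODE 3.
    RCODE 0 plus A records in that spot is the ad-redirect behaviour."""
    return resp["rcode"] == 0 and bool(resp["a_records"])


def make_response(query: bytes, rcode: int, addrs=()) -> bytes:
    """Constructed stand-in for a resolver's reply: echoes the question and
    points each answer at it with the 0xC00C compression pointer."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode  # QR, RD, RA set
    body = query[12:]
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0) + body


if __name__ == "__main__":
    typo = build_query("bjeornvold.com")  # the misspelling from the post
    print("query on the wire:", typo.hex())  # readable in any packet capture
    honest = parse_response(make_response(typo, RCODE_NXDOMAIN))
    # 192.0.2.1 is a documentation address standing in for an ad server
    redirect = parse_response(make_response(typo, 0, ["192.0.2.1"]))
    print("honest reply:", honest["rcode"], looks_hijacked(honest))
    print("redirect reply:", redirect["a_records"], looks_hijacked(redirect))
```

The hex dump of the query is the thing that shows up in a capture when DNS runs in plain text; DNSCrypt hides that exchange and nothing after it. To run the same check against a live resolver, send `build_query()` over UDP port 53 to it and hand the datagram to `parse_response()`.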
- Snorkasaurus
- Berserk
- Posts: 587
- Joined: 30 Dec 2013, 19:19
Re: DNSCrypt and DNSSec
I should also mention that if someone were to compromise my router or wireless access point they could potentially trap and record my [plain text] DNS traffic, giving them the ability to extrapolate a profile of my externally accessed servers (including the date and time of such accesses).
S.
Re: DNSCrypt and DNSSec
So I have taken your profound words regarding OpenDNS (Cisco) to heart .. and skipped it.
I now use European providers that are not under the direct influence of the NSA. In fact Arch and Manjaro have switched from OpenDNS as the standard provider for DNSCrypt too.
Cisco does provide these services too .. and I would not trust them since they are clearly on the NSA "cooperation" list.
- Snorkasaurus
- Berserk
- Posts: 587
- Joined: 30 Dec 2013, 19:19
Re: DNSCrypt and DNSSec
So I took your profound words, and figured out how to make my dnsmasq caching server use dnscrypt for my name resolution at home. :-)
The process I used can be found here.
PS: Do you know anything about these okturtles fellahs?
s.
Re: DNSCrypt and DNSSec
Those Okturtles fellas look fairly OK. I have nothing negative on them. The one thing that always should cause worries is when someone needs to make money on this stuff.
Money can corrupt. Clearly idealistic, non-corporate looking sites may be better.
But then again those could be hackers..
I use the Danish alternative since it is near and they look tech minded and non-commercial.
The Netherlands seem OK too, but that is the default in all distros these days (including your Wheezy manual) - so it must be very tempting to spy on them....I just picked another one from the list for good measure.
If you want to check out another one you can simply change your crontab to
Code:
@reboot /usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:53 -d -R dnscrypt.eu-dk
Manjaro/Arch handle this with daemons under systemd.
I think the European alternatives are the safest. No gag orders and surveillance allowed here. The Brits are ignoring it... but it is not allowed.
Great howto there - people really need these howtos.
This is the Arch way:
https://wiki.archlinux.org/index.php/DNSCrypt
Re: DNSCrypt and DNSSec
And finally I added dnsmasq to the equation. As the eager readers already know, I have DNSCrypt running. There is a small bug in that on Arch and Manjaro, so you need to add one line to
/usr/lib/systemd/system/dnscrypt-proxy.service
And that line is...
Code:
After=network.target
EDIT:This bug is now fixed
It should be the last line in the Unit section. If you don't add this - you simply will be without internet. So it makes sense to let the network start first
Here is my
/usr/lib/systemd/system/dnscrypt-proxy.service
Code:
[Unit]
Description=DNSCrypt client proxy
Requires=dnscrypt-proxy.socket
After=network.target

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target

[Service]
Type=simple
NonBlocking=true
ExecStart=/usr/bin/dnscrypt-proxy \
    -R dnscrypt.eu-dk
So once that is cleared up it is time to add Dnsmasq into the equation:
First install it!
Code:
sudo pacman -S dnsmasq
Then I edited /etc/dnsmasq.conf and basically uncommented and filled in three lines:
Code:
no-resolv
server=127.0.0.1#40
listen-address=127.0.0.1
The Arch wiki told me to - so monkey see and monkey do....(It configures Dnsmasq as a local DNS cache).
The port has been changed from the default 53 so we need to alter that in the socket with this command:
Code:
sudo systemctl edit dnscrypt-proxy.socket
This opened an empty file on my Manjaro so I pasted this content into it:
Code:
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
You don't understand? Do it anyway, after the monkey see and monkey do method. The Arch wiki is like Jesus: you just do it because it told you so.
Now we have to stop the dnscrypt-proxy.service. Je... eh.. the Arch wiki says:
Code:
sudo systemctl stop dnscrypt-proxy.service
and start dnscrypt-proxy.socket
Code:
sudo systemctl start dnscrypt-proxy.socket
Ah that should be it then; time to surf on the internet:
...
and nothing
Maybe we should remember to start the dnsmasq.service too, even if Je... the Wiki didn't say so..
Code:
sudo systemctl start dnsmasq.service
The internet better be there now
- And the miracle has happened
Now I have to check why dnsmasq is good for me...
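The dnsmasq and socket-override steps in the post above, as an added example that is not code from the thread, the Arch wiki or either project: a Python checker that parses the two config fragments and confirms they agree before anything is restarted, since a mismatch between the `server=` port in dnsmasq.conf and the `ListenDatagram=` port in the socket override is exactly what produces the "and nothing" moment. The config texts are constructed samples; `SOCKET_UNCHANGED` is a stand-in for a socket still on port 53, not a claim about what the packaged unit contains. Read `/etc/dnsmasq.conf` and the drop-in that `systemctl edit` wrote to check a real machine.

```python
"""Added example, not code from the thread: check that the dnsmasq config and
the dnscrypt-proxy.socket override described above actually agree before the
services are restarted. The config texts below are constructed samples."""


def parse_dnsmasq(text: str) -> dict:
    """Pull out the three settings the post touches. Note that '#' is the
    host/port separator in server=, so only whole-line comments are skipped."""
    cfg = {"no-resolv": False, "servers": [], "listen": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "no-resolv":
            cfg["no-resolv"] = True
        elif line.startswith("server="):
            host, _, port = line[len("server="):].partition("#")
            cfg["servers"].append((host, int(port) if port else 53))
        elif line.startswith("listen-address="):
            cfg["listen"] += [a.strip() for a in line[len("listen-address="):].split(",")]
    return cfg


def parse_socket_override(text: str) -> list:
    """Return the (host, port) pairs the [Socket] section ends up binding for UDP.
    An empty 'ListenDatagram=' clears the inherited list, as it does in systemd."""
    binds, in_socket = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_socket = (line == "[Socket]")
            continue
        if not in_socket or not line.startswith("ListenDatagram="):
            continue
        value = line.split("=", 1)[1].strip()
        if not value:
            binds = []
            continue
        host, _, port = value.rpartition(":")
        binds.append((host or "0.0.0.0", int(port)))
    return binds


def check_chain(dnsmasq_text: str, socket_text: str) -> list:
    """List every reason the dnsmasq -> dnscrypt-proxy hand-off would fail."""
    cfg, binds = parse_dnsmasq(dnsmasq_text), parse_socket_override(socket_text)
    problems = []
    if not cfg["no-resolv"]:
        problems.append("no-resolv missing: dnsmasq will also use /etc/resolv.conf "
                        "and queries can bypass dnscrypt-proxy")
    if not cfg["servers"]:
        problems.append("no server= line: dnsmasq has no upstream at all")
    for host, port in cfg["servers"]:
        if (host, port) not in binds:
            problems.append(f"dnsmasq forwards to {host}#{port} but "
                            f"dnscrypt-proxy.socket only binds {binds or 'nothing'}")
    for host, port in binds:
        if port == 53 and host in cfg["listen"]:
            problems.append(f"dnscrypt-proxy and dnsmasq both want {host}:53")
    return problems


# Constructed samples mirroring the post's working configuration.
DNSMASQ_CONF = """\
# local cache in front of dnscrypt-proxy
no-resolv
server=127.0.0.1#40
listen-address=127.0.0.1
"""
SOCKET_OVERRIDE = """\
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40
"""
# Constructed stand-in for a socket that was left on port 53, where dnsmasq
# wants to listen (not a claim about the packaged unit's contents).
SOCKET_UNCHANGED = """\
[Socket]
ListenDatagram=127.0.0.1:53
"""

if __name__ == "__main__":
    print("working chain:", check_chain(DNSMASQ_CONF, SOCKET_OVERRIDE) or "OK")
    for problem in check_chain(DNSMASQ_CONF, SOCKET_UNCHANGED):
        print("broken chain:", problem)
```

The `no-resolv` check matters for the privacy goal of the thread rather than for connectivity: without it dnsmasq also reads `/etc/resolv.conf`, and any upstream listed there is queried in plain text alongside the encrypted path.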
- dedanna1029
- Sound-Berserk
- Posts: 8780
- Joined: 14 Mar 2010, 20:29
Re: DNSCrypt and DNSSec
Maybe edit the wiki?
I'd rather be a free person who fears terrorists, than be a "safe" person who fears the government.
No gods, no masters.
"A druid is by nature anarchistic, that is, submits to no one."
http://uk.druidcollege.org/faqs.html
Re: DNSCrypt and DNSSec
I imported /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv into Calc (spreadsheets show those csv files nicely) and decided to find a German one
..Because the German Authorities are not going to pressure anybody to violate privacy secretly and behind closed doors - not on a general basis with everyone
The German High Court - Bundesverfassungsgericht - has ruled mass data retention illegal and in violation of the EU Human Rights charter Art 8.
So there are not only the nice intentions and the trustworthy faces of the providers but also a clear official and respected status in favor of privacy.
In Scandinavia there are good intentions and no such status. If the US say "Jump" they will jump higher than AT&T, and even if they don't say jump they are likely to do it just to impress them.
(Does fabricating rape charges to get hold of Assange so that he can be delivered to the US ring a Bell? - The Swedes are the worst - Iceland has a lot of credibility and guts to defend privacy )
Strangely enough I found only one German DnsCrypt server - but that is the one I use right now:
opennic-tumabox
http://wiki.tumabox.org/doku.php?id=dns
It works fine and the test site shows it
https://www.dnsleaktest.com
Hey I just installed DNSCrypt on Windows 7
I just installed DNSCrypt on Windows 7. It is basically the same as in Linux and not the usual click and install.
Follow this - it works:
https://dnscrypt.org/#dnscrypt-windows
Unzip to a folder of your choice and open a cmd Window as Administrator... and follow the instructions.
The stress with installing DNSCrypt is that there always is a brief period where you lose your internet connection - so make sure to find a working service by running the test.
To be able to change dnscrypt providers on the fly with a GUI; it makes sense to download the dnscrypt proxy manager and unzip it to the same folder as Dnscrypt.
Start it from the cmd and switch to another working service. This is a good thing since your confidence regarding the service providers may vary or things can change.
ATM Cisco's OpenDNS and DNSCrypt are very "out", so it may work but we don't trust them.
Edit:
OpenDNS did give us DNScrypt and made the source open - so my last comments here seem a bit less respectful, but I am happy with that. Since Cisco has taken over OpenDNS I cannot trust them anymore though.
Cisco may be OK and "deeply concerned" and initiate investigations regarding NSA's activities with their products
http://blogs.cisco.com/news/comment-on- ... ganization
But that is the tragedy of the scandal - the trust is gone anyway...