DNSCrypt and DNSSec

[viking60]

This first part is outdated - Jump here DNSCrypt is offered by OpenDNS DNSCrypt is an open source DNS encryption client program offered by OpenDNS, a third-party DNS provider, to prevent DNS snooping, spoofing, and other man-in-the-middle attacks. It does this by completely encrypting the DNS traffic to and from a user's computer and the OpenDNS servers. The encryption wraps itself around the DNS traffic much like SSL wraps itself around HTTP traffic, though DNSCrypt is using another form of encryption: a type of elliptic-curve cryptography, called Curve25519. Keep in mind, DNSCrypt is currently in the Preview Release phase with only support for users on Macs with at least Snow Leopard or Linux users. Windows support is expected by the end of April 2012.

Domain Name System Security Extensions (DNSSEC) is a separate DNS security solution that authenticates DNS traffic. It modifies DNS to add support for cryptographically signed responses, thereby preventing the tampering of the IP addresses that are returned from the DNS server.

It may seem like DNSCrypt and DNSSEC are competing solutions, but they are actually complimentary and can be used together for comprehensive security. DNSSEC provides protection against DNS spoofing and other man-in-the-middle attacks, and DNSCrypt provides double-protection and prevents any eavesdropping on traffic, even by ISPs.

It even will be available for Microsoft in April.
This software seems to become more and more important given the eagerness from all sides to spy on you for all the "good" reasons in the world (Intellectual property etc.).
Remember those ISP's who volunteered to spy on you?
more here... and here

[viking60]

So to put my foot in it I compiled dnscrypt-proxy from aur and installed it in Arch.
then I ran

Code: Select all

sudo /usr/sbin/dnscrypt-proxy –daemonize

That went fine but how do I know if it is started?
I listed my daemons and there it was with status stopped.
So I started the daemon

Code: Select all

sudo rc.d start dnscrypt-proxy

- that's it! I guess I have encrypted DnS now

Code: Select all

sudo cat /var/log/dnscrypt-proxy.log
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1323392947 received
[INFO] This certificate looks valid
[INFO] Server key fingerprint is xxx:5F90:XXXX:HHHH:TTTT:9A1E:6633:632A:0FE0:B1C5:5EF9:894A:FC7A:BA18:4A62:ABCf
[INFO] dnscrypt-proxy is ready: proxying from [127.0.0.1] to [208.67.220.220]


May I also point out that this technology is not available for MS yet, so they will probably not demand a cross licensing deal.

[dedanna1029]

LOL.

[viking60]

You can do a dirty editing of /etc/resolv.conf and put this line in there.

Code: Select all

127.0.0.1


That is all that /etc/resolv.conf should contain.
and then write protect it (in Arch):

Code: Select all

chattr +i /etc/resolv.conf

To avoid nettworkmanager overwriteing it.
In distros like Mandriva you can simply set DNS to 127.0.0.1 in the control panel.
You can check that you have succeded by clicking here

[viking60]

You can find a (rpm/deb) package here:
https://blog.opendns.com/2012/02/16/tal ... ux-rising/

[viking60]

Just checked this out in Mandriva and it runs just fine. I just downloaded and installed the file above and started in in a terminal with

Code: Select all

sudo dnscrypt-proxy

Code: Select all

:) sudo dnscrypt-proxy
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #1323392947 received
[INFO] This certificate looks valid
[INFO] Server key fingerprint is E07C:5F90:03C2:D764:A9FC:9A1E:6633:632A:0FE0:B1C5:5EF9:894A:FC7A:BA18:4A62:462E
[INFO] dnscrypt-proxy is ready: proxying from [127.0.0.1] to [208.67.220.220]

Then I set the DNS to 127.0.0.1

It works! By clicking the link above you will get a confirmation that you are using OpenDNS - Since you have not entered the OpenDns nameservers; only 127.0.0.1 it means that your DNS has been rerouted and encrypted via OpenDns.

Now dnscrypt-proxy does not put itself in the traditional daemons.
To make sure it starts every time I put this line in /etc/rc.local

Code: Select all

dnscrypt-proxy

That is all there is to it - You are now bleeding edge on Mandriva . This is good news for you and bad news for those spying on you!
Some of you gurus might even know how to place it so the dnscrypt-proxy daemon is handled by the Control Panel?

[viking60]

I checked the crypting with Wireshark; and indeed my DNS trafic from my local IP is encrypted. It reports a (sometimes malformed) packet that is unreadable

[viking60]

Update:
It seems to be impossible to write protect /etc/resolv.conf anymore. So I had to make myself a rc.local and make that overwrite whatever nameservers have been auto-written by dhcpcd or networkmanager in /etc/resolv.conf:

/etc/rc.local

Code: Select all

#!/bin/bash
#
# /etc/rc.local: Local multi-user startup script.
#
# set  nameserver
echo "nameserver 127.0.0.1" > /etc/resolv.conf


DNScrypt does only require that one. This script will simply overwrite the content of /etc/resolv.conf

This should not be necessary if you have set up your network connection properly so it should be enough to right-click on your network-applet and edit your connection there.
Under ipv4 settings you can set the connection to "Manual" and enter your preferred internal ip and gateway (your router) and under
DNS you simply enter 127.0.0.1

[viking60]

The above is pretty outdated now, due to systemd.
DNScrypt will be available in the repos on many distros by now (ie Arch) so you should search for it and install it from there.

Enable and start dnscrypt-proxy "the systemd way"; the rest is the same.

To check that it is properly enabled you can use

Code: Select all

drill txt debug.opendns.com


or

Code: Select all

dig txt debug.opendns.com


It will look something like this

Code: Select all

[viking@thomas-pc ~]$ drill txt debug.opendns.com                                                                                     
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 9605
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; debug.opendns.com.   IN      TXT

;; ANSWER SECTION:
debug.opendns.com.      0       IN      TXT     "server 9.fra"
debug.opendns.com.      0       IN      TXT     "flags 20 0 2b6 0"
debug.opendns.com.      0       IN      TXT     "id 944120"
debug.opendns.com.      0       IN      TXT     "source 12.345.67.89:82993"
debug.opendns.com.      0       IN      TXT     "dnscrypt enabled (7165393751484877)" <-----------

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 52 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 127.0.0.1
;; WHEN: Thu May 15 13:52:30 2014
;; MSG SIZE  rcvd: 208


[viking60]

DNScrypt is enhancing your security but there is this one thing that has been criticized:
If you encrypt your DNS why do you have to use the nameservers of OpenDNS? How do you know that you can trust them?

It would have been an even greater service if you can encrypt your DNS and choose your nameserver.

Now you can! DNScrypt.eu is a new service that works like DNScrypt but with the freedom to choose European nameservers.
This is important these days because the American ones can be approached by the NSA, but naturally you can pick American domain nameservers that you trust too.

The service is new so on the Linux side it is only available "out of the box" on Debian. But it shouldn't be to hard to implement it (he said, without having tried any of it )

Instructions on how to install it here

[viking60]

Now the DNScrypt service comes with the ability to choose European resolvers; at least in Manjaro.

Install dnscrypt-proxy and configure it like this:

Code: Select all

sudo dnscrypt-proxy --daemonize opendns

You can pick any resolver from this list it does not have to be opendns.
Then do a:

Code: Select all

sudo dnscrypt-proxy -R opendns

This will generate a key and fetch the server certificate:

Code: Select all

[NOTICE] Starting dnscrypt-proxy 1.4.0
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #123456789 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #123456789 is valid from [2014-02-10] to [2015-02-10]
[INFO] Server key fingerprint is B459:B056:CEO:D32O:F0C3:345C:DD58:260C:D67D:1859:BDBD:9E7A:014C:7686:09C3:9E26
[NOTICE] Proxying from 127.0.0.1:53 to 99.44.111.30:54


(The data above are altered and not "correct")


Your /etc/resolv.conf should look like this:

Code: Select all

# Generated by resolvconf
nameserver 127.0.0.1


The easiest way to achieve this is to edit the network connection:

Under IPv4-settings I have added the manual ip of 10.0.0.9 and added the IP of my router in gateway.
The important point is to set the nameserver to 127.0.0.1

Start the dameons:

Code: Select all

sudo systemctl enable dnscrypt-proxy

and

Code: Select all

sudo systemctl start dnscrypt-proxy

Now you can check if your trafic is encrypted with:

Code: Select all

sudo systemctl status dnscrypt-proxy

If you picked opendns you can also go here:
http://opendns.com/welcome
And get a confirmation that you are using the encryption.


Now your traffic between you and your chosen resolver will be encrypted - not even your own ISP will be able to peek in on it.

[viking60]

Well... I have checked DNScrypt with wireshark ...and ...I cannot se that the data are encrypted - in fact I am able to read the content of the websites I surf to.
My system indicates that dnscrypt is running;

I have set "dns" as filter and checked out a line that was from my IP to some destination.
there I picked the Transmission Control Protocol line and at the bottom I could read the content of the site I had surfed too - and I should not be able to do that - it should be encrypted.

I surfed to the German newspaper bild.de and clicked on the fotball game Dortmund against Juventus - stopped the capture in wireshark and here is the result:

Clearly you can see the url I surfed to and football and dortmund etc.

As far as I can tell that is not encrypted
I have set Opendns on my computers and not in the router.
By the looks of it; Dnscrypt is crap and only will trick you into believing that your data are encrypted. I will investigate this further though....

Edit:
I checked out my dashboard over at opendns.com and noticed that my external IP was not correct so I had to manually click a refresh button that updated my IP to the correct one (You can check your external ip on the top right at http://bjoernvold.com).
Once that was done wireshark came up with nothing other than completely jiberish stuff - which is what we want.

What I do not like is that all checks do indicate that everything is working perfectly even with the wrong IP in which case nothing is actually encrypted.
So check out your opendns dashboard even if there are clients to update this automatically.
According to OpenDNS these clients should only matter for recording statistics on their site - that was not the case here though. The encryption did not work.

I will admit that I am not using the dyndns update client for this - I use no.ip for providing the backup site for this forum. I do not want to confuse me and my computer with yet another dns updater .