DNSCrypt and DNSSec


viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: DNSCrypt and DNSSec

Postby viking60 » 25 Feb 2015, 12:38

I logged out of openbox and into xfce4 and did another test.
Every check on Opendns is green and the IP is right.
.....
And I can still read the headlines of the news I am surfing on in Wireshark. :berserk2

At this point you may safely ignore all my recommendations above :berserkf

I have pointed it out here:
:A
https://support.opendns.com/entries/216 ... t_25823980

I hope I am wrong about something.....
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1) + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: DNSCrypt and DNSSec

Postby Snorkasaurus » 25 Feb 2015, 15:34

All DNSCrypt is good for is encrypting

1. your DNS queries to your DNS server [what is the IP address of bjoernvold.com?] and
2. your DNS server's replies [bjoernvold.com is 205.234.200.233]

...that's it. Once DNS has given you the IP address you are looking for, the responsibility of encrypting the connection between you and the remote server is up to the protocol you are using. Since I use my ISP's DNS servers I am pretty confident that the traffic never leaves their network and that only they have the ability to record my DNS queries (even if they are in plain text). Since OpenDNS uses DNSCrypt it is pretty likely that only they have the ability to record my DNS queries. Since I trust my ISP more than I trust OpenDNS, I use them for my DNS queries.

S.

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: DNSCrypt and DNSSec

Postby viking60 » 25 Feb 2015, 16:34

Yup, it seems that you are right about that.
OpenDNS does far less than I thought. There might be some security there but not as much as I thought. It is a way to avoid a man-in-the-middle attack and that is basically it.

Why OpenDNS/DNScrypt is better than other ISPs is not that clear to me now....

It is probably better that the DNS traffic is encrypted and not in plain text though.

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: DNSCrypt and DNSSec

Postby Snorkasaurus » 25 Feb 2015, 17:31

viking60 wrote:It is probably better that the DNS traffic is encrypted and not in plain text though.

Like I said... I trust my ISP more than I trust OpenDNS, mostly because they were intentionally hijacking DNS queries in order to show advertising. If you used OpenDNS, opened your browser, and tried to type in bjoernvold.com but accidentally typed in bjeornvold.com your DNS provider SHOULD return a NXDOMAIN reply. However, OpenDNS's service would return the IP address of one of their servers which presents ads that are presented in a "search engine style" layout. That to me is intentional DNS poisoning, and further it is for their own benefit. Not cool at all. Unfortunately there is barely any mention of it on the OpenDNS Wikipedia page. For people who do not like this kind of activity, here is a nice quick writeup describing a way to use dnsmasq as a local caching DNS server to properly return a NXDOMAIN reply (though I think it is a better idea to simply switch to a DNS provider who does not poison DNS).

S.
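As an added illustration of the point above (not Snorkasaurus's code or anything from the thread), the Python below builds two constructed DNS replies for the typo'd name and flags the one that answers with an address instead of NXDOMAIN; 198.51.100.7 is a documentation address standing in for an ad server.

```python
# Added example (constructed packets, not a capture): detect the NXDOMAIN
# rewriting described above. 198.51.100.7 is a documentation address.
import struct

NXDOMAIN = 3  # RCODE value for "name does not exist"

def build_response(qname, rcode, answers=()):
    """Build a minimal DNS reply to an A query (test input only)."""
    flags = 0x8180 | rcode                      # QR, RD, RA set; RCODE low 4 bits
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    msg = struct.pack(">HHHHHH", 0x1234, flags, 1, len(answers), 0, 0)
    msg += name + struct.pack(">HH", 1, 1)      # QTYPE=A, QCLASS=IN
    for ip in answers:                          # name as pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg

def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:               # 2-byte compression pointer
            return off + 2
        off += length + 1

def parse_response(msg):
    """Return (rcode, [A-record IPs]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips

def is_nxdomain_hijacked(response):
    """True when a probe for a name that cannot exist (a typo such as the post's
    bjeornvold.com) comes back NOERROR with an address instead of NXDOMAIN."""
    rcode, ips = parse_response(response)
    return rcode != NXDOMAIN and bool(ips)
```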

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: DNSCrypt and DNSSec

Postby Snorkasaurus » 25 Feb 2015, 17:34

I should also mention that if someone were to compromise my router or wireless access point they could potentially trap and record my [plain text] DNS traffic, giving them the ability to extrapolate a profile of my externally accessed servers (including the date and time of such accesses).
S.

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: DNSCrypt and DNSSec

Postby viking60 » 07 Sep 2015, 12:35

So I have taken your profound words regarding OpenDNS (Cisco) to me .. and skipped it.

I now use European providers that are not under the direct influence of the NSA. In fact Arch and Manjaro have switched from OpenDNS as the standard provider for DNScrypt too.

Cisco does provide these services too .. and I would not trust them since they are clearly on the NSA "cooperation" list.

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: DNSCrypt and DNSSec

Postby Snorkasaurus » 08 Sep 2015, 16:19

So I took your profound words, and figured out how to make my dnsmasq caching server use dnscrypt for my name resolution at home. :-)
The process I used can be found here.

PS: Do you know anything about these okturtles fellahs?

s.

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: DNSCrypt and DNSSec

Postby viking60 » 08 Sep 2015, 17:58

Those Okturtles fellas look fairly OK. I have nothing negative on them. The one thing that always should cause worries is when someone needs to make money on this stuff.
Money can corrupt. Clearly idealistic, non-corporate looking sites may be better.

But then again those could be hackers.. :think:

I use the Danish alternative since it is near and they look tech minded and non-commercial.

The Netherlands seem OK too, but that is the default in all distros these days (including your wheezy manual) - so it must be very tempting to spy on them....I just picked another one from the list for good measure.
If you want to check out another one you can simply change your crontab to

Code:

@reboot /usr/local/sbin/dnscrypt-proxy -a 127.0.0.2:53 -d -R dnscrypt.eu-dk


Manjaro/Arch handle this with daemons under systemd.

I think the European alternatives are the safest. No gag orders and surveillance allowed here. The Brits are ignoring it... but it is not allowed :-D

Great howto there - people really need these howtos
This is the Arch way:
:A
https://wiki.archlinux.org/index.php/DNSCrypt

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: DNSCrypt and DNSSec

Postby viking60 » 08 Sep 2015, 19:11

And finally I added dnsmasq to the equation. As the eager readers already know I have Dnscrypt running. There is a small bug in that on Arch and Manjaro, so you need to add one line to
/usr/lib/systemd/system/dnscrypt-proxy.service
And that line is...
:drummer
:drummer

Code:

After=network.target

EDIT: This bug is now fixed
+1
It should be the last line in the Unit section. If you don't add this - you simply will be without internet. So it makes sense to let the network start first :-D
Here is my
/usr/lib/systemd/system/dnscrypt-proxy.service

Code:

[Unit]
Description=DNSCrypt client proxy
Requires=dnscrypt-proxy.socket
After=network.target

[Install]
Also=dnscrypt-proxy.socket
WantedBy=multi-user.target

[Service]
Type=simple
NonBlocking=true
ExecStart=/usr/bin/dnscrypt-proxy \
     -R dnscrypt.eu-dk


So once that is cleared up it is time to add Dnsmasq into the equation:

First install it!

Code:

sudo pacman -S dnsmasq


Then I edited /etc/dnsmasq.conf and basically uncommented and filled in three lines:

Code:

no-resolv
server=127.0.0.1#40
listen-address=127.0.0.1

The Arch wiki told me to - so monkey see and monkey do....(It configures Dnsmasq as a local DNS cache).

The port has been changed from the default 53 so we need to alter that in the socket with this command:

Code:

sudo systemctl edit dnscrypt-proxy.socket

This opened an empty file on my Manjaro so I pasted this content into it:

Code:

[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:40
ListenDatagram=127.0.0.1:40


You don't understand? Do it anyway, after the monkey see and monkey do method :-D The Arch wiki is like Jesus, you just do it because it told you so :lol:
Now we have to stop the dnscrypt-proxy.service Je... eh.. the Archwiki says:

Code:

sudo systemctl stop dnscrypt-proxy.service

and start dnscrypt-proxy.socket

Code:

sudo systemctl start dnscrypt-proxy.socket

Ah that should be it then; time to surf on the internet:
:drummer
...
and nothing :berserk2

Maybe we should remember to start the dnsmasq.service too, even if Je... the Wiki didn't say so..

Code:

sudo systemctl start dnsmasq.service

The internet better be there now :berserkf
:drummer
:drummer
- And the miracle has happened
:jackpot :dancer

Now I have to check why dnsmasq is good for me... :-D
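An added check (not from the post or the Arch wiki) for the chain configured above: it parses the post's dnsmasq lines and socket override with systemd's list-reset semantics and reports when dnsmasq forwards to a port nobody listens on, or when both daemons want port 53 (the "without internet" case); the packaged dnscrypt-proxy.socket content is an assumption.

```python
# Added example, not from the thread or the Arch wiki: check that the
# dnsmasq -> dnscrypt-proxy chain in the post is wired consistently.
# PACKAGED_SOCKET is an assumed stand-in for the distro's unit; the rest is the post's own.
PACKAGED_SOCKET = "[Socket]\nListenStream=127.0.0.1:53\nListenDatagram=127.0.0.1:53\n"
OVERRIDE = ("[Socket]\nListenStream=\nListenDatagram=\n"
            "ListenStream=127.0.0.1:40\nListenDatagram=127.0.0.1:40\n")
DNSMASQ_CONF = "no-resolv\nserver=127.0.0.1#40\nlisten-address=127.0.0.1\n"

def parse_dnsmasq(text):
    """Return (listen_addresses, [(upstream, port)]); '#' marks a comment
    only at line start, since server=ip#port uses it for the port."""
    listen, upstreams = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "listen-address":
            listen += [v.strip() for v in value.split(",")]
        elif key == "server":
            host, _, port = value.partition("#")
            upstreams.append((host, int(port or 53)))
    return listen, upstreams

def socket_listeners(*unit_texts):
    """Merge a socket unit and its drop-ins, in order, with systemd semantics:
    an empty ListenStream=/ListenDatagram= clears the list built so far."""
    listeners = {"ListenStream": [], "ListenDatagram": []}
    section = None
    for line in "\n".join(unit_texts).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Socket" and "=" in line:
            key, _, value = (s.strip() for s in line.partition("="))
            if key in listeners:
                listeners[key] = listeners[key] + [value] if value else []
    return listeners

def check_chain(dnsmasq_conf, *socket_units):
    """Return problem strings; an empty list means the chain is consistent."""
    listen, upstreams = parse_dnsmasq(dnsmasq_conf)
    udp = set(socket_listeners(*socket_units)["ListenDatagram"])
    problems = [f"dnsmasq forwards to {h}#{p} but nothing listens on {h}:{p}"
                for h, p in upstreams if f"{h}:{p}" not in udp]
    problems += [f"dnsmasq and dnscrypt-proxy both want {a}:53"
                 for a in listen if f"{a}:53" in udp]
    return problems
```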

dedanna1029
Sound-Berserk
Posts: 8780
Joined: 14 Mar 2010, 20:29

Re: DNSCrypt and DNSSec

Postby dedanna1029 » 08 Sep 2015, 20:35

Maybe edit the wiki?
I'd rather be a free person who fears terrorists, than be a "safe" person who fears the government.
No gods, no masters.
"A druid is by nature anarchistic, that is, submits to no one."
http://uk.druidcollege.org/faqs.html

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: DNSCrypt and DNSSec

Postby viking60 » 09 Sep 2015, 09:56

I imported /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv into Calc (spreadsheets show those csv files nicely) and decided to find a German one +1

..Because the German Authorities are not going to pressure anybody to violate privacy secretly and behind closed doors - not on a general basis with everyone :snooty:
The German High Court - Bundesverfassungsgericht - has ruled mass data retention illegal and in violation of the EU Human Rights charter Art 8.
So there are not only the nice intentions and the trustworthy faces of the providers but also a clear official and respected status in favor of privacy.

In Scandinavia there are good intentions and no such status. If the US say "Jump" they will jump higher than AT&T and even if they don't say jump they are likely to do it just to impress them.

(Does fabricating rape charges to get hold of Assange so that he can be delivered to the US ring a bell? - The Swedes are the worst - Iceland has a lot of credibility and guts to defend privacy)

Strangely enough I found only one German DnsCrypt server - but that is the one I use right now:

opennic-tumabox

http://wiki.tumabox.org/doku.php?id=dns

It works fine and the test site shows it
:A
https://www.dnsleaktest.com

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Hey I just installed DNSCrypt on Windows 7

Postby viking60 » 30 Sep 2015, 00:55

I just installed dnscrypt on Windows 7. It is basically the same as in Linux and not the usual click and install.

Follow this - it works:
:A
https://dnscrypt.org/#dnscrypt-windows
Quickstart

1) Download and extract the latest Windows package for dnscrypt.

2) Copy the dnscrypt-proxy-win32 folder anywhere.

3) Look at the list of public DNS resolvers supporting DNSCrypt and pick the one you want to use. Note its name, in the first column (for example: dnscrypt.org-fr).

4) Open an elevated command prompt (see below), enter the dnscrypt-proxy-win32 folder and type:

dnscrypt-proxy -R <name> --test=0
Replace <name> with the name of the resolver you chose.

This command just tests if everything is properly installed on your end, and if the resolver is properly working. If everything looks fine, the command should display the server key fingerprint and exit right away.

If an error is displayed, retry with a different server.

5) So far, so good? Now, enable the service for real, by replacing the --test=0 part of the previous command with --install.

dnscrypt-proxy -R <name> --install
6) Open the network preferences ("Network connections", then select your network adapter and hit "Properties"). Then in the "Internet Protocol Version 4 (TCP/IPv4)" settings use 127.0.0.1 instead of the default DNS resolver address.

Congratulations, you're now using DNSCrypt!

Unzip to a folder of your choice and open a cmd Window as Administrator... and follow the instructions.

The stress with installing DNScrypt is that there always is a brief period where you lose your internet connection - so make sure to find a working service by running the test.

To be able to change dnscrypt providers on the fly with a GUI; it makes sense to download the dnscrypt proxy manager and unzip it to the same folder as Dnscrypt.

Start it from the cmd and switch to another working service. This is a good thing since your confidence regarding the service providers may vary or things can change.

ATM Cisco's OpenDNS and dnscrypt are very "out". So it may work but we don't trust them :snooty:
Edit:
OpenDNS did give us DNScrypt and made the source open - so my last comments here seem a bit less respectful, but I am happy with that. Since Cisco has taken over OpenDNS I cannot trust them anymore though.
Cisco may be OK and "deeply concerned" and initiate investigations regarding NSA's activities with their products
:A
http://blogs.cisco.com/news/comment-on- ... ganization

But that is the tragedy of the scandal - the trust is gone anyway...
