Wilders Security Forums  

  #1  
Old July 10th, 2012, 08:39 PM
ncage1974 ncage1974 is offline
Infrequent Poster
 
Join Date: Dec 2009
Posts: 44
Default DNS ?

Just installed OpenDNS DNSCrypt for Windows. I'm confused by an option that is automatically selected when you install DNSCrypt:
"Fall back to insecure DNS"?

What exactly is that? By the sound of it, it sounds like your DNS queries are unencrypted. Is it misleading? Yet it says my status is "Protected". Can anyone clarify?

Also I assume DNS is usually sent with UDP packets? There is an option "DNSCrypt over TCP / 443 (Slower)" which I assume just means DNS will be sent over SSL, but if DNSCrypt actually works and is encrypted why would you need it?

For reference:
Enable OpenDNS: Checked
Enable DNSCrypt: Checked
DNS over TCP / 443 (slower): Unchecked
Fall back to insecure DNS: Checked
Status shows "Protected"
--which are all defaults.
  #2  
Old July 11th, 2012, 05:49 AM
Tomwa Tomwa is offline
Regular Poster
 
Join Date: Feb 2010
Posts: 160
Default Re: DNS ?

Quote:
Originally Posted by ncage1974
Just installed OpenDNS DNSCrypt for Windows. I'm confused by an option that is automatically selected when you install DNSCrypt:
"Fall back to insecure DNS"?
If for whatever reason DNSCrypt is unable to make a successful query with encryption enabled, it will resort to sending an unencrypted request to the OpenDNS servers. This is to prevent your internet from simply falling over dead should DNSCrypt stop functioning.

Quote:
Originally Posted by ncage1974
What exactly is that? By the sound of it, it sounds like your DNS queries are unencrypted. Is it misleading? Yet it says my status is "Protected". Can anyone clarify?
If you have this option enabled then DNS queries won't fail if they aren't sent successfully while encrypted (for whatever reason) and will instead resort to a good-ole unencrypted DNS request. This shouldn't happen most of the time, though I myself have disabled the option. Keep in mind DNSCrypt is still new and this option helps stability greatly (in fact I just fought with DNSCrypt a moment ago when it simply stopped handling DNS queries).

Quote:
Originally Posted by ncage1974
Also I assume DNS is usually sent with UDP packets? There is an option "DNSCrypt over TCP / 443 (Slower)" which I assume just means DNS will be sent over SSL, but if DNSCrypt actually works and is encrypted why would you need it?
DNS is usually sent over UDP port 53. This is great, but firewalls and other security programs can occasionally cause problems with requests. This is why the above option exists: port 443 isn't going to be as heavily restricted (since it's used for secure HTTP) and may resolve the problems at the cost of speed.


Quote:
Originally Posted by ncage1974
For reference:
Enable OpenDNS: Checked
Enable DNSCrypt: Checked
DNS over TCP / 443 (slower): Unchecked
Fall back to insecure DNS: Checked
Status shows "Protected"
--which are all defaults.

I generally disable "Fall back to insecure DNS" as I prefer security over stability, but I have encountered issues with DNSCrypt which I've had to solve on my own.

All your answers could be found here: https://www.opendns.com/technology/dnscrypt
__________________
KIS 2013 + LUA + SRP + SpywareBlaster + UAC Max + EMET Max + (Removed) Keyscrambler + Sandboxie + WinPatrol + PeerBlock + TrueCrypt (FDE 63 Char random ASCII key) + Tor (Privoxy + Polipo chain) + OpenDNS + HostsMan (MVPS + hpHosts (Ads/trackers)).

Last edited by Tomwa : July 11th, 2012 at 05:56 AM.
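
The fallback described in the post above is silent, so the way to know whether it has happened is to look for DNS leaving the machine on port 53. The following is an added example, not part of the original thread or of DNSCrypt: it scans flow records for such traffic. The record format, the addresses, and the function names are constructed for illustration, and it assumes queries to loopback port 53 are the hop to a local proxy rather than a leak.

```python
import ipaddress
import re

# Constructed flow records (not from the thread). 198.51.100.53 is a
# documentation-range placeholder standing in for the upstream resolver.
SAMPLE_FLOWS = """\
2012-07-11T05:50:01 UDP 127.0.0.1:51514 -> 127.0.0.1:53
2012-07-11T05:50:01 UDP 192.168.1.10:51515 -> 198.51.100.53:443
2012-07-11T05:52:40 UDP 192.168.1.10:51520 -> 198.51.100.53:53
2012-07-11T05:52:41 TCP 192.168.1.10:51521 -> 198.51.100.53:53
2012-07-11T05:55:09 TCP 192.168.1.10:51530 -> 198.51.100.53:443
garbage line that should be skipped
"""

FLOW_RE = re.compile(r"^(\S+) (UDP|TCP) (\S+):(\d+) -> (\S+):(\d+)$")


def plaintext_dns_flows(log_text):
    """Return flows that left the host for port 53, i.e. unencrypted DNS."""
    leaks = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not flow records
        ts, proto, _src, _sport, dst, dport = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst.strip("[]"))
        except ValueError:
            continue  # destination is not an IP address
        # Assumption: loopback port 53 is the stub-to-local-proxy hop, not a leak.
        if int(dport) == 53 and not dst_ip.is_loopback:
            leaks.append({"time": ts, "proto": proto, "dst": str(dst_ip)})
    return leaks


def summarize(leaks):
    """Group leaks per destination: (count, first seen, last seen)."""
    by_dst = {}
    for leak in leaks:
        by_dst.setdefault(leak["dst"], []).append(leak["time"])
    return {d: (len(t), min(t), max(t)) for d, t in by_dst.items()}


if __name__ == "__main__":
    for dst, (n, first, last) in summarize(plaintext_dns_flows(SAMPLE_FLOWS)).items():
        print(f"{dst}: {n} plaintext DNS flow(s) between {first} and {last}")
```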
  #3  
Old August 7th, 2012, 10:15 AM
ncage1974 ncage1974 is offline
Infrequent Poster
 
Join Date: Dec 2009
Posts: 44
Default Re: DNS ?

Tomwa, sorry for the long-delayed reply, but I really appreciate the thorough explanation.
  #4  
Old August 7th, 2012, 12:10 PM
jedisct1 jedisct1 is offline
Infrequent Poster
 
Join Date: Jul 2012
Location: San Francisco, CA
Posts: 26
Default Re: DNS ?

Don't use the "fallback to insecure" option. If you care about security, don't use the UI at all. (This also applies to the Mac UI.)
  #5  
Old August 7th, 2012, 12:25 PM
subhrobhandari subhrobhandari is offline
Frequent Poster
 
Join Date: Nov 2009
Posts: 241
Default Re: DNS ?

Quote:
Originally Posted by jedisct1
If you care about security, don't use the UI at all. (this also applies to the Mac UI).

Why so?
__________________
Realtime: Webroot SecureAnywhere Private Beta + Zemana Antilogger + HitmanPro Alert
On-Demand: Hitman Pro
Others: Router + EMET (Custom Conf.) + Fully Updated Windows 7 SP1 64Bit + Other Security Measures
 

All times are GMT -4. The time now is 06:38 AM.