DNSCrypt – Not Fundamental Enough

This is a pretty interesting piece I saw on DNSCrypt;

http://blog.trendmicro.com/dnscrypt-–-not-fundamental-enough/

Pretty wild from Trend Micro's blog....

 

From what I gathered they are pretty much saying that DNSCrypt is a hack, which I doubt anyone is surprised by. We know it is, and we'd all love to see encryption be a standard with DNSSEC, but until such a thing happens, tools such as DNSCrypt will be needed.

I wonder why they don't mention HTTPS alongside that? Seems like they are just trying to make the blog post longer by posting garbage. Anyone knowledgeable enough to understand and install DNSCrypt will know that the point of it is to combine HTTPS and encrypted DNS to make the 100% privacy. You're not going to get 100% if you only encrypt DNS or only encrypt the webpage.

 

I agree Funky - they kind of miss the point. DNSCrypt is something that OpenDNS compared to SSL - they go together.

It's weird because they say "If you want security use DNSSEC" but only a few sentences before they quote OpenDNS as saying that DNSSEC + DNSCrypt work fine together.

They also could have talked about DNSCurve http://dnscurve.org/.

 

Well not all sites are going to be HTTPS, so then what? At least we get a little...

Also the man page has this to say;

dnscrypt-proxy is not a DNS cache. Unless your operating system already provides a decent built-in cache (and by default, most systems don't), clients shouldn't directly send requests to dnscrypt-proxy.

Intead, run a DNS cache like Unbound, and configure it to use dnscrypt-proxy as a forwarder. Both can safely run on the same machine as long as they use different IP addresses and/or different ports.

So now it makes me wonder, does the end-user really need Unbound, because when you go to their blog and start reading all this, they don't really mention this to Mac or Windows users, at least I haven't noticed it...

Also this makes me wonder, the German Privacy Foundation has DNSSEC servers you can use, so why not just plug those into your adapter and be on your happy way?

http://server.privacyfoundation.de/

 

Obviously, but that's besides the point. If you're at a place where privacy is an issue (e.g. public WiFi) then you're not going to be browsing non-encrypted websites, or if you are, it's because you don't care about privacy for those websites (e.g. Wikipedia). It's supposed to supplement secure sites, such as shopping or banking.

 

Yes, I meant for a big part of the internet experience, just surfing, etc., there's still a lot out there that's not HTTPS is what I was getting at...

 

Yup I agree, addons like HTTPS Everywhere can help ease that. (I wish there was an IE version)

 

Yes, but what's the point of forcing HTTPS on a site that isn't enforcing it?

Now I need to figure out if I want to use DNSCrypt with unbound, if that's a really great combo...

 

What's wrong with just using OpenDNS + DNSSec with no DNS cache? I have a DNS I can put on my server but just curious about the issues.

 

Last I checked using the GRC spoofability test, OpenDNS didn't support DNSSEC. I just did it just now and it seems one of the 2 servers tested supports it, how odd...

 

OpenDNS doesn't support DNSSEC - they support DNSCurve.

 

Re-read my post. Also, they aren't mutually exclusive.

 

That's nice that there servers apparently support it, but they're saying that they don't.

Perhaps a false positive with DNSCurve? I really don't know. But I can't find anything online with them saying that they support it.

I'm not saying they're mutually exclusive.

 

Browsing the OpenDNS forums seems to show that they support it, and don't support it. The GRC spoofability test says 1 supports it and 1 doesn't. It's anyone's guess.