Introducing DNSCrypt

This is being offered by OpenDNS.

Here is part of the product description:

In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks. It doesn't require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between our customers and our DNS servers in our data centers. We know that claims alone don't work in the security world, however, so we've opened up the source to our DNSCrypt code base and it's available on GitHub.

DNSCrypt has the potential to be the most impactful advancement in Internet security since SSL, significantly improving every single Internet user's online security and privacy.


Currently available for the Mac - Windows coming soon.

https://www.opendns.com/technology/dnscrypt?utm_source=n012012&utm_medium=em&utm_campaign=home

 

Got this email a few days ago but didn't bother posting due to the "mac only for now" announcement, which isn't really a good way to build hype. Whilst I'd like to be hyped about this, it might become annoying having to install a software application on every machine where as this should be proposed as an extension/addition to DNSSEC, if it's not too late to do that.

I'll definitely be tempted to try it once the Windows client is pushed out. At this point I'm hoping for one of two things:
1. This program turns out to be really good and other DNS providers such as DynDNS/NortonDNS adopt it so I can continue to use Norton plus this tool.
2. OpenDNS adopt a malware filter like Nortons so I can switch to OpenDNS again.

 

Since a client is needed I wonder how/if it would play with a VPN? Perhaps DNSCrypt wouldn't add anything to VPN security, but DNSCrypt by itself doesn't sound like a complete solution for unsecured wireless networks.

 

Assuming you were browsing an SSL page on unsecured WiFi (let's say a banking page), the DNS query itself would be readable, so DNSCrypt would encrypt that, essentially meaning everything that was broadcasted by your laptop was encrypted (SSL for webpage, DNSCrypt for DNS). However if you're browsing a standard non-SSL webpage that will be openly viewable, because encrypting the DNS query wouldn't really do much for you if they can read the passwords you're sending. (no SSL to cover webpage, DNSCrypt covering DNS)

Would it be useful on a VPN? I'm not sure. I guess it depends on the VPN and if you can send DNS queries through it, in which case there isn't really much point in encrypting the DNS query as you're already anonymous. But if the VPN doesn't cover DNS queries then it would definitely be a useful addition.

 

It has been mentioned already, not so long ago.

https://www.wilderssecurity.com/showthread.php?t=313708

That said, too bad it's for Mac only... for the time being. It's open source, though. So, maybe someone else will make a Windows version.

 

already using it on my macbook but w8ing for the pc version since i do my most work on my windows laptop.

 

Do you also use a VPN? If so can you see if it's possible to use a VPN together with DNSCrypt?

 

I wonder why the Mac version was created first.

 

its better to run your own dns server w DNSSEC enabled on your end. much faster and doesn't matter what os your clients use.

https://calomel.org/unbound_dns.html

 

yes it would be as if you use the dns server supplied by your vpn service, run run an enormous risk of becoming victim to dns spoofing attacks.

bolehvpn which i use has probably the worst dns servers ive even seen and are riddled with dns spoofing attacks for example.

for those of you that dont understand the significance of this, the spoofer sends you a dns packet with an ip pointing to the machine of their choice which usually runs some kind of SET or phishing attack to get you to load a java script, or give up your gmail login/pass etc by presenting you with a full blown copy of the gmail login interface which "looks" good so you enter your info then BAM they've got you L and P

if you run your own dns server you do NOT want to use it for your vpn connection unless it too is behind a vpn

 

Really? Please provide some examples. I can appreciate that they would "spoof" torrent sites that have been taken down, by pointing to replacements. But malicious spoofing, that's a serious issue!

 

sure, http (not s) facebook.com is under constant attack.

fb redirects http to https, in that process you'll get hit regularly. run a win xp box on service pack 3 (way susceptible to loks of attacks still) and you'll see it all the time.

after seeing that, i dont dare try to hit anything of importance ie banks or any webmail. attacks such as these esp to run malicious java script thru SET can allow them to easily take control of the pc remotely *without* triggering your antivirus software. this is very well documented in the appropriate channels. primarily these attacks are done against windows machines, usually XP. however dns spoofs to run java script can and will run on win 7 as they essentially setup backdoors. keep in mind they can control everything, take a picture of you on the webcam etc.

mirimir this is less likely to actually happen to use if the wintendo boxes are behind the pfvpn as per other thread bc port forwarding will probably fail BUT nat will probably not get blocked IF the attacked machine tries to starts the connection first. then pfsense will just nat it through and bingo theyve got you

the zeus trojan will operate in this manner which there really isnt a fix for and its been a few years since it first came out.

dns spoofing is a pretty serious issue in general (and way old school trick) especially since everything is now "on the cloud" and web based which means... addi is quickly getting the fk off all cloud services

but for regular folks who use vpns on wintendo best bet is to see if you can still us your vpn while forcing it to use google dns 8.8.8.8 and 8.8.4.4 instead of the one supplied by the vpn. i go a different route all together and dont use windows so im not the one to talk to on how to make this change. maybe ask your vpn provider.

they can spoof ssl certs to pretty easily BUT if you use the calomel plugin AND, more importantly, actually look at the certs issued you can spot the crap ones as theyre almost always self signed. obviously dont accept them. this might be over the heads of some but i digress.

 

BolehVPN does not have its own DNS and we provide common DNS to the end users. The DNS are those provided by the by datacenter providers who service thousands of other servers.

DNS management has nothing to do with us. To make a statement that "BolehVPN which i use has probably the worst dns servers ive even seen and are riddled with dns spoofing attacks for example." is inaccurate and possibly defamatory and if you have solid evidence to show this, we'll be happy to look into it.

BolehVPN uses two types of connections which is Proxied and fully routed servers. If you are using Proxied servers, the DNS setting is squarely fall on the users to set, which is commonly be the one that is provided by the ISP.

Even the so called Secure DNS provided by Comodo is resulted in Moderate status under a DNS Nameserver Spoofability test(https://www.grc.com/dns/dns.htm), does it mean they are not secured? Also the recommended Google DNS which we used on many of our servers until users did not like this, returned a Bad status. In fact, if you placed Google DNS as an ALTERNATE server, it would also return a Bad status notwithstanding that the servers default two DNSes would rate excellent with it.

We noticed the same argument were raised in 2010 by another user in another forum (https://forum.perfect-privacy.com/showthread.php?t=1744) which tries to blame OpenVPN for this and yet at the end of the day, DNS has nothing to so with the VPN unless the VPN providers operate their own DNS servers.

Despite all of the above, we have been replacing the common DNS with other so called 'secure' DNS but there are cases where those DNS is unable to reach certain sites due to blocking by overzealous countries and we have to revert to common DNS which will resulted in 'Very Bad" or "Bad" status in the DNS spoofability test. We're looking into how to best achieve a happy compromise.

If it's in relation to sometimes our BolehVPN-GUI showing the wrong location, although being connected to another country, this has nothing to do with the 'spoofability' but more of a Geo-IP issue which DasFox has brought up with us. This was because in certain instances, a server provider would change the info to our Malaysian address and as such a Geo-IP lookup would show a Malaysian flag despite it being clearly in Switzerland or another country. We had raised this issue and got the info changed back but it takes a while for all these sites to update themselves and their databases.

 

Well this thread has taken an interesting turn.

No idea, but NortonDNS/DynDNS returns "excellent", you can see what a person might prefer from DNS choice, especially someone concerned about privacy.

OpenDNS (which is at the heart of this topic) also receives an "excellent" rating, but worryingly doesn't support DNSSEC yet.

 

that's a problem but easily solvable.

additionally, if your resources permit, you may want to look into running your own vs assigning 3rd party servers for improved performance and security in general for vpn users which would allow you resolve the bad status results and country blocking which you mentioned are having issues with. but you'd have to throw some resources at it since you probably have lots of traffic.

i like your service a lot, it works terrific. no gripe w you guys, just that dns as its assigned could be improved either on the client side or on your side.

the thing to remember is that when doing a dns attack you dont have to spoof the real dns servers data, thats near impossible these days anyway with almost everyone using DNSSEC. running the spoofability checker is fine but has nothing to do with being targeted through another channel. all you need to do is a MITM attack which happens frequently

good to see you have google alerts on your service tho makes for speedy responses.