Using HTTPS DNS

Discussion in 'privacy technology' started by subhrobhandari, Aug 4, 2013.

Thread Status:
Not open for further replies.
  1. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    For those who might be interested:
    https://www.privacyfoundation.de/wiki/SSL-DNS.html#Windows

    This worked with Swiss Privacy Foundation's DNS servers (see my sig) and OpenNIC servers when I tested weeks ago and will probably with others too.


    Note: This is different than using DNSCrypt. OpenDNS doesn't support DNSSEC either. In their words
     
    Last edited: Aug 4, 2013
  2. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    Did you look at https://cloudns.com.au/ ?

    DNSCrypt support
    DNSSEC support
    Namecoin support
    No censorship
    No hijacking
    No logging
    Not in the US
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I may try out CloudNS. Thank you for posting that.
     
  4. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    It looks really nice. jedisct1, are you from the DNSCrypt project on GitHub?
     
  5. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    I wrote the protocol and the client proxy.

    Someone wrote a free server proxy: https://github.com/Cofyc/dnscrypt-wrapper

    Anyone running a DNS resolver can use it to support the protocol. This is what CloudNS are using. Having more of them would be neat!
     
  6. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    Agreed, I was looking for an OpenDNS alternative for a long time to use with DNSCrypt, this just made me smile.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Very nice, but they are only in Australia which doesn't give great speed for the rest of the world.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Pretty sure all modern browsers cache and prefetch DNS aggressively, so performance shouldn't matter much in real world situations.
     
  9. tlu

    tlu Guest

    A possible alternative are the DNS servers of the Swiss Privacy Foundation. They support DNSSEC, but they aren't dnscrypt compatible, are they?
     
  10. tlu

    tlu Guest

    I'm using the configuration in Kubuntu 13.04 as suggested by Hungry in combination with dnsmasq as mentioned here.

    sudo tcpdump -i eth0 dst host 113.20.6.2 or src host 113.20.6.2 -n (as suggested here) yields:

    Code:
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    13:12:34.311774 IP 192.168.0.6.54870 > 113.20.6.2.443: UDP, length 324
    13:12:35.675776 IP 113.20.6.2.443 > 192.168.0.6.54870: UDP, length 368
    13:13:07.861374 IP 192.168.0.6.54870 > 113.20.6.2.443: UDP, length 260
    13:13:08.430082 IP 113.20.6.2.443 > 192.168.0.6.54870: UDP, length 368
    
    This suggests that it works.

    dig txt debug.cloudns.com.au (as suggested by jedisct1 here) yields:

    Code:
    ; <<>> DiG 9.9.2-P1 <<>> txt debug.cloudns.com.au
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31860
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;debug.cloudns.com.au.          IN      TXT
    
    ;; AUTHORITY SECTION:
    cloudns.com.au.         3577    IN      SOA     ns1.name-services.com.au. info.cloudns.com.au. 2013072107 86400 7200 3600000 86400
    
    ;; Query time: 66 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri Aug  9 13:16:26 2013
    ;; MSG SIZE  rcvd: 128
    
    There is no line that says "dnscrypt". I had the same problem with OpenDNS. Any hints why?
     
  11. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    I tried setting up dnscrypt in Windows. It works as a service, but it behaves like a DNS client, listening on port 53.

    According to https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown there should be a "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dnscrypt-proxy\Parameters" key. There is no "Parameters" key.

    I launched it using this command:

    Code:
    dnscrypt-proxy -a 127.0.0.1:2053 -r 113.20.6.2:443 --provider-name=2.dnscrypt-cert.cloudns.com.au --provider-key=1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4
    
    It is verifying the key and other things etc... but listening on port 53. If I set DNS to 127.0.0.1 in Windows, it doesn't connect at all.

    What is the proper way to configure it for Windows?
     
    Last edited: Aug 9, 2013
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    It is not as slow as I expected, and good results from spoofability test:
    [attachment: dns.png]


    You have to create the "Parameters" key yourself, and then add three new String Values to it, "ProviderKey", with the key as value, "ProviderName", with their URL, and "ResolverAddress", with their IP address as value.
    If you use copy/paste, be sure to remove any spaces before and after the value, or it won't work.

    EDIT: fixed spelling
     
    Last edited: Aug 9, 2013
  13. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    780
    I have never seen a DNS using mixed alphabetic case before, that's exciting. And I agree, speed is not that bad. Obviously slower than Google and my ISP, but that's to be expected for such security.
     
  14. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    UPDATE: changed "ResolverAdress" to "ResolverAddress". It works now.

    I set "ProviderKey" -->
    "1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4", "ProviderName" --> "2.dnscrypt-cert.cloudns.com.au", "ResolverAdress" --> "113.20.6.2:443" and set DNS to "127.0.0.1"; it doesn't work.
     
    Last edited: Aug 9, 2013
  15. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    "Inspired by the HTTPS-DNS project.. "

    The page has been moved to another URL but that one leads to Page Not Found o_O

    Whoops, I always misspell Address :D

    Ah yes, I thought this topic was about DNS over HTTPS in general, and didn't notice it was the actual name of the project.
     
    Last edited: Aug 9, 2013
  17. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    455
    Location:
    CSA Consulate, Glos., UK
    I did what metwurst did, works fine.

    I have an added flip in that I use Acrylic DNS Proxy to cache DNS requests in lieu of Win7's DNS Client service (which I disabled).

    Acrylic uses 127.0.0.1 in the adapter's IPv4 TCP/IP DNS settings
    (in the Acrylic config it is bound to 127.0.0.1 on port 53).

    I set Acrylic to resolve from 127.0.0.7 on port 40 as the primary server.

    I used the registry parameters from the OpenDNS project home page like metwurst, but added the LocalAddress string parameter set to 127.0.0.7:40 and all is well.
     
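    The registry setup worked out in this thread (the Parameters key, the String values, the LocalAddress extra for a local forwarder, and the copy/paste whitespace and ResolverAddress spelling pitfalls), as an added Python example that is not part of dnscrypt-proxy: build_parameters() cleans and validates the values, write_parameters() writes them with winreg. The key path comes from the README-WINDOWS link above; that the values are REG_SZ strings follows the thread's "String Values"; the validation patterns are my assumptions.

```python
"""Build (and optionally write) the dnscrypt-proxy Windows service parameters
discussed in this thread. Example code for this thread, not part of dnscrypt-proxy."""
import re

# Registry location named in README-WINDOWS (relative to HKEY_LOCAL_MACHINE).
PARAMETERS_KEY = r"SYSTEM\CurrentControlSet\Services\dnscrypt-proxy\Parameters"
# Value names the thread settled on (note the double "d" in ResolverAddress).
VALUE_NAMES = ("ProviderKey", "ProviderName", "ResolverAddress", "LocalAddress")

# Assumed formats: 16 colon-separated groups of 4 hex digits, and IPv4:port.
_KEY_RE = re.compile(r"^([0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4}$")
_ADDR_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}:\d{1,5}$")

def build_parameters(provider_key, provider_name, resolver_address, local_address=None):
    """Return the {value name: value} mapping with surrounding whitespace stripped
    (stray spaces from copy/paste are the failure mode mentioned in the thread)."""
    values = {
        "ProviderKey": provider_key.strip(),
        "ProviderName": provider_name.strip(),
        "ResolverAddress": resolver_address.strip(),
    }
    if local_address is not None:           # only needed with a local caching forwarder
        values["LocalAddress"] = local_address.strip()
    if not _KEY_RE.match(values["ProviderKey"]):
        raise ValueError("ProviderKey must be 16 colon-separated groups of 4 hex digits")
    for name in ("ResolverAddress", "LocalAddress"):
        if name in values and not _ADDR_RE.match(values[name]):
            raise ValueError(f"{name} must look like ip:port, got {values[name]!r}")
    return values

def write_parameters(values):
    """Create the Parameters key and write each value as REG_SZ (Windows only, needs admin)."""
    import winreg  # only available on Windows; imported here so the rest runs anywhere
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, PARAMETERS_KEY) as key:
        for name, value in values.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_SZ, value)

if __name__ == "__main__":
    # Values from the thread, deliberately padded with spaces to show the cleanup.
    params = build_parameters(
        " 1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4 ",
        "2.dnscrypt-cert.cloudns.com.au ",
        " 113.20.6.2:443",
        "127.0.0.7:40",
    )
    print(params)
```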
  18. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    This is not the way to check that it works.

    Use Wireshark, and check that packets are encrypted (i.e. Wireshark reports garbage, not outgoing DNS queries). That said, if you get responses from 127.0.0.1, it also means that it works.
     
  19. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    Mixing alphabetic case is yet another layer of protection against spoofing.
     
  20. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
  21. tlu

    tlu Guest

    But isn't that what you suggested here for OpenDNS - and it didn't work for that one, either.

    I tried that but I cannot detect malformed packages or something like that.

    Okay.

    dig microsoft.com yields:

    Code:
    ; <<>> DiG 9.9.2-P1 <<>> microsoft.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38684
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;microsoft.com.                 IN      A
    
    ;; ANSWER SECTION:
    microsoft.com.          1184    IN      A       65.55.58.201
    microsoft.com.          1184    IN      A       64.4.11.37
    
    ;; Query time: 65 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Aug 17 19:46:30 2013
    ;; MSG SIZE  rcvd: 74
    
    Executed a second time gives:

    Code:
    ; <<>> DiG 9.9.2-P1 <<>> microsoft.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17715
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;microsoft.com.                 IN      A
    
    ;; ANSWER SECTION:
    microsoft.com.          1181    IN      A       65.55.58.201
    microsoft.com.          1181    IN      A       64.4.11.37
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Aug 17 19:46:33 2013
    ;; MSG SIZE  rcvd: 63

    Query time is 0 seconds as data comes from the dnsmasq cache now. Msg size is smaller compared to the first query. My interpretation is that this is due to the missing SSL overhead (as opposed to the first query). Is this interpretation correct?
     
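    The two dig responses above rebuilt byte for byte, as an added Python example that is not code from dig, dnsmasq or dnscrypt-proxy: the 74-byte message is the 63-byte one plus the 11-byte EDNS OPT pseudo-record dig requests by default (ADDITIONAL: 1 in the first output, 0 in the cached one). The same block includes the check jedisct1 describes for a capture: a plaintext DNS message has a readable question name, a DNSCrypt packet does not. The OPAQUE bytes are constructed, not a real capture.

```python
"""Rebuild the two dig responses from this thread byte for byte and inspect UDP
payloads. Example code for this thread, not part of dig, dnsmasq or dnscrypt-proxy."""
import struct

LABEL_CHARS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")

def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_a_response(qname, addrs, ttl, txid, with_edns, ad=False):
    """Plain DNS response: header, question, one A record per address and,
    when with_edns is set, the EDNS OPT pseudo-record dig requests by default."""
    flags = 0x8180 | (0x0020 if ad else 0)             # qr rd ra (+ ad)
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 1 if with_edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    for addr in addrs:
        # owner name is a compression pointer (0xC00C) to the question name
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(map(int, addr.split(".")))
    if with_edns:
        # OPT RR: root name, TYPE 41, CLASS carries UDP size 4096, TTL 0, RDLEN 0 = 11 bytes
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg

def looks_like_plaintext_dns(payload):
    """True when a UDP payload parses as a DNS message whose question name is readable.
    DNSCrypt traffic fails this test; that is the 'garbage in Wireshark' check above."""
    if len(payload) < 17 or struct.unpack("!H", payload[4:6])[0] != 1:
        return False                                   # need exactly one question
    pos, labels = 12, 0
    while pos < len(payload):
        n = payload[pos]
        if n == 0:                                     # end of name; QTYPE/QCLASS follow
            return labels > 0 and len(payload) >= pos + 5
        if n > 63 or pos + 1 + n > len(payload):
            return False                               # pointer, bad length, or truncated
        if any(c not in LABEL_CHARS for c in payload[pos + 1:pos + 1 + n]):
            return False
        labels, pos = labels + 1, pos + 1 + n
    return False

ANSWERS = ["65.55.58.201", "64.4.11.37"]
# The first dig output (id 38684, ADDITIONAL: 1) and the cached second one (id 17715, ad flag).
FIRST = build_a_response("microsoft.com", ANSWERS, 1184, 38684, with_edns=True)
SECOND = build_a_response("microsoft.com", ANSWERS, 1181, 17715, with_edns=False, ad=True)
# Constructed opaque bytes standing in for a DNSCrypt packet (not a real capture).
OPAQUE = bytes((i * 73 + 11) % 256 for i in range(324))
```

len(FIRST) is 74 and len(SECOND) is 63, matching the two MSG SIZE lines; dig itself only ever exchanges these plaintext messages with 127.0.0.1, so any transport overhead between the local resolver and the upstream never shows up in its output.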
  22. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I've got DNScrypt-proxy working with cloudNS but it doesn't seem possible to add the second resolver using the registry parameters, which is a bit of a downside as it can be a bit intermittent with only the one resolver.

    Also, http://test.dnssec-or-not.com/ appears to be down but even when it was working it was telling me that I wasn't using DNSSec when I was using cloudNS.
     