OpenDNS dnscrypt now available for Windows

Discussion in 'privacy technology' started by kupo, Apr 1, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    True. But maintaining the integrity and limiting what can be seen through DNS is nice.
     
  2. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Hi first post in this forum :cool:
    I'm using Anonine VPN and Comodo DNS server, I have a 2-point question...
    Would I gain any more privacy/security using OpenDNS dnscrypt to further encrypt my traffic? I was under the impression that OpenVPN did a pretty good job of this anyway, and when I change my DNS settings whilst connected to Anonine all OpenDNS checks fail. Am I forced to use Anonine's DNS servers whilst connected to them? Thanx in advance guys.
     
  3. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    It seems to me, you can either use DNSSEC to OpenDNS servers in the US, or use regular DNS to servers like the German or Swiss Privacy Foundation in their respective countries. Which is more 'private'? Now, *in transmission*, obviously DNSSEC is...but as far as pulling records by an LE agency o_O o_O Both of those servers above also offer DNSSEC, but I don't know if this Windows program is hard coded to OpenDNS? Also, while on a VPN, (at least the one I use) all DNS is routed through the tunnel to the provider's DNS server...so I think that a VPN that does this is the best option: Encryption plus non-US location.

    PD
     
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    How about a case where the target is -HTTPS://www.example.com, an encrypted DNS lookup to someone other than your ISP reveals to that DNS provider that the target is -www.example.com, however -www.example.com resolves to the IP Address of a system which serves multiple hosts/domains. So your ISP sees an IP Address but is unable to know which specific host/domain you went on to communicate with. If obscuring such information from your ISP is your objective, you succeeded right?

    Note: I think by splitting things up like that you'd theoretically be making other scenarios worse by sharing information with two parties (your remote DNS provider & your ISP) rather than just one (your ISP).
     
    Last edited: Apr 3, 2012
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I still didn't make PsExec work; but, I did manage to find an alternate solution to it, using only Windows (no other tools). It's working now. It runs automatically under the credentials of the restricted limited user account. :D

    Now, I'm going to work on my DNSCrypt sandbox. It works, but there are some messages from Sandboxie I want to figure out.
     
  6. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
    Thanx PD
    pretty sure I'm getting routed -as you suggest- thru my VPN's DNS servers, which explains why the OpenDNS test site fails, and non-US locale/owned servers gotta be a bonus :rolleyes: :rolleyes:
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I'm wondering if adding dnscrypt-proxy.exe to EMET would break anything? :doubt: Unfortunately Wireshark and the likes won't work with my connection device, so I cannot test whether or not it would break the encryption. :doubt:

    Also, something nice with my restrictions is that, regardless of being able to use DNSCrypt from any standard user account, they're blind to dnscrypt-proxy.exe, due to privilege isolation. :D

    -edit-

    I noticed that dnscrypt-proxy.exe runs virtualized (32-bit process). After I applied an explicit medium integrity level to it, it no longer runs virtualized, but it runs just fine?
     
    Last edited: Apr 3, 2012
  8. tlu

    tlu Guest

    Or the Network Manager changed the nameserver address in /etc/resolv.conf. Have you checked that?
     
  9. HTTPS

    HTTPS Registered Member

    Joined:
    Apr 4, 2012
    Posts:
    12
    All public, censorship-free DNS servers from Germany are very silent.

    http://www.ungefiltert-surfen.de/

    In May 2012 the Swedish and German governments must agree to data retention (EU directive) - the log-free time is then probably over forever.
     
  10. Technical

    Technical Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    471
    Location:
    Brazil
    Rocket science to set... :rolleyes:
     
  11. traxx75

    traxx75 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    106
    Perhaps I'm misunderstanding what you're implying, but DNSSEC will ensure data integrity for DNS records you request, but will not provide you any form of confidentiality/privacy.

    With DNSSEC, the DNS responses are digitally signed so you know that the record was supplied by the server you queried and was not modified in between (i.e. a poisoning attack). There is no encryption mechanism, however.

    dnscrypt, on the other hand, uses encryption to prevent others (except the DNS provider) from seeing any of the DNS traffic. Ideally, your preferred DNS provider would use DNSSEC and dnscrypt concurrently to provide both authenticity and confidentiality :)
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OpenDNS is opposed to DNSSEC.

    Here's a blog article about it: -https://blog.opendns.com/2010/02/23/opendns-dnscurve/

    But, they do mention this as well:

    Editor’s note: Our support for DNSCurve doesn’t prevent our adoption of DNSSEC — they are not mutually exclusive. While we have reservations about DNSSEC, we can and will implement it when we see more demand and traction, but in the meantime, when we see a viable technology that can be quickly implemented to improve security for DNS users, that’s a no-brainer in our book.
     
  13. tlu

    tlu Guest

    Thanks for sharing that! I have it in enforce mode, and no problems so far.
     
  14. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163

    Thanks mate, I was a little undereducated on that one. Cheers!

    PD
     
  15. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    Think I'll give this a try.
     
  16. JimboW

    JimboW Registered Member

    Joined:
    Oct 22, 2010
    Posts:
    280
    This is actually working pretty fast, just like usual OpenDNS, being encrypted I had my doubts. I think I'm going to keep it around for awhile.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Has anyone noticed that, whenever you access a non-existent website, you're redirected to an HTTP service: -http://www.website-unavailable.com/?url=URL_HERE ?

    From what I understand, DNSCrypt only encrypts DNS. This means that, when on an HTTP website, anyone can still see the contents of the said website. In this case, they would see person A tried to access website X.

    Hopefully, I'm not wrong in this.

    Then, this means that if you were to enter a website you didn't want others to know about, and this website actually offers HTTPS, if you make a typo, for instance, then OpenDNS will redirect you to this other page, in HTTP, which will let everyone know that you tried to access website Y. There may be a typo, but anyone with minimal brains can figure out you tried to access Z website, and not Y. Y was just a typo.

    Is it just me, or should this redirection page be in HTTPS as well? Doesn't it defeat the purpose of DNSCrypt + HTTPS as well? I mean, even if they don't get to know what you were going to do, anyone could still know where you tried to go to.

    Maybe I'm being paranoid :argh:, but I think the redirection page should be in HTTPS.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think it's less about privacy and more about preventing MITM attacks on DNS. Regardless of encrypted DNS responses combined with HTTPS, the IP of the website is still shown to anyone in the middle, right? So it's not really for that (unless used in combination with TOR) and more so for protecting against an attacker redirecting your DNS resolution to an exploit page.
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    But, that can include privacy as well. Anyway, with DNSCrypt anyone between you and the server will see an IP, but if that IP hosts many domain names, then they won't know which domain name it is. So, in combination with HTTPS, for most websites, which are on shared IPs, it will be impossible for anyone to know where we are or what we're accessing. They know the IP address, but not where we are.

    It's like having a street number, but not knowing the address. Many streets within the same location may share the same number, but if you don't know the street, then you got nothing; only a bunch of houses sharing the same number.

    -edit-

    The issue I see with what I previously mentioned about OpenDNS is that when we're redirected to that HTTP page, we lose the benefit of DNSCrypt. Not in its entirety, of course, but whenever we may make some typo or domain names no longer exist...
     
  20. learningcurve

    learningcurve Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    47
    Location:
    usa
    Based on this post, I am trying out the beta of dnscrypt.

    Has anyone used it w/ wireshark? The info field displays

    9428 2012-04-15 00:21:21.044538 208.67.220.220 XXX.XXX.XXX.XXX DNS 503 Unknown operation (12)[Malformed Packet] domain 63xxx

    Not an expert on Wireshark, and searched ask.wireshark and the web generally. Dnscrypt appears to be doing lookups, but am concerned encryption could be ineffective. Or is Wireshark not familiar w/ this type of DNS? Anyone experience this?

    Thanks.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    How did you verify/intercept the communication? Did you run Wireshark in the same machine, or in another machine, in the same network?

    DNSCrypt's aim is to encrypt DNS between you and the DNS servers. This means that it won't be encrypted in your own machine. You'd need to use another machine, connected to your network and run Wireshark from there and see what happens.
     
  22. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That's not entirely true. The DNS query will be sent to yourself (127.0.0.1 proxy) unencrypted, but following that should be the outgoing encrypted DNS query. "Malformed packet" could well be the encrypted DNS query that Wireshark fails to recognize.
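The Wireshark question in the last few posts comes down to one check a defender can script: does any DNS query leave the machine in the clear? The following is an added example (not code from this thread or from dnscrypt-proxy) that parses a captured UDP payload as a plaintext DNS query and flags any such query addressed beyond loopback; the sample capture, the addresses 10.0.0.5 and 192.0.2.53, and the opaque stand-in blob for the encrypted datagram are all constructed.

```python
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build the plaintext DNS query a stub resolver sends to the local proxy."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_plain_dns_query(payload: bytes):
    """Return (qname, qtype) for a well-formed plaintext DNS query, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    # Reject responses (QR=1), odd opcodes (Wireshark's "Unknown operation (12)" is this field)
    if flags & 0x8000 or (flags >> 11) & 0xF or qdcount != 1 or ancount or nscount or arcount > 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length, pos = payload[pos], pos + 1
        if length == 0:
            break
        label = payload[pos:pos + length]
        if length & 0xC0 or len(label) != length or not all(0x21 <= b <= 0x7E for b in label):
            return None  # no compression pointers in a question; labels are printable ASCII
        labels.append(label.decode("ascii"))
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype

def find_cleartext_leaks(datagrams):
    """Flag plaintext DNS queries whose destination is not the loopback proxy."""
    leaks = []
    for src, dst, payload in datagrams:
        parsed = parse_plain_dns_query(payload)
        if parsed and not dst.startswith("127."):
            leaks.append((src, dst, parsed[0]))
    return leaks

# Constructed sample capture; the opaque blob is NOT the real DNSCrypt wire format.
ENCRYPTED_LIKE = bytes.fromhex("9c3b63a1e2d44c08f1a6b3e9d02c7f5a8e1b4d6fc3a9e7b2d5f08c1a3e6b9d4f")
SAMPLE_CAPTURE = [
    ("127.0.0.1", "127.0.0.1", build_query("www.example.com")),   # stub -> dnscrypt-proxy
    ("10.0.0.5", "208.67.220.220", ENCRYPTED_LIKE),                # proxy -> resolver
    ("10.0.0.5", "192.0.2.53", build_query("www.example.com")),    # a genuine leak
]
```

A datagram that fails the parser is not proven encrypted, but one that passes it and is bound for a non-loopback address is definitely carrying the queried name in the clear.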
     
  23. popcorn

    popcorn Registered Member

    Joined:
    Apr 3, 2012
    Posts:
    239
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, but what I meant is that something like Wireshark is of more use (for this kind of "study"), when run from another machine. You see things, not from your own perspective, but how others could potentially see it. I believe this to be the preferable way. :)
     
  25. learningcurve

    learningcurve Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    47
    Location:
    usa

    Moonblood, appreciate your response. My computer is stand-alone on network. When I have the opportunity, I will employ Wireshark on my network from another machine. Relatively new to Wireshark and proxies -- and definitely new to security compared to all here.

    Now trying to get KIS to update using dnscrypt. Perhaps a proxy config issue that I will be learning.
     