Alternatives to DNSCrypt?

Discussion in 'privacy technology' started by Uitlander, Jun 14, 2016.

  1. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    I'm opposed to having .NET Framework on my PC, so it looks like DNSCrypt is not an option for me. Been looking at AlternateDNS, SafeDNS, DNS.watch, OpenNIC, & DNS Advantage. I'm not finding anything at their sites that claims to provide countermeasures against DNS cache spoofing, poisoning, etc.

    Are there currently any alternatives to DNSCrypt, able to offer the same level of protection against DNS-based attacks?
     
  2. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    343
    Good question... I'm interested too.
     
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Your problem is this irrational desire based on nothing (except paranoia?)

    Anyway, DNSCrypt doesn't use .NET, the "easy GUIs" use it.

    You can install DNSCrypt itself directly as a service if you enjoy the pain of manually updating and reinstalling it every time a major Windows patch disables the service due to it not being signed.
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
  5. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    689
    Seriously, don't even know what you're doing in this forum - unless you're one of those plants that's never been weeded out.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Yes we should also avoid cars because they kill people. Wake up, nearly everything in life has positive and negative effects.

    If you want to avoid threats buy a large safety bubble and live in it. For the rest of us, we take rational precautions. Avoiding .NET altogether is not one of them, especially when you would sacrifice DNS security to accomplish it.
     
  7. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    If you had bothered to look into it, which you obviously didn't, you would know that .NET comes with quite a few exploits... but then you don't know that, because you didn't bother to google it. And yes, most of those exploits can be remedied (or at least lessened) but why would you bother to fix bloatware that takes up so much space, and gives nothing in return, other than allowing one to use various apps that require it, especially when you can find alternate apps that don't require it? I'd call that irrational.

    Aside from this, you didn't even take the time to read my post too closely, or you would know that I never said that DNSCrypt requires it...I was referring to its GUI. In short, no GUI, no DNSCrypt for me. Lastly, you didn't even bother to actually answer the actual question that was actually asked, which was about alternatives.
     
  8. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
  9. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425
    Have you tried SimpleDnsCrypt? Get it here: https://simplednscrypt.org/

    You do need to install Microsoft Visual C++ 2015 for it to work. Is that too much of a security risk?
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I'm not sure, but I was under the impression that only installing .NET does not pose any security risks. The security risks come from running programs that use .NET, so in this case only DNScrypt would be vulnerable to .NET exploits.
    Using DNScrypt without a GUI is not that hard btw:
    https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown

    Is this limited to Win10? I've never noticed it.

    Those are DNS providers. If they use DNSSEC it helps with some DNS attacks, but their advantage is mostly limited to family/malware filters.
    DNSCrypt is a tool to encrypt the DNS queries between you and your provider if the provider supports it.
     
    Last edited: Jul 6, 2016
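Added example (not part of any post in this thread, and not code from the DNSCrypt project): the post above separates DNSSEC at the provider from DNSCrypt on the hop between you and the provider. This sketch builds a query that requests DNSSEC data and classifies a reply by its header, showing why the resolver's "validated" (AD) flag is only meaningful when that hop is itself protected. All function names and the sample replies are constructed for illustration.

```python
import struct

# DNS header flag masks (RFC 1035 / RFC 4035)
QR, RD, RA, AD, RCODE_MASK = 0x8000, 0x0100, 0x0080, 0x0020, 0x000F
SERVFAIL = 2

def build_query(name, qtype=1, txid=0x1A2B):
    """Query with RD set plus an EDNS0 OPT record whose DO bit requests DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)         # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO flag, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def make_reply(txid, flags):
    """Constructed 12-byte reply header, standing in for a captured response."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def assess(query, response, transport_protected):
    """Classify a resolver reply to `query` using only its header."""
    if len(response) < 12:
        return "reject: truncated header"
    (q_txid,) = struct.unpack("!H", query[:2])
    r_txid, flags = struct.unpack("!HH", response[:4])
    if r_txid != q_txid or not (flags & QR):
        return "reject: not a reply to this query"
    if (flags & RCODE_MASK) == SERVFAIL:
        # Validating resolvers answer SERVFAIL when signatures do not verify.
        return "servfail: possible DNSSEC validation failure"
    if flags & AD:
        # AD is a single unsigned header bit; over plain UDP anyone on the path can set it.
        if transport_protected:
            return "validated by resolver"
        return "AD set, but hop to resolver is unauthenticated"
    return "not validated"

if __name__ == "__main__":
    q = build_query("example.com")
    for flags in (QR | RD | RA | AD, QR | RD | RA, QR | RD | RA | SERVFAIL):
        for protected in (True, False):
            print(hex(flags), protected, "->", assess(q, make_reply(0x1A2B, flags), protected))
```
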
  11. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,127
    Location:
    USA
    Thanks for the link. I wasn't aware of the SimpleDnsCrypt front-end :thumb:
     
  12. Rafales

    Rafales Registered Member

    Joined:
    Feb 20, 2013
    Posts:
    49
    Location:
    Earth
  13. Holysmoke

    Holysmoke Registered Member

    Joined:
    Jun 29, 2014
    Posts:
    112
    Excellent link, thanks. Do we want to use a server with DNSSEC?
     
  14. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    Well, the security exploits look reasonable:

    https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3847/Microsoft-Visual-C-.html

    and the file size of 13.9MB is definitely not bloatware. At first glance it looks okay, but unless I'm misreading your link, it appears to also require .NET:


    Requirements

    • This software targets .NET 4.5.
    • It also requires Visual C++ Redistributable for Visual Studio 2015 x86.
     
  15. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    Regarding .NET exploits, here's a good place to start:

    https://www.cvedetails.com/vulnerab...product_id-2002/Microsoft-.net-Framework.html

    Google searches will uncover lots more, although exploits are only part of what I don't like about .NET, as I am equally opposed to bloatware, and with a file size of 600MB to 2GB (depending on who you ask), it definitely qualifies.

    Yes, I know they are DNS providers, and as such, are only substitutes for OpenDNS. Finding alternatives to DNSCrypt is not so easy, which is the reason for my post.
     
  16. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
  17. Rafales

    Rafales Registered Member

    Joined:
    Feb 20, 2013
    Posts:
    49
    Location:
    Earth
  18. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    From that link
    Of course they can, and so can the VPN provider's DNS too when we use it. There's nothing new there. Anyone can log anything despite what they say. Suppose I host a DNSCrypt server, and then use it, even if I don't log myself, my provider might be logging the queries. If they don't, their provider could do too.

    The author should rephrase the title as "DNSCrypt Reduces Privacy Compared to VPNs/Tor".

    But DNSCrypt is obviously better than using unencrypted. I would rather prefer using DNSCrypt, when I am not using VPN, or I need to have my "real" IP for something like shopping online, banking etc. SNI isn't used for most of the sites, so I am not worried about leaking the hostnames.

    As for @Uitlander, you might want to look at SSL-DNS. It worked on Windows 7 a few years ago, on my computer. Their website SSL cert is expired so you will be getting an error when you check that page, just do a temporary exception.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    726
    I agree. This blog post is rather stupid, IMHO. Besides, I regard dnscrypt-proxy not so much as a privacy but rather as a security tool, as it prevents DNS spoofing.
    That's the key point.
     
  20. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    I'll need to study your link more, but at first glance it looks just as complicated as using DNSCrypt, without the GUI (that requires the gawd-awful .NET).
     
  21. Uitlander

    Uitlander Registered Member

    Joined:
    May 16, 2010
    Posts:
    71
    Location:
    Albany, CA
    I would suspect there must be an alternative to prevent DNS spoofing that does not require bloatware like .NET, or Linuxean command-line acrobatics...although I'll admit I have yet to find anything, nor has anyone else it seems.
     