DNS ?

Discussion in 'privacy technology' started by ncage1974, Jul 10, 2012.

Thread Status:
Not open for further replies.
  1. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    Just installed OpenDNS DNSCrypt for Windows. I'm confused by an option that is automatically selected when you install DNSCrypt:
    "Fall back to insecure DNS"?

    What exactly is that? By the sound of it, it sounds like your DNS queries are unencrypted. Is it misleading? Yet it says my status is "Protected". Can anyone clarify?

    Also, I assume DNS is usually sent with UDP packets? There is an option "DNSCrypt over TCP / 443 (Slower)", which I assume just means DNS will be sent over SSL, but if DNSCrypt actually works and is encrypted, why would you need it?

    For reference:
    Enable OpenDNS: Checked
    Enable DNSCrypt: Checked
    DNS over TCP / 443 (slower): Unchecked
    Fall back to insecure DNS: Checked
    Status shows "Protected"
    --which are all defaults.
     
  2. Tomwa

    Tomwa Registered Member

    Joined:
    Feb 3, 2010
    Posts:
    162
    If for whatever reason DNSCrypt is unable to make a successful query with encryption enabled, it will resort to sending an unencrypted request to the OpenDNS servers. This is to prevent your internet from simply falling over dead should DNSCrypt stop functioning.

    If you have this option enabled then DNS queries won't fail if they aren't sent successfully while encrypted (for whatever reason) and will instead resort to a good-ole unencrypted DNS request. This shouldn't happen most of the time, though I myself have disabled the option. Keep in mind DNSCrypt is still new and this option helps stability greatly. (In fact, I just fought with DNSCrypt a moment ago when it simply stopped handling DNS queries.)

    DNS is usually sent over UDP port 53. This is great, but firewalls and other security programs can occasionally cause problems with requests. This is why the above option exists: port 443 isn't going to be as heavily restricted (since it's used for secure HTTP) and may resolve the problems at the cost of speed.


    I generally disable "Fall back to insecure DNS" as I prefer security over stability but I have encountered issues with DNSCrypt which I've had to solve on my own.

    All your answers could be found here: https://www.opendns.com/technology/dnscrypt
     
    Last edited: Jul 11, 2012
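
The fallback described in the post above is silent, so one way to notice it is to look for port 53 traffic leaving the machine. The following is an added example, not part of any post in this thread: it assumes a local DNSCrypt proxy that answers on the loopback address, and the log format, timestamps and the 203.0.113.x resolver addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample flow log (the format is an assumption, not a real tool's output):
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
12:00:01 UDP 127.0.0.1:51000 -> 127.0.0.1:53
12:00:09 TCP 192.168.1.20:51002 -> 203.0.113.53:443
12:03:40 UDP 192.168.1.20:51003 -> 203.0.113.53:53
12:03:41 TCP 192.168.1.20:51004 -> 203.0.113.54:53
12:03:42 UDP [::1]:51005 -> [::1]:53
garbled line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>UDP|TCP) "
    r"(?P<src>\[[^\]]+\]|[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>\[[^\]]+\]|[\d.]+):(?P<dport>\d+)$"
)


def find_plaintext_dns(log_text):
    """Return (time, proto, dst) for every flow to port 53 that leaves the host.

    Lookups handed to the local proxy (loopback, port 53) are expected and
    ignored; anything else on port 53 is unencrypted DNS on the wire.
    """
    leaks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        try:
            dst = ipaddress.ip_address(m["dst"].strip("[]"))
        except ValueError:
            continue  # skip lines whose destination is not a valid address
        if int(m["dport"]) == 53 and not dst.is_loopback:
            leaks.append((m["time"], m["proto"], str(dst)))
    return leaks


if __name__ == "__main__":
    for time, proto, dst in find_plaintext_dns(SAMPLE_LOG):
        print(f"{time} plaintext DNS over {proto} to {dst}")
```

With "Fall back to insecure DNS" unchecked, a log like this should yield no hits; a failed encrypted query then shows up as a failed lookup instead.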
  3. ncage1974

    ncage1974 Registered Member

    Joined:
    Dec 6, 2009
    Posts:
    45
    Tomwa, sorry for the long-delayed reply, but I really appreciate the thorough explanation.
     
  4. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    Don't use the "fallback to insecure" option. If you care about security, don't use the UI at all (this also applies to the Mac UI).
     
  5. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    Why so?
     