DNSCrypt – Not Fundamental Enough

Discussion in 'privacy technology' started by DasFox, Feb 19, 2012.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    From what I gathered they are pretty much saying that DNSCrypt is a hack, which I doubt anyone is surprised by. We know it is, and we'd all love to see encryption be a standard with DNSSEC, but until such a thing happens, tools such as DNSCrypt will be needed.

    I wonder why they don't mention HTTPS alongside that? Seems like they are just trying to make the blog post longer by posting garbage. Anyone knowledgeable enough to understand and install DNSCrypt will know that the point of it is to combine HTTPS and encrypted DNS to get 100% privacy. You're not going to get 100% if you only encrypt DNS or only encrypt the webpage.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I agree Funky - they kind of miss the point. DNSCrypt is something that OpenDNS compared to SSL - they go together.

    It's weird because they say "If you want security use DNSSEC" but only a few sentences before they quote OpenDNS as saying that DNSSEC + DNSCrypt work fine together.

    They also could have talked about DNSCurve http://dnscurve.org/.
     
  4. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well not all sites are going to be HTTPS, so then what? At least we get a little...

    Also the man page has this to say;

    dnscrypt-proxy is not a DNS cache. Unless your operating system already provides a decent built-in cache (and by default, most systems don't), clients shouldn't directly send requests to dnscrypt-proxy.

    Instead, run a DNS cache like Unbound, and configure it to use dnscrypt-proxy as a forwarder. Both can safely run on the same machine as long as they use different IP addresses and/or different ports.


    So now it makes me wonder, does the end-user really need Unbound, because when you go to their blog and start reading all this, they don't really mention this to Mac or Windows users, at least I haven't noticed it...

    Also this makes me wonder, the German Privacy Foundation has DNSSEC servers you can use, so why not just plug those into your adapter and be on your happy way?

    http://server.privacyfoundation.de/
     
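    The split-resolver layout the man page describes (Unbound as the local cache, dnscrypt-proxy as its forwarder, each on its own socket), as an added example that is not from the thread, the dnscrypt-proxy project or the Unbound project. It renders a minimal unbound.conf and the matching dnscrypt-proxy command line, and refuses to render when the two would collide on one address:port. The listen addresses and the dnscrypt-proxy 1.x flag names (--local-address, --daemonize) are assumptions; check them against the man page of the version you install.

```python
# Added example: generate a cache-plus-forwarder configuration for Unbound and
# dnscrypt-proxy on one host. Not code from the thread or either project.

def sockets_distinct(cache_listen, proxy_listen):
    """The man page's condition: different IP and/or different port.
    Same IP with different ports, or different IPs on the same port, are both fine."""
    return tuple(cache_listen) != tuple(proxy_listen)


def split_resolver_config(cache_listen=("127.0.0.1", 53),
                          proxy_listen=("127.0.0.1", 5300)):
    """Return {'unbound_conf': str, 'dnscrypt_cmd': str} for the given sockets.
    Defaults are assumptions: clients talk to Unbound on 127.0.0.1:53, Unbound
    forwards to dnscrypt-proxy on 127.0.0.1:5300."""
    if not sockets_distinct(cache_listen, proxy_listen):
        raise ValueError("Unbound and dnscrypt-proxy cannot share %s:%d"
                         % tuple(cache_listen))
    cache_ip, cache_port = cache_listen
    proxy_ip, proxy_port = proxy_listen

    unbound_conf = (
        "server:\n"
        "    interface: %s\n"
        "    port: %d\n"
        "    access-control: 127.0.0.0/8 allow\n"
        # Unbound by default refuses to send queries to a localhost upstream;
        # the forwarder lives on localhost, so this must be switched off.
        "    do-not-query-localhost: no\n"
        "    # Cache only; everything is sent to the forwarder below.\n"
        "forward-zone:\n"
        "    name: \".\"\n"
        "    forward-addr: %s@%d\n"
        % (cache_ip, cache_port, proxy_ip, proxy_port)
    )

    # dnscrypt-proxy 1.x flag names assumed. In that series the resolver address,
    # provider name and provider key default to OpenDNS when not given; add them
    # explicitly if your version or resolver differs.
    dnscrypt_cmd = ("dnscrypt-proxy --local-address=%s:%d --daemonize"
                    % (proxy_ip, proxy_port))

    return {"unbound_conf": unbound_conf, "dnscrypt_cmd": dnscrypt_cmd}


if __name__ == "__main__":
    cfg = split_resolver_config()
    print(cfg["unbound_conf"])
    print(cfg["dnscrypt_cmd"])
```

    Point /etc/resolv.conf (or the adapter's DNS setting) at the Unbound address only; nothing should talk to dnscrypt-proxy directly. The `do-not-query-localhost: no` line is the one most often missed: without it Unbound silently never reaches the forwarder and every query fails.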
  5. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Obviously, but that's beside the point. If you're at a place where privacy is an issue (e.g. public WiFi) then you're not going to be browsing non-encrypted websites, or if you are, it's because you don't care about privacy for those websites (e.g. Wikipedia). It's supposed to supplement secure sites, such as shopping or banking.
     
  6. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Yes, I meant for a big part of the internet experience, just surfing, etc., there's still a lot out there that's not HTTPS is what I was getting at...
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Yup I agree, addons like HTTPS Everywhere can help ease that. (I wish there was an IE version)
     
  8. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Yes, but what's the point of forcing HTTPS on a site that isn't enforcing it?

    Now I need to figure out if I want to use DNSCrypt with unbound, if that's a really great combo...
     
  9. x942

    x942 Guest

    What's wrong with just using OpenDNS + DNSSec with no DNS cache? I have a DNS I can put on my server but just curious about the issues.
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Last I checked using the GRC spoofability test, OpenDNS didn't support DNSSEC. I just ran it now and it seems one of the 2 servers tested supports it, how odd...
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    OpenDNS doesn't support DNSSEC - they support DNSCurve.
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Re-read my post. Also, they aren't mutually exclusive.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That's nice that their servers apparently support it, but they're saying that they don't.

    Perhaps a false positive with DNSCurve? I really don't know. But I can't find anything online with them saying that they support it.

    I'm not saying they're mutually exclusive.
     
  14. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Browsing the OpenDNS forums seems to show that they support it, and don't support it. The GRC spoofability test says 1 supports it and 1 doesn't. It's anyone's guess.
     
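    A way to settle the question above without relying on a third-party test page, as an added example that is not from the thread: send a query with the EDNS0 DO bit to the resolver under test and look at the AD (Authenticated Data) flag in the reply. A validating resolver sets AD for a correctly signed name and returns SERVFAIL for a name whose signatures are deliberately broken; a non-validating one does neither. The packet building and parsing below is self-contained; the resolver address and the signed name to query are assumptions supplied by the caller, and the sample replies in the test are constructed.

```python
# Added example: probe a resolver for DNSSEC validation via the EDNS0 DO bit
# and the AD flag. Not code from the thread or from any DNS project.
import socket
import struct

FLAG_RD = 0x0100   # recursion desired
FLAG_AD = 0x0020   # authenticated data (set by a validating resolver)
FLAG_TC = 0x0200   # truncated
EDNS_DO = 0x8000   # DO bit: high half of the OPT pseudo-RR's TTL field


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234, do=True, udp_size=4096):
    """One A-record question with RD set, plus an OPT record carrying DO."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)  # QD=1, AR=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    ttl = (EDNS_DO << 16) if do else 0   # ext-rcode 0, version 0, DO, Z=0
    # OPT: root name (0x00), TYPE=41, CLASS=UDP payload size, TTL=flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)
    return header + question + opt


def query_has_do(query):
    """True if the trailing OPT record asks for DNSSEC records (DO=1)."""
    ttl = struct.unpack("!I", query[-6:-2])[0]
    return bool(ttl & (EDNS_DO << 16))


def parse_flags(response):
    qid, flags = struct.unpack("!HH", response[:4])
    return {"id": qid, "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "truncated": bool(flags & FLAG_TC)}


def classify(query, response):
    """'validating', 'not-validating', 'servfail' or 'mismatch' for one reply."""
    r = parse_flags(response)
    if r["id"] != struct.unpack("!H", query[:2])[0]:
        return "mismatch"          # reply is not for our query; ignore it
    if r["rcode"] == 2:
        return "servfail"          # expected from a validator on a broken chain
    return "validating" if r["ad"] else "not-validating"


def check_resolver(resolver_ip, signed_name, timeout=3.0):
    """Network probe (not exercised offline): query signed_name, which must be
    a correctly DNSSEC-signed name, and classify the reply."""
    q = build_query(signed_name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        resp, _ = s.recvfrom(4096)
    return classify(q, resp)


def fake_reply(query, flags):
    """Constructed reply header (no records) echoing the query id; test helper."""
    qid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", qid, flags, 0, 0, 0, 0)
```

    Run `check_resolver` against each of the two OpenDNS addresses separately, with a name you know is signed, and the discrepancy the GRC test reported becomes a per-server answer rather than a guess. The caveat that ties back to DNSCrypt: the AD bit is just a flag set by the resolver, so it only means something if the path between you and that resolver cannot be tampered with, which is exactly what DNSCrypt/DNSCurve provide and plain UDP port 53 does not.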