Using CloudNS For DNS Resolution – Integrity, Authenticity, Confidentiality

Discussion in 'all things UNIX' started by Hungry Man, Aug 9, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I found CloudNS really interesting, so I set it up. Currently, on Linux, you can just run this command.

    dnscrypt-proxy --user=dnscrypt --daemonize --resolver-address=113.20.6.2:443 --provider-name=2.dnscrypt-cert.cloudns.com.au --provider-key=1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4

    Obviously you have to set up DNSCrypt first. You can read more on my site if you'd like, otherwise the above command is all you need.

    Let me know what you think of it. DNSSEC + DNSCrypt + Hosted outside of the US.

    http://www.insanitybit.com/2013/08/09/using-cloudns-for-dns-resolution/
     
  2. funkydude
    Features are nice; the problem is the server location: 414 ms.
     
  3. kronckew
    I'm using them in DNSCrypt (see separate thread here at Wilders) through Acrylic DNS Proxy in lieu of the Win7 DNS Client service.

    Ping time is horrible at 303 ms; I'm in the UK, 12000 miles from Australia, so that was expected. Cached responses are essentially zero ms though. As long as the initial request is properly cached for subsequent requests, the initial slow one is not terribly noticeable.

    Gibson's DNSBench test shows it miles ahead of any other public DNS when cached. If I was concerned, I'd use the OpenDNS secure DNSCrypt settings (ping is 18 ms), but that is filtered and blocks some IPs.

    I'll keep using CloudNS for a while.
     
  4. Hungry Man
    Performance really doesn't matter to me. Like kronckew mentioned, caching is nearly instant, and every modern browser caches aggressively. 99% of the sites I go to are the same sites I've been to, so no lookup is necessary. And any links on a page have their DNS prefetched before I click them anyway.

    The only time there's a lookup that isn't fetched is when I type a URL into the omnibox that I've never typed before, which is rare.
     
  5. Hungry Man
    A second resolver has been added. And you can now resolve to them via a hidden service (use the .onion address).
     
  6. funkydude
    That argument only considers DNS lookups though.

    However, it is commonplace for CDN providers to check your DNS IP to select the closest server for you. I don't think YouTube Australian servers would be great performance for me, but I haven't tested it. :p
     
  7. Hungry Man
    I think it chooses based on servers near you that host cached versions of the content you want. But that doesn't mean all of your streaming comes from Australia. It may have an effect though.
     
  8. doveman
    I've got this working by setting the Parameters in the registry for dnscrypt-proxy accordingly:

    Code:
    "ProviderKey" --> "1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4"
    "ProviderName" --> "2.dnscrypt-cert.cloudns.com.au"
    "ResolverAddress" --> "113.20.6.2:443"

    http://test.dnssec-or-not.com/ says I'm not using DNSSEC though.

    It says on https://cloudns.com.au/ that Windows users can use https://github.com/FivfBx2dOQTC3gc8YS4yMNo0el/dnscrypt-winclient to test the resolver. I'm not sure if I'm downloading it wrong as I get confused by GitHub but I've tried right-clicking on Raw here https://github.com/FivfBx2dOQTC3gc8...aster/binaries/Release/dnscrypt-winclient.exe and doing "Save as" which gives me a 38KB file but when I run it I get

    Code:
    Description:
      Stopped working
    
    Problem signature:
      Problem Event Name:	CLR20r3
      Problem Signature 01:	dnscrypt-winclient (2).exe
      Problem Signature 02:	1.0.0.0
      Problem Signature 03:	51f5395e
      Problem Signature 04:	System.Windows.Forms
      Problem Signature 05:	2.0.0.0
      Problem Signature 06:	50c29e85
      Problem Signature 07:	211d
      Problem Signature 08:	54
      Problem Signature 09:	System.ArgumentOutOfRange
      OS Version:	6.1.7601.2.1.0.256.1
      Locale ID:	2057
    
    Read our privacy statement online:
      http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409
    
    If the online privacy statement is not available, please read our privacy statement offline:
      C:\Windows\system32\en-US\erofflps.txt
    
     
  9. doveman
    I'd like to use Acrylic DNS Proxy as well and have installed it, but I'm not sure how to configure it to work with CloudNS. Could you perhaps share your config with me, please, or explain to me how to set it up to work with dnscrypt-proxy?

    EDIT: Never mind. I found your helpful post here https://www.wilderssecurity.com/showpost.php?p=2265411&postcount=17 and set Acrylic to forward to 127.0.0.7:40 and to listen on 127.0.0.1:53, and added LocalAddress=127.0.0.7:40 to the registry parameters, and it all seems to be working. Thanks :)

    Although I've set:

    LocalBindingAddress=127.0.0.1
    LocalBindingPort=53

    the debug log does show it's receiving on other ports:

    2013-08-25 17:59:31.791 TResolver.Execute: Request ID 49817 received from client 127.0.0.1:61174
    2013-08-25 17:59:31.793 TResolver.Execute: Request ID 49817 forwarded to server 127.0.0.7:40.
    2013-08-25 17:59:32.790 TResolver.Execute: Response ID 49817 received from server 127.0.0.7:40.
    2013-08-25 17:59:32.793 TResolver.Execute: Response ID 49817 sent to client 127.0.0.1:61174 and put into the address cache as positive.
    2013-08-25 17:59:33.402 TResolver.Execute: Request ID 36701 received from client 127.0.0.1:63746
    2013-08-25 17:59:33.403 TResolver.Execute: Response ID 36701 sent to client 127.0.0.1:63746 directly from address cache.

    but I presume that's normal?

    http://test.dnssec-or-not.com/ still says I'm not using DNSSEC though.
     
    Last edited: Aug 25, 2013
  10. doveman
    Hmm, I just came back to my PC and it could no longer open any webpages. I had to stop the Acrylic and dnscrypt-proxy services, set the DNS back to 8.8.8.8 and restart the Windows DNS Client before it started working again.

    So it seems rather unreliable unfortunately.
     
  11. Hungry Man
    I have had slight issues, but not since I added the second resolver.
     
  12. doveman
    How do you add that to DNSCrypt-proxy? It only seems to support one set of registry parameters.

    It was a major pain getting Internet working again on this PC. I rebooted, but the Acrylic and dnscrypt-proxy services were set to Automatic, so they started and were intercepting the DNS lookups, and I still had no access even after disabling them, re-enabling the Windows DNS Client, and disabling and re-enabling the NIC. In the end, I had to disable the Acrylic and dnscrypt-proxy services and reboot, and that fixed it. Strangely, my router seemed to start having problems at the same time, so I had to reset that as well.
     
  13. kronckew
    Since my last post, I also have been having inconsistent results, and have stopped using DNSCrypt. I had tried using it also with MaraDNS's Deadwood DNS proxy resolver service, with similar inconsistent results.

    Something is killing the localhost chain. Even using Acrylic or Deadwood on their own seems to prompt the yellow warning triangle with the exclamation mark in the network notification area icon. It seems related to using localhost:

    if I add a secondary 'real' DNS address (i.e. my router's internal IP) in the adapter TCP/IP settings, it's OK; localhost on its own, not so. I've only noticed that recently. I wonder if the last Tuesday patch night from Microsoft has changed anything.
     
  14. tlu

    And how did you do that? When adding it to /etc/init/dnscrypt.conf, DNS resolution doesn't work any more.
     
  15. doveman
    I actually had some broadband problems in my area, so my problems with this may have been due to that. However, it still seems like we need to add the second resolver and no-one's suggested a way to do that with the Windows registry parameters yet, so I'm reluctant to set this PC to use CloudNS at the moment.

    There also seems to be a problem with http://test.dnssec-or-not.com/ as I can't even open it anymore. Other sites all seem to be working.
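    Two things stay open across this thread: how to use the second CloudNS resolver when dnscrypt-proxy takes one set of resolver parameters (posts 5, 11, 12), and why http://test.dnssec-or-not.com/ keeps reporting no DNSSEC behind the Acrylic -> dnscrypt-proxy chain (posts 8, 9, 15). The script below is an added example written for this page; it is not code from the thread, from dnscrypt-proxy or from Acrylic. It is a small local UDP forwarder that sits where Acrylic's forwarder address points, tries two dnscrypt-proxy instances in order, rejects replies whose transaction id does not match, and reports the AD (Authenticated Data) flag of each answer. Assumptions not stated in the thread: the first dnscrypt-proxy instance listens on 127.0.0.7:40 as in post 9, a hypothetical second instance (configured with the second resolver's address, provider name and key) listens on 127.0.0.8:40, and the forwarder itself listens on 127.0.0.1:5353. The security point it makes: DNSCrypt authenticates the path to the resolver, and whether a given answer was DNSSEC-validated is a separate fact that the resolver signals with the AD bit. That bit is only worth reading over an authenticated path such as the dnscrypt-proxy hop; over plain UDP to a remote server anyone on the path can set it.

```python
"""Local UDP DNS forwarder in front of two dnscrypt-proxy instances: failover
between them and report the DNSSEC AD flag of each reply.
Added example, not code from this thread, dnscrypt-proxy or Acrylic."""
import socket
import struct

PRIMARY = ("127.0.0.7", 40)    # dnscrypt-proxy local address from post 9
SECONDARY = ("127.0.0.8", 40)  # assumed: a second dnscrypt-proxy instance
LISTEN = ("127.0.0.1", 5353)   # assumed: where Acrylic/the stub forwards to
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000               # "DNSSEC OK" bit in the OPT record's TTL field

def encode_name(name):
    """Wire-format name: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD, AD requested and an EDNS0 OPT record with DO=1, so a
    validating resolver returns signatures and sets AD on validated data."""
    header = struct.pack(">HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode,
    # version and flags (DO), RDLENGTH 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt

def parse_header(msg):
    """Header fields a forwarder needs to judge a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0x000F, "ancount": an}

def udp_exchange(query, upstream, timeout=2.0):
    """Real transport: one UDP round trip to a local dnscrypt-proxy."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        return s.recv(4096)

def resolve_with_failover(query, upstreams=(PRIMARY, SECONDARY), exchange=udp_exchange):
    """Try upstreams in order; accept the first reply that is a response to our
    transaction id. Returns (response, upstream_used, ad_flag)."""
    qid = parse_header(query)["id"]
    last_error = None
    for up in upstreams:
        try:
            resp = exchange(query, up)
        except (socket.timeout, OSError) as err:
            last_error = err
            continue
        h = parse_header(resp)
        if not h["qr"] or h["id"] != qid:   # not an answer to our query
            last_error = ValueError("reply from %s:%d does not match query" % up)
            continue
        return resp, up, h["ad"]
    raise RuntimeError("all upstreams failed: %r" % (last_error,))

def constructed_reply(query, ad):
    """Constructed reply (offline test fixture, not real resolver output): echoes
    the question and OPT, sets QR/RD/RA and optionally AD, carries no answers."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    return struct.pack(">HHHHHH", parse_header(query)["id"], flags, 1, 0, 0, 1) + query[12:]

def demo_failover():
    """Offline run: primary times out, secondary answers with AD set."""
    def exchange(query, upstream):
        if upstream == PRIMARY:
            raise socket.timeout("primary down")
        return constructed_reply(query, ad=True)
    return resolve_with_failover(build_query("cloudns.com.au"), exchange=exchange)

def demo_mismatched_id():
    """Offline run: primary's reply carries a wrong id and is rejected; the
    secondary answers without AD (not validated)."""
    def exchange(query, upstream):
        reply = constructed_reply(query, ad=False)
        return b"\xde\xad" + reply[2:] if upstream == PRIMARY else reply
    return resolve_with_failover(build_query("cloudns.com.au"), exchange=exchange)

def serve(listen=LISTEN):
    """Accept queries from Acrylic or the stub, forward with failover, log AD."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            query, client = srv.recvfrom(4096)
            try:
                resp, up, ad = resolve_with_failover(query)
            except (RuntimeError, ValueError) as err:
                print("dropped query from %s:%d: %s" % (client + (err,)))
                continue
            print("%s:%d -> %s:%d AD=%s" % (client + up + (ad,)))
            srv.sendto(resp, client)

if __name__ == "__main__":
    serve()
```

    To use it, run a second dnscrypt-proxy instance with its own local address and the second resolver's address, provider name and provider key (a second service with its own registry parameters on Windows), point Acrylic's forwarder at 127.0.0.1:5353 instead of 127.0.0.7:40, and watch the AD column. If a query sent straight to 127.0.0.7:40 comes back with AD set but the same query through 127.0.0.1:53 does not, the intermediary in between is clearing the flag, which is what a "not using DNSSEC" result from a web test would reflect even though the resolver itself validated.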
     