Using HTTPS DNS

Discussion in 'privacy technology' started by subhrobhandari, Aug 4, 2013.

Thread Status:
Not open for further replies.
  1. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    For those who might be interested:
    https://www.privacyfoundation.de/wiki/SSL-DNS.html#Windows

    This worked with Swiss Privacy Foundation's DNS servers (see my sig) and OpenNIC servers when I tested weeks ago and will probably with others too.


    Note: This is different that using DNSCrypt. OpenDNS doesnt support DNSSEC too. In their words
     
    Last edited: Aug 4, 2013
  2. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    Did you look at https://cloudns.com.au/ ?

    DNSCrypt support
    DNSSEC support
    Namecoin support
    No censorship
    No hijacking
    No logging
    Not in the US
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I may try out CloudNS. Thank you for posting that.
     
  4. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    It looks really nice, jedisct1 are you from DNSCrypt project in Github?
     
  5. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    I wrote the protocol and the client proxy.

    Someone wrote a free server proxy: https://github.com/Cofyc/dnscrypt-wrapper

    Anyone running a DNS resolver can use it to support the protocol. This is what CloudNS are using. Having more of them would be neat!
     
  6. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    Agreed, I was looking for an OpenDNS alternative for a long time to use with DNSCrypt, this just made me smile.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Very nice, but they are only in Australia which doesn't give great speed for the rest of the world.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Pretty sure all modern browsers cache and prefetch DNS aggressively, so performance shouldn't matter much in real world situations.
     
  9. tlu

    tlu Guest

    A possible alternative are the DNS servers of the Swiss Privacy Foundation. They support DNSSEC, but they aren't dnscrpyt compatible, are they?
     
  10. tlu

    tlu Guest

    I'm using the configuration in Kubuntu 13.04 as suggested by Hungry in combination with dnsmasq as mentioned here.

    sudo tcpdump -i eth0 dst host 113.20.6.2 or src host 113.20.6.2 -n (as suggested here) yields:

    Code:
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    13:12:34.311774 IP 192.168.0.6.54870 > 113.20.6.2.443: UDP, length 324
    13:12:35.675776 IP 113.20.6.2.443 > 192.168.0.6.54870: UDP, length 368
    13:13:07.861374 IP 192.168.0.6.54870 > 113.20.6.2.443: UDP, length 260
    13:13:08.430082 IP 113.20.6.2.443 > 192.168.0.6.54870: UDP, length 368
    
    This suggests that it works.

    dig txt debug.cloudns.com.au (as suggested by jedisct1 here) yields:

    Code:
    ; <<>> DiG 9.9.2-P1 <<>> txt debug.cloudns.com.au
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31860
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;debug.cloudns.com.au.          IN      TXT
    
    ;; AUTHORITY SECTION:
    cloudns.com.au.         3577    IN      SOA     ns1.name-services.com.au. info.cloudns.com.au. 2013072107 86400 7200 3600000 86400
    
    ;; Query time: 66 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri Aug  9 13:16:26 2013
    ;; MSG SIZE  rcvd: 128
    
    There is no line that says "dnscrypt". I had the same problem with OpenDNS. Any hints why?
     
  11. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    329
    I tried setting dnscrypt in Windows. It works as service but it behaves like dns client, listening port 53.

    Accorting to https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDOWS.markdown there should be "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dnscrypt-proxy\Parameters" key. There is no "Parameters" key.

    I launched it using "dnscrypt-proxy -a 127.0.0.1:2053 -r 113.20.6.2:443
    --provider-name=2.dnscrypt-cert.cloudns.com.au
    --provider-key=
    1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4" command. It is verifying key and other things etc... but listening port 53. If i set dns to 127.0.0.1 in windows, it doesn't connect at all.

    What is the proper way to configure it for Windows?
     
    Last edited: Aug 9, 2013
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    It is not as slow as I expected, and good results from spoofability test:
    dns.png


    You have to create the "Parameters" key yourself, and then add three new String Values to it, "ProviderKey", with the key as value, "ProviderName", with their URL, and "ResolverAddress", with their IP address as value.
    If you use copy/paste, be sure to remove any spaces before and after the value, or it won't work.

    EDIT:fixed spelling
     
    Last edited: Aug 9, 2013
  13. subhrobhandari

    subhrobhandari Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    708
    I have never seen a DNS used mixed alphabetic case before, thats exciting. And I agree, speed is not that bad. Obviously slower than Google and my ISP but thats to expect for such security.
     
  14. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    329
    UPDATE:changed ResolverAdress to ResolverAddress". It works now.

    I set "ProviderKey" -->
    "1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4", "ProviderName" --> "2.dnscrypt-cert.cloudns.com.au", "ResolverAdress" --> "113.20.6.2:443" And set dns to "127.0.0.1" it doesn't work.
     
    Last edited: Aug 9, 2013
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    "Inspired by the HTTPS-DNS project.. "

    The page has been moved to another URL but that one leads to Page Not Found o_O

    Whoops, I always misspell Address :D

    Ah yes, I thought this topic was about DNS over HTTPS in general, and didn't notice it was the actual name of the project.
     
    Last edited: Aug 9, 2013
  17. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    209
    Location:
    CSA Consulate, Glos., UK
    i did what metwurst did, works fine.

    i have an added flip in that i use acrylic dns proxy to cache dns requests in lieu of win7's dns client service (which i disabled).

    acrylic uses 127.0.0.1 in the adapter's ipv4 tcpip dns settings
    (in the acrylic config it is bound to 127.0.0.1 on port 53)

    i set acrylic to resolve from 127.0.0.7 on port 40 as the primary server.

    i used the registry parameters from the opendns project home page like metwurst, but added the LocalAddress string parameter set to 127.0.0.7:40 and all is well.
     
  18. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    This is not the way to check that it works.

    Use Wireshark, and check that packets are encrypted (i.e. Wireshark reports garbage, not outgoing DNS queries). That said, if you get responses from 127.0.0.1, it also means that it works.
     
  19. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    Mixing alphabetic case is yet another layer of protection against spoofing.
     
  20. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
  21. tlu

    tlu Guest

    But isn't that what you suggested here for OpenDNS - and it didn't work for that one, either.

    I tried that but I cannot detect malformed packages or something like that.

    Okay.

    dig microsoft.com yields:

    Code:
    ; <<>> DiG 9.9.2-P1 <<>> microsoft.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38684
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;microsoft.com.                 IN      A
    
    ;; ANSWER SECTION:
    microsoft.com.          1184    IN      A       65.55.58.201
    microsoft.com.          1184    IN      A       64.4.11.37
    
    ;; Query time: 65 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Aug 17 19:46:30 2013
    ;; MSG SIZE  rcvd: 74
    
    Executed a second time gives:

    Code:
    ; <<>> DiG 9.9.2-P1 <<>> microsoft.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17715
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;microsoft.com.                 IN      A
    
    ;; ANSWER SECTION:
    microsoft.com.          1181    IN      A       65.55.58.201
    microsoft.com.          1181    IN      A       64.4.11.37
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Aug 17 19:46:33 2013
    ;; MSG SIZE  rcvd: 63 
    Query time is 0 seconds as data comes from the dnsmasq cache now. Msg size is smaller compared to the first query. My interpretation is that this is due to the missing SSL overhead (as opposed to the first query). Is this interpretation correct?
     
  22. doveman

    doveman Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    119
    I've got DNScrypt-proxy working with cloudNS but it doesn't seem possible to add the second resolver using the registry parameters, which is a bit of a downside as it can be a bit intermittent with only the one resolver.

    Also, http://test.dnssec-or-not.com/ appears to be down but even when it was working it was telling me that I wasn't using DNSSec when I was using cloudNS.
     
Loading...
Thread Status:
Not open for further replies.