

Introducing DNSCrypt (Preview Release) - timw6n
http://www.opendns.com/technology/dnscrypt

======
navyrain
DNSCrypt is a cool utility, but somewhat of a mixed bag, since OpenDNS serves
up responses for invalid DNS records, in an effort to send you to website-
unavailable.com

This hijacking (I am blanking on the technical term for it) really rubs me the
wrong way. Is there a way to get around it?

~~~
blibble
don't use their service?

easier said than done I know... my commuter train's wifi uses "Open"DNS, and
most interesting websites are blocked (reddit, anything gaming related, etc),
and the block pages are filled with their obnoxious advertising.

I've been saying this for years, but I can't wait for DNSSEC to put people
like OpenDNS out of business (isn't it odd they want to FUD the waters by
pushing DNSCrypt?)

~~~
pstack
Why do you want to put OpenDNS out of business? They offer a decent free
service that is faster and more reliable than your ISP's nameservers usually
are and they offer you a lot of control.

Don't like having NXDOMAIN redirected? Disable it.

Want to filter out and be alerted on queries that seem to be due to known
malware and phishing and botnets? Select that option.

Want to limit access to websites with certain content? Select what you want to
filter (I only filter out the Web Spam, Parked Domain, and Typo Squatting
categories). Filter out nothing, if you prefer.

Are you a public library or academic institution or a work place and you have
to restrict certain content? Select the porn or social networking or adware or
other sections (yeah, this might rub people the wrong way, but OpenDNS is
giving the administrator of a given network the control over their network to
do what they want with it).

Really hate doubleclick? Add them to the blocked domain list on opendns.

I really fail to see why anyone would have significant problems with OpenDNS.
I've been using them for years and I'm a software engineer who requires things
to work as expected on my network for testing and debugging -- and OpenDNS
hasn't ever been a problem for me, so I'd really like to know what legitimate
problems people have with it (other than the fact that, like Comcast or any
other provider of a service, they could theoretically be collecting data on
you and utilize it in some nefarious fashion, which I just assume of all
services free or paid these days).
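
Added example (not part of pstack's or navyrain's comments, and not OpenDNS code): a small Python probe for the NXDOMAIN redirection discussed above. It queries a resolver for a random label that cannot exist and classifies the reply as an honest NXDOMAIN or as a synthesized answer. It assumes `base_domain` is a zone you control (or otherwise know returns NXDOMAIN for unknown labels); the reply bytes used to exercise the classifier are constructed, not captured.

```python
import secrets
import socket
import struct
import sys


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes, txid: int) -> str:
    """Classify a resolver's reply to a query for a name that cannot exist.

    'nxdomain'    - honest answer (RCODE 3)
    'synthesized' - NOERROR plus answer records: the resolver invented an address
    'nodata'      - NOERROR with no answer records
    'error'       - malformed, wrong transaction id, not a response, or other RCODE
    """
    if len(resp) < 12:
        return "error"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not (flags & 0x8000):  # QR bit: must be a response to our query
        return "error"
    rcode = flags & 0x000F
    if rcode == 3:
        return "nxdomain"
    if rcode != 0:
        return "error"
    return "synthesized" if an > 0 else "nodata"


def probe_resolver(resolver_ip: str, base_domain: str = "example.com",
                   timeout: float = 3.0):
    """Send one query for a random label under base_domain and classify the reply.

    base_domain is an assumption: use a zone you control so that a random label
    is guaranteed not to exist.
    """
    name = f"{secrets.token_hex(8)}.{base_domain}"
    txid = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (resolver_ip, 53))
        resp, _ = s.recvfrom(4096)
    return name, classify_response(resp, txid)


if __name__ == "__main__":
    # Usage: python probe.py <resolver-ip>   (defaults to a local resolver)
    ip = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_resolver(ip))
```

Run it against each resolver your DHCP lease hands out; a "synthesized" result means the resolver is answering for names that do not exist, which is exactly the behaviour the OpenDNS dashboard option turns off.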

~~~
blibble
whilst I can't choose my DNS provider on the train, at home I choose an ISP
that is capable of running a recursive name server (if they can't run this
very basic part of the service, I dare to think what the rest of it would be
like...)

I'm still not sure why the practice of deliberately returning spoofed garbage
in response to legitimate queries is seen as an acceptable practice.

~~~
derefr
> an ISP that is capable of running a recursive name server

I've never experienced such an ISP, and I've been through many. The
mismanagement of ISP-hosted DNS, as far as I can tell, is the most common
cause of residential "internet outage."

~~~
drdaeman
> I've never experienced such an ISP

How did they provide DNS services to their clients then? Or they bootstrapped
you (via DHCP[v6], PPP's IP[6]CP or whatever they use to set up your IP layer)
with public nameserver addresses like OpenDNS or Google Public DNS?

I believe I heard somewhere desktop Windows' resolver won't work iteratively
and requires a nameserver capable of recursion. Although I may be mistaken on
this matter.

~~~
derefr
I didn't mean they didn't provide a DNS resolver. I just meant that they
_weren't capable_.

------
dmunoz
Is there anything new here? DNSCrypt as a preview has been available for a
good while now. Clicking through to their GitHub, I see that dnscrypt-proxy
was last updated 4 days ago, and then the two clients: dnscrypt-osx-client 11
days ago yet dnscrypt-win-client more than a year ago, with various issues
that have not been responded to, oldest being a year old as well.

I point this out mainly because I gave dnscrypt a shot more than a year ago on
windows and it severely borked my internet in a non-obvious way which had
nothing to do with DNS. For days I was limited to ~25kbps speeds. I had
disabled dnscrypt at this point, and was on the verge of phoning my ISP to
report a problem when I finally fully removed the windows client and the
problem resolved itself. Playing with preview release software can seriously
suck sometimes.

~~~
IvyMike
> Is there anything new here?

I believe this is a response to the "The free wifi on the bus hijacked my DNS"
story that was on the front page earlier today.

Edit: this one
[https://news.ycombinator.com/item?id=7047682](https://news.ycombinator.com/item?id=7047682)

------
crator
DNS privacy and signature verification is a good thing, but what about
combatting random domain name confiscations?

The attackers already do it for so-called copyright infringement, but they
could do it for any reason, if they wanted to. So, what about thoroughly
_decentralizing_ the DNS system and getting rid of the centralization of
corruption at ICANN? Isn't that more urgent nowadays?

~~~
drdaeman
Namecoin?

------
xxdesmus
This was released ....at least a year ago. Am I missing something? The newest
code/content is at [http://dnscrypt.org/](http://dnscrypt.org/)

~~~
sp332
Nope, it's at least 2 years old
[http://web.archive.org/web/20111207064744/http://www.opendns...](http://web.archive.org/web/20111207064744/http://www.opendns.com/technology/dnscrypt/)

------
mike-cardwell
Bear in mind, when using DNSCrypt with OpenDNS you're actually _reducing_ your
overall level of privacy. Now _two_ companies can see what sites you're
visiting: your ISP _and_ OpenDNS.

Your ISP doesn't need to see your DNS queries in order to know what sites
you're visiting. They can see the IPs that you're sending packets to. They
can see the HTTP "Host" header for HTTP. They can even see the hostname for
HTTPS because of SNI.

~~~
pstack
Three. Don't forget the website, itself.

Well, maybe four or five or ten. Don't forget all of the advertisements and
beacons on the site you're visiting.

Well, maybe also Google, if you're using Chrome.

Oh, and maybe everybody, unless everything you're doing is always encrypted
and it's through a VPN service that doesn't maintain any logging and isn't
subject to government subpoena and can be thoroughly trusted.

Frankly, if your ISP can see it, then who cares who else along the chain does?
Nobody else providing a service that can see your data is going to do anything
with it that Comcast, Cox, Sprint, Verizon, AT&T, CenturyLink, and Frontier
isn't already doing.

~~~
mike-cardwell
None of the examples you have supplied are equivalent or relevant.

My point stands: If you use DNSCrypt+OpenDNS in order to try and hide your
browser history from your ISP, not only will you not succeed, but you will
make matters worse.

~~~
pstack
Right. My point was simply that there's little point to them being concerned
about their ISP in the first place if they're exposed elsewhere along the
chain (unless they're simply worried about being locked-down from accessing
certain servers for some reason, I guess?).

------
gararapa
These versions are really old. For the latest version, go to
[http://dnscrypt.org/](http://dnscrypt.org/).

------
zaroth
I was thinking about tunneling all UDP coming out of my servers to a
disposable address, with the intent of dropping all inbound/outbound UDP, or even
seeing if I could get my upstream to always drop all inbound UDP, in order to
mitigate DDoS.

Perhaps this is an easy way to achieve that for DNS at least. Not sure how
many other protocols are necessary to tunnel from a server which is only
responding to HTTPS, and installing security updates.

------
Nux
This seems to be a DNSCurve implementation.

