

DNSCrypt: A tool for securing communications between a client and a DNS resolver - gits1225
http://dnscrypt.org/

======
ds9
It would be nice to have encrypted DNS, but it is pointless if the server is
untrustworthy. This defaults to OpenDNS, a commercial service that gives
false results (replacing NXDOMAIN) unless the user signs up giving personal
info!

And for the same reason I don't want to use my ISP's DNS. I did a quick
websearch for public DNS servers that give honest results without requiring an
account, but did not see any mention of encryption compatible with this.

~~~
simcop2387
The best I've been able to come up with is using something like dnsmasq plus a
public resolver. It'll filter the results for you so that you can have their
fake A records get turned into NXDOMAINs. It's not a perfect solution (they
can change the A records and you have to reconfigure) but it certainly seems
to help.

~~~
jedisct1
You don't need dnsmasq for that. dnscrypt ships with the ldns-blocking plugin
to block lists of domains and IPs:
[https://github.com/jedisct1/dnscrypt-proxy/blob/master/src/p...](https://github.com/jedisct1/dnscrypt-proxy/blob/master/src/plugins/example-ldns-blocking/example-ldns-blocking.c)
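As an added example (not code from dnscrypt-proxy, dnsmasq or anyone in this thread), this is the filtering both comments describe: rewriting answers that point at a resolver's known NXDOMAIN-replacement address back into NXDOMAIN (the dnsmasq trick), and refusing names or addresses on a blocklist (what the plugin does). The redirect address and blocklist entries are constructed samples from documentation ranges.

```python
"""Post-filter for answers coming back from an upstream resolver.

Rule 1: an A answer containing a known "search redirect" address (the
        resolver's substitute for NXDOMAIN) is rewritten to NXDOMAIN.
Rule 2: names on a domain blocklist (exact or any parent domain) and
        answers inside blocked IP ranges are answered with NXDOMAIN.
All addresses and names below are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class Answer:
    qname: str
    rcode: str                         # "NOERROR" or "NXDOMAIN"
    a_records: List[str] = field(default_factory=list)


# Constructed: address the upstream returns instead of NXDOMAIN.
REDIRECT_IPS = {"192.0.2.10"}
# Constructed blocklist: domains (suffix-matched) and IP ranges.
BLOCKED_DOMAINS = {"ads.example.net", "tracker.example.org"}
BLOCKED_NETS = [ip_network("198.51.100.0/24")]


def _domain_blocked(qname: str) -> bool:
    labels = qname.rstrip(".").lower().split(".")
    # Check the name and each parent, so "cdn.ads.example.net"
    # matches the "ads.example.net" entry but "notads.example.net" does not.
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def _ip_blocked(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in BLOCKED_NETS)


def filter_answer(ans: Answer) -> Answer:
    """Return the answer the client should actually see."""
    if ans.rcode != "NOERROR":
        return ans                       # already an error, pass through
    if _domain_blocked(ans.qname) or any(_ip_blocked(a) for a in ans.a_records):
        return Answer(ans.qname, "NXDOMAIN")
    if any(a in REDIRECT_IPS for a in ans.a_records):
        return Answer(ans.qname, "NXDOMAIN")   # upstream's fake A record
    return ans
```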

------
bcl
This isn't any better than using Google's DNS, your ISP's or OpenDNS directly.
All your requests eventually go through a central location where they can be
logged. Better to install your own caching DNS server so they at least can't
do traffic analysis on your repeat requests.

~~~
dsl
OpenDNS has open sourced technology that allows you to secure DNS against
eavesdropping, something no other technology will let you do at the DNS level
(DNSSEC only does security, not privacy). They are also a major backer of
DNSCrypt which provides transport security between recursive and authoritative
servers.

Without OpenDNS's work, your cute little caching DNS server at home is still
subject to the same interception as queries flowing to your ISP's DNS cache.

So what if they optionally replace some NXDOMAIN queries so they can make a
little bit of money? If they didn't have a business model that was up front,
you'd claim they were obviously funded by the government.

We as a community need to not be so hard on commercial companies that are
actually trying to protect us. Some of them are run by genuine geeks like us
and trying to help out.

~~~
blibble
Let's be honest here: they've released this in an attempt to stop/muddle
DNSSEC adoption, as DNSSEC represents an existential threat to their business:
messing with the answers to DNS requests.

~~~
dsl
That's just overly cynical.
[https://yourlogicalfallacyis.com/genetic](https://yourlogicalfallacyis.com/genetic)

DNSSEC is only signatures for DNS. It provides no secrecy of queries or
responses. In light of the current PRISM disaster, DNSSEC does nothing to
protect you.

I'll copy a snippet from OpenDNS' original announcement [1] here: Our support
for DNSCurve doesn’t prevent our adoption of DNSSEC — they are not mutually
exclusive. While we have reservations about DNSSEC, we can and will implement
it when we see more demand and traction, but in the meantime, when we see a
viable technology that can be quickly implemented to improve security for DNS
users, that’s a no-brainer in our book.

1. [http://blog.opendns.com/2010/02/23/opendns-dnscurve/](http://blog.opendns.com/2010/02/23/opendns-dnscurve/)

~~~
dfc
_In light of the current PRISM disaster, DNSSEC does nothing to protect you._

Let's say Nation State A has all the data that prism has collected and Nation
State B has the same exact dataset minus DNS traffic. Do you really think
there is a lot that _A_ can do that _B_ can not?

EDIT: Changed hypothetical actors from me/you to State A / State B. It made it
seem personal and it's not; I was just being lazy.

~~~
tptacek
There's nothing you can do with the DNS at all, regardless of whether we use
DNSSEC, DNSCurve, DNSCrypt, or 1995 BIND where the query IDs increase
monotonically, that will deter any nation state actor. DNS security is
marginally relevant to online crime, and to nothing else.

~~~
dfc
This was my point but I was leaving open the possibility that I was completely
oblivious to something. The only situation where I can think of DNS privacy
having any impact is with an overlay (VPN/Tor) that leaks DNS requests at the
client endpoint.

------
jicksta2
I had issues with DNSCrypt after using it for a few months. I had strange DNS
resolution issues, felt I couldn't truly trust it, and found myself
disabling/re-enabling it too often to see if it was the point of failure. I
now use [https://proxy.sh](https://proxy.sh) for a private VPN with the
Viscosity VPN client which properly sends DNS traffic over the VPN.

That said, I'll probably give DNSCrypt a try again in the coming months. YMMV

------
flueedo
I've been using DNSCrypt on Linux for probably a year. The only issue I had a
few times some months ago was that the first nameserver would stop responding;
the solution was to switch to the second nameserver. Lately though I
haven't had any issues; for me at least it has been fast and reliable.

------
driverdan
Note to DNSCrypt users: Apparently the update feature of 0.10 doesn't work.
I've been running that version since it came out and it always said it's up to
date. I assumed they just weren't actively developing it. Apparently it just
didn't update because the current version is 0.19.

------
jedisct1
I don't get why this is on the HN front page. dnscrypt is 2 years old, and
nothing special happened to it lately. Did I miss something?

------
ecesena
How does it compare to DNSCurve ([http://dnscurve.org](http://dnscurve.org))?

~~~
jedisct1
How does it compare to DNSSIG ([http://dnssig.org](http://dnssig.org))?

~~~
ecesena
I think DNSSIG is (at least designed) more for relationships among DNS servers
and especially to protect the integrity of the DNS records, while this project
seems more for securing the client-to-relay channel, with (I guess) focus on
confidentiality.

~~~
jedisct1
Both focus on integrity. Read the dnscrypt project description and grep for
"authentic*", then grep for "encrypt*".

DNS confidentiality is useful when running an IP-over-DNS tunnel like iodine,
not so much in combination with other protocols.

