
DNSCrypt Reduces Privacy - mike-cardwell
https://grepular.com/DNSCrypt_Reduces_Privacy
======
efoto
DNSCrypt was not designed to guarantee privacy, but arguing that DNSCrypt
actually _reduces_ privacy seems strange to me.

~~~
tptacek
Not so much "strange" as "wrong".

The blog post is good! It makes an important point. But its conclusion is
badly flawed.

~~~
darrmit
Conclusion is fine. The clickbait title is the problem.

------
atmosx
Is SNI plaintext? I understand that it's part of the TLS handshake[1].

DNSCrypt is just an additional layer of security. You can use a VPN or Proxy
along with DNSCrypt & DNSSEC if the purpose is to avoid Gov monitoring.

[1]: https://journal.paul.querna.org/articles/2005/04/24/tls-server-name-indication/

~~~
mike-cardwell
The hostname in SNI is sent over plain text yes.

~~~
atmosx
Good to know, ty.

------
zquestz
The assumption that is flawed is that people are using a third party dnscrypt
server which is not always accurate. People can put dnscrypt on their own
servers and share the instance with their friends for plausible deniability.

That in concert with dnssec will also protect you from the common practice of
ISPs rewriting dns replies as they see fit, which is a far larger privacy
concern imho.

Overall there are some good points in the article but vpn is still not a
silver bullet and the title is definitely link bait.

------
textmode
dnscurve is a way to encrypt DNS packets between an authoritative DNS server
and a client (or if you prefer, a cache).

CurveDNS is an implementation of dnscurve.

dnscurve protects the integrity of packets from tampering. That's all it does.
Encryption of packets on a per packet basis.

(For example, there are people running shared DNS caches that rewrite users'
DNS queries with varied information -- without the users knowing about it.)

dnscurve does not provide for "authentication". The protocol cannot tell the
user who is running an authoritative DNS server. A user could use ed25519 ssh
keys for that.

"DNSCrypt" was a project from a company that makes money by running shared DNS
caches and filtering domains, serving ads, and who knows what else. Now they
are part of Cisco.

There is nothing about dnscurve that forces anyone to use a shared DNS cache.

A user can run their own personal DNS cache on the loopback.

Moreover, a user can query dnscurve compatible authoritative servers (e.g.
running CurveDNS) directly using a dnscurve compatible stub resolver.
Non-recursive queries.

That's all I know. I might be wrong.

------
NeutronBoy
I don't get it. The blog kinda nails its own point in the first paragraph.

> It allows you to _authenticate_ that the packet you received from the DNS
> server you connected to is the one that it sent, and also encrypts it over
> that single hop.

I guess the bit that's missing is, 'who is disagreeing with this?'

------
vertex-four
> but the third party running the DNSCrypt enabled DNS server now can

Assuming you're using your ISP's resolver in the first place, they can see
what you're looking up. If you're not, Verisign can when you look up a .com
domain. How, precisely, does DNSCrypt change that?

~~~
mike-cardwell
Use your ISP's resolver then your ISP can see what sites you're visiting.

Use DNSCrypt then your ISP can see what sites you're visiting _and_ the third
party running the DNSCrypt server can _also_ see what sites you're visiting.

