

DNSCrypt release for Linux - tux1968
http://blog.opendns.com/2012/02/16/tales-from-the-dnscrypt-linux-rising

======
onedognight
DNSCrypt / DNSCurve will be great for security of DNS and the internet in
general. I hope this helps it reach wide deployment.

For background, it is the first implementation of DNSCurve designed by DJB
(qmail, tinydns, daemontools, etc). See <http://dnscurve.org/> or the excerpt
below.

DNSCurve uses high-speed high-security elliptic-curve cryptography to
drastically improve every dimension of DNS security:

Confidentiality: DNS requests and responses today are completely unencrypted
and are broadcast to any attacker who cares to look. DNSCurve encrypts all DNS
packets.

Integrity: DNS today uses "UDP source-port randomization" and "TXID
randomization" to create some speed bumps for blind attackers, but patient
attackers and sniffing attackers can easily forge DNS records. DNSCurve
cryptographically authenticates all DNS responses, eliminating forged DNS
packets.

Availability: DNS today has no protection against denial of service. A
sniffing attacker can disable all of your DNS lookups by sending just a few
forged packets per second. DNSCurve very quickly recognizes and discards
forged packets, so attackers have much more trouble preventing DNS data from
getting through. Protection is also needed for SMTP, HTTP, HTTPS, etc., but
protecting DNS is the first step.

Despite its extremely high level of security, DNSCurve is very easy for
software authors to implement, and very easy for administrators to deploy.

DNSCurve is part of a larger project to encrypt and authenticate all Internet
packets. The techniques used in DNSCurve are easily adapted to other Internet
protocols.

~~~
pjscott
A summary of the summary is that it encrypts and authenticates all
communication with DNS servers that support the protocol, and does so with
very little overhead, in a way that can be rolled out incrementally.

~~~
zdw
A comparative clarity enhancing corollary to the summary of the summary:

DNSCurve is like ssh - no central authority, secures and hides the contents of
the connection, not the data at rest. Server keys are published as part of the
NS record of the domain.

DNSSEC is like PGP with SSL's centralized certificate authorities - trusted
parties use keys to sign zone files which can be stored on an untrusted server
but still authenticated. No encryption on server-client communication.

They're really complementary techniques with different goals and means of
achieving them.

~~~
aidenn0
Does DNSCurve offer any protection against a MITM attack (e.g. open wifi with
DNS hijacking)?

~~~
zdw
Depends on the client implementation. If your client machine's resolver is set
to use DNSCurve-enabled recursive servers and has known good copies of their
keys and IP addresses, then trying to MITM would require breaking the
encryption (i.e., impossible/very unlikely).

That said, if you have control at the registrar level or an intermediary or
above the recursive nameserver, you could change the NS records to use your
keys and MITM it that way.
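
The two zdw comments above turn on one detail: a DNSCurve server's public key travels inside its NS hostname, and a resolver that keeps "known good copies" of those keys is pinning exactly that value. The script below is an added example (not code from OpenDNS, CurveDNS or djb's tools) that audits an NS record set and reports which servers advertise a key. Its base-32 alphabet ("0123456789bcdfghjklmnpqrstuvwxyz"), the "uz5" prefix, the 51-character key encoding and the least-significant-bits-first packing are this example's reading of the DNSCurve specification at dnscurve.org and should be checked against it; the NS names and the demo key are constructed for the demonstration.

```python
"""Audit an NS record set for DNSCurve public keys (added example).

DNSCurve publishes a server's Curve25519 public key inside the nameserver's
hostname: the first label is "uz5" followed by 51 base-32 characters encoding
255 bits. The alphabet and the least-significant-bits-first packing below are
an assumption taken from this example author's reading of dnscurve.org.
"""
from typing import Optional

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"   # DNSCurve base-32 digits (assumption)
DECODE = {c: i for i, c in enumerate(ALPHABET)}
PREFIX = "uz5"
KEY_CHARS = 51          # 51 * 5 bits = 255 bits; bit 255 of a Curve25519 key is always 0
KEY_BYTES = 32


def base32_encode(data: bytes) -> str:
    """Pack bytes into 5-bit digits, least significant bits first."""
    value, bits, out = 0, 0, []
    for byte in data:
        value |= byte << bits
        bits += 8
        while bits >= 5:
            out.append(ALPHABET[value & 31])
            value >>= 5
            bits -= 5
    if bits:
        out.append(ALPHABET[value & 31])
    return "".join(out)


def base32_decode(text: str) -> bytes:
    """Unpack 5-bit digits; leftover bits form a final partial byte (51 digits -> 32 bytes)."""
    value, bits, out = 0, 0, bytearray()
    for ch in text:
        value |= DECODE[ch] << bits
        bits += 5
        while bits >= 8:
            out.append(value & 0xFF)
            value >>= 8
            bits -= 8
    if bits:
        out.append(value & 0xFF)
    return bytes(out)


def dnscurve_name(pubkey: bytes, zone: str) -> str:
    """Build the NS hostname a DNSCurve server would publish for pubkey."""
    if len(pubkey) != KEY_BYTES or pubkey[-1] & 0x80:
        raise ValueError("expected a 32-byte Curve25519 public key with its top bit clear")
    return f"{PREFIX}{base32_encode(pubkey)[:KEY_CHARS]}.{zone.rstrip('.')}."


def extract_dnscurve_key(ns_name: str) -> Optional[bytes]:
    """Return the 32-byte key advertised by ns_name, or None for a plain nameserver."""
    label = ns_name.lower().rstrip(".").split(".")[0]
    if len(label) != len(PREFIX) + KEY_CHARS or not label.startswith(PREFIX):
        return None
    encoded = label[len(PREFIX):]
    if any(ch not in DECODE for ch in encoded):
        return None          # e.g. contains 'a' or 'e', which the DNSCurve alphabet omits
    return base32_decode(encoded)


def audit_ns_set(ns_names) -> dict:
    """Map each NS hostname to its DNSCurve key (hex) or None.

    A resolver can only encrypt and authenticate queries to servers that carry
    a key, so an NS set that mixes keyed and plain names still leaves the plain
    ones open to the sniffing and forging described in the thread.
    """
    result = {}
    for name in ns_names:
        key = extract_dnscurve_key(name)
        result[name] = key.hex() if key is not None else None
    return result


if __name__ == "__main__":
    demo_key = bytes(range(KEY_BYTES))          # constructed, not a real server key
    sample_ns = [                                # constructed NS set
        "ns1.example.org.",
        dnscurve_name(demo_key, "example.org"),
    ]
    for name, key in audit_ns_set(sample_ns).items():
        print(f"{name:70} {'DNSCurve key ' + key if key else 'no DNSCurve key'}")
```

Run it against the NS hostnames returned for your own zone (or the output of a CurveDNS key-generation step) to confirm the published label really encodes the key you intend; the registrar-level substitution zdw mentions would show up here as a different key, or no key at all, on a server you expected to be keyed.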

------
zdw
I deployed CurveDNS a few weeks ago for a few of my domains. It's pretty easy
following the instructions here:

<http://curvedns.on2it.net/docs>

I wrapped the CurveDNS binaries with fpm, which made installing it on all the
servers very easy. For the DNS server I used the djbdns stack (already in
debian experimental, patched with IPv6 support). The big advantage of this is
that tinydns's data format is atomic on a line level, so you just cat all the
zone files together and build the data.cdb file. I do this with Rake and push
the zone all over SSH to the servers - making an internet facing change is
usually as trivial as adding a single line in a text file and running rake.

Glad to see the client side of things is becoming as easy to set up as the
server side.

------
kleiba
_we’re searching for a rockstar win32 hacker to build a Windows release_

Cool, just noticed that I haven't seen the term "rockstar hacker" in job ads
in a long time. Can't say I miss it.

~~~
fletchowns
I guess they are looking for an egotistical, self-absorbed drug addict with a
tendency to mistreat women?

------
happyman
It doesn't seem to work for me. I am on a network where all web proxies are
blocked. I tried accessing anonymouse.org and I got the default page which is
used to inform blocked domains on my network. I can ping the IP of
anonymouse.org. I tested whether I have set up dnscrypt correctly with "sudo
tcpdump udp port dns"; it showed very long unreadable lines which I had not
seen before using dnscrypt. For anonymouse.org this was the tcpdump output:

12:57:43.523694 IP mypc-ubuntu.local.38481 > resolver2.opendns.com.domain:
28982 updateM [b2&3=0x666e] [27192a] [30295q] [20660n] [52086au][|domain]

12:57:43.801981 IP resolver2.opendns.com.domain > mypc-ubuntu.local.38481:
29238 updateM [b2&3=0x666e] [27192a] [30295q] [414n] [12287au] Type65535
(Class 13704)? [|domain]

There should have been a third line with the encrypted lines, but it doesn't
show up for anonymouse.org, whereas the third line with encrypted payload
gets shown for the domains that are whitelisted in my network.

------
mike-cardwell
So this only works if I route all of my DNS requests through OpenDNS or some
other DNSCrypt-supporting recursive resolver?

I'm currently running my own recursive resolver. I would like to add DNSCrypt
support, but I'm not handing over my DNS queries to somebody else.

~~~
geekbri
This is what I was wondering as well. Is there a way to deploy DNSCrypt onto
our own servers (Bind9, tinydns, MS DNS, etc.)? Any information would be
welcomed if somebody knows.

------
nodata
Can someone explain to me how this is working? It seems like the equivalent
of stunnel for DNS: I still have to trust my provider's (here: OpenDNS) DNS
servers; they have control over the encryption, not the owner of the DNS
records?

