Introducing DNSCrypt (Preview Release) (opendns.com)
84 points by timw6n 1232 days ago | hide | past | web | 38 comments | favorite

DNSCrypt is a cool utility, but somewhat of a mixed bag, since OpenDNS serves up responses for invalid DNS records, in an effort to send you to website-unavailable.com

This hijacking (I am blanking on the technical term for it) really rubs me the wrong way. Is there a way to get around it?

1) Anyone can run a DNSCrypt resolver...

2) You can create an account with us (free) and disable DNS redirection. This will get _much_ better / easier in the coming months as we continue to move away from ad revenue as a revenue stream.

3) This is a really old story. :-)

How about AAAA (IPv6) records? I've spoken with a number of people who are unable to resolve AAAA records because they made the mistake of using OpenDNS. So instead of seeing a v6-only site, they get a face full of ads.

Can't seem to find the setting to disable dns redirection, can you tell me where to look?

Edit: OK, found it - free users need to go to advanced settings > domain typos and disable that.

If you are trying to keep your children away from porn sites, you have to set that option:

"Typo Correction is required for Web Content Filtering.

You will lose 13 categories of blocking if you disable Typo Correction."

This will be resolved...soon.

OpenDNS allows you to disable interception of NXDOMAIN. Just go to your Customization settings and make sure "Enable NX Domain Redirection" is unchecked.

Ex: http://i.imgur.com/UxjoLkA.png

I invite correction, if I'm wrong, but I don't believe the option requires being a paying customer of their service.

Dnsmasq's bogus-nxdomain flag will do what you want, but it's not a good long-term solution. You'd be better off just using a DNS service that doesn't hijack responses.
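The redirection this subthread is about is easy to check for from the wire: a query for a name that cannot exist should come back with RCODE 3 (NXDOMAIN), and a resolver that "corrects typos" instead answers RCODE 0 with an A record pointing at its landing page. The following is an added example, not code from OpenDNS, dnsmasq or DNSCrypt: it builds two constructed DNS responses for a canary name (the landing-page address 192.0.2.10 is a placeholder from the TEST-NET-1 range), parses them, and flags the substituted answer.

```python
"""
Detecting NXDOMAIN redirection ("typo correction") in DNS responses.

Added example for this thread; not code from OpenDNS, dnsmasq or DNSCrypt.
The responses below are constructed by hand so the script runs offline;
192.0.2.10 is a placeholder landing-page address, not a real resolver's.
"""
import struct

NXDOMAIN = 3  # RCODE for "name does not exist"


def encode_name(name):
    """Encode a dotted hostname in DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, rcode, answer_ip=None):
    """Construct a minimal DNS response (constructed test data)."""
    ancount = 1 if answer_ip else 0
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, plus the RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answer = b""
    if answer_ip:
        # compression pointer to the question name at offset 12,
        # then type A, class IN, TTL 60, rdlength 4, and the IPv4 address
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        answer += bytes(int(o) for o in answer_ip.split("."))
    return header + question + answer


def skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes total
            return offset + 2
        offset += 1 + length


def parse_response(msg):
    """Return (rcode, list of IPv4 strings from A records in the answer section)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4  # skip qtype and qclass
    ips = []
    for _ in range(an):
        offset = skip_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return rcode, ips


def looks_hijacked(msg):
    """A canary query for a name that must not exist should get NXDOMAIN.
    RCODE 0 together with an A record means the resolver substituted an answer."""
    rcode, ips = parse_response(msg)
    return rcode != NXDOMAIN and len(ips) > 0


# Constructed responses to a canary name nobody should own.
CANARY = "this-name-should-not-exist-8f3a1.example"
HONEST = build_response(0x1234, CANARY, NXDOMAIN)
HIJACKED = build_response(0x1234, CANARY, 0, answer_ip="192.0.2.10")

if __name__ == "__main__":
    for label, msg in (("honest", HONEST), ("hijacked", HIJACKED)):
        verdict = "redirected" if looks_hijacked(msg) else "ok"
        print(label, parse_response(msg), verdict)
```

In practice you would send the canary query to the resolver under test and feed the raw reply to `looks_hijacked`; the same check is how a validating stub notices that an NXDOMAIN has been replaced before any DNSSEC signature could have been checked.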

Me too, that's why I use OpenNIC + unbound, and now I'm thinking of installing dnscrypt-proxy too on the local network to encrypt traffic between me and the OpenNIC servers, since it's supported.

note: I had a similar on another thread on HN, weird :0

don't use their service?

easier said than done I know... my commuter train's wifi uses "Open"DNS, and most interesting websites are blocked (reddit, anything gaming related, etc), and the block pages are filled with their obnoxious advertising.

I've been saying this for years, but I can't wait for DNSSEC to put people like OpenDNS out of business (isn't it odd they want to FUD the waters by pushing DNSCrypt?)

Why do you want to put OpenDNS out of business? They offer a decent free service that is faster and more reliable than your ISP's nameservers usually are and they offer you a lot of control.

Don't like having NXDOMAIN redirected? Disable it.

Want to filter out and be alerted on queries that seem to be due to known malware and phishing and botnets? Select that option.

Want to limit access to websites with certain content? Select what you want to filter (I only filter out the Web Spam, Parked Domain, and Typo Squatting categories). Filter out nothing, if you prefer.

Are you a public library or academic institution or a work place and you have to restrict certain content? Select the porn or social networking or adware or other sections (yeah, this might rub people the wrong way, but OpenDNS is giving the administrator of a given network the control over their network to do what they want with it).

Really hate doubleclick? Add them to the blocked domain list on opendns.

I really fail to see why anyone would have significant problems with OpenDNS. I've been using them for years and I'm a software engineer who requires things to work as expected on my network for testing and debugging -- and OpenDNS hasn't ever been a problem for me, so I'd really like to know what legitimate problems people have with it (other than the fact that, like Comcast or any other provider of a service, they could theoretically be collecting data on you and utilize it in some nefarious fashion, which I just assume of all services free or paid these days).

> faster [...] than your ISP's nameservers usually

This is probably incorrect.

Here's one of my ISP's (full disclosure: I work for this ISP) local NS:

    --- ping statistics ---
    50 packets transmitted, 50 received, 0% packet loss, time 990ms
    rtt min/avg/max/mdev = 0.142/0.198/0.423/0.059 ms

And here's OpenDNS:

    --- ping statistics ---
    50 packets transmitted, 50 received, 0% packet loss, time 1156ms
    rtt min/avg/max/mdev = 36.448/36.820/37.379/0.346 ms, pipe 2

So, OpenDNS responses are about 36.6ms slower (considering most queries should be cache hits, not misses), just because it's 4 hops further from me. I believe that, unless local ISPs' nameservers are running on particularly slow or busy servers, and provided they have proper caching, they should perform better than more physically distant nameservers. I presume, for most users, OpenDNS servers are farther than local ISP ones.

But you're just pinging the servers, which is not as informative as the actual response time for returning a lookup.

There are exceptions, but ISP-provided nameservers are often problematic. My ISP is one of the two or three biggest in the nation and they intercept NXDOMAIN, their response time is rarely better than OpenDNS or Google's DNS, and they have gone down more than a few times.

I've had none of these problems with OpenDNS.

One would like to believe that address resolution is such a basic vital service that every provider in every region on the planet both emphasizes and executes it superbly. Unfortunately, they frequently do not.

I don't know why using your ISP's nameservers is an assumed thing. Do you assume that everyone uses their ISP's provided email service? Their ISP's complimentary crappy webhosting service? Their ISP's bundled McAffee anti-virus? Of course not. You shop around for the best option for yourself. DNS is the same way. My ISP provides me with it, but so do a lot of other people. Some free and some for pay. When your ISP or another service isn't cutting it for you, you shop around for alternatives.

> But you're just pinging the servers

Right. The reasoning is, given that most queries are cache hits (otherwise something is wrong with the nameserver or environment), lookup times are really negligible compared to network latency. On our servers cache hits are about 78% of all queries. So, even if 22% of queries are somehow slower (say, latency between ns1.google.com and my DNS is about 47ms, and I guess for OpenDNS it's less than 20ms - so, say, 22% of queries are 30ms slower), it should still hold that for a typical user in most cases a local ISP nameserver performs better than an OpenDNS one.

> they intercept NXDOMAIN

I only wrote about speed, and this is a completely different point. Even if they have faster response times, invalid responses are not worth it, so I'm with you on this. BTW, I remember why I hopped away from OpenDNS - when they introduced premium plans they started to do some NXDOMAIN hijacking and ad injection. Opt-out, but still that annoyed me.

Stability is another issue, too. I guess OpenDNS should be a clear winner here, too, as they supposedly have much more redundant nameserver infrastructure than the average ISP out there.

> I don't know why using your ISP's nameservers is an assumed thing.

It's not assumed, just a reasonable default. When you set up the IP layer, you need NS address(es). You don't need email or web hosting to participate in basic network connectivity, but you need DNS. Usually, setup is done automatically, using IPCP, DHCP or some other sort of configuration protocol, where the ISP supplies the client's machine with the necessary information. And obviously, most ISPs provide you with their own nameservers, not some third-party ones, because in case of failure they can run and fix their own infrastructure, but can only wait for a third party to solve problems on their side and hope it happens soon enough.

In most cases (i.e. unless the ISP is retarded to the extent of filtering out or redirecting DNS packets to other nameservers) you're obviously free to manually override the configuration with nameservers of your choice. It's even encouraged if the ISP-provided services are crappy. I've only argued that they should generally be faster, not the other way around.
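The argument in this exchange is a simple expected-value model: every lookup pays the client-to-resolver round trip, and the fraction that misses the cache also pays the resolver's trip upstream. The following is an added example, not code from any project mentioned in the thread: it parses the `rtt min/avg/max/mdev` summary line that Linux `ping` prints (the two samples are the ones quoted above), applies the commenter's 78% hit rate and their 47 ms / 20 ms upstream figures (the 20 ms one is their guess, not a measurement), and also solves for the local hit rate at which the two resolvers would tie, which the thread does not do.

```python
"""
Expected DNS lookup time from ping RTT and cache hit rate.

Added example for the latency discussion in this thread; not code from any
project mentioned there. Numbers are the ones quoted by the commenters.
"""
import re

RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


def parse_ping_summary(text):
    """Return {'min', 'avg', 'max', 'mdev'} in ms from a ping summary block."""
    m = RTT_RE.search(text)
    if not m:
        raise ValueError("no rtt summary line found")
    return dict(zip(("min", "avg", "max", "mdev"), map(float, m.groups())))


def expected_lookup_ms(client_rtt_ms, hit_rate, upstream_rtt_ms):
    """Mean lookup time: every query pays the client<->resolver RTT; the
    (1 - hit_rate) fraction that misses the cache also pays the resolver's
    round trip to the upstream/authoritative server."""
    if not 0.0 <= hit_rate <= 1.0:
        raise ValueError("hit_rate must be between 0 and 1")
    return client_rtt_ms + (1.0 - hit_rate) * upstream_rtt_ms


def breakeven_local_hit_rate(local_rtt_ms, local_upstream_ms, remote_total_ms):
    """Hit rate below which the nearby resolver stops beating the remote one
    (solves local_rtt + (1 - h) * local_upstream == remote_total for h)."""
    return 1.0 - (remote_total_ms - local_rtt_ms) / local_upstream_ms


# Ping summaries as quoted in the thread (ISP-local resolver vs OpenDNS).
ISP_PING = """--- ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 990ms
rtt min/avg/max/mdev = 0.142/0.198/0.423/0.059 ms"""

OPENDNS_PING = """--- ping statistics ---
50 packets transmitted, 50 received, 0% packet loss, time 1156ms
rtt min/avg/max/mdev = 36.448/36.820/37.379/0.346 ms, pipe 2"""


def compare(hit_rate=0.78, isp_upstream_ms=47.0, opendns_upstream_ms=20.0):
    """Return (isp_ms, opendns_ms, opendns_minus_isp) under the thread's assumptions."""
    isp_rtt = parse_ping_summary(ISP_PING)["avg"]
    odns_rtt = parse_ping_summary(OPENDNS_PING)["avg"]
    isp = expected_lookup_ms(isp_rtt, hit_rate, isp_upstream_ms)
    odns = expected_lookup_ms(odns_rtt, hit_rate, opendns_upstream_ms)
    return isp, odns, odns - isp


if __name__ == "__main__":
    isp, odns, diff = compare()
    print(f"ISP resolver:     {isp:6.2f} ms expected per lookup")
    print(f"OpenDNS resolver: {odns:6.2f} ms expected per lookup")
    print(f"OpenDNS slower by {diff:6.2f} ms")
    h = breakeven_local_hit_rate(0.198, 47.0, odns)
    print(f"ISP resolver wins unless its cache hit rate drops below {h:.1%}")
```

Under these inputs the nearby resolver wins by roughly 30 ms per lookup and keeps winning until its cache hit rate falls to about 13%, which is the point the ISP commenter was making: when the resolver is a fraction of a millisecond away, the miss penalty is what dominates, and even a poorly-warmed cache beats a 37 ms round trip.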

Fair enough points.

The NXDOMAIN interception is actually why I wound up at OpenDNS, myself. It was back during the time that Comcast started to force it on users. I work with mega-enterprise-level email servers, among other things, and having my NXDOMAIN response screwed with is unacceptable. Between that and the occasional outages I had with their DNS over the years, I decided it was time to shift away.

Regardless, I think the good takeaway is that we live in a world where we have choices and I hope we keep that (and get more). You get to dislike OpenDNS and prefer your ISP and I get to dislike my ISP and opt for OpenDNS. :D

whilst I can't choose my DNS provider on the train, at home I choose an ISP that is capable of running a recursive name server (if they can't run this very basic part of the service, I dare to think what the rest of it would be like...)

I'm still not sure why the practice of deliberately returning spoofed garbage in response to legitimate queries is seen as an acceptable practice.

> an ISP that is capable of running a recursive name server

I've never experienced such an ISP, and I've been through many. The mismanagement of ISP-hosted DNS, as far as I can tell, is the most common cause of residential "internet outage."

> I've never experienced such an ISP

How did they provide DNS services to their clients then? Or they bootstrapped you (via DHCP[v6], PPP's IP[6]CP or whatever they use to set up your IP layer) with public nameserver addresses like OpenDNS or Google Public DNS?

I believe I heard somewhere desktop Windows' resolver won't work iteratively and requires a nameserver capable of recursion. Although I may be mistaken on this matter.

I didn't mean they didn't provide a DNS resolver. I just meant that they weren't capable.

It may be surprising how many sysadmins and staff at even huge companies and massive complex highly-technical deployments don't understand very much about DNS. I have seen so many mission-critical deployments of various systems brought to a halt, because someone didn't configure DNS properly either on the actual nameservers or on the individual hosts.

Are you using some terminals in the train or why are you forced to their choice? Just set up your system to use different servers!

Why don't you take the issue up with the train company, since they are the ones deciding to block things.

ha, it was done deliberately.

the government franchise agreement forces the train operating company (TOC) to provide a free WiFi service... it doesn't say it has to be useful, so the TOC reduces their data costs by blocking most of the Internet.

to add insult to injury it's a subsidised service, so I'm paying twice for something that's unusable.

and no, there is no other TOC and no other reasonable way to commute, so I'm stuck with it.

Question: How can people use DNSSEC right now (if it is possible)?

Swiss Privacy Foundation claims to have DNSSEC https://www.privacyfoundation.ch/de/service/server.html

I would rather use DJ Bernstein's DNSCurve though

Is there anything new here? DNSCrypt as a preview has been available for a good while now. Clicking through to their GitHub, I see that dnscrypt-proxy was last updated 4 days ago, and then the two clients: dnscrypt-osx-client 11 days ago yet dnscrypt-win-client more than a year ago, with various issues that have not been responded to, oldest being a year old as well.

I point this out mainly because I gave dnscrypt a shot more than a year ago on windows and it severely borked my internet in a non-obvious way which had nothing to do with DNS. For days I was limited to ~25kbps speeds. I had disabled dnscrypt at this point, and was on the verge of phoning my ISP to report a problem when I finally fully removed the windows client and the problem resolved itself. Playing with preview release software can seriously suck sometimes.

> Is there anything new here?

I believe this is a response to the "The free wifi on the bus hijacked my DNS" story that was on the front page earlier today.

Edit: this one https://news.ycombinator.com/item?id=7047682

DNS privacy and signature verification is a good thing, but what about combatting random domain name confiscations?

The attackers already do it for so-called copyright infringement, but they could do it for any reason, if they wanted to. So, what about thoroughly decentralizing the DNS system and getting rid of the centralization of corruption at ICANN? Isn't that more urgent nowadays?
This was released ....at least a year ago. Am I missing something? The newest code/content is at http://dnscrypt.org/

Bear in mind, when using DNSCrypt with OpenDNS you're actually reducing your overall level of privacy. Now two companies can see what sites you're visiting: your ISP and OpenDNS.

Your ISP doesn't need to see your DNS queries in order to know what sites you're visiting. They can see the IPs that you're sending packets to. They can see the HTTP "Host" header for HTTP. They can even see the hostname for HTTPS because of SNI.

Three. Don't forget the website, itself.

Well, maybe four or five or ten. Don't forget all of the advertisements and beacons on the site you're visiting.

Well, maybe also Google, if you're using Chrome.

Oh, and maybe everybody, unless everything you're doing is always encrypted and it's through a VPN service that doesn't maintain any logging and isn't subject to government subpoena and can be thoroughly trusted.

Frankly, if your ISP can see it, then who cares who else along the chain does? Nobody else providing a service that can see your data is going to do anything with it that Comcast, Cox, Sprint, Verizon, AT&T, CenturyLink, and Frontier aren't already doing.

None of the examples you have supplied are equivalent or relevant.

My point stands: If you use DNSCrypt+OpenDNS in order to try and hide your browser history from your ISP, not only will you not succeed, but you will make matters worse.

Right. My point was simply that there's little point to them being concerned about their ISP in the first place if they're exposed elsewhere along the chain (unless they're simply worried about being locked-down from accessing certain servers for some reason, I guess?).

These versions are really old. For the latest version, go to http://dnscrypt.org/.

I was thinking about tunneling all UDP coming out of my servers to a disposable address, with the intent of dropping all inbound/outbound UDP, or even seeing if I could get my upstream to always drop all inbound UDP, in order to mitigate DDoS.

Perhaps this is an easy way to achieve that for DNS at least. Not sure how many other protocols are necessary to tunnel from a server which is only responding to HTTPS, and installing security updates.

This seems to be a DNSCurve implementation.
