[dns-operations] Introducing DNSCrypt

Bill Owens owens at nysernet.org
Wed Dec 7 15:37:33 UTC 2011 

On Wed, Dec 07, 2011 at 09:58:32AM -0500, Nicholas Suan wrote:
> On Wed, Dec 7, 2011 at 7:56 AM, Shane Kerr <shane at isc.org> wrote:
> > Bill,
> >
> > On Tue, 2011-12-06 at 14:15 -0500, Bill Owens wrote:
> >> On Tue, Dec 06, 2011 at 01:44:47PM -0500, Paul Wouters wrote: I
> >> understand the risk of snoopable networks; I just don't see the benefit
> >> of encrypted DNS traffic. I can have this sort of conversation:
> >>
> >> client -> RDNS DNS standard query A www.facebook.com
> >> RDNS -> client DNS standard query response A 66.220.147.11
> >> client -> 66.220.147.11 TCP 64982 > 80 [SYN] Seq=0
> >> . . . etc
> >>
> >> Or I can have
> >> client -> RDNS <some encrypted traffic>
> >> RDNS -> client <some more encrypted traffic>
> >> client -> 66.220.147.11 TCP 64982 > 80 [SYN] Seq=0
> >> . . . etc
> >>
> >> Either way it's pretty clear what I'm doing, right?
> >
> > You can also have:
> >
> > client -> RDNS <some encrypted traffic>
> > RNDS -> client <some more encrypted traffic>
> > client -> 70.40.212.69 TCP 64997 > 443 [SYN] Seq=0
> > . . . etc
> >
> > Where 70.40.212.69 is a big hosting site. Not perfect protection, but
> > there is some value here.
> >
> > Encrypting the DNS query stream does add some value, IMHO.
> >
> 
> I don't think that changes much, since SNI isn't supported by IE on
> Windows XP, which still has ~40% of the browser market.

I learn something new every day - had never heard of SNI before, but having read up on it, I discover that Wireshark knows about it, and says (for example):

client -> 74.125.91.132 SSL Client Hello
...
            Extension: server_name
                Type: server_name (0x0000)
                Length: 28
                Data (28 bytes)

If we dump the ascii:

00b0  00 00 17 62 69 6c 6c 2d 6f 77 65 6e 73 2e 62 6c   ...bill-owens.bl
00c0  6f 67 73 70 6f 74 2e 63 6f 6d 00 0a 00 08 00 06   ogspot.com......

That was Safari on OSX 10.7, FWIW. And it still threw up a warning; apparently the big hosting site in question doesn't support SNI, probably for the reason noted above. . .

It's just hard to keep things private when you're up against the local network operator, or a bad guy who has achieved equivalent access. If you want to run a full-on VPN with all of your traffic tunneled, that's fine. Otherwise, I don't think that half-measures like encrypted DNS will buy you much (or anything).

Bill.

More information about the dns-operations mailing list