[dns-operations] DNSCrypt.

Paul Wouters paul at cypherpunks.ca
Fri May 31 15:45:18 UTC 2013


On Fri, 31 May 2013, Dobbins, Roland wrote:

> On May 31, 2013, at 10:17 PM, Paul Wouters wrote:
>
>> Whoever designs a security protocol with no crypto agility should take up another hobby, something nice like gardening or star gazing.
>
> There's no crypto anything inherent in DNS today, heh.  VPN transport-level security is the only option, DNSCrypt being an example of an organic VPN, which greatly reduces the barrier to deployment.
>
> There are many drawbacks to it, don't get me wrong.  I just thought it was interesting, especially given a) the TCP angle and the benefits thereof and b) the additional scaling and other operational drawbacks of SSL, in addition to TCP overhead and misfiltering.

If I draw a padlock on your screen, will you feel safer? And if so, will
you not actually be _more_ unsafe by assuming you are safe?

Half-assed security theatre endangers people, it does not protect them.

Thinking they are secure because their DNS was encrypted, could actually
endanger someone's life if their next TCP session immediately outs them.

And again, you can already connect over TLS to various DNS resolvers,
such as unbound. It's a feature mostly used to bypass UDP/TCP 53
filters, but it can bring you your query privacy if you (mistakenly)
believe that to be an asset:

# Fedora DNS offering over TLS/port 443
ssl443: 80.239.156.220 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2

Example use:

/usr/sbin/unbound-streamtcp -s -f 152.19.134.150@443 nohats.ca a in

To change a local unbound DNS resolver to use just this, you can issue:

# the resolver above speaks TLS on 443, so name the port; set_option wants the
# option name (ending in ':') and the value as two separate words
unbound-control forward_add . 80.239.156.220@443
unbound-control set_option ssl-upstream: yes

But again, you're better off not using 1) a central DNS server that can
be tracked, 2) just use TOR for a complete privacy protection package.

Paul
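The TLS-to-resolver path discussed in the message above, as an added example that is neither part of the original post nor unbound's own code: a small Python client that frames a DNS query for TCP, authenticates the resolver by pinning its certificate's SHA-256 fingerprint (the same colon-separated form the ssl443 lines use, instead of a CA chain), and parses the A records out of the reply. The resolver address, port and pin are parameters the caller supplies; the embedded response bytes are constructed for illustration and were not captured from any server.

```python
import hashlib
import hmac
import os
import socket
import ssl
import struct


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, qid=None):
    """Build a recursive (RD=1) class IN query; returns (qid, message)."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return qid, header + encode_name(name) + struct.pack("!HH", qtype, 1)


def tcp_frame(msg):
    """Prefix a message with its two-octet length, as DNS over TCP (hence TLS) requires."""
    return struct.pack("!H", len(msg)) + msg


def fingerprint(der):
    """SHA-256 of the DER certificate, rendered like the ssl443 lines above."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def fingerprint_matches(der, pinned):
    """Constant-time comparison against the pinned fingerprint."""
    return hmac.compare_digest(fingerprint(der), pinned.upper())


def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two octets end the name
            return off + 2
        off += 1 + ln


def parse_a_records(resp, expected_id):
    """Check the response header and return the A-record addresses it carries."""
    if len(resp) < 12:
        raise ValueError("short response")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != expected_id:
        raise ValueError("response ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(host, port, pinned_fp, name, timeout=5.0):
    """Resolve name's A records over a TLS-wrapped TCP DNS session to host:port.

    The resolver is authenticated by its certificate fingerprint alone, so CA
    verification is disabled and the pin is checked before any query is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            der = tls.getpeercert(binary_form=True)
            if not fingerprint_matches(der, pinned_fp):
                raise ssl.SSLError("fingerprint mismatch, got %s" % fingerprint(der))
            qid, msg = build_query(name)
            tls.sendall(tcp_frame(msg))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), qid)


# Constructed sample (not captured from any server): ID 0x1234, flags QR|RD|RA,
# one question nohats.ca/A, one answer whose name is a pointer to the question
# (0xC00C), TTL 300, address 192.0.2.1.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x06nohats\x02ca\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, 0x1234))
    # Live use against a resolver from the listing would be, for example:
    # print(query_over_tls("152.19.134.150", 443, "A8:3E:...:E6:F2", "nohats.ca"))
```

Pinning the fingerprint rather than trusting a CA is what the ssl443 listing encodes, and it cuts both ways: a certificate rotation on the resolver side breaks resolution until the pin is updated, and nothing here hides the TCP connection that follows the lookup.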


