Topic: Encrypted DNS queries via OpenDNS dnscrypt for Windows / linux / BSD / iOS / OSX

db90h

OpenDNS has been working on a new encrypted DNS service for the past 6 months or so. They've kept fairly quiet about it, though it has been mentioned on Slashdot and elsewhere. At first there were only OS X, BSD, and Linux clients available. However, a Windows client is now available for download at their GitHub repository. I am not sure if it is considered 'final' or not. I just noticed it was there, tried it out - and it works ;).

Why encrypt my DNS queries?

Even if you use HTTPS on every site you visit, your DNS queries are painfully obvious to anyone. Whether it is your ISP, or a local sniffer, if you want privacy, your DNS queries are a glaring hole in it. In some cases, encrypted DNS queries may get you around site blockers/firewalls too (though not all cases).

More at http://thepileof.blo...ith-windows-via.html  ...
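
To illustrate the exposure described in the post above, here is an added example (not part of the original post, nor OpenDNS code) showing what a passive observer can read from a plaintext DNS query on UDP port 53. The function names, sample hostnames and the opaque byte string are constructed for illustration.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Plaintext DNS query in RFC 1035 wire format, as sent to UDP port 53."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)  # QCLASS 1 = IN

def observe(payload):
    """Return (name, qtype) as a passive observer would read it, else None."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # skip responses and odd packets
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:  # root label ends the name
            if pos + 4 > len(payload):
                return None
            qtype, _qclass = struct.unpack("!2H", payload[pos:pos + 4])
            return ".".join(labels), qtype
        if length > 63 or pos + length > len(payload):
            return None  # compression pointer or truncated name
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None

# Constructed sample payloads (example.com / example.org are reserved names).
SAMPLES = [
    build_query("www.example.com"),             # A lookup
    build_query("mail.example.org", qtype=28),  # AAAA lookup
    build_query("www.example.com")[:20],        # truncated capture
    # Opaque bytes standing in for an encrypted payload (not real DNSCrypt framing).
    bytes(range(200, 256)),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(observe(sample))
```

The first two samples yield the full hostname and record type with no key material at all; the last two yield nothing an observer can read as a query.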

Renegade

Beautiful!

I wonder how long it will be before OpenDNS is designated as a terrorist organization though... :(

Like, privacy is a clear indicator! They must be in league with... <transmission cut />

db90h

LOL ... the even better news is that soon we'll have this integrated into third-party router firmwares, and maybe even come stock with some router firmwares. That will allow seamless, and painless, integration with your whole network. Myself, I'm in the process of using an older router set up as an experimental encrypted DNS server. I'll send the patch to OpenWrt when I'm done, then we can go from there.

I've been using it for DNS queries on my development PC for a while now, works GREAT.

Whether OpenDNS is declared a terrorist organization, who knows ;p. They have been strangely quiet about all this.

nosh

Beautiful!

+1, thanks for posting about this!

Deozaan

OpenDNS's official announcement of DNSCrypt for Windows was on March 13th:

http://blog.opendns....nscrypt-for-windows/

EDIT: They've moved the blog entry here: http://blog.opendns....nscrypt-for-windows/
« Last Edit: March 30, 2012, 02:16 AM by Deozaan »

40hz

Ok. That looks very good. Just applied. (Liked the quiz. Fun!) :Thmbsup:

db90h

There's no need to apply for it... you can 'just use it'. Yea, they put that beta test application there, but the code is 'up', pre-built for you.

40hz

@db90h - found it! Thx. :)

db90h

Steve Gibson actually mentioned this, me, and my blog post on this and the mod_status 'vulnerability' on big servers in his last Security Now podcast. Doing what I can to save the Internet, lol ;p.

I noticed OpenDNS has extended capabilities you can turn on or off. You can choose to have it log your DNS queries, so you can see what sites everyone in your household is visiting, for instance.. block sites.. or you can have it not log ANYTHING, and it says it throws away all DNS queries. Of course, I opted for the latter, for privacy. That said, I'm not too concerned about anyone knowing what sites I visit, but I still like my privacy. At least this way you've got your DNS separate from your ISP or Google, and encrypted to protect from Sniffers. For these features you must sign up for an account, which also offers a DNS client to update your dynamic IP address at home (so it can track you if your IP address changes).

Don't bother signing up at all (even for their normal service) and you're probably most private, as their DNS servers (plaintext and encrypted) are open no matter what.

IainB

Cross-posted to this thread. SORRY! - and thanks for pointing it out to @Deozaan.
OpenDNS's latest newsletter makes a call for application ß-testers:
DNSCrypt for Windows: After weeks of searching for the perfect candidate to build DNSCrypt for Windows, our own Senior Software Engineer Geoff Townsend took on the challenge. In a matter of days he had the client ready and we recently announced a call for beta testers! It won't be long before everyone can use the revolutionary DNSCrypt. Stay tuned here for updates on the full release.

The link takes you to an OpenDNS blog entry that has an application form (the form uses Google docs forms).

I had been skeptical that this would occur, but maybe I misjudged the thing:
The OpenDNS experiment to offer PC-to-DNS node encryption - added to existing node-to-node encryption, and currently only available in ß on Mac, not Windows - must be scaring the pants off the Establishment. Anarchy must not be tolerated. Regulation will be necessitated.
This OpenDNS venture could be quietly shut down as it "Didn't work very well", or something. Or maybe the encryption keys will be stored by a government department - same difference.
Anyway, here's hoping.

DNSCrypt sure looks useful. FYI there's already another thread with some discussion about this:
https://www.donation...ex.php?topic=30362.0
Ah! Thanks for that @Deozaan - I knew it had been discussed, but I had not read the rest of the thread where you provide the link.
Nor was I aware that - from the thread you link to - you could already get your hands on the ß Windows code, without being an official ß tester.
I shall cross-post this to the link you give.

So, this thread can be closed.
But I can't find the code at the link given by @Deozaan - http://blog.opendns....nscrypt-for-windows/
 - it says "Sorry, the page you tried was not found.", so it must have been taken down.

Could someone send me a link to a copy of the file please?
(Thanks.)

Carol Haynes

How does this actually work then?

So you use OpenDNS-Secure to look up a website IP but when you visit the website the IP address you are going to is still clear??? Surely anyone who wants to can just do a reverse look up to find where you were going (or if it is your ISP reporting back to Big Brother just look up the IP at their own DNS server!!!)

Am I missing the point?

Or is OpenDNS acting as an Anonymizer type service and all the traffic goes through their server so your ISP only sees you going to OpenDNS ???

Can someone explain?

db90h

So you use OpenDNS-Secure to look up a website IP but when you visit the website the IP address you are going to is still clear??? Surely anyone who wants to can just do a reverse look up to find where you were going (or if it is your ISP reporting back to Big Brother just look up the IP at their own DNS server!!!)
-Carol Haynes (March 28, 2012, 04:46 PM)

Short of using an SSH Tunnel, the IP address would remain clear.

MOSTLY, the biggest deal is that DNS queries are a method that ISPs and corporations can easily use to track (or block) your behavior. Now, that easy mechanism isn't so easy.

Carol Haynes

So because the DNS lookup is taken away from the ISP it makes it harder for them to block your surfing because they would have to block IP addresses rather than block access to the domain name? Is that the point?

Surely ISPs that want to block sites can just use their own DNS server to setup IP blocking so it won't make it any easier to get to blocked sites - or are we relying on ISPs to be lazy?

Deozaan

But I can't find the code at the link given by @Deozaan - http://blog.opendns....nscrypt-for-windows/
 - it says "Sorry, the page you tried was not found.", so it must have been taken down.

Could someone send me a link to a copy of the file please?
(Thanks.)

Strange. They moved it to the 19th instead of the 13th.

http://blog.opendns....nscrypt-for-windows/

But that just has a form to fill out to apply to be a beta tester. If you just want the files, read db90h's guide. It has lots of information.

And just to make it easy, here's a direct link to the DNSCrypt download page: https://github.com/o...rypt-proxy/downloads

IainB

...They moved it to the 19th instead of the 13th....
...And just to make it easy, here's a direct link to the DNSCrypt download page: https://github.com/o...rypt-proxy/downloads
Thanks for the link. After posing the Q, I then did some fossicking about, and had already found the github page and downloaded the file.
I don't understand why they moved the post.

Deozaan

I don't understand why they moved the post.

My guess (and this is only a guess!) is that they started writing it as a draft on the 13th and didn't actually make it public until the 19th. But it was published under the original creation date, which made it hidden as "old news." So they re-posted it to the 19th as "new news."

That's the best I can come up with.

IainB

OIC. Thank goodness! It's not the Spanish Inquisition then.

IainB

OpenDNS Unveils DNSCrypt for Windows
Version 0.0.4 Official Beta Release
Updated: Wed, 9 May 2012
Official release of DNSCrypt for Windows.
I downloaded and installed it.
It installs a treat (no problems). (Small file that achieves so much.)
Here's the GUI - very simple:
[Screenshot: OpenDNS - DNS Crypt GUI 2012-05-16.jpg]

« Last Edit: May 16, 2012, 07:52 PM by IainB, Reason: Modified screenshot. »

Deozaan

The GUI sure makes it a lot easier to use. :Thmbsup:

IainB

The GUI sure makes it a lot easier to use. :Thmbsup:
Sure does. Installing it and using it is simplicity itself.     :Thmbsup:
That's how it should be too, IMHO.

Deozaan

I noticed one big problem with DNSCrypt: When I restart my computer, it requires admin permissions via UAC before it will run. This means that if I'm not there to click OK and grant permissions, then my computer can't connect to the internet.

IainB

I noticed one big problem with DNSCrypt: When I restart my computer, it requires admin permissions via UAC before it will run. This means that if I'm not there to click OK and grant permissions, then my computer can't connect to the internet.
That's odd. Doesn't seem to happen on a PC with Win7-64bit Home Premium. Seems to be completely transparent.

Carol Haynes

It does on mine too - but then it doesn't seem to start with Windows without me putting the shortcut into the Startup folder.

Workaround is to add a scheduled task to start it on login and set the task permissions to administrator.

Deozaan

It does on mine too - but then it doesn't seem to start with Windows without me putting the shortcut into the Startup folder.
-Carol Haynes (May 17, 2012, 03:44 AM)

I guess I checked the box for "Start DNSCrypt when Windows starts" or something similar? It's in the Startup folder for me, and I know I didn't put it there after installation.

IainB

I guess I checked the box for "Start DNSCrypt when Windows starts" or something similar? It's in the Startup folder for me, and I know I didn't put it there after installation.
Ah, that might explain why others didn't get DNS Crypt starting on reboot/startup - they maybe hadn't ticked that option.
I didn't think to ask that question, having assumed that people would have ticked that option on install.
That's actually something to give feedback on to OpenDNS about DNS Crypt. It would be good if it were an option shown in the GUI under "General" (say).
There are two parts that need to be started - one is a Service, and the other is a client process.
(You also have to have configured your router for OpenDNS too, of course.)