DonationCoder.com Forum

News and Reviews => Mini-Reviews by Members => Topic started by: IainB on June 08, 2013, 11:59 AM

Title: OpenDNS + DNSCrypt - Mini-Review
Post by: IainB on June 08, 2013, 11:59 AM

Original post:	2013-06-08
Last updated:	2016-03-20

Basic Info

App Name	[ You are not allowed to view attachments ] + DNSCrypt
Thumbs-Up Rating	:Thmbsup: :Thmbsup: :Thmbsup: :Thmbsup: :Thmbsup:
App URL	OpenDNS home page (http://www.opendns.com/) DNSCrypt download page (http://www.opendns.com/technology/dnscrypt/) Lifehacker overview of DNSCrypt (http://lifehacker.com/how-to-boost-your-internet-security-with-dnscrypt-510386189)
App Version Reviewed	Current stable DNSCrypt client v1.6.1 This is the current version as at the "Last updated" date at the top of this post.
Test System Specs	Windows 10-64 PRO (also used on earlier Windows versions from Win7-64 to Win8.1-64 PRO)
Supported OSes	DNSCrypt runs on:  - Windows  - Mac.
Support Methods (see also updated links and references in the post below)	Online Forums (http://support.opendns.com/categories/20060683-OpenDNS) Set up your OpenDNS account (http://store.opendns.com/get/premium-dns/) Video tutorial - OpenDNS Basic (http://www.opendns.com/support/videos/basic/)
Upgrade Policy	DNSCrypt - FREE - as and when available.
Trial Version Available?	FREE - NO limitations.
Pricing Scheme	OpenDNS + DNSCrypt are both FREE.

About using OpenDNS+DNSCrypt:
(The text from the image below has been pasted into the spoiler underneath the image.)

[ You are not allowed to view attachments ]

Spoiler

   DNSCrypt was developed/supported by the OpenDNS organisation up until:
           • OpenDNS - DNSCryptWin-v0.0.6 Beta Upgrade 2 (2012-09-01) - this was the last version from OpenDNS.
   
   DNSCrypt was subsequently placed into open source:
           • Website: https://dnscrypt.org/
           • The latest version of DNSCrypt for your particular OS is to be found at:
                   ○ https://download.dnscrypt.org/dnscrypt-proxy/
   
   ServiceManager: DNSCrypt GUI applications have been developed: (DNSCrypt is used with a command-line tool and needs some kind of an interface for most users)
           • Try this (is the only one I have used - it is one of the more simple GUIs recommended):
                   ○ https://github.com/simonclausen/dnscrypt-winservicemgr
                   ○ This is a Client program to manage service and network adapter settings.
   
   To learn more: (useful links)
           • https://support.opendns.com/categories/20060683-OpenDNS-Community
           • https://support.opendns.com/entries/70529140-What-is-DNSCrypt-
           • https://support.opendns.com/forums/21675554-DNSCrypt-Knowledgebase
           • https://support.opendns.com/entries/37597264-Tutorial-how-to-install-dnscrypt-on-Windows
           • https://dominustemporis.com/2014/05/dnscrypt-on-windows-update/
   To install and run Windows version DNSCrypt + ServiceManager:
           • Download file of latest DNSCrypt version - e.g., dnscrypt-proxy-win32-full-1.6.1.zip
                   ○ From https://download.dnscrypt.org/dnscrypt-proxy/
           • Create (or clear existing files from) directory: C:\Program Files (x86)\OpenDNS\DNSCrypt
           • Copy all files from the .ZIP file to that directory.
           • Download file of latest ServiceManager version - e.g., DNSCrypt Windows Service Manager v0.2.0.0.zip
                   ○ From: https://github.com/simonclausen/dnscrypt-winservicemgr
           • Copy the single file dnscrypt-winservicemgr.exe from the .ZIP file to:
                   ○ Directory: C:\Program Files (x86)\OpenDNS\DNSCrypt
           • Run dnscrypt-winservicemgr.exe - this will start the DNSCrypt service:
                   Play with the settings to suit your needs. Note that Cisco now owns OpenDNS per the Select Provider drop-down menu:
                  
                   Screen clipping taken: 2016-03-20 20:31
                  
           • You can view Cisco-OpenDNS network details here:
                   ○ https://system.opendns.com/
   

_________________________________

Background:
I had been meaning to pull together a mini-review of this for some time, but after (a) some then recent events and (b)some discussion about DNSCrypt and VPNGate on the DC Forum, I figured the mini-review was probably now overdue.
(a) The then recent events were:

• 1. Guardian report: the published details of a leaked secret court order, as first reported in the gurdian.uco.uk on 2013-06-06: NSA collecting phone records of millions of Verizon customers daily (http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order)
  
  
• 2. DemandProgress email: An email sent on 2013-06-08 to subscribers, from demandprogress.org:
  

  The revelations of spying on telephone customers are extraordinary -- but it gets even worse.  The government is spying, in real time, on all Internet users. From the Guardian:
  (Referring to: NSA Prism program taps in to user data of Apple, Google and others (http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data))
  

  The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.
  The NSA access is part of a previously undisclosed program called PRISM, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.
  

(b) The DC Forum discussions were:

• Encrypted DNS queries via OpenDNS dnscrypt for Windows / linux / BSD / iOS / OSX (https://www.donationcoder.com/forum/index.php?topic=30362.0)
• VPN Gate - Univ. of Tsukuba launches Academic Experimental [Crowd] Project. (https://www.donationcoder.com/forum/index.php?topic=34441.0)

What this is all about is personal privacy and security: we now know that different governments - for a variety of reasons - are spying on their citizens, tapping into their Internet, telephone and general communications traffic. As well as that, there may be criminal operations with sophisticated equipment, tapping into the same communications, for multifarious criminal purposes. I'll leave it up to you, the reader, to figure out which of these two is probably the greater threat, or which countries' governments are not spying on their citizens in this manner.

Description of OpenDNS + DNSCrypt:

• 1. DNS:
  DNS stands for "Domain Name Server". Here is a somewhat over-simplification of what this server does:
  
  • When you set your browser to go to a URL (Universal Resource Locator) address - e.g., (say) google.com - your browser passes the request to your ISP (Internet Service Provider) connection node.
  • That node is usually the Primary DNS for you, and there will be a Secondary one also, as backup.
  • The IP (Internet Protocol) addresses - which are strings of numbers - of the 2 DNSes are set up in your broadband router.
  • The DNS takes the URL your browser sends it, and looks it up in a huge conversion table of all available IP addresses.
  • The DNS then finds the IP address for that URL, and sends off  a request to connect to that IP address.
  • This begins your Internet communication/transaction with (say) google.com.
  
  
• 2. OpenDNS:
  This essentially is a FREE service that you access by setting two OpenDNS IP addresses as your Primary and Secondary DNSes in your broadband router, replacing those of your ISP's:
  
  • First you could set up (it's not mandatory) your OpenDNS Premium account here (http://store.opendns.com/get/premium-dns/).
  • Then you set up these two IP addresses as your Primary and Secondary DNS in your broadband router:
    
    • 208.67.222.222
    • 208.67.220.220
  
  Once you have set up the OpenDNS IP addresses in your broadband router, the ISP becomes a passive "pass-through" node, with the OpenDNSes taking over the role of serving your request to (say) google.com, and the handling of the communications between google.com and you from that point on.
  
  The benefits of doing this are several, and include: (from the OpenDNS website (http://www.opendns.com/business-solutions/premium-dns/benefits/))
  
  • Speed up your Internet experience.
    OpenDNS’s 12 global data centers are strategically located at the most well-connected intersections of the Internet. Unlike other providers, OpenDNS’s network uses sophisticated Anycast routing technology, which means no matter where you are in the world, your DNS requests are answered by the datacenter closest to you. Combined with the largest DNS caches in the industry, OpenDNS provides you with DNS responses faster than anyone else.
    
    
  • Make your Internet more reliable.
    With our extensive data center footprint and use of Anycast technology, the OpenDNS network has built-in redundancy ensuring zero downtime. SmartCache technology, an OpenDNS innovation, enables you to access sites that may otherwise be inaccessible due to authoritative DNS outages, providing you with the most reliable Internet possible.
    
    
  • Phishing protection.
    OpenDNS blocks phishing websites that try to steal your identity and login information by pretending to be a legitimate website. Surf the Web with confidence.
    
    
  • Gain visibility into your network usage.
    OpenDNS’s reports provide you with visibility on your networks' Internet activity, giving you needed insight into how your Internet resources are being used.
    
    
  • Easy to set up and it’s free.
    Getting started on OpenDNS Premium DNS takes minutes; there are no downloads or additional software required and it’s completely FREE
  
  
• 3. DNSCrypt:
  DNSCrypt is a tool for securing communications between a client and a DNS resolver.
  dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server - by default OpenDNS, who run this on their resolvers.
  The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.
  While not providing end-to-end security, it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.
  You can download and install the DNSCrypt application from the link given in the table at the top of this review.
  

_____________________________________

Who this app is designed for:
The combination of OpenDNS + DNSCrypt will appeal to those who wish to improve their personal privacy and security on the Internet.

The Good:
The combination of OpenDNS + DNSCrypt works in this regard - i.e., the improvement of your personal privacy and security on the Internet.
The privacy/security could be further improved with the use of VPN (Virtual Private Network) services.

The needs improvement section:
Not so much needs improvement, but caveats to bear in mind:

• Though you can set your OpenDNS Premium account to not maintain your traffic logs, a government authority could oblige the OpenDNS operator to maintain logs, regardless of users' wishes, and these logs could be used for surveillance (spying).
• DNSCrypt only encrypts traffic between your PC and your OpenDNS server(s). The traffic between those DNSes and the Cloud is unencrypted, and compulsory government access and surveillance could still monitor that traffic at some point.

However, on balance, it would seem that the chances of improved personal privacy and security would be better with using the combination of OpenDNS + DNSCrypt than without it.
Further privacy/security and also anonymity could be gained through the use of a VPN (Virtual Private Network), in addition to OpenDNS + DNSCrypt.

Why I think you should use this product:

• Because your personal privacy and security would likely be improved with using the combination of OpenDNS + DNSCrypt.
• Because if you are using a VPN, then DNSCrypt could help avoid the risk of "DNS leak" (refer the Lifehacker review for explanation of this).

How does it compare to similar apps.:
I am not aware of any closely similar current services/applications.
Some paid-for (not FREE) VPN service providers might offer some form of PC-to-DNS encryption, but I do not know.

Conclusions:

• 1. Objective achieved: Using OpenDNS should improve on the Internet service experience that you might normally expect to receive from your ISP.
• 2. Objective achieved: Combining that with the use of DNSCrypt should improve your levels of personal privacy and security on the Internet, even if you are already using a VPN.
• 3. Experience indicates that OpenDNSCrypt is very stable: I started using OpenDNSCrypt in May 2012 on a laptop running Win7-64 Home Premium, and in May 2015 migrated with it to Win8.1. OpenDNSCrypt has run flawlessly at all times, but it will always be dependent on the underlying network infrastructure being in a robust state.
  

________________________________________________
Links to other reviews of this application:
OLDER Links:

• Lifehacker: How to Boost Your Internet Security with DNSCrypt (http://lifehacker.com/how-to-boost-your-internet-security-with-dnscrypt-510386189)
• OpenDNS: Introducing DNSCrypt (Preview Release) (http://www.opendns.com/technology/dnscrypt/)
• Wikipedia: OpenDNS (http://en.wikipedia.org/wiki/OpenDNS)
• OpenDNS website overview: OpenDNS - A Technical Overview (http://www.opendns.com/technology/)
• Bearware.info (http://bearware.info/) DNS review - here (http://docs.google.com/document/d/1jIs55BWrowWbC9AGTClslfT4NRw9WF4o6tv-RP6mOSw/edit).
• Various other Internet references (google "OpenDNS" and DNSCrypt".

[/list[/list][/list]

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: mouser on July 06, 2013, 12:33 PM

I overlooked this post originally -- just wanted to say thanks for taking the time to post it.  Much appreciated  :up:

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: IainB on July 07, 2013, 07:57 AM

@mouser: Thanks for your appreciation. Always nice to have.
I am no expert on TCP/IP telecommunications, but I like to know how things work and why I should probably be using them, so using OpenDNS and later DNSCrypt was an educational voyage of discovery for me. Hopefully, posting the mini-review will help others take a shorter learning curve for DIY in this. The Lifehacker post I linked to was especially informative.

Having used OpenDNS + DNSCrypt for a while now with no issues, I have been trialling VPN gate (http://www.vpngate.net/en/) for greater security/privacy, and have found it pretty good.

Coincidentally, I read this rather relevant post in LewRockwell.com today: Want to Defend Your Privacy? (http://www.lewrockwell.com/2013/07/doug-hornig/want-to-defend-your-privacy-2/)

In the post, he discusses using VPN (Virtual Private Network) services, refers to various links (some offshore to the US) for improved security/privacy, and recommends consideration be given to the use of the likes of:

• Tor (http://www.torproject.org/)
• Cryptohippie (http://secure.cryptohippie.com/)

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: TRDaggett on July 15, 2013, 03:28 PM

I recently started using DNSCrypt after seeing it listed in the latest SnapFiles freeware updates. I've been using OpenDNS (and the OpenDNS Updater) for years and when I saw how long DNSCrypt has been available I had to wonder how I'd missed it (although with my leaky memory I might find it on an old 'To Do' list that's been buried by others..).

One thing I've noticed (in System Explorer's 'Connections' tab) are continuous UDP connections by OpenDNSInterface.exe that are constantly varying in number. There's always at least one, then two, three, four and sometimes five entries, then it will drop back to one, then the process repeats, 24/7. Any idea what is going on with that?
It's not using a huge amount of memory and the "dnscryptproxy.exe" uses even less.

- Other observations:
I don't know if it's related to DNSCrypt, but since I've been running it the OpenDNS Updater message window (and the on & off again "Using OpenDNS?" "No" alerts) has stopped popping up.

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: IainB on July 16, 2013, 03:34 AM

You may have missed the advent of DNSCrypt because, almost immediately after it was announced/released, OpenDNS seemed to stop talking about it. It was kinda buried away. I suspect that they may have been asked to do that, as the implications of using DNSCrypt are that government snooping (NSA) is frustrated to some extent...

I can't answer "What is going on with that?", but here is a screenshot capture of the relevant OpenDNSCrypt connections on a laptop, as viewed in Process Hacker:

[ You are not allowed to view attachments ]

It rather looks as though DNSCrypt may be automatically dynamically making as many connections - and polling the relevant ports - as it needs at any given point.

I was not sure what the OpenDNS Updater was as I don't use it and I don't get any messages from anything by that name.
I looked it up and found it referred to at https://www.opendns.com/support/dynamic_ip_tech/
Windows IP Updater (http://www.opendns.com/download/windows/)

This is the officially supported OpenDNS Windows client, which sends your network's new IP Address to OpenDNS whenever it should change.

I have the Primary and Secondary DNS nodes (IP addresses) set in my router as being the OpenDNS addresses, so when I restart the router or my ISP assigns a new dynamically allocated IP address, it doesn't stop the connection going to the OpenDNS nodes.

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: IainB on June 07, 2014, 11:58 PM

2014-06-08 1605hrs: I have just updated the opening post with some more information.
The OpenDNSCrypt version has not been incremented/changed, and it still runs flawlessly after my having migrated it from a laptop using Win7-64 to Win8.1.

Some people (not me, you understand) might say that, In light of revelations regarding snooping - e.g., including US-driven **AA (music licencing Mafia) snooping, US/UK+Others NSA/SnowdenGate snooping, Australian and NZ Government authorised censorship snooping - installing OpenDNSCrypt could be a no-brainer for users wishing to protect their rights to privacy and security of personal information, but I couldn't possibly comment.

Title: Announcement - A new reason to love OpenDNS: no more ads
Post by: IainB on June 08, 2014, 03:53 AM

An announcement from OpenDNS.

Link via Lifehacker: http://lifehacker.com/good-news-for-users-of-opendns-no-more-ads-ads-were-p-1583933443

A new reason to love OpenDNS: no more ads or redirections. (http://www.opendns.com/no-more-ads/)
The OpenDNS Guide is going away.

Starting on June 6, 50 million plus users of OpenDNS’s free DNS around the world will no longer see ads in our service. We put a great deal of thought into this decision. Here’s why we made the call to eliminate it:

    We always want to do what’s best for you.
    The Internet has evolved and it’s simply no longer in the best interest of Internet users to redirect to search results. The OpenDNS Guide was, until recently, a helpful tool. If the website you wanted to visit wasn’t loading, we took you to search results instead of an error page. But times have changed. Browsers work differently. Internet users have become accustomed to their browser address bar behaving like a search box. We want to give you the behavior you expect. As of June 6th, all of OpenDNS’s users will get NXDOMAIN and SERVFAIL messages to get truly RFC compliant DNS.
    Ads are annoying.
    Let’s be honest, few of us like to see them. So we’re making them go away, at least within OpenDNS. We provide the safest, fastest and most reliable DNS service in the world free of charge. The revenue from the ads on the Guide has historically enabled us to do that. But we’re excited to report that in the past few years we’ve built a thriving enterprise security business and now have more than 10,000 happy, paying customers. So, while that revenue from ads is nice, it’s more important to us to provide you with a delightful user experience.
    Ads and security don’t mix.
    OpenDNS is a security company above all else, and ads can often be a vector for security infections and intrusions. Malware might surface through third-party ad networks, or be hidden inside the ad creative itself in the form of flash exploits or javascript tricks. Removing the ads makes our service more secure and that’s a good thing for both users of our free DNS service and of our enterprise security service. Finally, pretty much every major ad network out there participates in pervasive user tracking through cookies. Those cookies can compromise your privacy, and in the wrong hands, your security. Less of that is better for you.

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: Deozaan on June 08, 2014, 04:33 AM

Is DNSCrypt abandonware? The Windows client hasn't been updated in two years (https://github.com/opendns/dnscrypt-win-client). . .

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: IainB on June 08, 2014, 12:02 PM

Is DNSCrypt abandonware? The Windows client hasn't been updated in two years (https://github.com/opendns/dnscrypt-win-client). . .

-Deozaan (June 08, 2014, 04:33 AM)

I wondered the same, but came to the conclusion that it would not be correct to call it abandonware, as it has not been abandoned - it just doesn't require any further development at this stage. Quickly putting it into the Public Domain after it had achieved final version was probably a calculated move done by OpenDNS before anyone could stop them. They deliberately opened a sort of Pandora's box. It's all about transparency and trust.
That was why, in my update to "version" in the opening post I changed it to read "DNSCrypt up to v0.0.6 (since May 2012)".

The thing is, OpenDNSCrypt apparently does exactly what it was designed to do - i.e., simply provide PC<-->OpenDNS node encryption - so no further development would be needed unless (say) the encryption protocol, or something, needs to be changed for some reason.
My observation would be that it was a quite legitimate additional security service, effectively frustrating/preventing classic criminal "man-in-the middle" attacks, which would be an extremely inconvenient service for any establishment-approved agencies undertaking surveillance/censorship at the user's ISP node. Those agencies are effectively conducting "man-in-the middle" attacks and are also probably gathering "DNS leakage" data - both of which would be effectively blocked by OpenDNSCrypt.

The traffic that used to flow between the user's PC and that ISP node was in clear and could be inspected anywhere between the User's PC and that ISP node, whereas, if the user has now enabled OpenDNSCrypt, then now that traffic is encrypted between the user's PC and the OpenDNS node.
Thus, it is now unintelligible encrypted traffic that flows through the ISP node, and even if (say) one's Cisco ADSL modem/router had been compromised by these agencies, the now unintelligible encrypted traffic that flows through it to/from the PC would be of no use.

This would seem to force the point of surveillance/censorship to be moved to either inside the OpenDNS node or on to the Cloud-side of the communication links from that node. So it "...would be an extremely inconvenient service" for criminal organisations and/or establishment-approved agencies undertaking surveillance/censorship.
Bit of a bugger, that.    :D

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: Deozaan on June 08, 2014, 06:00 PM

All I know is that I have frequent connectivity issues that are almost always traced back to DNSCrypt. I.e., my problems go away when I disable DNSCrypt. And that's even with the "Fall back to insecure DNS" enabled.

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: IainB on June 09, 2014, 10:03 AM

That is odd.
I have used OpenDNSCrypt for a couple of years now, on several laptops and from 3 different locations, and it always works a treat.
From experience, if the installation is correctly set up, then it should/will run like clockwork.
I was getting a spotty connection (the OpenDNSCrypt bulb in the Systray kept going red) on this laptop I am using at present. I put it down to the fact that there was so much change going on (upgrading from Win8-64 to Win8.1-64 and lost of migration and program installs happening) that I should do a clean reinstall of OpenDNSCrypt. So I uninstalled it and reinstalled it and the problems immediately went away.

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: IainB on March 20, 2016, 03:10 AM

2016-03-20 2109hrs: Major update to opening post, including basic steps for installing and using OpenDNS-DNSCrypt.
Hope it all makes sense and is of use.
I had been meaning to do this update for a long time. Apologies for not having done it sooner, but better late than never!

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: f0dder on March 22, 2016, 07:55 AM

DNSCrypt isn't foolproof.

A couple of notes:

• It obviously only encrypts DNS requests, so it doesn't add security to non-HTTPS sites.
• For hosts running one single site, it's usually trivial to find a hostname from the IP, and a MiTM obviously can see IPs of hosts you communicate with.
• For multi-site hosts you'll either have wildcard certs, which gives some possibilities of what you're visiting, or,
• SNI (https://en.wikipedia.org/wiki/Server_Name_Indication), which shows which site you're requesting, in unencrypted form. TLS handshake sucks.
• You're placing all your DNS eggs in OpenDNS's basket. I'd be very surprised if at least the NSA doesn't have a tap.

I do use DNSCrypt myself, since Danish ISPs have stupid censored DNS servers, and I'd rather have NSA tap my activites than giving Google more information through their (otherwise pretty excellent) servers. You just have to know what security you're getting, and what you certainly aren't.

Also, VPNs do not give you any form of anonymity - the only thing they should ever be used for is getting authenticated and encrypted access to a remote network, never as a form of surveillance protection. If you do stuff that's questionable in the eyes of your government, you need TOR, and you need to be running off somebody else's wifi. (Oh, and you need to know what you're doing - there's a hell of a lot of ways to screw up using TOR and leak private information all over the place.)

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: IainB on March 22, 2016, 12:46 PM

@f0dder: Yes, I'm inclined to agree with what you wrote there - though I don't have your level of knowledge, I'm sure.

As I understand it, the improved security from using DNSCrypt is in the path between the PC and the OpenDNS node(s), with the ISP's node acting as a blind, passive pass-through in the middle. That potentially avoids a lot of government snooping which could take place (per statute) at that point, and avoids potential man-in-the-middle attacks and DNS leakage.
Whilst your transactions are outbound from and responses are inbound to the OpenDNS node(s), I guess they are anybody's game.
Post-SnowdenGate, and now that Cisco is owner of OpenDNS, then I presume that the supposition of NSA surveillance could likely be fairly accurate - even if it wasn't before.
Deceit seems to be the norm in the area of surveillance and espionage, and that means you can't tell whose lying about what. Even Snowden could be a plant to put the targets of surveillance off the scent. How would we be able to know?

Title: Re: OpenDNS + DNSCrypt - Mini-Review
Post by: f0dder on March 23, 2016, 10:57 AM

@f0dder: Yes, I'm inclined to agree with what you wrote there - though I don't have your level of knowledge, I'm sure.

-IainB (March 22, 2016, 12:46 PM)

Keep in mind that I'm just a (somewhat informed) layman - I am by no means an expert in these things, and haven't studied everything in detail :)

As I understand it, the improved security from using DNSCrypt is in the path between the PC and the OpenDNS node(s), with the ISP's node acting as a blind, passive pass-through in the middle. That potentially avoids a lot of government snooping which could take place (per statute) at that point, and avoids potential man-in-the-middle attacks and DNS leakage.

-IainB (March 22, 2016, 12:46 PM)

Well, yes, except the information leakage I mentioned in my post above.

A thing I forgot to mention, though, and a big advantage of DNSCrypt is that it prevent DNS forgery, because crypto. Given the leakage problems mentioned above, I'd say this is a bigger advantage than the privacy aspects, and it protects against very real and actually-happening attacks if you're out and about and connect to untrusted WiFi networks. (That's also one of the places a - trusted - VPN helps, since even plain HTTP will go through the encrypted VPN tunnel).

Deceit seems to be the norm in the area of surveillance and espionage, and that means you can't tell whose lying about what. Even Snowden could be a plant to put the targets of surveillance off the scent. How would we be able to know?

-IainB (March 22, 2016, 12:46 PM)

We can't know much for sure, especially considering that stuff that 5-10 years ago was labeled tinfoil-hat has been shown to be true. We know that NSA has tried to introduce backdoored crypto (Dual_EC_DRBG^w), that unknown adversaries managed to insert a Linux kernel backdoor (https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/) for a brief moment, that NSAs snooping and capabilities are worse than what people called tinfoil-hat when rumors of Carnivore (software)^w first appeared.

The trick is to question everything, but keep a balance where you don't end up as a paranoid tinfoil-hat - which is easier said than done. Also, consider which threats you want to defend against (hint: even if current crypto algorithms are safe and NSA can't bruteforce or otherwise break AES256, none of us has a chance against nation-state adversaries). If you're doing illegal stuff, do (http://www.slideshare.net/grugq/opsec-for-hackers) educate yourself (http://grugq.github.io/).

Note: I don't condone immoral behavior, but things that are indeed very moral (like, freedom fighting) are very illegal in some countries. Leaving the pure technological stuff and straying into ethics and politics is probably best done elsewhere, though, even if it's a very interesting discussion :-)