Author Topic: Encrypted DNS queries via OpenDNS dnscrypt for Windows / linux / BSD / iOS / OSX (Read 39503 times)

db90h · « **on:** March 19, 2012, 07:59 PM »

OpenDNS has been working on a new encrypted DNS service for the past 6 months or so. They've kept fairly quiet about it, though it has been mentioned on Slashdot and elsewhere. At first there were only OS X, BSD, and Linux clients available. However, a Windows client is now available for download at their GitHub repository. I am not sure if it is considered 'final' or not. I just noticed it was there, tried it out - and it works

.

Why encrypt my DNS queries?

Even if you use HTTPS on every site you visit, your DNS queries are painfully obvious to anyone. Whether it is your ISP, or a local sniffer, if you want privacy, your DNS queries are a glaring hole in it. In some cases, encrypted DNS queries may get you around site blockers/firewalls too (though not all cases).

More at http://thepileof.blo...ith-windows-via.html ...

Renegade · « **Reply #1 on:** March 19, 2012, 08:03 PM »

Beautiful!

I wonder how long it will be before OpenDNS is designated as a terrorist organization though...

Like, privacy is a clear indicator! They must be in league with... <transmission cut />

db90h · « **Reply #2 on:** March 19, 2012, 08:09 PM »

LOL ... the even better news is that soon we'll have this integrated into third-party router firmwares, and maybe even come stock with some router firmwares. That will allow seamless, and painless, integration with your whole network. Myself, I'm in the process of using an older router set up as an experimental encrypted DNS server. I'll send the patch to OpenWrt when I'm done, then we can go from there.

I've been using it for DNS queries on my development PC for a while now, works GREAT.

Whether OpenDNS is declared a terrorist organization, who knows ;p. They have been strangely quiet about all this.

nosh · « **Reply #3 on:** March 19, 2012, 10:21 PM »

Beautiful!

+1, thanks for posting about this!

Deozaan · « **Reply #4 on:** March 21, 2012, 03:23 PM »

OpenDNS's official announcement of DNSCrypt for Windows was on March 13th:

~~http://blog.opendns....nscrypt-for-windows/~~

EDIT: They've moved the blog entry here: http://blog.opendns....nscrypt-for-windows/

40hz · « **Reply #5 on:** March 21, 2012, 04:05 PM »

Ok. That looks very good. Just applied. (Liked the quiz. Fun!)

db90h · « **Reply #6 on:** March 21, 2012, 08:03 PM »

There's no need to apply for it... you can 'just use it'. Yea, they put that beta test application there, but the code is 'up', pre-built for you.

40hz · « **Reply #7 on:** March 21, 2012, 09:14 PM »

@db90h - found it! Thx.

db90h · « **Reply #8 on:** March 21, 2012, 10:42 PM »

Steve Gibson actually mentioned this, me, and my blog post on this and the mod_status 'vulnerability' on big servers in his last Security Now podcast. Doing what I can to save the Internet, lol ;p.

I noticed OpenDNS has extended capabilities you can turn on or off. You can choose to have it log your DNS queries, so you can see what sites everyone in your household is visiting, for instance.. block sites.. or you can have it not log ANYTHING, and it says it throws away all DNS queries. Of course, I opted for the latter, for privacy. That said, I'm not too concerned about anyone knowing what sites I visit, but I still like my privacy. At least this way you've got your DNS separate from your ISP or Google, and encrypted to protect from Sniffers. For these features you must sign up for an account, which also offers a DNS client to update your dynamic IP address at home (so it can track you if your IP address changes).

Don't bother signing up at all (even for their normal service) and you're probably most private, as their DNS servers (plaintext and encrypted) are open no matter what.

IainB · « **Reply #9 on:** March 28, 2012, 04:30 PM »

Cross-posted to this thread. SORRY! - and thanks for pointing it out to @Deozan.

OpenDNS's latest newsletter makes a call for application ß-testers:
DNSCrypt for Windows: After weeks of searching for the perfect candidate to build DNSCrypt for Windows, our own Senior Software Engineer Geoff Townsend took on the challenge. In a matter of days he had the client ready and we recently announced a call-for-beta-testers-dnscrypt-for-windows/]call for beta testers[/u]! It won't be long before everyone can use the revolutionary DNSCrypt. Stay tuned here for updates on the full release.

The link takes you to an OpenDNS blog entry that has an application form (the form uses Google docs forms).

I had been skeptical that this would occur, but maybe I misjudged the thing:
The OpenDNS experiment to offer PC-to-DNS node encryption - added to existing node-to-node encryption, and currently only available in ß on Mac, not Windows - must be scaring the pants off the Establishment. Anarchy must not be tolerated. Regulation will be necessitated.
This OpenDNS venture could be quietly shut down as it "Didn't work very well", or something. Or maybe the encryption keys will be stored by a government department - same difference.
-IainB (March 12, 2012, 06:23 PM)
Anyway, here's hoping.
-IainB (March 28, 2012, 02:15 PM)

DNSCrypt sure looks useful. FYI there's already another thread with some discussion about this:
https://www.donation...ex.php?topic=30362.0
-Deozaan (March 28, 2012, 02:45 PM)
Ah! Thanks for that @Deozan - I knew it had been discussed, but I had not read the rest of the thread where you provide the link.
Nor was I aware that - from the thread you link to - you could already get your hands on the ß Windows code, without being an offcial ß tester.
I shall cross-post this to the link you give.

So, this thread can be closed.
-IainB (March 28, 2012, 04:20 PM)

But I can't find the code at at the link given by @Deozan - http://blog.opendns....nscrypt-for-windows/
- it says "Sorry, the page you tried was not found.", so it must have been taken down.

Could someone send me a link to a copy of the file please?
(Thanks.)

Carol Haynes · « **Reply #10 on:** March 28, 2012, 04:46 PM »

How does this actually work then?

So you use OpenDNS-Secure to look up a website IP but when you visit the website the IP address you are going to is still clear??? Surely anyone who wants to can just do a reverse look up to find where you were going (or if is is your ISP reporting back to Big Brother lust look up the IP at their own DNS server!!!)

Am I missing the point?

Or is OpenDNS acting as an Anonymizer type service and all the traffic goes through there server so your ISP only sees you going to OpenDNS ???

Can someone explain?

db90h · « **Reply #11 on:** March 29, 2012, 05:31 AM »

So you use OpenDNS-Secure to look up a website IP but when you visit the website the IP address you are going to is still clear??? Surely anyone who wants to can just do a reverse look up to find where you were going (or if is is your ISP reporting back to Big Brother lust look up the IP at their own DNS server!!!)
-Carol Haynes (March 28, 2012, 04:46 PM)

Short of using an SSH Tunnel, the IP address would remain clear.

MOSTLY, the biggest deal is that DNS queries is a method that ISPs and corporations can easily use to track (or block) your behavior. Now, that easy mechanism isn't so easy.

Carol Haynes · « **Reply #12 on:** March 29, 2012, 06:29 AM »

So because the DNS lookup is taken away from the ISP it makes it harder for them to block your surfing because they would have block IP addresses rather than block access to the domain name? Is that the point?

Surely ISPs that want to block sites can just use their own DNS server to setup IP blocking so it won't make it any easier to get to blocked sites - or are we relying on ISPs to be lazy?

Deozaan · « **Reply #13 on:** March 30, 2012, 02:11 AM »

But I can't find the code at at the link given by @Deozan - http://blog.opendns....nscrypt-for-windows/
- it says "Sorry, the page you tried was not found.", so it must have been taken down.

Could someone send me a link to a copy of the file please?
(Thanks.)
-IainB (March 28, 2012, 04:30 PM)

Strange. They moved it to the 19th instead of the 13th.

http://blog.opendns....nscrypt-for-windows/

But that just has a form to fill out to apply to be a beta tester. If you just want the files, read db90h's guide. It has lots of information.

And just to make it easy, here's a direct link to the DNSCrypt download page: https://github.com/o...rypt-proxy/downloads

IainB · « **Reply #14 on:** March 30, 2012, 02:42 AM »

...They moved it to the 19th instead of the 13th....
...And just to make it easy, here's a direct link to the DNSCrypt download page: https://github.com/o...rypt-proxy/downloads
-Deozaan (March 30, 2012, 02:11 AM)

Thanks for the link. After posing the Q, I then did some fossicking about, and had already found the github page and downloaded the file.
I don't understand why they moved the post.

Deozaan · « **Reply #15 on:** March 30, 2012, 03:13 AM »

I don't understand why they moved the post.
-IainB (March 30, 2012, 02:42 AM)

My guess (and this is only a guess!) is that they started writing it as a draft on the 13th and didn't actually make it public until the 19th. But it was published under the original creation date, which made it hidden as "old news." So they re-posted it to the 19th as "new news."

That's the best I can come up with.

IainB · « **Reply #16 on:** March 30, 2012, 03:46 AM »

OIC. Thank goodness! It's not the Spanish Inquisition then.

IainB · « **Reply #17 on:** May 16, 2012, 04:24 AM »

OpenDNS Unveils DNSCrypt for Windows

Version 0.0.4 Official Beta Release
Updated: Wed, 9 May 2012
Official release of DNSCrypt for Windows.

I downloaded and installed it.
It installs a treat (no problems). (Small file that achieves so much.)
Here's the GUI - very simple:
OpenDNS - DNS Crypt GUI 2012-05-16.jpg

Deozaan · « **Reply #18 on:** May 16, 2012, 04:28 AM »

The GUI sure makes it a lot easier to use.

IainB · « **Reply #19 on:** May 16, 2012, 04:32 AM »

The GUI sure makes it a lot easier to use.
-Deozaan (May 16, 2012, 04:28 AM)

Sure does. Installing it and using it is simplicity itself.

That's how it should be too, IMHO.

Deozaan · « **Reply #20 on:** May 16, 2012, 09:48 PM »

I noticed one big problem with DNSCrypt: When I restart my computer, it requires admin permissions via UAC before it will run. This means that if I'm not there to click OK and grant permissions, then my computer can't connect to the internet.

IainB · « **Reply #21 on:** May 17, 2012, 12:12 AM »

I noticed one big problem with DNSCrypt: When I restart my computer, it requires admin permissions via UAC before it will run. This means that if I'm not there to click OK and grant permissions, then my computer can't connect to the internet.
-Deozaan (May 16, 2012, 09:48 PM)

That's odd. Doesn't seem to happen on a PC with Win7-64bit Home Premium. Seems to be completely transparent.

Carol Haynes · « **Reply #22 on:** May 17, 2012, 03:44 AM »

It does on mine too - but then it doesn't seem to start with Windows without me putting the shortcut into the Startup folder.

Workaround is to add a scheduled task to start it on login and set the task permissions to administrator.

Deozaan · « **Reply #23 on:** May 17, 2012, 06:01 AM »

It does on mine too - but then it doesn't seem to start with Windows without me putting the shortcut into the Startup folder.
-Carol Haynes (May 17, 2012, 03:44 AM)

I guess I checked the box for "Start DNSScrypt when Windows starts" or something similar? It's in the Startup folder for me, and I know I didn't put it there after installation.

IainB · « **Reply #24 on:** May 17, 2012, 06:20 AM »

I guess I checked the box for "Start DNSScrypt when Windows starts" or something similar? It's in the Startup folder for me, and I know I didn't put it there after installation.
-Deozaan (May 17, 2012, 06:01 AM)

Ah, that might explain why others didn't get DNS Crypt starting on reboot/startup - they maybe hadn't ticked that option.
I didn't think to ask that question, having assumed that people would have ticked that option on install.
That's actually something to give feedback on to OpenDNS about DNS Crypt. It would be good if it were an option shown in the GUI under "General" (say).
There are two parts that need to be started - one is a Service, and the other is a client process.
(You also have to have configured your router for OpenDNS too, of course.)