Encrypted DNS queries via OpenDNS dnscrypt for Windows / linux / BSD / iOS / OSX

[Stoic Joker]

(Lacking the time to check) I'm wondering how well (/if) this would work inside a (DNS dependent) domain environment.

[IainB]

(Lacking the time to check) I'm wondering how well (/if) this would work inside a (DNS dependent) domain environment.

-Stoic Joker (May 17, 2012, 06:29 AM)

Currently, I gather that:

• DNS Crypt would need to be installed and running on each client device.
• The routers would need to be configured to use OpenDNS.
• The encryption takes place between the client and the Open DNS node.
• In a chain of Client-->Router-->ISP node-->OpenDNS node, components inbetween the first and last links would thus just see encrypted traffic.

When in use, this technology would presumably defeat/frustrate:
(a) corporate scanning/sniffing of Internet traffic for security access/control purposes.
(b) ISPs statutory obligations to scan/sniff (censor) public Internet traffic (e.g., for the RIAA/MAFIAA).
(c) any other third-party scanning/sniffing of Internet traffic.

Bother.

As it says in a screenshot above:

This software (v: 0.0.4) encrypts DNS packets
between your computer and OpenDNS. This
prevents man-in-the-middle attacks and snooping
of DNS traffic by ISPs or others.

By the way, a new version of DNS Crypt (v.0.0.5) has now been released (see bottom of screenshot below):


Screenshot taken using Alt+PrtSc command in Screenhot Captor.    

[Deozaan]

Screenshot taken using Alt+PrtSc command in Screenhot Captor.   

-IainB (May 18, 2012, 04:10 PM)

If you like Alt+PrintScreen you should try Ctrl+PrintScreen.

[Stoic Joker]

(Lacking the time to check) I'm wondering how well (/if) this would work inside a (DNS dependent) domain environment.

-Stoic Joker (May 17, 2012, 06:29 AM)

Currently, I gather that:

• DNS Crypt would need to be installed and running on each client device.
• The routers would need to be configured to use OpenDNS.
• The encryption takes place between the client and the Open DNS node.
• In a chain of Client-->Router-->ISP node-->OpenDNS node, components inbetween the first and last links would thus just see encrypted traffic.

-IainB (May 18, 2012, 04:10 PM)

Right, therein lying the problem. In a domain, DNS must be handled only by the internal domains DNS server (usually the DC in small shops). Which makes the question: Will the DNS Crypt ("client") software play nice with the MS DNS server service, and only encrypt the forwarded (external domain) requests?

[IainB]

Probably worth repeating this as it might not be obvious to everyone:

I noticed OpenDNS has extended capabilities you can turn on or off...etc.

-db90h (March 21, 2012, 10:42 PM)

Useful implications/points in @db90h's post:

Option #1: If you want to:

• (a) have your DNS separate from your ISP or Google, and encrypted to protect from Sniffers.
• (b) remain at your most private.

- then:

• use OpenDNS (configured in your router).
• install/run DNS Crypt on your client device (PC/laptop).

Option #2: If you also want to take advantage of other aspects of the OpenDNS service, then:

• Sign up for an account (no charge for this or subsequently).
• You can then choose to either have it log all your DNS queries, so you can see what sites everyone in your household is visiting (for instance, if you want to block some sites). For these features you have to sign up for the account, which also offers a DNS client (you install it on your PC) to update your dynamic IP address at home (so it can track you as your IP address dynamically changes).
• OR you can have it not log anything (no record of DNS queries is thus maintained).

So, don't bother signing up at all (even for their normal service per Option #1) and you're probably most private, as their DNS servers (plaintext and encrypted) are open no matter what.

[IainB]

Will the DNS Crypt ("client") software play nice with the MS DNS server service, and only encrypt the forwarded (external domain) requests?

-Stoic Joker (May 18, 2012, 05:04 PM)

Suck-it-and-see?

[Stoic Joker]

Will the DNS Crypt ("client") software play nice with the MS DNS server service, and only encrypt the forwarded (external domain) requests?

-Stoic Joker (May 18, 2012, 05:04 PM)

Suck-it-and-see?

-IainB (May 18, 2012, 06:24 PM)

Time is a factor - Between work and some recent family issues I have none - I was hoping someone else had taken a crack at it. I can't risk knocking my lab offline right now. *Sigh*

(on a brighter note...) The OpenDNS account UI is quite nice. I've been using it successfully for a few years to manage web filtering for client networks. Between UAC, MSE, & OpenDNS the bugg problem is pretty much licked.

[Carol Haynes]

I have DNS Crypt running permanently and haven't noticed any web addresses that don't resolve properly - as far as I can tell it is totally transparent.

[IainB]

There is quite a straightforward write-up in Lifehacker about this. Makes a good explanation and covers the need for protection against "DNS leak" on the last half-mile of the connection between you and your ISP, even when you are using a VPN.
Has lots of embedded px and links, so I did not copy it here.
Go read it at  How to Boost Your Internet Security with DNSCrypt

I have been using DNSCrypt continuously since it was implemented, and it seems trouble-free and almost transparent in use. A good layer of extra security in what is becoming an increasingly censored and hacked Internet.

[Deozaan]

The main problem I have with DNSCrypt is that it pops up a UAC permission thing every time I boot my computer. And if I'm not there to click the button to give it permission, my computer does not have internet access. Normally this isn't a big problem, but in the case of power outages or whatever the case may be that my computer reboots while I'm not there, it means I can no longer remotely access my PC.

I wish there was a way to get DNSCrypt to run automatically without needing to manually click the go button each time my PC starts up. Other than that, it's mostly been pain free and transparent.

[IainB]

The main problem I have with DNSCrypt is that it pops up a UAC permission thing every time I boot my computer. And if I'm not there to click the button to give it permission, my computer does not have internet access. Normally this isn't a big problem, but in the case of power outages or whatever the case may be that my computer reboots while I'm not there, it means I can no longer remotely access my PC.
I wish there was a way to get DNSCrypt to run automatically without needing to manually click the go button each time my PC starts up. Other than that, it's mostly been pain free and transparent.

-Deozaan (June 07, 2013, 04:47 PM)

Ah, I think I understand.
This might be of help:
(I have put this in some detail so that anyone reading this and who has the same problem should be able to follow it, regardless of expertise.)
This is from my experience of having installed DNSCrypt (now up to version 0.0.6) on two laptops with:

• Win7-64bit
• Windows 7 Firewall control

I have never experienced any problem of the sort you describe with OpenDNSCrypt loading automatically after system bootup.
If you were the one to set security settings up on your PC in such a way as to get/force the system UAC permission request, then that (the UAC request) would not be a feature of DNSCrypt per se. You (or whoever installed OpenDNSCrypt on that PC) could have (probably inadvertently) created that situation.
I would therefore suggest that you inspect the security settings for your PC relating to OpenDNSCrypt, which runs as two processes in the system (visible in Windows Task Manager):

• OpenDNSCryptService.exe - a Service.
• OpenDNSInterface.exe - the UI that provides a Systray icon (right-click to open the interface's window).

Try this:
Open up the Services control window (Control Panel --> Administrative Tools --> Services), click once on any service and then type "open" - you will be taken to the OpenDNSCrypt service.
Double-clicking on that will open up the Properties for that service.
Select the Log On tab and ensure that the correct user account Password and corresponding Confirm Password have been entered, thus: (click the Apply button after making any necessary changes)



Unless you have somehow got some UAC settings peculiar to either or both of the two executables, then, fingers crossed, this password check should do the trick.

[Deozaan]

Select the Log On tab and ensure that the correct user account Password and corresponding Confirm Password have been entered, thus: (click the Apply button after making any necessary changes)

-IainB (June 07, 2013, 08:01 PM)

Um... I'm pretty sure my account doesn't have a password. I never have to type one in to login to windows, anyway. Maybe that's why?

[IainB]

^^ Then you could try checking the Local System Account instead. That might do it.

[40hz]

I wonder if it may be all moot at this point? Especially considering all the revelations in the news last week about various service providers "cooperating" with government blanket internet usage monitoring.

I'd guess anybody offering "anonymous," "encrypted" or "secure" anything would have been among the first to receive a FISA order.

[Tinman57]

I wonder if it may be all moot at this point? Especially considering all the revelations in the news last week about various service providers "cooperating" with government blanket internet usage monitoring.

I'd guess anybody offering "anonymous," "encrypted" or "secure" anything would have been among the first to receive a FISA order.

-40hz (June 08, 2013, 01:30 PM)

  They probably have, and all sworn to secrecy along with it.... 

[IainB]

^^ Yes, you could be right about that.
Maybe it'll be only  a matter of time now before the **AA are tapping into all that data too - if they aren't already, that is.
I had a genuine LOL moment this morning, when I read the HuffingtonPost article Obama Defends NSA, Says America Has To Make Choices Between Privacy And Security

WASHINGTON — President Barack Obama declared Friday that America is "going to have to make some choices" balancing privacy and security, launching a vigorous defense of formerly secret programs that sweep up an estimated 3 billion phone calls a day and amass Internet data from U.S. providers in an attempt to thwart terror attacks. ...

Apparently somebody already made that decision for all Americans quite some time ago.
I'm not sure whether it was an intentional joke, but I found it amusing anyway.

Happy days.

[Tinman57]

Apparently somebody already made that decision for all Americans quite some time ago.
I'm not sure whether it was an intentional joke, but I found it amusing anyway.

-IainB (June 08, 2013, 07:36 PM)

  Isn't it funny how the government made this decision for us, and against the Constitution as well?  We already know how two-faced Obooboo is, before his 2nd election he was all pro-privacy saying he would veto this and veto that if it didn't have privacy protections included in the bills.  He had us pro-privacy buffs cheering him on.  Now he don't have to worry about getting re-elected and he can do what he's wanted to do for 4 years.

  And gosh, how did this get so far off-topic?  First we're talking about encrypted DNS queries and now privacy protection!   

[40hz]

 And gosh, how did this get so far off-topic?  First we're talking about encrypted DNS queries and now privacy protection!  

-Tinman57 (June 09, 2013, 05:05 PM)

It's not really OT when you think about it. Because, in the end, if you don't know what the real rules are, who you can believe - and what to reasonably expect - all topics become a single topic centered on the issue of trust. And its betrayal.

Anything other than that (when those significant questions remain unanswered) is what is really irrelevant.
 

[IainB]

...And gosh, how did this get so far off-topic?  First we're talking about encrypted DNS queries and now privacy protection!

-Tinman57 (June 09, 2013, 05:05 PM)

Not so off-topic as you'd think. It would seem that encrypted DNS and personal security/privacy are inextricably intertwined. That's why I belatedly got around to doing the OpenDNS + DNSCrypt - Mini-Review

And I wouldn't call this "political" either, though politically-inclined bigots of any persuasion could no doubt try to use it as such. There's a very level-headed point made in the middle of a post on HotAir about this, referring to a post by Charles M. Blow in the Opinion Pages of the NY Times (entitled Of Slippery Slopes): (my emphasis)

Quotes of the day
posted at 8:31 pm on June 8, 2013 by Allahpundit
...
This is a “Papa knows best” approach to security policy.

We are told that this has helped to keep us safe, and that any loss of civil liberties and sense of privacy is but collateral damage, inconsequential in the grand sweep of things. Many innocents must be violated so that a few guilty people can be stopped. It’s a digital stop-and-frisk, using data trends and a few successes to do huge damage…

This is not a right-left thing. This is a right-wrong thing. This is not about short-term damage to political prospects but about long-term damage to democratic ideals. This is not about any particular person or president or party but about principles and limits.
...

Insofar as it is (or might be) construed as being "political", I gather that the point being made is that this business would seem to run contrary to the American Constitution. There seems to be a unique and rather valuable set of humanitarian principles of freedom and democracy enshrined in the latter  - a set of principles that all humanity could well rue the death of.
However, what I find amazing is that the American political "leaders" and the people seem to be the ones doing their level best to kill it in a sort of slow dance of death, or they are apparently standing idly on the sidelines discussing it as observers, whilst it happens in front of them.
That it is allowed to happen at all seems to signify a general ignorance, a malaise. Maybe it is perhaps coupled with a lack of moral fibre and a lack of backbone to stand up for the principles involved, I don't know - but that might explain it.

Whatever the cause, it makes me sad to see this. Maybe history will show that it is just time for the change/fall of Empire, and so this is how it happens. There are arguably, and have been, other signs of this.

Maybe you should look to your poets for answers. There is something almost prophetic in the apparently allegorical lyrics in the superb song "Real Gone" sung by Sheryl Crow:

I'm American made, Bud Light, Chevrolet
My momma taught me wrong from right
I was born in the South, sometimes I have a big mouth
When I see something that I don't like
I gotta say it

Well we been driving this road for a mighty long time
Payin' no mind to the signs
Well, well this neighbourhood's changed, it's all been rearranged
We left that change somewhere behind

Slow down, you're gonna crash
Baby you were screamin', it's a blast, blast, blast
Look out babe you got your blinders on
Everybody's lookin' for a way to get real gone
Real gone, real gone

But there's a new cat in town, he's got high paid friends
Thinks he's gonna change history
You think you know him so well
Yeah you think he's so swell
But he's just perpetuatin' prophecy
Come on now

Slow down, you're gonna crash
Baby, you were screamin', it's a blast, blast, blast
Look out, you got your blinders on
Everybody's lookin' for a way
To get real gone, real gone
Real gone, real gone, uhhh

Well, you can say what you want but you can't say it 'round here
'Cause they'll catch you and give you a whippin'
Well, I believe I was right when I said you were wrong
You didn't like the sound of that
Now did ya?

Slow down, you're gonna crash
Baby, you were screamin', it's a blast, blast, blast
Look out, you got your blinders on
Everybody's lookin' for a way to get real gone

Well, here I come and I'm so not scared
Got my pedal to the metal, got my hands in the air
Well, look out, you take your blinders off
Everybody's lookin' for a way to get real gone
Real gone, real gone, ooh!
Real gone, real gone

(Written by Sheryl Crow and John Shanks for the 2006 Disney-Pixar film, Cars.)
From <http://www.metrolyrics.com/real-gone-lyrics-sheryl-crow.html>

[IainB]

^^ I said above:

...However, what I find amazing is that the American political "leaders" and the people seem to be the ones doing their level best to kill it in a sort of slow dance of death, or they are apparently standing idly on the sidelines discussing it as observers, whilst it happens in front of them.
That it is allowed to happen at all seems to signify a general ignorance, a malaise. Maybe it is perhaps coupled with a lack of moral fibre and a lack of backbone to stand up for the principles involved, I don't know - but that might explain it. ...

-IainB (June 09, 2013, 10:03 PM)

However, I have just posted in the DCF thread Re: Internet freedoms restrained - SOPA/PIPA/OPEN/ACTA/CETA/PrECISE-related updates that:
NSA surveillance - Edward Snowden's Motivation: Internet Freedom
- where I wrote:

"Snowden is one American who apparently has a massive amount of spine."

[IainB]

Select the Log On tab and ensure that the correct user account Password and corresponding Confirm Password have been entered, thus: (click the Apply button after making any necessary changes)

-IainB (June 07, 2013, 08:01 PM)

Um... I'm pretty sure my account doesn't have a password. I never have to type one in to login to windows, anyway. Maybe that's why?

-Deozaan (June 08, 2013, 01:50 AM)

^^ Then you could try checking the Local System Account instead. That might do it.

-IainB (June 08, 2013, 07:03 AM)

@Deozaan: Did you try ticking the Local System Account - if so, then what was the outcome?
If that didn't do the trick, then I would suggest you post it as a problem/incident to OpenDNS DNSCrypt support. You could do that in the Preview Feedback in the DNSCrypt GUI. They always seem to reply to any feedback placed there.

[Deozaan]

It didn't work. It still pops up the UAC thing and makes me click to get it to work.

[IainB]

It didn't work. It still pops up the UAC thing and makes me click to get it to work.

-Deozaan (June 14, 2013, 01:00 AM)

Then like I said, send them some feedback via the Preview Feedback in the DNSCrypt GUI. When you do that, it sends an email and attaches details of your system and DNSCrypt configuration. They should be able to spot the problem right away from that.

[Deozaan]

OK. I've done that.

Just out of curiosity, did you install the client from the earliest version? Or did you install it later on? I kind of wonder if my UAC problem is due to having it installed since the first beta was available. . . Maybe they didn't know how to properly request permissions, or not require certain permissions or something. I don't know. Just a guess/wonder.

[Deozaan]

They replied to me:

Hi,

Thank you for your feedback. At this time the DNSCrypt client can only be run as an administrator. Our engineers are aware of the behavior with the UAC prompt and hope to have it resolved in future releases. Thanks for your patience while we continue to improve this service.

Daniel Gifford
Customer Support Manager
OpenDNS.com