OpenDNS + DNSCrypt - Mini-Review


IainB:
Original post: 2013-06-08
Last updated: 2016-03-20

Basic Info
App Name: OpenDNS + DNSCrypt - Mini-Review + DNSCrypt
Thumbs-Up Rating: :Thmbsup: :Thmbsup: :Thmbsup: :Thmbsup: :Thmbsup:
App URL:
 - OpenDNS home page
 - DNSCrypt download page
 - Lifehacker overview of DNSCrypt
App Version Reviewed: Current stable DNSCrypt client v1.6.1. This is the current version as at the "Last updated" date at the top of this post.
Test System Specs: Windows 10-64 PRO (also used on earlier Windows versions from Win7-64 to Win8.1-64 PRO)
Supported OSes: DNSCrypt runs on:
 - Windows
 - Mac.
Support Methods (see also updated links and references in the post below):
* Online Forums
* Set up your OpenDNS account
* Video tutorial - OpenDNS Basic
Upgrade Policy: DNSCrypt - FREE - as and when available.
Trial Version Available?: FREE - NO limitations.
Pricing Scheme: OpenDNS + DNSCrypt are both FREE.

About using OpenDNS+DNSCrypt:
(The text from the image below has been pasted into the spoiler underneath the image.)



Spoiler   DNSCrypt was developed/supported by the OpenDNS organisation up until:
           • OpenDNS - DNSCryptWin-v0.0.6 Beta Upgrade 2 (2012-09-01) - this was the last version from OpenDNS.
   
   DNSCrypt was subsequently placed into open source:
           • Website: https://dnscrypt.org/
           • The latest version of DNSCrypt for your particular OS is to be found at:
                   ○ https://download.dnscrypt.org/dnscrypt-proxy/
   
   ServiceManager: DNSCrypt GUI applications have been developed: (DNSCrypt is used with a command-line tool and needs some kind of an interface for most users)
           • Try this (is the only one I have used - it is one of the more simple GUIs recommended):
                   ○ https://github.com/simonclausen/dnscrypt-winservicemgr
                   ○ This is a Client program to manage service and network adapter settings.
   
   To learn more: (useful links)
           • https://support.opendns.com/categories/20060683-OpenDNS-Community
           • https://support.opendns.com/entries/70529140-What-is-DNSCrypt-
           • https://support.opendns.com/forums/21675554-DNSCrypt-Knowledgebase
           • https://support.opendns.com/entries/37597264-Tutorial-how-to-install-dnscrypt-on-Windows
           • https://dominustemporis.com/2014/05/dnscrypt-on-windows-update/
   To install and run Windows version DNSCrypt + ServiceManager:
           • Download file of latest DNSCrypt version - e.g., dnscrypt-proxy-win32-full-1.6.1.zip
                   ○ From https://download.dnscrypt.org/dnscrypt-proxy/
           • Create (or clear existing files from) directory: C:\Program Files (x86)\OpenDNS\DNSCrypt
           • Copy all files from the .ZIP file to that directory.
           • Download file of latest ServiceManager version - e.g., DNSCrypt Windows Service Manager v0.2.0.0.zip
                   ○ From: https://github.com/simonclausen/dnscrypt-winservicemgr
           • Copy the single file dnscrypt-winservicemgr.exe from the .ZIP file to:
                   ○ Directory: C:\Program Files (x86)\OpenDNS\DNSCrypt
           • Run dnscrypt-winservicemgr.exe - this will start the DNSCrypt service:
                   Play with the settings to suit your needs. Note that Cisco now owns OpenDNS per the Select Provider drop-down menu:
                  
                   Screen clipping taken: 2016-03-20 20:31
                  
           • You can view Cisco-OpenDNS network details here:
                   ○ https://system.opendns.com/
   


_________________________________

Background:
I had been meaning to pull together a mini-review of this for some time, but after (a) some then recent events and (b) some discussion about DNSCrypt and VPNGate on the DC Forum, I figured the mini-review was probably now overdue.
(a) The then recent events were:

* 1. Guardian report: the published details of a leaked secret court order, as first reported in the guardian.co.uk on 2013-06-06: NSA collecting phone records of millions of Verizon customers daily


* 2. DemandProgress email: An email sent on 2013-06-08 to subscribers, from demandprogress.org:
The revelations of spying on telephone customers are extraordinary -- but it gets even worse.  The government is spying, in real time, on all Internet users. From the Guardian:
(Referring to: NSA Prism program taps in to user data of Apple, Google and others)
The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.
The NSA access is part of a previously undisclosed program called PRISM, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.

--- End quote ---

--- End quote ---
(b) The DC Forum discussions were:

* Encrypted DNS queries via OpenDNS dnscrypt for Windows / linux / BSD / iOS / OSX
* VPN Gate - Univ. of Tsukuba launches Academic Experimental [Crowd] Project.
What this is all about is personal privacy and security: we now know that different governments - for a variety of reasons - are spying on their citizens, tapping into their Internet, telephone and general communications traffic. As well as that, there may be criminal operations with sophisticated equipment, tapping into the same communications, for multifarious criminal purposes. I'll leave it up to you, the reader, to figure out which of these two is probably the greater threat, or which countries' governments are not spying on their citizens in this manner.

Description of OpenDNS + DNSCrypt:

* 1. DNS:
DNS stands for "Domain Name Server". Here is a somewhat over-simplification of what this server does:

* When you set your browser to go to a URL (Universal Resource Locator) address - e.g., (say) google.com - your browser passes the request to your ISP (Internet Service Provider) connection node.
* That node is usually the Primary DNS for you, and there will be a Secondary one also, as backup.
* The IP (Internet Protocol) addresses - which are strings of numbers - of the 2 DNSes are set up in your broadband router.
* The DNS takes the URL your browser sends it, and looks it up in a huge conversion table of all available IP addresses.
* The DNS then finds the IP address for that URL, and sends off  a request to connect to that IP address.
* This begins your Internet communication/transaction with (say) google.com.

* 2. OpenDNS:
This essentially is a FREE service that you access by setting two OpenDNS IP addresses as your Primary and Secondary DNSes in your broadband router, replacing those of your ISP's:

* First you could set up (it's not mandatory) your OpenDNS Premium account here.
* Then you set up these two IP addresses as your Primary and Secondary DNS in your broadband router:

* 208.67.222.222
* 208.67.220.220
Once you have set up the OpenDNS IP addresses in your broadband router, the ISP becomes a passive "pass-through" node, with the OpenDNSes taking over the role of serving your request to (say) google.com, and the handling of the communications between google.com and you from that point on.

The benefits of doing this are several, and include: (from the OpenDNS website)

* Speed up your Internet experience.
OpenDNS’s 12 global data centers are strategically located at the most well-connected intersections of the Internet. Unlike other providers, OpenDNS’s network uses sophisticated Anycast routing technology, which means no matter where you are in the world, your DNS requests are answered by the datacenter closest to you. Combined with the largest DNS caches in the industry, OpenDNS provides you with DNS responses faster than anyone else.


* Make your Internet more reliable.
With our extensive data center footprint and use of Anycast technology, the OpenDNS network has built-in redundancy ensuring zero downtime. SmartCache technology, an OpenDNS innovation, enables you to access sites that may otherwise be inaccessible due to authoritative DNS outages, providing you with the most reliable Internet possible.


* Phishing protection.
OpenDNS blocks phishing websites that try to steal your identity and login information by pretending to be a legitimate website. Surf the Web with confidence.


* Gain visibility into your network usage.
OpenDNS’s reports provide you with visibility on your networks' Internet activity, giving you needed insight into how your Internet resources are being used.


* Easy to set up and it’s free.
Getting started on OpenDNS Premium DNS takes minutes; there are no downloads or additional software required and it’s completely FREE

* 3. DNSCrypt:
DNSCrypt is a tool for securing communications between a client and a DNS resolver.
dnscrypt-proxy provides local service which can be used directly as your local resolver or as a DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol and passing them to an upstream server - by default OpenDNS, who run this on their resolvers.
The DNSCrypt protocol uses high-speed high-security elliptic-curve cryptography and is very similar to DNSCurve, but focuses on securing communications between a client and its first-level resolver.
While not providing end-to-end security, it protects the local network, which is often the weakest point of the chain, against man-in-the-middle attacks. It also provides some confidentiality to DNS queries.
You can download and install the DNSCrypt application from the link given in the table at the top of this review.
_____________________________________

Who this app is designed for:
The combination of OpenDNS + DNSCrypt will appeal to those who wish to improve their personal privacy and security on the Internet.

The Good:
The combination of OpenDNS + DNSCrypt works in this regard - i.e., the improvement of your personal privacy and security on the Internet.
The privacy/security could be further improved with the use of VPN (Virtual Private Network) services.

The needs improvement section:
Not so much needs improvement, but caveats to bear in mind:

* Though you can set your OpenDNS Premium account to not maintain your traffic logs, a government authority could oblige the OpenDNS operator to maintain logs, regardless of users' wishes, and these logs could be used for surveillance (spying).
* DNSCrypt only encrypts traffic between your PC and your OpenDNS server(s). The traffic between those DNSes and the Cloud is unencrypted, and compulsory government access and surveillance could still monitor that traffic at some point.

However, on balance, it would seem that the chances of improved personal privacy and security would be better with using the combination of OpenDNS + DNSCrypt than without it.
Further privacy/security and also anonymity could be gained through the use of a VPN (Virtual Private Network), in addition to OpenDNS + DNSCrypt.

Why I think you should use this product:

* Because your personal privacy and security would likely be improved with using the combination of OpenDNS + DNSCrypt.
* Because if you are using a VPN, then DNSCrypt could help avoid the risk of "DNS leak" (refer the Lifehacker review for explanation of this).
How does it compare to similar apps.:
I am not aware of any closely similar current services/applications.
Some paid-for (not FREE) VPN service providers might offer some form of PC-to-DNS encryption, but I do not know.

Conclusions:

* 1. Objective achieved: Using OpenDNS should improve on the Internet service experience that you might normally expect to receive from your ISP.
* 2. Objective achieved: Combining that with the use of DNSCrypt should improve your levels of personal privacy and security on the Internet, even if you are already using a VPN.
* 3. Experience indicates that OpenDNSCrypt is very stable: I started using OpenDNSCrypt in May 2012 on a laptop running Win7-64 Home Premium, and in May 2015 migrated with it to Win8.1. OpenDNSCrypt has run flawlessly at all times, but it will always be dependent on the underlying network infrastructure being in a robust state.
________________________________________________
Links to other reviews of this application:
OLDER Links:

* Lifehacker: How to Boost Your Internet Security with DNSCrypt
* OpenDNS: Introducing DNSCrypt (Preview Release)
* Wikipedia: OpenDNS
* OpenDNS website overview: OpenDNS - A Technical Overview
* Bearware.info DNS review - here.
* Various other Internet references (google "OpenDNS" and "DNSCrypt").

mouser:
I overlooked this post originally -- just wanted to say thanks for taking the time to post it.  Much appreciated  :up:

IainB:
@mouser: Thanks for your appreciation. Always nice to have.
I am no expert on TCP/IP telecommunications, but I like to know how things work and why I should probably be using them, so using OpenDNS and later DNSCrypt was an educational voyage of discovery for me. Hopefully, posting the mini-review will help others take a shorter learning curve for DIY in this. The Lifehacker post I linked to was especially informative.

Having used OpenDNS + DNSCrypt for a while now with no issues, I have been trialling VPN gate for greater security/privacy, and have found it pretty good.

Coincidentally, I read this rather relevant post in LewRockwell.com today: Want to Defend Your Privacy?

In the post, he discusses using VPN (Virtual Private Network) services, refers to various links (some offshore to the US) for improved security/privacy, and recommends consideration be given to the use of the likes of:

* Tor
* Cryptohippie

TRDaggett:
I recently started using DNSCrypt after seeing it listed in the latest SnapFiles freeware updates. I've been using OpenDNS (and the OpenDNS Updater) for years and when I saw how long DNSCrypt has been available I had to wonder how I'd missed it (although with my leaky memory I might find it on an old 'To Do' list that's been buried by others..).

One thing I've noticed (in System Explorer's 'Connections' tab) are continuous UDP connections by OpenDNSInterface.exe that are constantly varying in number. There's always at least one, then two, three, four and sometimes five entries, then it will drop back to one, then the process repeats, 24/7. Any idea what is going on with that?
It's not using a huge amount of memory and the "dnscryptproxy.exe" uses even less.

- Other observations:
I don't know if it's related to DNSCrypt, but since I've been running it the OpenDNS Updater message window (and the on & off again "Using OpenDNS?" "No" alerts) has stopped popping up.

IainB:
You may have missed the advent of DNSCrypt because, almost immediately after it was announced/released, OpenDNS seemed to stop talking about it. It was kinda buried away. I suspect that they may have been asked to do that, as the implications of using DNSCrypt are that government snooping (NSA) is frustrated to some extent...

I can't answer "What is going on with that?", but here is a screenshot capture of the relevant OpenDNSCrypt connections on a laptop, as viewed in Process Hacker:



It rather looks as though DNSCrypt may be automatically dynamically making as many connections - and polling the relevant ports - as it needs at any given point.

I was not sure what the OpenDNS Updater was as I don't use it and I don't get any messages from anything by that name.
I looked it up and found it referred to at https://www.opendns.com/support/dynamic_ip_tech/
Windows IP Updater
This is the officially supported OpenDNS Windows client, which sends your network's new IP Address to OpenDNS whenever it should change.

--- End quote ---
I have the Primary and Secondary DNS nodes (IP addresses) set in my router as being the OpenDNS addresses, so when I restart the router or my ISP assigns a new dynamically allocated IP address, it doesn't stop the connection going to the OpenDNS nodes.
