
OpenDNS + DNSCrypt - Mini-Review


IainB:
That is odd.
I have used OpenDNSCrypt for a couple of years now, on several laptops and from 3 different locations, and it always works a treat.
From experience, if the installation is correctly set up, then it should/will run like clockwork.
I was getting a spotty connection (the OpenDNSCrypt bulb in the Systray kept going red) on this laptop I am using at present. I put it down to the fact that there was so much change going on (upgrading from Win8-64 to Win8.1-64 and lots of migration and program installs happening) that I should do a clean reinstall of OpenDNSCrypt. So I uninstalled it and reinstalled it and the problems immediately went away.

IainB:
2016-03-20 2109hrs: Major update to opening post, including basic steps for installing and using OpenDNS-DNSCrypt.
Hope it all makes sense and is of use.
I had been meaning to do this update for a long time. Apologies for not having done it sooner, but better late than never!

f0dder:
DNSCrypt isn't foolproof.

A couple of notes:

* It obviously only encrypts DNS requests, so it doesn't add security to non-HTTPS sites.
* For hosts running one single site, it's usually trivial to find a hostname from the IP, and a MiTM obviously can see IPs of hosts you communicate with.
* For multi-site hosts you'll either have wildcard certs, which gives some possibilities of what you're visiting, or,
* SNI, which shows which site you're requesting, in unencrypted form. TLS handshake sucks.
* You're placing all your DNS eggs in OpenDNS's basket. I'd be very surprised if at least the NSA doesn't have a tap.
I do use DNSCrypt myself, since Danish ISPs have stupid censored DNS servers, and I'd rather have NSA tap my activities than giving Google more information through their (otherwise pretty excellent) servers. You just have to know what security you're getting, and what you certainly aren't.

Also, VPNs do not give you any form of anonymity - the only thing they should ever be used for is getting authenticated and encrypted access to a remote network, never as a form of surveillance protection. If you do stuff that's questionable in the eyes of your government, you need TOR, and you need to be running off somebody else's wifi. (Oh, and you need to know what you're doing - there's a hell of a lot of ways to screw up using TOR and leak private information all over the place.)

IainB:
@f0dder: Yes, I'm inclined to agree with what you wrote there - though I don't have your level of knowledge, I'm sure.

As I understand it, the improved security from using DNSCrypt is in the path between the PC and the OpenDNS node(s), with the ISP's node acting as a blind, passive pass-through in the middle. That potentially avoids a lot of government snooping which could take place (per statute) at that point, and avoids potential man-in-the-middle attacks and DNS leakage.
Whilst your transactions are outbound from and responses are inbound to the OpenDNS node(s), I guess they are anybody's game.
Post-SnowdenGate, and now that Cisco is owner of OpenDNS, then I presume that the supposition of NSA surveillance could likely be fairly accurate - even if it wasn't before.
Deceit seems to be the norm in the area of surveillance and espionage, and that means you can't tell who's lying about what. Even Snowden could be a plant to put the targets of surveillance off the scent. How would we be able to know?

f0dder:
Quote from IainB (March 22, 2016, 12:46 PM):
@f0dder: Yes, I'm inclined to agree with what you wrote there - though I don't have your level of knowledge, I'm sure.
--- End quote ---
Keep in mind that I'm just a (somewhat informed) layman - I am by no means an expert in these things, and haven't studied everything in detail :)

Quote from IainB (March 22, 2016, 12:46 PM):
As I understand it, the improved security from using DNSCrypt is in the path between the PC and the OpenDNS node(s), with the ISP's node acting as a blind, passive pass-through in the middle. That potentially avoids a lot of government snooping which could take place (per statute) at that point, and avoids potential man-in-the-middle attacks and DNS leakage.
--- End quote ---
Well, yes, except the information leakage I mentioned in my post above.

A thing I forgot to mention, though, and a big advantage of DNSCrypt, is that it prevents DNS forgery, because crypto. Given the leakage problems mentioned above, I'd say this is a bigger advantage than the privacy aspects, and it protects against very real and actually-happening attacks if you're out and about and connect to untrusted WiFi networks. (That's also one of the places a - trusted - VPN helps, since even plain HTTP will go through the encrypted VPN tunnel).

Quote from IainB (March 22, 2016, 12:46 PM):
Deceit seems to be the norm in the area of surveillance and espionage, and that means you can't tell who's lying about what. Even Snowden could be a plant to put the targets of surveillance off the scent. How would we be able to know?
--- End quote ---
We can't know much for sure, especially considering that stuff that 5-10 years ago was labeled tinfoil-hat has been shown to be true. We know that NSA has tried to introduce backdoored crypto (Dual_EC_DRBG), that unknown adversaries managed to insert a Linux kernel backdoor for a brief moment, that NSA's snooping and capabilities are worse than what people called tinfoil-hat when rumors of Carnivore first appeared.

The trick is to question everything, but keep a balance where you don't end up as a paranoid tinfoil-hat - which is easier said than done. Also, consider which threats you want to defend against (hint: even if current crypto algorithms are safe and NSA can't bruteforce or otherwise break AES256, none of us has a chance against nation-state adversaries). If you're doing illegal stuff, do educate yourself.

Note: I don't condone immoral behavior, but things that are indeed very moral (like, freedom fighting) are very illegal in some countries. Leaving the pure technological stuff and straying into ethics and politics is probably best done elsewhere, though, even if it's a very interesting discussion :-)
