[Nottingham] Dnscrypt: bleeding edge privacy - HowTo

Mike Cardwell nlug at lists.grepular.com
Mon May 28 17:45:32 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28/05/12 18:21, Martin wrote:
> Folks,
> 
> There is:
> 
> Dnscrypt: bleeding edge privacy - HowTo 
> http://forum.mandriva.com/en/viewtopic.php?f=86&t=137598
> 
> ... which relies upon OpenDns: http://www.opendns.com/
> 
> Alternatively...
> 
> Anyone know of any trickery whereby you can set up your own
> Dnscrypt proxy that gathers and cross-checks DNS from a number of
> sources?
> 
> For example... To unbreak the recent penchant for abusing/breaking
> DNS for the sake of 'politics'...

The problem with DNSCrypt is that nobody uses it. Except for OpenDNS.
And it doesn't guarantee you that you're getting the correct results
either. It only guarantees you that you're getting the results that
OpenDNS wants you to get.

DNSSEC, on the other hand, guarantees you that you're getting the
results that the person managing the DNS for a domain wanted you to
receive. DNSSEC is much more widely adopted (although adoption is
still low). The root zone is now signed. All of the major TLDs are now
signed. My own domain "grepular.com" is signed ;) If you install and
configure a validating DNS resolver on your local machine (like
Unbound or Bind), and then do a DNS lookup on the domain
"grepular.com", you can be certain that the results you receive are
the ones that *I* intended you to receive. Even if you query them from
one of the slave DNS servers that do backup DNS for my domain but I
don't control. If one of the slaves or a MITM tries to give you a fake
result, the validation will fail and the response will SERVFAIL.

The reason that OpenDNS is supporting DNSCrypt rather than DNSSEC is
because their business model relies on being able to modify DNS
responses to replace NXDOMAINs with their own advertising funded
pages. DNSSEC wouldn't allow them to do this. DNSCrypt does.

> (And how long before we suffer the rise of a Mad Max of
> darknets?... :-( )

Well, we already have Tor and I2P. The technology behind those two
networks is improving all the time.

- -- 
Mike Cardwell  https://grepular.com/     http://cardwellit.com/
OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3  B0CF 70A5 F512 0018 461F
XMPP OTR Key   8924 B06A 7917 AAF3 DBB1  BF1B 295C 3C78 3EF1 46B4
-----BEGIN PGP SIGNATURE-----

iQGGBAEBAgBwBQJPw7n/MBSAAAAAACAAB3ByZWZlcnJlZC1lbWFpbC1lbmNvZGlu
Z0BwZ3AuY29tcGdwbWltZTgUgAAAAAAVABpwa2EtYWRkcmVzc0BnbnVwZy5vcmdt
aWtlLmNhcmR3ZWxsQGdyZXB1bGFyLmNvbQAKCRCdJiMBwdHnBA8vCAC0iBp2iZPO
dVhyzxDbo7kf99H0dseuf43UHHxKcQN5s7lQiZfmxJ4MKhT8Ch48gf3a2uW8OOLq
Z99LYp64FTufnIWsgIlc9aQeZbnDYRGQ5cHBnMK8lae4gTA8xXhmGTjnhD4Zm3p9
m+ohF7K2GlRqSoc6Hd6nwHv08VtcAKLyi7S3xM5LSr9oZTZgsD5cEcmhYu4qsat9
+wYcaZLuZNYpeqDG4e2RuJP9Oq6kj5BJeVOElILsQ/GbqdJj23ogqIAEIDcC8xRT
lLiDW9FhjfDAkGugLB2sW3KsZeuHhMdoM0NgBpPXI3X2k5SlS4tMTYkxyKCBuvmU
tY1ua0Yn4u97
=cTbz
-----END PGP SIGNATURE-----
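The three outcomes Mike describes above (a validated answer, a tampered answer turned into SERVFAIL by the validating resolver, and a plain unvalidated answer) show up in the DNS header: the AD (Authentic Data) bit and the RCODE. The following is an added example, not code from the original post or from Unbound/BIND. It builds a query carrying the EDNS0 DO bit, parses response headers, and classifies them. The three sample response headers are constructed for the demonstration, not captured traffic; the transaction ID 0x1234, the resolver address 127.0.0.1:53 and the name "grepular.com" are assumptions for illustration.

```python
"""Classify DNSSEC validation outcomes from raw DNS message headers.

Added example; the sample responses below are constructed, not captured.
"""
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.2/3.2.3)
FLAG_QR = 1 << 15
FLAG_RD = 1 << 8
FLAG_RA = 1 << 7
FLAG_AD = 1 << 5   # Authentic Data: the resolver validated every RRset it returned
FLAG_CD = 1 << 4   # Checking Disabled: client asks the resolver not to validate
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3

EDNS_OPT_TYPE = 41
EDNS_DO = 0x8000   # DNSSEC OK bit, carried in the OPT RR TTL field (RFC 4035 section 3.2.1)


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Recursive query (RD set) for `name` with an EDNS0 OPT RR requesting DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # qdcount=1, arcount=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN
    ttl = EDNS_DO if dnssec_ok else 0
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/DO, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, 4096, ttl, 0)
    return header + question + opt


def parse_header(msg):
    """Return the fields of the 12-byte DNS header as a dict."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "rcode": flags & 0xF,
            "ad": bool(flags & FLAG_AD), "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(msg):
    """Map a response header to the outcome a validating resolver produces."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"      # resolver refused a bogus answer (forged by a slave or a MITM)
    if h["ad"]:
        return "validated"     # signed chain from the root checked by the resolver
    return "unvalidated"       # unsigned zone, or the resolver does not validate at all


def _response(rcode, ad, ancount, txid=0x1234):
    """Build a constructed response header for the samples below."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


# Constructed sample headers, one per outcome (assumption: 12-byte headers suffice here)
SAMPLE_VALIDATED = _response(RCODE_NOERROR, ad=True, ancount=1)
SAMPLE_BOGUS = _response(RCODE_SERVFAIL, ad=False, ancount=0)
SAMPLE_UNVALIDATED = _response(RCODE_NOERROR, ad=False, ancount=1)


def query_resolver(name, server="127.0.0.1", port=53, timeout=2.0):
    """Send the query to a resolver (assumed: local Unbound on 127.0.0.1) and classify the reply.

    Needs network access; not exercised by the constructed samples above.
    """
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    if parse_header(data)["id"] != parse_header(q)["id"]:
        raise ValueError("transaction ID mismatch")
    return classify(data)


if __name__ == "__main__":
    for label, sample in (("validated", SAMPLE_VALIDATED),
                          ("bogus", SAMPLE_BOGUS),
                          ("unvalidated", SAMPLE_UNVALIDATED)):
        print(f"{label:12s} -> {classify(sample)}")
```

The AD bit is only as trustworthy as the path between the stub and the resolver: a resolver on a remote network can set AD on anything, and anyone on the path can strip or forge it. That is why the post insists on running the validating resolver on the local machine; `query_resolver` defaults to 127.0.0.1 for the same reason.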
