DNSCRYPT

dogman514
asked this on June 7, 2013, 21:41

Is there going to be a DNSCrypt for Android tablets? If so, when? I hate going on the net without it.


Comments

treyarch

They have not updated the computer version, so it may be a while before we see it on mobile. You should open a support ticket to know for sure.

June 9, 2013, 10:46
jedisct1

dnscrypt has been available for Android for a long time.

Just like the iOS version requires a jailbroken device, a rooted device is required for Android.

Pre-packaged binaries are available for download here: http://dnscrypt.org

If your device is rooted and you're familiar with adb, give it a spin.

Opening an OpenDNS support ticket doesn't help. I don't receive these tickets, neither do people having developed user interfaces, servers or packages for dnscrypt.


June 9, 2013, 13:48
stephenbush

The dnscrypt-proxy for Linux stopped working for me. It apparently runs but all queries fail to work, version 1.2.1 and now 1.3.1.

June 11, 2013, 16:39
stephenbush

Perfect timing... right after posting, it is working again. I'm going to blame the work done on the Chicago node (closest).

June 11, 2013, 16:48
myodns120222

Is there a way to install DNSCrypt for Ubuntu 13.04?

 

August 24, 2013, 08:57
rotblitz

Yes, sure, there's a Linux version. http://dnscrypt.org/

August 24, 2013, 14:42
jedisct1
August 24, 2013, 18:32
myodns120222

@rotblitz I have checked that already, but for some reason I could not complete "make" with error: make: *** No targets specified and no makefile found.  Stop.

I'll see that again. Thank you.

August 24, 2013, 23:59
myodns120222

@jedisct1 I'll check that also - Thank you very much.

 

August 25, 2013, 00:01
vance
DNSCrypt for iOS? Is it available for a non-jailbroken iPad/iPhone?
May 21, 2014, 09:04
jedisct1

Jailbreak is required.

May 21, 2014, 09:09
happeness

Warning:

The site ( http://dnscrypt.org ) is a suspicious one. It doesn't use the prefix (https), which means that the surfer's connection with the site is encrypted, on its main page. The site ( http://dnscrypt.org ) also doesn't use (https) on the download page (http://download.dnscrypt.org/dnscrypt-proxy/):

dnscrypt-proxy.exe contains threat WS.Reputation.1

libsodium-4.dll contains threat WS.Reputation.1

libldns-1.dll contains threat WS.Reputation.1

hostip.exe contains threat WS.Reputation.1

and the DNS encryption files have an unknown creator, an unidentified certificate, no digital signature, as well as the files encryption alleged that the downloaded.

My computer's defenses are Norton 360, Bit Defender Total Security 2014 and Kaspersky Internet Security 2014. The protection I have, Norton 360, Kaspersky Internet Security 2014 and Bit Defender Internet Security 2014, all exposed and deleted those files immediately.
How could a site offering security and encryption be a threat!
That site and its encrypted DNS files are a trap for those looking to secure and encrypt their important information away from ISP monitoring, man in the middle, snooping, hackers, digital criminals, and government information-collecting agencies.

June 7, 2014, 02:56
trininox

I understand you're using Windows, so I can't speak toward the presence of any of these "threats" by various "security" software. I only use DNSCrypt with Linux.
Are you familiar with GitHub and open-source software? You can feel free to look at the source and even go the next step to compile it for yourself if you suspect the provided Win32 binaries. https://github.com/jedisct1/dnscrypt-proxy https://github.com/opendns

As for the errors you get, they are not based on fact, but assumption and/or reputation.
http://community.norton.com/t5/Norton-Internet-Security-Norton/Clar...

"WS.Reputation.1 is a reputation-based detection. When our reputation technology encounters a brand-new file (including items you might create on your own), it relies on a number of factors to determine reputation. We use all of these factors to ensure we can provide the maximum protection for users while preventing false positives. "Newness" is only one factor we use."

Just because the file creator is "unknown", fairly "new" if it's a recent version, etc., these facts make it suspect by this reputation judgement, and provide a false positive. I repeat: false positive.

Thanks,

June 30, 2014, 11:40
viking60

Dnscrypt does not encrypt on Linux! I have it on Manjaro and Arch and every check indicates a working install. 

~/ drill txt debug.opendns.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 37057
;; flags: qr rd ra ; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; debug.opendns.com. IN TXT

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 11.lon"
debug.opendns.com. 0 IN TXT "flags 20 0 2F6 1950000000000000000"
debug.opendns.com. 0 IN TXT "originid 8211015"
debug.opendns.com. 0 IN TXT "actype 2"
debug.opendns.com. 0 IN TXT "bundle 3094915"
debug.opendns.com. 0 IN TXT "source 80.203.39.216:62968"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (71447764594D3377)"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 54 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 127.0.0.1
;; WHEN: Wed Feb 25 12:35:03 2015
;; MSG SIZE rcvd: 283

When I check the connection with Wireshark it turns out that I can read the content of the sites I am surfing.

Details here:

http://bjoernvold.com/forum/viewtopic.php?f=11&t=1921#p19958

 

So I am not sure what Dnscrypt is good for at this point?

February 25, 2015, 03:52
Alexander Harrison
OpenDNS

viking60, note that DNSCrypt is a DNS encryption tool and will encrypt only DNS. If you're looking for a full tunnel encryption tool, consider using a VPN service. 

February 25, 2015, 06:17
viking60

Hm I do have some problems here. What exactly does:

"...to prevent DNS snooping, spoofing, and other man-in-the-middle attacks. It does this by completely encrypting the DNS traffic to and from a user's computer and the OpenDNS servers"

mean?

What is "DNS traffic" in this context?

I filtered "dns" in Wireshark and could see the content I was surfing, so that apparently is not encrypted. I could also see the web address I was surfing, so that is not encrypted either.

So I simply thought DnsCrypt did more than it actually does I guess. 

 "...preventing any spying, spoofing or man-in-the-middle attacks."  made me think that the data would be encrypted in wireshark.

 

February 25, 2015, 07:08
trininox

I can't be entirely sure how your DNSCrypt is set up or how you're examining your network traffic, but if you run Wireshark on the same machine as dnscrypt and have it set up in such a way, it could be that you see the unencrypted request going to the DNSCrypt proxy before it's encrypted and sent across the wire. I haven't tested it but I imagine I could probably see this because I use a local copy of unbound as my DNS server and it forwards uncached requests to the proxy client. It could also be, can't speak to how your distro works, but on Ubuntu which comes with DNSmasq you could be inadvertently bypassing DNSCrypt's proxy.

That said, DNSCrypt, as stated, is only meant to protect and hide your DNS request; once you're requesting data from a website, that traffic source would be apparent, although possibly encrypted also if it's HTTPS. DNSCrypt would only be a safeguard as part of a VPN solution, as a preventative measure to leaking your real IP via DNS requests outside the VPN.

To summarize for any lay person coming across this: when a website is requested ("google.com"), your browser requests the IP address of the web server; this request and response is "DNS traffic" (standard unencrypted port 53). Once the browser has the IP address it switches to HTTP (standard unencrypted port 80) and requests data from the web server. That's the simplest version of it. So DNSCrypt is meant to ensure the IP you get back from a trusted DNS server is the correct IP for the website you're requesting, keeping anyone from intercepting and replying with a bogus IP (man-in-the-middle, spoofing). As a side effect it also stops anyone from knowing what website you requested solely on DNS traffic (snooping); however, only a VPN will hide the traffic from the website portion of the communication.

Also, the content filtering portion of OpenDNS has nothing to do with DNSCrypt; you don't need to sign up for their service or run an IP-updating client to let them know what your dynamic external IP is, that is completely separate. Also, the "Welcome to OpenDNS" page only lets you know your DNS requests are going to OpenDNS's servers; it doesn't indicate if it was an encrypted or unencrypted request. The response "Welcome" would be the same.

Hope that clears it up.

February 25, 2015, 07:30
Alexander Harrison
OpenDNS

In the context of DNSCrypt, Wireshark locally is a poor testing mechanism since you'd be able to see your DNS requests unencrypted as they are sent to the DNSCrypt proxy. Wireshark would be able to see the first local DNS request to the localhost; however, this information is not available to any other machine. 

DNS Request -> Open request to 127.0.0.1 -> Encrypted with DNSCrypt -> The Internet to OpenDNS: Encrypted.

DNS Reply -> Encrypted from OpenDNS -> DNSCrypt -> reply to browser -> URL is requested from the IP of the website that was returned from the DNS request. 

You've left out a word from the quote which I will reinsert: "...preventing any ^DNS^ spying, spoofing or man-in-the-middle attacks." Since DNS determines which server you're querying, having these requests encrypted prevents the wrong server from being contacted as a result of DNS spoofing. 

trininox's reply summarizes this quite well as well. 

February 25, 2015, 08:12
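
What a capture on the outbound interface should show, compared with the loopback hop described above (an added example, not part of the original thread). Interface names, addresses and payloads are constructed, and the opaque bytes only stand in for DNSCrypt ciphertext:

```python
import struct

def build_query(name, qid=0x1234):
    """Build a plaintext DNS A query (used only to construct sample packets)."""
    head = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return head + body + b"\x00" + struct.pack("!2H", 1, 1)

def plain_dns_qname(payload):
    """Return the queried name if payload parses as a plaintext DNS query, else None."""
    if len(payload) < 12:
        return None
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an or ns:
        return None  # not a standard query carrying exactly one question
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        label = payload[pos + 1:pos + 1 + n]
        if n > 63 or len(label) != n or not all(0x21 <= b < 0x7F for b in label):
            return None
        labels.append(label.decode("ascii"))
        pos += 1 + n
    # the root label and QTYPE/QCLASS must follow the name
    if not labels or pos + 5 > len(payload):
        return None
    return ".".join(labels)

LOOPBACK = {"lo", "lo0"}

def names_visible_on_wire(capture):
    """Names an on-path observer could read: plaintext DNS on non-loopback interfaces."""
    seen = []
    for iface, dst, dport, payload in capture:
        name = plain_dns_qname(payload)
        if name and iface not in LOOPBACK:
            seen.append((dst, dport, name))
    return seen

# Constructed sample data (not from a real capture).
OPAQUE = bytes((i * 73 + 151) % 256 for i in range(128))  # stand-in for ciphertext
WORKING = [("lo", "127.0.0.1", 53, build_query("debug.opendns.com")),
           ("eth0", "203.0.113.53", 443, OPAQUE)]
# Same host, but a second resolver path bypasses the local proxy.
BYPASSED = WORKING + [("eth0", "203.0.113.1", 53, build_query("example.com"))]

if __name__ == "__main__":
    print(names_visible_on_wire(WORKING))
    print(names_visible_on_wire(BYPASSED))
```

The loopback query is readable in both captures, which is the effect seen with a local Wireshark filter; only names that appear on the outbound interface indicate queries leaving the machine unprotected.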
jedisct1

The purpose of DNSCrypt is to *authenticate* your DNS queries, i.e. a 3rd party service such as OpenDNS can verify that a query comes from you before decrypting it, and you can verify that a response actually comes from this service. "crypt" stands for "crypto", not "encryption".

It would take more to make your DNS confidential. And in any case, this is not a VPN; it doesn't add any security or confidentiality to other protocols, such as the ones used by your web browser to load web pages. This includes HTTPS, which still has the name of the web site you are trying to reach unencrypted.

DNSCrypt doesn't do anything to prevent VPN services from leaking. When used in conjunction with a VPN service, you're now sharing what you do with your computer with two companies instead of one. If privacy is a concern, this is a pretty terrible idea.  From a usability point of view, this is also terrible since it can significantly slow down your connection, in addition to introducing an additional point of failure.

When using a VPN, use the DNS servers provided by your VPN provider (and check that these aren't servers operated by another company beforehand). That's the way to avoid leaks.

 

February 25, 2015, 08:21
rotblitz

@viking60
From what I read from you, I would think you're pretty much a layman when it comes to DNS.

Here are two good starter articles to understand the role of DNS in the context of internet connectivity, especially of web browsing:
http://igoro.com/archive/what-really-happens-when-you-navigate-to-a...
http://edusagar.com/articles/view/70/What-happens-when-you-type-a-U...

February 25, 2015, 09:14