Forums/OpenDNS Community/DNSCrypt

Answered

DNSCRYPT

dogman514
asked this on June 7, 2013, 21:41

Is there going to be a DNSCrypt for Android tablets? If so, when? I hate going on the net without it.


Comments

treyarch

They have not updated the computer version, so it may be a while before we see it on mobile. You should open a support ticket to know for sure.

June 9, 2013, 10:46
jedisct1
Check Answer

dnscrypt has been available for Android for a long time.

Just like the iOS version requires a jailbroken device, a rooted device is required for Android.

Pre-packaged binaries are available for download here: http://dnscrypt.org

If your device is rooted and you're familiar with adb, give it a spin.

Opening an OpenDNS support ticket doesn't help. I don't receive these tickets, and neither do the people who have developed user interfaces, servers or packages for dnscrypt.


June 9, 2013, 13:48
stephenbush

The dnscrypt-proxy for Linux stopped working for me. It apparently runs, but all queries fail, on version 1.2.1 and now 1.3.1.

June 11, 2013, 16:39
stephenbush

Perfect timing... right after posting, it is working again. I'm going to blame the work done on the Chicago node (closest).

June 11, 2013, 16:48
myodns120222

Is there a way to install DNSCrypt for Ubuntu 13.04?


August 24, 2013, 08:57
rotblitz

Yes, sure, there's a Linux version. http://dnscrypt.org/

August 24, 2013, 14:42
jedisct1
August 24, 2013, 18:32
myodns120222

@rotblitz I have checked that already, but for some reason I could not complete "make"; it fails with the error: make: *** No targets specified and no makefile found.  Stop.

I'll see that again. Thank you.

August 24, 2013, 23:59
myodns120222

@jedisct1 I'll check that also - Thank you very much.


August 25, 2013, 00:01
vance

DNSCrypt for iOS? Is it available for a non-jailbroken iPad/iPhone?
May 21, 2014, 09:04
jedisct1

Jailbreak is required.

May 21, 2014, 09:09
happeness

Warning:

The site (http://dnscrypt.org) is a suspicious one. It doesn't use a prefix (https) on its main page, which means that the connection with the site is encrypted for the surfer with https; the site (http://dnscrypt.org) also doesn't use https on the download page (http://download.dnscrypt.org/dnscrypt-proxy/):

DNScrypt-proxy.exe contains threat WS.Reputation.1
libsodium-4.dll contains threat WS.Reputation.1
libldns-1.dll contains threat WS.Reputation.1
hostip.exe contains threat WS.Reputation.1

And the DNS encryption files are from an unknown creator, with an unidentified certificate and no digital signature, as well as the alleged file encryption that was downloaded.

My computer defenses (Norton 360, Bitdefender Total Security 2014, Kaspersky Internet Security 2014) all exposed and deleted those files immediately.
How could a site offering security and encryption be a threat!
That site and its encrypted DNS files are a trap for whoever is looking to secure and encrypt their important information away from ISP monitoring, man-in-the-middle, snooping, hackers, digital criminals, and government information collecting agencies.

June 7, 2014, 02:56
trininox

I understand you're using Windows, so I can't speak toward the presence of any of these "threats" reported by various "security" software. I only use DNSCrypt with Linux.
Are you familiar with GitHub and open-source software? You can feel free to look at the source and even go the next step and compile it for yourself if you suspect the provided Win32 binaries.
https://github.com/jedisct1/dnscrypt-proxy
https://github.com/opendns

As for the errors you get, they are not based on fact, but on assumption and/or reputation.
http://community.norton.com/t5/Norton-Internet-Security-Norton/Clar...

"WS.Reputation.1 is a reputation-based detection. When our reputation technology encounters a brand-new file (including items you might create on your own), it relies on a number of factors to determine reputation. We use all of these factors to ensure we can provide the maximum protection for users while preventing false positives. "Newness" is only one factor we use."

Just because the file creator is "unknown", the file is fairly "new" if it's a recent version, etc., these facts make it suspect by this reputation judgement and produce a false positive. I repeat: false positive.

Thanks,

June 30, 2014, 11:40
viking60

DNSCrypt does not encrypt on Linux! I have it on Manjaro and Arch and every check indicates a working install.

[code]~/ drill txt debug.opendns.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 37057
;; flags: qr rd ra ; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; debug.opendns.com. IN TXT

;; ANSWER SECTION:
debug.opendns.com. 0 IN TXT "server 11.lon"
debug.opendns.com. 0 IN TXT "flags 20 0 2F6 1950000000000000000"
debug.opendns.com. 0 IN TXT "originid 8211015"
debug.opendns.com. 0 IN TXT "actype 2"
debug.opendns.com. 0 IN TXT "bundle 3094915"
debug.opendns.com. 0 IN TXT "source 80.203.39.216:62968"
debug.opendns.com. 0 IN TXT "dnscrypt enabled (71447764594D3377)"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 54 msec
;; EDNS: version 0; flags: ; udp: 4096
;; SERVER: 127.0.0.1
;; WHEN: Wed Feb 25 12:35:03 2015
;; MSG SIZE rcvd: 283[/code]

When I check the connection with Wireshark, it turns out that I can read the content of the sites I am surfing.

Details here:

http://bjoernvold.com/forum/viewtopic.php?f=11&t=1921#p19958


So I am not sure what Dnscrypt is good for at this point?

February 25, 2015, 03:52
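One way to run the debug.opendns.com check viking60 performs with drill from a script, as an added example that is not part of this thread or of the dnscrypt-proxy project: it builds the TXT query by hand, parses the reply and reports whether the "dnscrypt enabled" record came back. It assumes dnscrypt-proxy listens on 127.0.0.1:53 (pass ("::1", 53) for an IPv6 listener); build_txt_response only fabricates a reply so the parser can be exercised offline.

```python
import socket
import struct

TXT = 16  # DNS RR type TXT

def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query for TXT <name>, recursion desired, no EDNS."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", TXT, 1)

def _skip_name(msg: bytes, off: int) -> int:
    while True:                        # walk labels until the root or a compression pointer
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # pointer is 2 bytes and ends the name
            return off + 2
        off += 1 + ln

def parse_txt_answers(msg: bytes) -> list:
    """Return the TXT strings in the answer section; [] if rcode is not NOERROR."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE/QCLASS
    strings = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT:                        # RDATA = sequence of <len><chars>
            i, parts = 0, []
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
            strings.append("".join(parts))
    return strings

def dnscrypt_status(txts: list) -> dict:
    """Summarise debug.opendns.com: which OpenDNS site answered and whether the query arrived over DNSCrypt."""
    status = {"server": None, "dnscrypt": False}
    for t in txts:
        if t.startswith("server "):
            status["server"] = t.split(" ", 1)[1]
        elif t.startswith("dnscrypt enabled"):
            status["dnscrypt"] = True
    return status

def query_local_proxy(addr: tuple = ("127.0.0.1", 53), timeout: float = 3.0) -> dict:
    """Send the check through the local proxy (assumed listener); only this hop to localhost is in the clear."""
    fam = socket.AF_INET6 if ":" in addr[0] else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query("debug.opendns.com"), addr)
        data, _ = s.recvfrom(4096)
    return dnscrypt_status(parse_txt_answers(data))

def build_txt_response(query: bytes, strings: list) -> bytes:
    """Constructed reply for offline testing: echoes the question, one TXT RR per string, name compressed."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(strings), 0, 0)
    rrs = b""
    for s in strings:
        rdata = bytes([len(s)]) + s.encode()
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 0, len(rdata)) + rdata
    return header + query[12:] + rrs
```

Run query_local_proxy() on the machine running dnscrypt-proxy; a result with "dnscrypt": False means the query reached OpenDNS over plain port 53.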
Alexander Harrison
OpenDNS

viking60, note that DNSCrypt is a DNS encryption tool and will encrypt only DNS. If you're looking for a full tunnel encryption tool, consider using a VPN service. 

February 25, 2015, 06:17
viking60

Hm I do have some problems here. What exactly does:

"...to prevent DNS snooping, spoofing, and other man-in-the-middle attacks. It does this by completely encrypting the DNS traffic to and from a user's computer and the OpenDNS servers"

mean?

What is "DNS traffic" in this context?

I filtered "dns" in Wireshark and could see the content I was surfing, so that apparently is not encrypted. I could also see the web address I was surfing, so that is not encrypted either.

So I simply thought DnsCrypt did more than it actually does I guess. 

 "...preventing any spying, spoofing or man-in-the-middle attacks."  made me think that the data would be encrypted in wireshark.


February 25, 2015, 07:08
trininox

I can't be entirely sure how your DNSCrypt is set up or how you're examining your network traffic, but if you run Wireshark on the same machine as dnscrypt and have it set up in such a way, it could be that you see the unencrypted request going to the DNSCrypt proxy before it's encrypted and sent across the wire. I haven't tested it, but I imagine I could probably see this because I use a local copy of unbound as my DNS server and it forwards uncached requests to the proxy client. It could also be (I can't speak to how your distro works), but on Ubuntu, which comes with DNSmasq, you could be inadvertently bypassing DNSCrypt's proxy.

That said, DNSCrypt, as stated, is only meant to protect and hide your DNS request; once you're requesting data from a website, that traffic source would be apparent, although possibly encrypted also if it's HTTPS. DNSCrypt would only be a safeguard as part of a VPN solution, as a preventative measure against leaking your real IP via DNS requests outside the VPN.

To summarize for any lay person coming across this: when a website "google.com" is requested, your browser requests the IP address of the web server; this request and response is "DNS traffic" (standard unencrypted port 53). Once the browser has the IP address it switches to HTTP (standard unencrypted port 80) and requests data from the web server. That's the simplest version of it. So DNSCrypt is meant to ensure the IP you get back from a trusted DNS server is the correct IP for the website you're requesting, keeping anyone from intercepting and replying with a bogus IP (man-in-the-middle, spoofing); as a side effect it also stops anyone from knowing what website you requested based solely on DNS traffic (snooping). However, only a VPN will hide the traffic from the website portion of the communication.

Also, the content filtering portion of OpenDNS has nothing to do with DNSCrypt; you don't need to sign up for their service or run an IP-updating client to let them know what your dynamic external IP is, that is completely separate. Also, the "Welcome to OpenDNS" page only lets you know your DNS requests are going to OpenDNS's servers; it doesn't indicate if it was an encrypted or unencrypted request. The response "Welcome" would be the same.

Hope that clears it up.

February 25, 2015, 07:30
Alexander Harrison
OpenDNS

In the context of DNSCrypt, Wireshark locally is a poor testing mechanism since you'd be able to see your DNS requests unencrypted as they are sent to the DNSCrypt proxy. Wireshark would be able to see the first local DNS request to the localhost; however, this information is not available to any other machine. 

DNS Request -> Open request to 127.0.0.1 -> Encrypted with DNSCrypt -> The Internet to OpenDNS: Encrypted.

DNS Reply -> Encrypted from OpenDNS -> DNSCrypt -> reply to browser -> URL is requested from the IP of the website that was returned from the DNS request. 

You've left out a word from the quote which I will reinsert: "...preventing any ^DNS^ spying, spoofing or man-in-the-middle attacks." Since DNS determines which server you're querying, having these requests encrypted prevents the wrong server from being contacted as a result of DNS spoofing. 

trininox's reply summarizes this quite well as well. 

February 25, 2015, 08:12
jedisct1

The purpose of DNSCrypt is to *authenticate* your DNS queries, i.e. a 3rd party service such as OpenDNS can verify that a query comes from you before decrypting it, and you can verify that a response actually comes from this service. "crypt" stands for "crypto", not "encryption".

It would take more to make your DNS confidential. And in any case, this is not a VPN; it doesn't add any security or confidentiality to other protocols, such as the ones used by your web browser to load web pages. This includes HTTPS, which still has the name of the web site you are trying to reach unencrypted.

DNSCrypt doesn't do anything to prevent VPN services from leaking. When used in conjunction with a VPN service, you're now sharing what you do with your computer with two companies instead of one. If privacy is a concern, this is a pretty terrible idea.  From a usability point of view, this is also terrible since it can significantly slow down your connection, in addition to introducing an additional point of failure.

When using a VPN, use the DNS servers provided by your VPN provider (and check that these aren't servers operated by another company beforehand). That's the way to avoid leaks.


February 25, 2015, 08:21
rotblitz

@viking60
From what I read from you, I would think you're pretty much a layman when it comes to DNS.

Here are two good starter articles to understand the role of DNS in the context of internet connectivity, especially of web browsing:
http://igoro.com/archive/what-really-happens-when-you-navigate-to-a...
http://edusagar.com/articles/view/70/What-happens-when-you-type-a-U...

February 25, 2015, 09:14
cypher42

Hi there. Pardon my noob question, but I just downloaded DNSCrypt for Mac OS X (I have Lion 10.7.5, btw), and I am not sure which file to run or how to install it. The installer folder has mostly a bunch of plists, a scripts folder, and an executable file that is giving me this error message: "There is no application set to open the document “DNSCrypt-OSX-Installer.pkgproj”." Not sure what any of those files are, what they do, or why the executable won't run. Should I be using the Meta installer version instead? Halps! Cool, thanks ;)

March 13, 2015, 01:18
cypher42

OK, really quick: I tried the executable file in the Meta Installer folder and got the same error. Not sure how to install this on my machine! :/

March 13, 2015, 01:19
jedisct1

The documentation at https://github.com/alterstep/dnscrypt-osxclient says:

Download dnscrypt-osxclient-1.0.5.dmg for OSX 10.8 (Snow Leopard), OSX 10.9 (Mavericks) and OSX 10.10 (Yosemite).


This is the link to the installer (what you downloaded is the source code of a user interface). But OSX Lion is not supported.

March 13, 2015, 01:25
cypher42

Also, one last question, I promise! I am having the same problem with being unsure of how to install/run the DNSCrypt diagnostic app on my machine (OSX Lion 10.7.5) either (from this link: https://github.com/opendns/diagnosticapp/tree/master/mac ). I am a noob that just started school as a securities analyst, but I am VERY new, and am still used to just clicking on executables and having them download and run on their own. This download process seems more involved than I am used to, and I am not sure if I need a compiler or something else to install/run this app. If someone can just tell me which files to open/install and how to run both DNSCrypt and the diagnostic app (as OpenDNS doesn't explain much), I would be very grateful ;) thx again - Petra

March 13, 2015, 01:31
cypher42

@jedisct1 - Rats. Of course it has to be my version that isn't supported too. I don't think I can upgrade anymore on my 2010 machine, but I might try. Thanks so much for answering my question either way ;) Cheers - P

March 13, 2015, 02:48
cypher42

@jedisct1 - AH! I just thought of something... Can you suggest another encryption client that I can use to encrypt the traffic from my IP to the OpenDNS server? Or in other words, a suitable replacement for DNSCrypt for Mac? I am not even sure what to call it in order to search Google for other options... Awesome, thanks again ;) - Petra

March 13, 2015, 03:18
rotblitz

"as OpenDNS doesn't explain much"

Sure, this DNSCrypt client side program is not from OpenDNS.  OpenDNS just supports the server side.

"Can you suggest another encryption client that I can use to encrypt the traffic from my IP to OpenDNS server ?"

I'm not aware of an alternative current DNSCrypt client program.  The others are early outdated preview versions.

"Or in other words, a suitable replacement for DNSCrypt for Mac ?"

Yes, the dnscrypt-proxy for Linux, Windows, iOS, Android or OSX 10.8+.  If your router runs under one of those OSes, then even there.

"I am not even sure what to call it in order to search Google for other options…"

https://startpage.com/do/search?q=%2Bdnscrypt+proxy+client+program

March 13, 2015, 03:55
jedisct1

Keep in mind that DNSCrypt is not a privacy tool.

Your DNS traffic is still identifiable. Your IP is still the same. If used with OpenDNS, all your queries are still being logged. Your real IP will still be leaked to common authoritative servers. "Crypt" in DNSCrypt stands for "Crypto", not encryption.

The main purpose of DNSCrypt is to *authenticate* the traffic, i.e. OpenDNS can check that a query actually came from you and you can check that responses actually came from OpenDNS (or whatever DNSCrypt-enabled provider you chose).

March 13, 2015, 04:18
Alexander Harrison
OpenDNS

While it is a 3rd party download at this time, the older version 0.19 would be compatible with 10.7 Lion (the Alterstep fork incorrectly reports 10.8 as Snow Leopard when it's really Mountain Lion). This version would work on your version and it's the original OpenDNS Technical Preview of DNSCrypt. It can be found from the link at the bottom of https://www.privateinternetaccess.com/forum/discussion/4061/how-to-... on the 3rd party source.

March 13, 2015, 05:44
opendns

How does one secure IPv6 DNS requests on Windows 7? I have installed the latest DNSCrypt (1.4.3) from GitHub. I tested it, then installed it as a service, and confirmed that LocalAddress is set to the localhost address:port (127.0.0.1:53) and ResolverName to opendns-ipv6. I set the Windows IPv4 adapter preferred DNS setting to the IPv4 address 127.0.0.1, and confirmed that setting with ipconfig /all. So far, so good.

However, setting the IPv6 adapter preferred DNS setting to the IPv6 localhost address of ::1 (as described in various how-to articles on the web) fails. In a command prompt window "nslookup google.com" returns "Server UnKnown  Address ::1". It won't even fall back to IPv4.

The only way I can get a result is to set the IPv6 adapter preferred DNS setting to "fec0:0:0:ffff::1%1". nslookup then uses 1.0.0.127.in-addr.arpa at 127.0.0.1 rather than a real IPv6 address.


March 16, 2015, 07:59
rotblitz

Setting the local address to 127.0.0.1:53 for the dnscrypt-proxy and configuring ::1 as the adapter DNS address cannot work.  These must be consistent.

Therefore, as from http://dnscrypt.org/:

[code]dnscrypt-proxy --local-address='[::1]:53'[/code]

Consequently, you must set the local adapter address to [::1] as well then.

As you run dnscrypt-proxy as service, you must configure the parameters in the registry, as explained at
https://github.com/jedisct1/dnscrypt-proxy/blob/master/README-WINDO...

March 16, 2015, 10:19
opendns

So it is not possible to protect both IPv4 and IPv6 simultaneously?

There are any number of tutorials that direct one to change both IPv4 and IPv6 adapter settings to their respective localhost addresses with no mention of changing the registry to suit, which led me to believe dnscrypt was capable of handling both. E.g.:

http://thepileof.blogspot.ca/2012/03/using-encrypted-dns-with-windo...

http://www.maketecheasier.com/encrypt-dns-traffic-windows/

http://blog.qresolve.com/blog/2014/12/31/all-you-need-to-do-to-encr...

March 16, 2015, 16:09
rotblitz

"So it is not possible to protect both IPv4 and IPv6 simultaneously?"

It is easily possible.  Did I say it was not?  No!

If you want to use the dnscrypt-proxy for both, IPv4 and IPv6, then you must run two instances of it, one handling IPv4 and one handling IPv6.  For example:

[code]dnscrypt-proxy --local-address=127.0.0.1:53 --resolver-name=opendns
dnscrypt-proxy --local-address=[::1]:53 --resolver-name=opendns-ipv6[/code]

"There are any number of tutorials that direct one to change both IPv4 and IPv6 adapter settings to their respective localhost addresses with no mention of changing the registry to suit, which led me to believe dnscrypt was capable of handling both."

What, the dnscrypt-proxy handling your adapter settings?  In no way!  This would be a bad idea and would take away any flexibility for doing what you want to do.  For example, I use my computer's internal IP address 192.168.2.11 as the local address, not localhost 127.0.0.1.  This allows me to use my computer as DNS server for the whole network, which again allows using the dnscrypt-proxy for all devices via my computer.

If you run the dnscrypt-proxy as a Windows service, you must specify the command line parameters in the registry instead, because with a Windows service you don't have a command line to specify parameters.  And dnscrypt-proxy cannot handle these parameters automatically, because it cannot know what you want.  So if you don't specify anything, it takes its defaults.

Also, if you want to cover both, IPv4 and IPv6, and you run two instances of dnscrypt-proxy therefore, only one instance can run as Windows service.  The other instance must be started by other means, e.g. by the Task Scheduler, from the Startup folder, or from a Run registry entry.

March 17, 2015, 04:07
opendns

Thanks for the information. Hopefully a future version will be capable of listening to both stacks. For now, I may just leave this laptop configured as it is (which is kludgy but works) and see if I can get 2 instances of dnscrypt running on my router at home.

March 17, 2015, 17:23
opendns

I'm still beating myself about the head with this. I did successfully install DNSCrypt on my home router -- but it breaks IPv6 connectivity. I uninstalled it for now and went back to trying to install a second instance on this laptop.

I created a .bat file in Startup consisting of the line

[code]C:\Progra~1\DNSCrypt\dnscrypt-proxy --local-address=[::1]:53 --resolver-name=opendns-ipv6[/code]

That fails, the error being that it cannot find the .csv file. However, I can run the command from a command prompt from within the DNSCrypt directory. When I do, it seems to work, in that it generates a new key pair, gets a valid certificate and announces that it is proxying from [::1]:53.

OK, time to set the adapter DNS settings in properties. However, if I attempt to change the IPv6 DNS setting to [::1]:53, I get an error message that "The network address entered is invalid", and it refuses to accept it. I also tried [::1]#53, 0:0:0:0:0:0:0:0:1:53, ::1#53, and 0:0:0:0:0:0:0:0:1#53. It will accept any variation of [::1] -- i.e. no port specified. However, when I do that, Windows ignores the running proxy and uses the router's IP for DNS (according to ipconfig /all).

Any more suggestions? Apparently you should use small words and short sentences 'cause I'm just not getting this at all! :(

March 24, 2015, 15:19
rotblitz

"That fails, the error being that it cannot find the .csv file."

I do not know what the dnscrypt-proxy default is for searching the .csv file, but it is the program directory and/or the current directory.  You may try it out.

If the program cannot find this file, you add the parameter

[code]--resolvers-list=<file>[/code]

where you specify the path to and name of the .csv file, as documented at http://dnscrypt.org/ too.

"Ok, time to set the adapter dns settings in properties."

Port settings in the adapter?  Never ever, for nothing!  You do not and cannot specify a port.  Port 53 is default for DNS anyway. 
And brackets are not to be used here either.
You simply enter:  ::1

March 25, 2015, 03:42
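A small checker for the two mistakes worked through above (a proxy listening on one address family while the adapter points at the other, so two instances are needed, and a port or brackets typed into the adapter DNS field), written as an added example rather than anything from the thread or the dnscrypt-proxy project; the function and message names are my own, and the sample addresses are the ones from rotblitz's two commands.

```python
import ipaddress

def parse_local_address(value: str) -> tuple:
    """Parse a dnscrypt-proxy --local-address value: 127.0.0.1:53, [::1]:53 or a bare address (port 53)."""
    if value.startswith("["):                       # [IPv6]:port
        host, _, rest = value[1:].partition("]")
        port = rest.lstrip(":") or "53"
    elif value.count(":") == 1:                     # IPv4:port
        host, _, port = value.partition(":")
    else:                                           # bare IPv4 or bare IPv6
        host, port = value, "53"
    return ipaddress.ip_address(host), int(port)

def adapter_entry_problems(entry: str) -> list:
    """Explain why Windows rejects an adapter DNS entry: it must be a bare address, no brackets, no port."""
    problems, core = [], entry
    port_msg = "a port suffix is not valid here; port 53 is implied"
    if "#" in core:                                 # ::1#53 (dig/BIND style)
        core = core.partition("#")[0]
        problems.append(port_msg)
    if core.startswith("["):                        # [::1]:53 or [::1]
        core, _, rest = core[1:].partition("]")
        problems.append("brackets are not valid in an adapter DNS entry")
        if rest.lstrip(":").isdigit():
            problems.append(port_msg)
    try:
        ipaddress.ip_address(core)
    except ValueError:
        head, _, tail = core.rpartition(":")        # 127.0.0.1:53 or 0:0:0:0:0:0:0:0:1:53
        if tail.isdigit():
            problems.append(port_msg)
            core = head
        try:
            ipaddress.ip_address(core)
        except ValueError:
            problems.append(f"{core!r} is not a valid IP address")
    return problems

def stack_coverage(local_addresses: list, adapter_entries: list) -> dict:
    """Map each adapter DNS entry to 'covered' (an instance listens on exactly that address, port 53) or why not.

    Windows runs only one dnscrypt-proxy instance as a service; a second listener (the other
    address family) has to be started another way, as rotblitz describes above."""
    listening = {parse_local_address(v) for v in local_addresses}
    report = {}
    for entry in adapter_entries:
        problems = adapter_entry_problems(entry)
        if problems:
            report[entry] = "rejected: " + "; ".join(problems)
            continue
        ip = ipaddress.ip_address(entry)
        report[entry] = "covered" if (ip, 53) in listening else f"no proxy listens on {ip} port 53"
    return report
```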
opendns

Ok, I'll try that, thanks!

March 25, 2015, 07:50