Comments

6 comments

  • mattwilson9090

    I haven't seen any mention of it, but OpenDNS already supports DNSCrypt, which does the exact same thing, and has supported it for years.

    DNSCrypt can be configured so that it supports every device on your network, not just Android phones.

    I see no mention of other DNS providers who use this protocol, which may be proprietary to Google. It didn't say, but certainly those other ISPs would either need to write their own DNS stack or create specialized software to do this for them. It certainly doesn't appear to be ratified by one of the standards bodies, such as IEEE.

    Frankly, this sounds like just one more way for Google to get people to use their servers so that they can further monitor what people are doing on the internet, and then sell that data for advertising purposes.

    Bottom line, if you want encrypted DNS queries today, use DNSCrypt.

  • barbaric.eric

    From what I've read since posting that question, it looks like DNSCrypt is a little better. But this new thing is supposedly supported by default by OpenDNS already due to using TCP on port 53. Dunno if that's true, but random internet guy said so.

  • mattwilson9090

    Well, I don't take the word of random internet guys unless they can refer me to something that backs up their claims.

    It's entirely possible that Google's protocol incorporates DNSCrypt or is compatible with it, but I can't see OpenDNS (or Cisco) explicitly supporting it or changing things to support it while it remains a Google only protocol.

    Frankly, this is the first I've ever heard of this protocol, and I can't see the point in it if it's only for Android. I have many other types of devices I need to support, and I'm not going to use a different one for each type of device.

  • rotblitz

    "using TCP on port 53"

    Every DNS service in the world supports TCP (and UDP) over port 53. They must, because a UDP packet could not hold the complete message, so a "fall-back" to TCP is needed. OpenDNS also supports UDP and TCP over ports 443 and 5353. And it supports DNSCrypt, which can be used for UDP and TCP and for all ports: 53, 443 and 5353.
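
The framing rotblitz is describing, as an added example that is not part of any comment in this thread: a DNS query in wire format, the 2-byte length prefix that both TCP (port 53) and TLS (port 853) transports use, and the TC (truncated) flag that tells a client a UDP reply did not fit and must be repeated over a stream transport. All messages below are constructed inline; `query_over_tls` is the only function that touches the network, and the resolver address and TLS authentication name it takes are placeholders you supply.

```python
"""Added example (not from the thread): DNS message framing and the UDP -> TCP
fall-back that rotblitz describes. All sample messages are constructed inline."""
import socket
import ssl
import struct

CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP payload limit without EDNS; larger answers set TC


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1) with one question; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """Over TCP (port 53) and TLS (port 853) every message carries a 2-byte
    big-endian length prefix; the framing is identical for both transports."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> list:
    """Split a byte stream into complete DNS messages; a trailing partial message is left out."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header; TC is the truncation flag (bit 9 of the flags word)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes) -> bool:
    """A UDP reply with TC=1 did not fit the datagram limit; the client must repeat
    the query over TCP (or TLS) to get the full answer."""
    return parse_header(udp_response)["tc"]


def make_udp_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed server reply used for testing: echoes the question section and
    sets QR/RD/RA (0x8180), plus TC when the server had to cut the answer."""
    (txid,) = struct.unpack("!H", query[:2])
    flags = 0x8180 | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (recv may return short reads)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(server_ip: str, auth_name: str, name: str, port: int = 853) -> bytes:
    """Send one query over DNS-over-TLS (RFC 7858) and return the raw reply.
    The server certificate is validated against auth_name with the default trust
    store. Needs network access, so it is only exercised from main()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


if __name__ == "__main__":
    q = build_query("example.com")
    print("query bytes:", len(q), "framed:", len(frame_tcp(q)))
    print("TC set on truncated reply:", needs_tcp_retry(make_udp_reply(q, True)))
    # Real lookup (placeholders): query_over_tls("<resolver IP>", "<TLS auth name>", "example.com")
```

The point to take from it: the port number is the only thing that distinguishes plain TCP DNS from DNS-over-TLS at the framing level, so a resolver "supporting TCP on port 53" says nothing about whether it also offers an encrypted listener on 853.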

  • mattwilson9090

    A follow-up to this. I was just listening to this week's episode of Steve Gibson's Security Now webcast (#634) when he talked about this for a few minutes.

    It turns out this was ratified by the IETF as an RFC in May of 2016. The default protocol is 853, but it doesn't sound like anyone has released DNS servers or clients that can make use of it. Apparently Google's version is only in beta code for inclusion into a future Android release.

    Essentially the same functionality as DNSCrypt, though it sounds like it might be susceptible to man-in-the-middle attacks if the client has not previously communicated with the server in question. I don't know how that compares to DNSCrypt.

    In the future I suspect OpenDNS might add support for this, or potentially DNSCrypt will be updated by dnscrypt.org to incorporate or be compatible with this protocol. Or perhaps even deprecated in favor of the RFC standard. If DNSCrypt is changed I'm sure that at some point OpenDNS will support the newer version.

    Basically, nothing to be concerned about right now. If you want privacy (encryption) of your DNS traffic today, you should use DNSCrypt.

  • jedisct1 (Edited)

    Implementations didn't wait for an RFC to implement DNS-over-TLS. Unbound has supported it since 2011.

    There is also a great multi-platform user interface that supports DNS-over-TLS and local DNSSEC validation: dnssec-trigger (https://nlnetlabs.nl/projects/dnssec-trigger/). It's been available since 2011 as well.

    The only thing that changed with the RFC is the port number, which was changed from 443 to 853.

    DNS-over-TLS is not "susceptible to man-in-the-middle attacks". Stubby (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby), the modern reference implementation, requires a hash of the certificate in the configuration file to "pin" it. So, middleboxes cannot eavesdrop on the traffic by serving their own certificate.

    Tenta DNS supports DNS-over-TLS: https://tenta.com/blog/post/2017/12/dns-over-tls-vs-dnscrypt

    Quad9 supports DNS-over-TLS: https://www.quad9.net/

    Verisign supports it. And the list goes on.

    None of these new players support DNSCrypt. Meanwhile, big names like Yandex abandoned it. It's pretty obvious that DNS-over-TLS is what everybody should use now, even though DNS-over-QUIC may eventually supersede it.
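
The pinning check jedisct1 refers to, as an added example that is not part of any comment here and not Stubby's own code: a client that extracts the SubjectPublicKeyInfo from the upstream's DER certificate, hashes it, and compares the result with a configured pinset. The pin format (base64 of the SHA-256 of the DER SPKI) is the one RFC 7469 defines and Stubby's `tls_pubkey_pinset` expects. The certificate used in the test is a constructed, cert-shaped DER structure rather than a real certificate; `fetch_dot_cert` is the only function that needs the network, and its resolver address and authentication name are placeholders.

```python
"""Added example (not from the thread or Stubby's code): SPKI pinning for a
DNS-over-TLS upstream. Pin = base64(sha256(DER SubjectPublicKeyInfo)).
The certificate used for testing is a constructed DER stand-in, not a real cert."""
import base64
import hashlib
import socket
import ssl


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value (used to build the constructed fixture)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def _der_read(buf: bytes, pos: int):
    """Read one TLV at pos; returns (tag, value, next_pos). Handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value: bytes) -> list:
    """Return [(tag, raw_tlv)] for the elements directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        tag, _, pos = _der_read(value, pos)
        out.append((tag, value[start:pos]))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo from an X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = _der_read(cert_der, 0)
    tbs_tag, tbs_body, _ = _der_read(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = _der_children(tbs_body)
    if fields and fields[0][0] == 0xA0:      # explicit [0] version is optional
        fields = fields[1:]
    # order after version: serial, signature, issuer, validity, subject, spki
    return fields[5][1]


def spki_pin(spki_der: bytes) -> str:
    """base64(sha256(SPKI)): the RFC 7469 pin format, also used by Stubby's pinset."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(cert_der: bytes, pinset) -> bool:
    """True when the leaf certificate's key matches a configured pin. A middlebox
    serving its own certificate has a different key, so its pin does not match."""
    return spki_pin(extract_spki(cert_der)) in set(pinset)


def build_fake_cert(spki_der: bytes) -> bytes:
    """Constructed, cert-shaped DER for tests only (unsigned, not a valid certificate)."""
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # [0] version v3
        der_tlv(0x02, b"\x01"),                  # serialNumber
        der_tlv(0x30, b""),                      # signature algorithm (empty placeholder)
        der_tlv(0x30, b""),                      # issuer (empty placeholder)
        der_tlv(0x30, b""),                      # validity (empty placeholder)
        der_tlv(0x30, b""),                      # subject (empty placeholder)
        spki_der,                                # subjectPublicKeyInfo
    ]))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


def fetch_dot_cert(server_ip: str, auth_name: str, port: int = 853) -> bytes:
    """Fetch the DER leaf certificate presented on port 853 (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    spki = der_tlv(0x30, b"\x01\x02\x03")      # constructed stand-in for a real SPKI
    cert = build_fake_cert(spki)
    print("pin:", spki_pin(spki), "match:", pin_matches(cert, [spki_pin(spki)]))
    # Real use (placeholders): pin_matches(fetch_dot_cert("<resolver IP>", "<auth name>"), ["<pin>"])
```

Pinning the key rather than the whole certificate is what makes the check survive routine certificate renewals with the same key, while still rejecting a certificate minted by an interposed device; the matching `spki_pin` value is what an operator would copy into the pinset of the stub resolver's configuration.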
