Comments

9 comments

  • mattwilson9090

    I haven't seen any mention of it, but OpenDNS already supports DNSCrypt, which does the exact same thing, and has supported it for years.

    DNSCrypt can be configured so that it supports every device on your network, not just Android phones.

    I see no mention of other DNS providers who use this protocol, which may be proprietary to Google. It didn't say, but certainly those other ISPs would either need to write their own DNS stack or create specialized software to do this for them. It certainly doesn't appear to be ratified by one of the standards bodies, such as IEEE.

    Frankly, this sounds like just one more way for Google to get people to use their servers so that they can further monitor what people are doing on the internet, and then sell that data for advertising purposes.

    Bottom line, if you want encrypted DNS queries today, use DNSCrypt.

  • barbaric.eric

    From what I've read since posting that question, it looks like DNSCrypt is a little better. But this new thing is supposedly supported by default by OpenDNS already due to using TCP on port 53. Dunno if that's true, but random internet guy said so.

  • mattwilson9090

    Well, I don't take the word of random internet guys unless they can refer me to something that backs up their claims.

    It's entirely possible that Google's protocol incorporates DNSCrypt or is compatible with it, but I can't see OpenDNS (or Cisco) explicitly supporting it or changing things to support it while it remains a Google only protocol.

    Frankly, this is the first I've ever heard of this protocol, and I can't see the point in it if it's only for Android. I have many other types of devices I need to support, and I'm not going to use a different one for each type of device.

  • rotblitz

    "using TCP on port 53"

    Every DNS service in the world supports TCP (and UDP) over port 53. They must, because a UDP packet could not hold the complete message, so a "fall-back" to TCP is needed. OpenDNS also supports UDP and TCP over ports 443 and 5353. And it supports DNSCrypt, which can be used for UDP and TCP and for all ports, 53, 443 and 5353.

  • mattwilson9090

    A follow-up to this. I was just listening to this week's episode of Steve Gibson's Security Now webcast (#634) when he talked about this for a few minutes.

    It turns out this was ratified by the IETF as an RFC in May of 2016. The default protocol is 853, but it doesn't sound like anyone has released DNS servers or clients that can make use of it. Apparently Google's version is only in beta code for inclusion into a future Android release.

    Essentially the same functionality as DNSCrypt, though it sounds like it might be susceptible to man-in-the-middle attacks if the client has not previously communicated with the server in question. I don't know how that compares to DNSCrypt.

    In the future I suspect OpenDNS might add support for this, or potentially DNSCrypt will be updated by dnscrypt.org to incorporate or be compatible with this protocol. Or perhaps even deprecated in favor of the RFC standard. If DNSCrypt is changed I'm sure that at some point OpenDNS will support the newer version.

    Basically, nothing to be concerned about right now. If you want privacy (encryption) of your DNS traffic today, you should use DNSCrypt.
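
The two technical points raised above, the TCP fallback on port 53 (rotblitz) and DNS over TLS on port 853 (the RFC mattwilson9090 mentions), share one detail: both carry the DNS message with a 2-byte length prefix, and DoT simply puts that framed message inside a verified TLS session. The example below is added here and is not code from any commenter or from OpenDNS, Quad9 or Google. It builds a wire-format query, frames it, parses an A-record answer from a constructed (not captured) response, and includes a live DoT lookup function whose resolver IP, port and certificate name (9.9.9.9, 853, dns.quad9.net) are assumptions for illustration.

```python
"""Added example: DNS message framing for TCP/DoT and a certificate-verified DoT query."""
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format query for `name`, QTYPE A (1) by default, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """TCP transport prefixes each DNS message with its 2-byte length (RFC 1035 4.2.2).
    This is the framing the 'fall back to TCP' path uses, and DoT on 853 reuses it."""
    return struct.pack("!H", len(msg)) + msg


def parse_name(data: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_a_answers(msg: bytes) -> list:
    """Return the IPv4 addresses found in the answer section of a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def query_over_tls(name: str, server_ip: str, server_name: str, port: int = 853) -> list:
    """DNS over TLS: the same framed message, sent inside a verified TLS session.
    `server_name` must match the resolver's certificate (assumed: dns.quad9.net for
    9.9.9.9); if it does not, the handshake fails, which is the check that closes the
    man-in-the-middle gap discussed in this thread. Needs network access."""
    ctx = ssl.create_default_context()  # chain and hostname verification are on by default
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(build_query(name)))
            (length,) = struct.unpack("!H", tls.recv(2))
            resp = b""
            while len(resp) < length:
                chunk = tls.recv(length - len(resp))
                if not chunk:
                    raise ConnectionError("resolver closed the connection early")
                resp += chunk
    return parse_a_answers(resp)


# Constructed response, not captured from a real resolver: answers the example.com
# A query with 93.184.216.34 and uses a name pointer (0xC00C) back to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(parse_a_answers(SAMPLE_RESPONSE))  # ['93.184.216.34']
    # Live lookup (network required):
    # print(query_over_tls("example.com", "9.9.9.9", "dns.quad9.net"))
```

The design point is in `query_over_tls`: nothing about the DNS bytes changes between plain TCP/53 and DoT/853; what changes is that `ssl.create_default_context()` refuses the session unless the resolver presents a certificate chaining to a trusted CA for the expected name, which is the property a client needs before it can trust a resolver it has never spoken to.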

  • aurator (Edited)

    It is unclear if DNSCrypt actually encrypts the DNS traffic or just prevents MITM. I'm afraid only the latter may be true. If so, it demonstrates the need for something better which does both.

    From https://en.wikipedia.org/wiki/DNSCrypt :

    > DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction in order to detect forgery. Though it doesn't provide end-to-end security, it protects the local network against man-in-the-middle attacks.

    From https://dnscrypt.info/ :

    > DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing.

    There is no mention of any encryption! Now it could be that version 2 of the DNSCrypt protocol implemented encryption, but I'm not sure. I need to also prevent my ISP or a MITM from reading my queries, not just from modifying them.

  • jedisct1

    Like other solutions, it just prevents MITM. A VPN is safer.

  • aurator (Edited)

    > Like other solutions

    The other solutions are not quite like DNSCrypt. According to an informal 2017 comparison by Tenta of DNSCrypt vs DNS over TLS, DNSCrypt does use partial but not sufficient encryption. Basically it is still determinable that the client is performing a DNS resolution. In contrast, with DNS over TLS, the entire connection is intended to be encrypted using TLS. Both protocols, however, would guard against MITM. For now I'd be happy with the partial encryption that DNSCrypt v2 might offer.

  • d.roy

    I waited long enough already for DNS over TLS... I moved to Quad9 today at last: I am at least retaining malicious domain blocking....

    pfSense's DNS resolver is actually using Unbound, so it was ridiculously easy to configure in my case (src: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html ).

    I would have probably stayed with OpenDNS if native support for DNSCrypt had been possible with pfSense... I'll revisit OpenDNS from time to time to see if they have finally embraced an IETF proposed standard. The pfSense dev team will probably never offer DNSCrypt-Proxy as a supported package.
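
Since the comment above points at Unbound as the resolver behind pfSense, here is what the forwarding change looks like in Unbound's own configuration syntax. This is an added illustration, not the Netgate article's text nor d.roy's actual configuration; the Quad9 addresses and certificate name (9.9.9.9, 149.112.112.112, dns.quad9.net) are assumed for the example, and the CA bundle path is a placeholder that differs by platform.

```conf
# Weak: forwards every query to the upstream in cleartext on UDP/TCP 53.
# Anyone on the path can read and alter the queries (the ISP/MITM concern above).
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-addr: 149.112.112.112

# Corrected: DNS over TLS on port 853 with upstream certificate verification.
server:
    # Path to the system CA bundle; placeholder, adjust for the host OS.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # "addr@port#name": Unbound checks the certificate against the name after '#'.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

The part worth checking after applying it is that both `tls-cert-bundle` and the `#name` suffix are present: with `forward-tls-upstream: yes` but no certificate bundle or authentication name, the traffic is encrypted yet the resolver's identity is not verified, which leaves exactly the first-contact man-in-the-middle case raised earlier in the thread.
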
