Dashboard and DNSCrypt: Show whether server responses were encrypted

Comments

8 comments

  • rotblitz (edited)

    "This feature should not be made available only to enterprise customers"

    This is not available to enterprise (Umbrella) customers.  I'll tell you why:

    You can easily prove if a certain device on a specific network is using DNSCrypt with OpenDNS or Umbrella by raising this diagnostic command on the device:

    nslookup -type=txt debug.opendns.com.

    or

    dig debug.opendns.com txt

    (There are free apps available doing the same on smart devices.)

    Further, if one DNS lookup uses DNSCrypt, then all others on this device or in this network use DNSCrypt too.  I do not want to see the same thing for all listed domains on the stats pages.  Do you?
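
An added example, not posted by either commenter: a small POSIX shell helper that turns the `dig debug.opendns.com txt` check above into something a script or cron job can evaluate. It assumes, based on public examples of that record, that the OpenDNS/Umbrella resolver includes a `dnscrypt enabled (...)` TXT string only when the query arrived over DNSCrypt; the sample records below are constructed for illustration, and `check_live` is the only part that talks to the network.

```shell
#!/bin/sh
# Added example (not from the thread): parse the debug.opendns.com TXT record
# to see whether the resolver saw this client's query arrive over DNSCrypt.
# Assumption: the record carries a "dnscrypt enabled (...)" string in that case.

# dnscrypt_status: read dig/nslookup-style TXT output on stdin and print
# "encrypted" if the "dnscrypt enabled" string is present, "plain" otherwise.
dnscrypt_status() {
    if grep -qi 'dnscrypt enabled'; then
        echo encrypted
    else
        echo plain
    fi
}

# check_live: run the real query from this host (needs network and dig).
# Defined for reuse; not invoked by the sample run below.
check_live() {
    dig debug.opendns.com txt +short | dnscrypt_status
}

# Constructed sample of `dig debug.opendns.com txt +short` output from a client
# that reaches the resolver through a DNSCrypt proxy (values made up).
SAMPLE_ENCRYPTED='"server r1.example"
"flags 20 0 70 0"
"originid 0"
"actype 0"
"source 192.0.2.10:53"
"dnscrypt enabled (0000000000000000)"'

# Constructed sample from a client whose queries left in plain UDP/53,
# e.g. a router where the DNSCrypt forwarder was misconfigured.
SAMPLE_PLAIN='"server r1.example"
"flags 20 0 70 0"
"originid 0"
"actype 0"
"source 192.0.2.10:53"'

# Sample run: prints "encrypted" then "plain".
printf '%s\n' "$SAMPLE_ENCRYPTED" | dnscrypt_status
printf '%s\n' "$SAMPLE_PLAIN" | dnscrypt_status
```

Because every lookup from a given device or forwarder shares the same path to the resolver, one `check_live` result per network segment (each router, Pi-hole or roaming device) is enough to confirm the configuration; the check tells you what the resolver saw, not what an observer on the wire could read.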

  • hp551

    "You can easily prove if a certain device on a specific network is using DNSCrypt..."

    While this is certainly nice and one of many ways to confirm that DNSCrypt is running on your client, it is no solid proof that the traffic is actually encrypted or that the receiving server will use DNSCrypt for the response.

    Normally DNSCrypt-proxy and the server should encrypt the traffic, of course, but unless you are trying to sniff the traffic with let's say Wireshark and analyse it, you can't really tell.

    I realize that one will have exactly the same problem on the server, so actually there will be no proof of encryption, but only proof that the server was using DNSCrypt for the response. However, I would find it reassuring if the dashboard would show for the server (not the client!)

    a) "encrypted" responses with a green lock symbol

    b) "non-encrypted" responses with a red open lock symbol

    Okay, there are many alternative ways to mark the responses. I am thinking of a small modification in the dashboard, not a complete redesign.

    By the way, it is absolutely possible that people make mistakes when they configure DNSCrypt in their routers, Pi-holes, devices etc. and that they think DNSCrypt is running for all devices, but it's not.

    If I see in my dashboard that some or all responses were not encrypted by the server, I will know that I have to take action, even without any diagnostic commands.

    It's important information that one can catch with a short glance at the dashboard.

  • rotblitz (edited)

    "it is no solid prove that the traffic is actually encrypted or that the receiving server will use DNSCrypt for the response."

    Did you know that the name DNSCrypt does not mean that something is encrypted?  Especially, it is about the DNS traffic only, not about all traffic.  And you can be sure, if the DNS request is sent via DNSCrypt, the OpenDNS response is too, else the DNSCrypt proxy would reject the response.

    "Normally DNSCrypt-proxy and the server should encrypt the traffic, of course"

    Oh no, not of course!  There is not really encryption with DNSCrypt, but encoding.  You need to read and understand the concept.  It is about authentication with encoding, not really about encryption.

    https://dnscrypt.info/protocol/

    a) "encrypted" responses with a green lock symbol

    b) "non-encrypted" responses with a red open lock symbol

    Beside the fact that there is not really encryption, all symbols would look the same for your network, either green or red.  This is not "important information that one can catch with a short glance at the dashboard".

  • hp551

    "Did you know that the name DNSCrypt does not mean that something is encrypted?  Especially, it is about the DNS traffic only, ..."

    I think it is pretty clear that we are talking only about DNS traffic. To your comment that this DNS traffic is actually not encrypted by DNSCrypt, I would like to challenge your opinion with a quote from OpenDNS:

    "In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks."

    Source: https://www.opendns.com/about/innovations/dnscrypt/

    If all symbols look red or green, that would be very important information for me.

    Maybe you don't care when some or all symbols would look red, that is entirely your personal decision, but I care.

    And I think any administrator of any organisation and literally every other user of DNSCrypt would care if the symbols turned red.

    More important: I visit the dashboard more often than I check the DNSCrypt client in my home network. One nice feature of OpenDNS is the logs.

    You don't have to check the logs every week or every month, but maybe 1-2 times in half a year. When everything was green, you can tick that (concern) off in a second.

  • rotblitz (edited)

    Well, the guy who has texted this may have mixed up encryption with encoding, probably you too.

    Ok, I'm just a user and don't need to deal with ideas submitted here.  But I can comment on them which I did.  So let's leave this with Cisco/OpenDNS.

    But still one thing, my domain stats look like this:

    Where is the place to put your symbols/icons?  Let's assume 60% of the queries for g.whatsapp.net have been through DNSCrypt, 40% not.  How would they be able to display this fact?

    Or are you talking about the Umbrella activity search?

    The symbols would be possible here, separate for each single DNS query, but this dashboard is not available for OpenDNS users (free or VIP).  And they will not make it available, because they will not give away such enterprise features for free or less.

  • hp551

    To your first comment: "Well, the guy who has texted this may have mixed up encryption with encoding, probably you too."

    I am not confusing anything here. The statement from OpenDNS is so clear and plain English that there cannot be any misunderstanding.

    I recommend you read another statement from OpenDNS which is dated 19th October 2018: https://support.umbrella.com/hc/en-us/articles/230564647-Umbrella-Roaming-Client-Encryption-and-Authentication

    Quote: "DNS packets are encrypted; therefore, the packet data won't be viewable if sniffed/captured between the endpoint computer and the recursive DNS server."

    This is in no way ambiguous language from OpenDNS. This is clear plain English confirming that the DNS traffic is encrypted, period.

    You can also check this source: https://dnscrypt.info/faq/

    Scroll down to "Why use DNSCrypt", and literally the first point is "Encrypts and authenticates the DNS traffic."

    To your second comment:

    "Where is the place to put your symbols/icons?  Let's assume 60% of the queries for g.whatsapp.net have been through DNSCrypt, 40% not.  How would they be able to display this fact?"

    That's a good question, because I am actually thinking about the consumers with a free plan or OpenDNS VIP.

    I would mark these entries with a yellow lock symbol, perhaps to the left of the ranking number, so that the user immediately sees that there is something *maybe* going wrong.

    If only 1-2 devices in your network are using DNSCrypt and the others don't, then there is nothing to worry about.

    However, if you use DNSCrypt to protect the whole network, then you will want to look into this.

    And I would offer a category "non-encrypted domains", where only responses are listed which were not encrypted...because if blablabla.icloud.com is red, you know that something on your iPhone doesn't work as intended.

    By the way, the red, yellow and green would also support security awareness of the users, similarly to what Google is doing with HTTP sites in Chrome.

  • rotblitz

    Ok, after having discussed this, it looks clearer now.  I have voted up your idea.  Btw, you forgot to vote up your idea.  Then you have to wait for votes from other people, because votes are all that counts to attract attention from staff.

  • hp551

    Thank you very much for your support! I keep my fingers crossed. ;-)
