Dashboard and DNSCrypt: Show whether server responses were encrypted
The DNSCrypt-proxy has seen some significant improvements lately and client implementations are now available for all platforms.
As a direct consequence, everybody can encrypt the individual traffic from each of their smartphones and computers, or alternatively from all devices in their local network, e.g. by using DNSCrypt on a pi-hole or pfsense etc., and also because there are a number of complementary DNS servers which support DNSCrypt.
As a customer of OpenDNS, I would like to see some new developments from OpenDNS as well, and I am actually willing to pay for it.
When I look into my dashboard stats, I would like to see not only whether domains resolved normally or whether some responses have been blocked, but also whether the server response was encrypted, because I am actually using DNSCrypt and I want to see if the whole thing is really working.
This feature should not be made available only to enterprise customers, but also to subscribers of OpenDNS VIP.
I believe this could be a win-win for both sides.
OpenDNS can attract more users with a feature that is useful and complementary to DNSCrypt, while it has never been easier to implement DNSCrypt on your network at home or your individual devices. Users will be encouraged to start using DNSCrypt when there is a service that shows them that the traffic is indeed encrypted and that the whole thing is working...and in the end, everybody is using it.
I never fully understood why OpenDNS doesn't offer DNSSEC, but perhaps there are some technical reasons for this. However, as a pioneer of DNSCrypt, this should be a slam dunk.
-
"This feature should not be made available only to enterprise customers"
This is not available to enterprise (Umbrella) customers. I'll tell you why:
You can easily prove if a certain device on a specific network is using DNSCrypt with OpenDNS or Umbrella by raising this diagnostic command on the device:
nslookup -type=txt debug.opendns.com.
or
dig debug.opendns.com txt
(There are free apps available doing the same on smartdevices.)
Further, if one DNS lookup uses DNSCrypt, then all others on this device or in this network use DNSCrypt too. I do not want to see the same thing for all listed domains on the stats pages. Do you?
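The diagnostic command quoted above returns a set of TXT records; the shell snippet below is an added example (not code from the thread or from OpenDNS) that runs the same check non-interactively and parses the answer. It assumes that an answer served over DNSCrypt contains a record starting with "dnscrypt enabled"; the two sample answers are constructed so the function can be exercised offline.

```shell
#!/bin/sh
# Added example: parse the TXT records returned for debug.opendns.com and
# report whether the answer carries the "dnscrypt enabled" marker.
# Live usage:  check_dnscrypt "$(dig +short debug.opendns.com txt)"
# Assumption: a DNSCrypt-served answer contains a record beginning with
# "dnscrypt enabled"; plain-DNS answers lack it.

# Return 0 (true) if the TXT output marks DNSCrypt as enabled, 1 otherwise.
# Works on both dig output (quoted strings) and nslookup output (text = "...").
check_dnscrypt() {
    printf '%s\n' "$1" | grep -qi 'dnscrypt enabled'
}

# Human-readable verdict for a dashboard-style summary line.
dnscrypt_status() {
    if check_dnscrypt "$1"; then
        echo "encrypted"
    else
        echo "plain"
    fi
}

# Constructed sample answers (not captured from a live server).
SAMPLE_ENCRYPTED='"server r1.example"
"flags 20 0 20 0"
"originid 0"
"dnscrypt enabled (0123456789ABCDEF)"'

SAMPLE_PLAIN='"server r2.example"
"flags 20 0 20 0"
"originid 0"'

echo "sample 1: $(dnscrypt_status "$SAMPLE_ENCRYPTED")"   # encrypted
echo "sample 2: $(dnscrypt_status "$SAMPLE_PLAIN")"       # plain
```

Run it from cron on the router or pi-hole that is supposed to forward everything through dnscrypt-proxy, and a "plain" verdict tells you the forwarder is bypassed before any dashboard would.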
-
"You can easily prove if a certain device on a specific network is using DNSCrypt..."
While this is certainly nice and one of many ways to confirm that DNSCrypt is running on your client, it is no solid proof that the traffic is actually encrypted or that the receiving server will use DNSCrypt for the response.
Normally DNSCrypt-proxy and the server should encrypt the traffic, of course, but unless you are trying to sniff the traffic with, let's say, Wireshark and analyse it, you can't really tell.
I realize that one will have exactly the same problem on the server, so actually there will be no proof of encryption, but only proof that the server was using DNSCrypt for the response. However, I would find it reassuring if the dashboard would show for the server (not the client!)
a) "encrypted" responses with a green lock symbol
b) "non-encrypted" responses with a red open lock symbol
Okay, there are many alternative ways to mark the responses. I am thinking of a small modification in the dashboard, not a complete redesign.
By the way, it is absolutely possible that people make mistakes when they configure DNSCrypt in their routers, pi-holes, devices etc... and that they think DNScrypt is running for all devices, but it's not.
If I see in my dashboard that some or all responses were not encrypted by the server, I will know that I have to take action, even without any diagnostic commands.
It's important information that one can catch with a short glance at the dashboard.
-
"it is no solid prove that the traffic is actually encrypted or that the receiving server will use DNSCrypt for the response."
Did you know that the name DNSCrypt does not mean that something is encrypted? Especially, it is about the DNS traffic only, not about all traffic. And you can be sure, if the DNS request is sent via DNSCrypt, the OpenDNS response is too, else the DNSCrypt proxy would reject the response.
"Normally DNSCrypt-proxy and the server should encrypt the traffic, of course"
Oh no, not of course! There is not really encryption with DNSCrypt, but encoding. You need to read and understand the concept. It is about authentication with encoding, not really about encryption.
https://dnscrypt.info/protocol/
a) "encrypted" responses with a green lock symbol
b) "non-encrypted" responses with a red open lock symbol
Besides the fact that there is not really encryption, all symbols would look the same for your network, either green or red. This is not "important information that one can catch with a short glance at the dashboard".
-
"Did you know that the name DNSCrypt does not mean that something is encrypted? Especially, it is about the DNS traffic only, ..."
I think it is pretty clear that we are talking only about DNS traffic. To your comment that this DNS traffic is actually not encrypted by DNSCrypt, I would like to challenge your opinion with a quote from OpenDNS:
"In the same way the SSL turns HTTP web traffic into HTTPS encrypted Web traffic, DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks."
Source: https://www.opendns.com/about/innovations/dnscrypt/
If all symbols look red or green, that would be very important information for me.
Maybe you don't care when some or all symbols would look red, that is entirely your personal decision, but I care.
And I think any administrator of any organisation and literally every other user of DNScrypt would care, if the symbols would turn red.
More important: I visit the dashboard more often than I check the DNSCrypt client in my home network. One nice feature of OpenDNS is the logs.
You don't have to check the logs every week or every month, but maybe 1-2 times in half a year. When everything was green you can tick that (concern) off in a second.
-
Well, the guy who has texted this may have mixed up encryption with encoding, probably you too.
Ok, I'm just a user and don't need to deal with ideas submitted here. But I can comment on them which I did. So let's leave this with Cisco/OpenDNS.
But still one thing, my domain stats look like this:
Where is the place to put your symbols/icons? Let's assume 60% of the queries for g.whatsapp.net have been through DNSCrypt, 40% not. How would they be able to display this fact?
Or are you talking about the Umbrella activity search?
The symbols would be possible here, separate for each single DNS query, but this dashboard is not available for OpenDNS users (free or VIP). And they will not make it available, because they will not give away such enterprise features for free or less.
-
To your first comment: "Well, the guy who has texted this may have mixed up encryption with encoding, probably you too."
I am not confusing anything here. The statement from OpenDNS is so clear and plain English that there cannot be any misunderstanding.
I recommend you to read another statement from OpenDNS which is dated 19th October 2018: https://support.umbrella.com/hc/en-us/articles/230564647-Umbrella-Roaming-Client-Encryption-and-Authentication
Quote: "DNS packets are encrypted; therefore, the packet data won't be viewable if sniffed/captured between the endpoint computer and the recursive DNS server."
This is in no way ambiguous language from OpenDNS. This is clear plain English confirming that the DNS traffic is encrypted, period.
You can also check this source: https://dnscrypt.info/faq/
Scroll down to "Why use DNSCrypt" and literally the first point is "Encrypts and authenticates the DNS traffic."
To your second comment:
"Where is the place to put your symbols/icons? Let's assume 60% of the queries for g.whatsapp.net have been through DNSCrypt, 40% not. How would they be able to display this fact?"
That's a good question, because I am actually thinking about the consumers with a free plan or OpenDNS VIP.
I would mark these entries with a yellow lock symbol, perhaps to the left of the ranking number, so that the user immediately sees that there is something *maybe* going wrong.
If only 1-2 devices in your network are using DNSCrypt and the others don't, then there is nothing to worry about.
However, if you use DNSCrypt to protect the whole network, then you will want to look into this.
And I would offer a category "non-encrypted domains", where only responses are listed which were not encrypted...because if blablabla.icloud.com is red, you know that something on your iPhone doesn't work as intended.
By the way, the red, yellow, green would also support security awareness of the users, similarly to what Google is doing with HTTP sites in Chrome.