Joined: 24 Feb 2009 Posts: 2026 Location: Sol System > Earth > USA > Arkansas
Posted: Mon Feb 13, 2012 16:51 Post subject:
As far as I know, the software they are using/developing is still beta. While I would like to see it implemented on DD-WRT, it may take a while before the software stabilizes.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]
Try Dropbox for syncing files - get 2.5gb online for free by signing up.
Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
dnscrypt itself (the DNS proxy) is stable, and it hasn't changed since the first public release. Version 0.9 has just been released, but all it brings is an updated libuv library.
The only missing changes before the version becomes 1.0 are changes to make it compile with MinGW instead of Cygwin on Windows.
What is really in beta is an optional GUI for Mac to change the DNS settings to 127.0.0.1 just by checking a box.
Changing the DNS settings on all interfaces on OSX is straightforward, but reverting them to the state they would have been in if they hadn't been changed happens to be super complicated. Having to cope with VPNs, firewalls, multiple interfaces and network locations makes it even worse. And at this point, the GUI is only able to (badly) cope with a subset of these, so it's definitely in beta. But the GUI for OSX and the proxy are different pieces of software.
A lot of people are asking for a dnscrypt-proxy package for DD-WRT. Unfortunately I don't have a compatible router.
IPv4 will be pointless once IPv6 gains ground, too. But we're not there yet.
DNSSec is a huge step forward and being able to securely publish data (not only domain records) through DNS is exciting.
Unfortunately, DNSSec requires that TLDs are signed, that routers support it (or, at least, that they allow client-side validation), that registrars support it, that operating systems provide validating stub resolvers, that libraries providing async lookups also support it, that other pieces of software reinventing the wheel also support it, that fucked up firewalls that don't even let UDP packets > 512 bytes go through get fixed and that domain owners and sysadmins give a shit about it.
This is sad, but we're not there yet. Not even close. Even Google and Youporn don't sign their records.
Meanwhile, the best we can do, in addition to client-side DNSSec validation for the few domains that are actually signed, is to provide a secure channel between clients and upstream resolvers. It doesn't make upstream resolvers more secure, but the weakest link of the chain is often the LAN.
OpenBSD provides a way to force all DNS queries to be performed using TCP, so that you can easily tunnel them over SSH. Unbound can use an SSL tunnel to communicate with upstream resolvers. DNSCrypt is a lightweight alternative for people using OpenDNS.
All these mechanisms may be pointless once everybody uses DNSSec everywhere (although DNSSec doesn't provide any confidentiality, but these mechanisms do, to some extent). But until ALL domains are signed and every piece of hardware and software fully supports DNSSec, any effort to make the DNS protocol suck less, security-wise, is worth it.
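An added example, not code from this thread or from the dnscrypt project, illustrating the transport details the post above touches on: a DNS query carrying an EDNS0 OPT record that advertises a receive size above 512 bytes and sets the DO bit so the resolver returns DNSSEC records, the two-byte length framing that carries the same message over TCP (the framing an SSH tunnel would transport), and a header check for the TC flag a server sets when it had to truncate a UDP answer to the advertised size. Function names and the sample response are my own constructions.

```python
import struct

def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                edns_size: int = 4096, do_bit: bool = True) -> bytes:
    """Build a recursive query for `name`. With edns_size > 0 an OPT
    pseudo-record (RFC 6891) advertises the UDP payload size we accept and,
    if do_bit is set, asks for DNSSEC data (RRSIG and friends). Without OPT
    the server assumes the classic 512-byte limit, which signed answers
    routinely exceed, so it truncates and the client must retry over TCP."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if not edns_size:
        return header + question
    # OPT: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/
    # flags (DO is the top bit of the low 16), RDLENGTH 0.
    flags = 0x8000 if do_bit else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, flags, 0)
    return header + question + opt

def tcp_frame(msg: bytes) -> bytes:
    """RFC 1035 4.2.2: over TCP every message is prefixed by its 2-byte
    length. This is what a stream tunnel (SSH, TLS) carries end to end."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header. TC=1 means the answer did not fit the UDP
    size the client advertised and was cut; a correct client retries on TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

# Constructed sample: header of a truncated reply (QR, TC, RD, RA set, no RRs).
SAMPLE_TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```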
Joined: 24 Feb 2009 Posts: 2026 Location: Sol System > Earth > USA > Arkansas
Posted: Sat Feb 18, 2012 17:39 Post subject:
Mangix wrote:
won't this be pointless once DNSSEC gains ground?
If you had actually read any of the information on DNSCrypt, you would not ask that question. It is apparent that you do not understand what DNSCrypt does. A quote from their page: http://www.opendns.com/technology/dnscrypt/
Quote:
3. What about DNSSEC? Does this eliminate the need for DNSSEC?
No. DNSCrypt and DNSSEC are complementary. DNSSEC does a number of things. First, it provides authentication. (Is the DNS record I'm getting a response for coming from the owner of the domain name I'm asking about or has it been tampered with?) Second, DNSSEC provides a chain of trust to help establish confidence that the answers you're getting are verifiable. But unfortunately, DNSSEC doesn't actually provide encryption for DNS records, even those signed by DNSSEC. Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.
That said, DNSSEC and DNSCrypt can work perfectly together. They aren't conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn't trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.