OpenDNS DNS Crypt

DD-WRT Forum Index -> Broadcom SoC based Hardware
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Thu Dec 15, 2011 16:54    Post subject: OpenDNS DNS Crypt
Source has been released to github (https://github.com/opendns/dnscrypt-proxy)

Has anyone here managed to build a version for DD-WRT? (WRT54GS for me) :)

I'm rebuilding PCs so have no buildchain.
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

Posted: Mon Feb 13, 2012 16:51
As far as I know, the software they are using/developing is still beta. While I would like to see it implemented on DD-WRT, it may take a while before the software stabilizes.
_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
jedisct1
DD-WRT Novice


Joined: 16 Feb 2012
Posts: 2

Posted: Thu Feb 16, 2012 23:22
dnscrypt itself (the DNS proxy) is stable, and it hasn't changed since the first public release. Version 0.9 has just been released, but all it brings is an updated libuv library.

The only missing changes before the version becomes 1.0 are changes to make it compile with MingW instead of Cygwin on Windows.

What is really in beta is an optional GUI for Mac to change the DNS settings to 127.0.0.1 just by checking a box.
Changing the DNS settings on all interfaces on OSX is straightforward, but reverting them to the state they would have been in if they hadn't been changed happens to be super complicated. Having to cope with VPNs, firewalls, multiple interfaces and network locations makes it even worse. And at this point, the GUI is only able to (badly) cope with a subset of these, so it's definitely in beta. But the GUI for OSX and the proxy are different pieces of software.

A lot of people are asking for a dnscrypt-proxy package for DD-WRT. Unfortunately I don't have a compatible router.
Mangix
DD-WRT User


Joined: 04 Aug 2011
Posts: 375

Posted: Fri Feb 17, 2012 1:11
won't this be pointless once DNSSEC gains ground?
jedisct1
DD-WRT Novice


Joined: 16 Feb 2012
Posts: 2

Posted: Fri Feb 17, 2012 9:03
IPv4 will be pointless once IPv6 gains ground, too. But we're not there yet.

DNSSec is a huge step forward and being able to securely publish data (not only domain records) through DNS is exciting.

Unfortunately, DNSSec requires that TLDs are signed, that routers are supporting it (or, at least, that they allow client-side validation), that registrars support it, that operating systems provide validating stub resolvers, that libraries providing async lookups also support it, that other pieces of software reinventing the wheel also support it, that fucked up firewalls that don't even let UDP packets > 512 bytes go through get fixed and that domain owners and sysadmins give a shit about it.

This is sad, but we're not there yet. Not even close. Even Google and Youporn don't sign their records.

Meanwhile, the best we can do, in addition to client-side DNSSec validation for the few domains that are actually signed, is to provide a secure channel between clients and upstream resolvers. It doesn't make upstream resolvers more secure, but the weakest link of the chain is often the LAN.
OpenBSD provides a way to force all DNS queries to be performed using TCP, so that you can easily tunnel them over SSH. Unbound can use an SSL tunnel to communicate with upstream resolvers. DNSCrypt is a lightweight alternative for people using OpenDNS.

All these mechanisms may be pointless once everybody uses DNSSec everywhere (although DNSSec doesn't provide any confidentiality, but these mechanisms do, to some extent). But until ALL domains are signed and every piece of hardware and software fully supports DNSSec, any effort to make the DNS protocol suck less security-wise, is worth it.
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

Posted: Sat Feb 18, 2012 17:39
Mangix wrote:
won't this be pointless once DNSSEC gains ground?

If you had actually read any of the information on DNSCrypt, you would not ask that question. It is apparent that you do not understand what DNSCrypt does. A quote from their page: http://www.opendns.com/technology/dnscrypt/

Quote:
3. What about DNSSEC? Does this eliminate the need for DNSSEC?

No. DNSCrypt and DNSSEC are complementary. DNSSEC does a number of things. First, it provides authentication. (Is the DNS record I'm getting a response for coming from the owner of the domain name I'm asking about or has it been tampered with?) Second, DNSSEC provides a chain of trust to help establish confidence that the answers you're getting are verifiable. But unfortunately, DNSSEC doesn't actually provide encryption for DNS records, even those signed by DNSSEC. Even if everyone in the world used DNSSEC, the need to encrypt all DNS traffic would not go away. Moreover, DNSSEC today represents a near-zero percentage of overall domain names and an increasingly smaller percentage of DNS records each day as the Internet grows.

That said, DNSSEC and DNSCrypt can work perfectly together. They aren't conflicting in any way. Think of DNSCrypt as a wrapper around all DNS traffic and DNSSEC as a way of signing and providing validation for a subset of those records. There are benefits to DNSSEC that DNSCrypt isn't trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS.

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
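
The point made in the two posts above, that DNSSEC authenticates records but leaves the query readable on the wire, shown as an added example that is not part of the thread and is not dnscrypt-proxy code. The function names `build_query` and `observe` and the sample name `example.com` are constructed for illustration; the packet layout follows the standard DNS header and EDNS0 OPT record.

```python
import struct

def build_query(name, qtype=1, dnssec_ok=True, udp_size=4096, txid=0x1234):
    """Build a raw DNS query. With dnssec_ok, add an EDNS0 OPT record with DO set."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0 or 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root owner name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL carries ext-rcode/version/flags (DO bit = 0x8000), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt

def observe(packet):
    """Decode what any on-path observer can read from the unencrypted bytes."""
    _txid, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    pos, labels = 12, []
    while packet[pos]:                      # walk length-prefixed labels
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                                # skip the terminating zero label
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    # Without EDNS0 the classic 512-byte UDP limit applies
    info = {"qname": ".".join(labels), "qtype": qtype, "do": False, "udp_size": 512}
    if arcount and packet[pos] == 0:        # additional record with root owner
        rtype, size, ttl, _rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        if rtype == 41:
            info["do"] = bool(ttl & 0x8000)
            info["udp_size"] = size
    return info

if __name__ == "__main__":
    print(observe(build_query("example.com")))                   # DNSSEC-aware query
    print(observe(build_query("example.com", dnssec_ok=False)))  # classic query
```

The DNSSEC-aware query still exposes the full name and type, and it advertises a UDP payload size above 512 bytes, which is the size the firewalls mentioned above fail to pass.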
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Mon Mar 12, 2012 15:45
Have a look here: http://lancethepants.com/files/

That binary runs on my WRT54GS V1.1

I am NOT the author of that file, I found it linked from here : http://www.linksysinfo.org/index.php?threads/dnscrypt-preview.37031/
strfr
DD-WRT User


Joined: 21 Jan 2008
Posts: 192

Posted: Tue Mar 13, 2012 12:50
interesting ptruman, are you running the dnscrypt-proxy at standard port or at the port 40 too? Can you please post more details of your setup?

thanks!
ptruman
DD-WRT User


Joined: 14 May 2008
Posts: 155

Posted: Tue Mar 13, 2012 13:12
No problem : http://www.dd-wrt.com/phpBB2/viewtopic.php?t=151293#674370

:)

I'm running it on port 53, but "upstream" of DNSMasq via 127.0.0.2 :)
strfr
DD-WRT User


Joined: 21 Jan 2008
Posts: 192

Posted: Wed Mar 14, 2012 20:08
great, thanks man!
redhat27
DD-WRT Novice


Joined: 20 Jan 2010
Posts: 41

Posted: Mon May 21, 2012 23:04
ptruman wrote:
Have a look here: http://lancethepants.com/files/

That binary runs on my WRT54GS V1.1

I am NOT the author of that file, I found it linked from here : http://www.linksysinfo.org/index.php?threads/dnscrypt-preview.37031/


Hi there,
I failed to get it to load on my WRT54GS v1.1
./dnscrypt-proxy: can't resolve symbol 'syscall'

Which binary did you download? Would you be so kind as to link to the actual file (or attach one) that works on k24 routers?
slobodan
DD-WRT Guru


Joined: 03 Nov 2011
Posts: 1555
Location: Zwolle

Posted: Tue May 22, 2012 16:12
http://lancethepants.com/files/index.php?dir=Binaries%20%28DNSCrypt%29/DNSCrypt-Proxy/0.9.3%20%28K2.4%20toolchain%29/
_________________
2 times APU2 Opnsense 21.1 with Sensei

2 times RT-AC56U running DD-WRT 45493 (one as Gateway, the other as AP, both bridged with LAN cable)

3 times Asus RT-N16 shelved

E4200 V1 running freshtomato 2020.8 (bridged with LAN cable)

3 times Linksys WRT610N V2 converted to E3000 and 1 original E3000 running freshtomato 2020.8 (bridged with LAN cable)


redhat27
DD-WRT Novice


Joined: 20 Jan 2010
Posts: 41

Posted: Tue May 22, 2012 18:43
slobodan wrote:
http://lancethepants.com/files/index.php?dir=Binaries%20%28DNSCrypt%29/DNSCrypt-Proxy/0.9.3%20%28K2.4%20toolchain%29/


Thanks.. This was not there yesterday. lancethepants created it (when I requested it on the linksysinfo forum)
All times are GMT
