DNSCrypt / DNSCurve will be great for security of DNS and the internet in general. I hope this helps it reach wide deployment.
A summary of the summary is that it encrypts and authenticates all communication with DNS servers that support the protocol, and does so with very little overhead, in a way that can be rolled out incrementally.
Aren't they supposed to be saying "ninja" now? Though, I guess even that word is getting long in the tooth. I wonder what the next hyperbolic word for "expert" will be?
This is what I was wondering as well. Is there a way to deploy DNSCrypt on our own servers (Bind9, tinydns, MS DNS, etc.)? Any information would be welcome if somebody knows.
Can someone explain to me how this is working? It seems like the equivalent of stunnel for DNS: I still have to trust my provider's (here: OpenDNS) DNS servers; they have control over the encryption, not the owner of the DNS records?
[+] [-] onedognight|14 years ago|reply
For background, it is the first implementation of DNSCurve designed by DJB (qmail, tinydns, daemontools, etc). See http://dnscurve.org/ or the excerpt below.
DNSCurve uses high-speed high-security elliptic-curve cryptography to drastically improve every dimension of DNS security:
Confidentiality: DNS requests and responses today are completely unencrypted and are broadcast to any attacker who cares to look. DNSCurve encrypts all DNS packets.
Integrity: DNS today uses "UDP source-port randomization" and "TXID randomization" to create some speed bumps for blind attackers, but patient attackers and sniffing attackers can easily forge DNS records. DNSCurve cryptographically authenticates all DNS responses, eliminating forged DNS packets.
Availability: DNS today has no protection against denial of service. A sniffing attacker can disable all of your DNS lookups by sending just a few forged packets per second. DNSCurve very quickly recognizes and discards forged packets, so attackers have much more trouble preventing DNS data from getting through. Protection is also needed for SMTP, HTTP, HTTPS, etc., but protecting DNS is the first step.
Despite its extremely high level of security, DNSCurve is very easy for software authors to implement, and very easy for administrators to deploy.
DNSCurve is part of a larger project to encrypt and authenticate all Internet packets. The techniques used in DNSCurve are easily adapted to other Internet protocols.
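The integrity and availability points in the excerpt come down to one check: a plain DNS client accepts any packet whose 16-bit TXID and source port match, while a DNSCurve client accepts only a packet that authenticates under a key the attacker does not have. The following is an added example, not code from the thread or from dnscurve.org, that models both checks side by side. It uses an HMAC-SHA256 tag over a per-query nonce as a stand-in for DNSCurve's Curve25519/XSalsa20/Poly1305 box, and it assumes a pre-shared key (DNSCurve derives that key from the server's public key, which is published in its NS name); the names, the sample answers and the "attacker" functions are all constructed for the demonstration.

```python
"""Toy model of plain-DNS forgery checks versus authenticated (DNSCurve-style) ones.

Added example; not from the thread or dnscurve.org. HMAC-SHA256 stands in for
DNSCurve's crypto_box, and the shared key is simply pre-shared (assumption).
"""
import hashlib
import hmac
import secrets

# --- plain DNS: the only anti-forgery checks are the 16-bit TXID and the source port

def make_classic_query(name):
    """A plain query: random TXID and random ephemeral source port, no crypto."""
    return {"name": name,
            "txid": secrets.randbelow(1 << 16),
            "port": 1024 + secrets.randbelow(64512)}

def classic_accepts(query, response):
    """Resolver-side check for plain DNS: name, TXID and port must match, nothing else."""
    return (response["name"] == query["name"]
            and response["txid"] == query["txid"]
            and response["port"] == query["port"])

def model_sniffer_forgery_classic(observed_query, bogus_answer):
    """Model of the 'sniffing attacker' in the excerpt: everything the check
    needs was visible in the query, so a matching response is trivial to build."""
    return {"name": observed_query["name"], "txid": observed_query["txid"],
            "port": observed_query["port"], "answer": bogus_answer}

# --- authenticated DNS: every packet carries a tag under a key the sniffer lacks

def _tag(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def make_auth_query(name, key):
    """Query with a fresh 12-byte nonce (DNSCurve also uses a 12-byte client nonce)."""
    nonce = secrets.token_bytes(12)
    return {"name": name, "nonce": nonce,
            "tag": _tag(key, b"query", nonce, name.encode())}

def make_auth_response(query, answer, key):
    """Server side: echo the nonce and tag the answer under the shared key."""
    return {"name": query["name"], "nonce": query["nonce"], "answer": answer,
            "tag": _tag(key, b"response", query["nonce"], query["name"].encode(),
                        answer.encode())}

def auth_accepts(query, response, key):
    """Client side: the nonce must be the one from our outstanding query (so a
    replayed old answer fails) and the tag must verify. compare_digest keeps the
    rejection constant-time, which is what makes discarding a flood of forgeries
    cheap: the 'availability' point in the excerpt."""
    if response["nonce"] != query["nonce"]:
        return False
    expected = _tag(key, b"response", query["nonce"], query["name"].encode(),
                    response["answer"].encode())
    return hmac.compare_digest(expected, response["tag"])

def model_sniffer_forgery_auth(observed_query, bogus_answer):
    """Same attacker against the authenticated protocol: it sees the nonce but
    not the key, so the best it can do is guess a 256-bit tag."""
    return {"name": observed_query["name"], "nonce": observed_query["nonce"],
            "answer": bogus_answer, "tag": secrets.token_bytes(32)}

def demo():
    """One lookup each way against the same sniffing attacker (constructed data)."""
    key = secrets.token_bytes(32)            # stands in for the DNSCurve shared secret
    name, real, bogus = "example.com", "192.0.2.1", "198.51.100.99"

    q = make_classic_query(name)
    classic_forged_ok = classic_accepts(q, model_sniffer_forgery_classic(q, bogus))

    aq = make_auth_query(name, key)
    auth_real_ok = auth_accepts(aq, make_auth_response(aq, real, key), key)
    auth_forged_ok = auth_accepts(aq, model_sniffer_forgery_auth(aq, bogus), key)
    # A genuine answer captured for an earlier query of the same name must not
    # be accepted for this one: the nonce ties each response to one query.
    stale = make_auth_response(make_auth_query(name, key), real, key)
    replay_ok = auth_accepts(aq, stale, key)

    return {"classic_forged_accepted": classic_forged_ok,
            "auth_genuine_accepted": auth_real_ok,
            "auth_forged_accepted": auth_forged_ok,
            "auth_replay_accepted": replay_ok}

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The point of the model is the check, not the crypto primitive: the plain-DNS resolver has nothing to compare against that the sniffer did not also see, whereas the authenticated client rejects the forged and the replayed packet with one constant-time comparison and never has to parse them.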
[+] [-] pjscott|14 years ago|reply
[+] [-] alwillis|14 years ago|reply
[+] [-] zdw|14 years ago|reply
http://curvedns.on2it.net/docs
I wrapped the CurveDNS binaries with fpm, which made installing it on all the servers very easy. For the DNS server I used the djbdns stack (already in debian experimental, patched with IPv6 support). The big advantage of this is that tinydns's data format is atomic on a line level, so you just cat all the zone files together and build the data.cdb file. I do this with Rake and push the zone all over SSH to the servers - making an internet-facing change is usually as trivial as adding a single line in a text file and running rake.
Glad to see the client side of things is becoming as easy to set up as the server side.
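The "cat the zone files together" step described in the comment above, as an added example that is not zdw's Rakefile or any CurveDNS/djbdns code: it is written in Python rather than Rake, and adds the check a deployment pipeline wants before tinydns-data ever runs, namely that every line of every fragment starts with a tinydns record type, so one malformed fragment fails the build with a file and line number instead of silently producing a broken zone. The record prefixes are the stock tinydns-data syntax plus the 3/6 AAAA lines from the IPv6 patch the comment mentions; the fragment names and records in the demo are constructed, and the `build()` helper assumes tinydns-data is on the PATH.

```python
"""Assemble a tinydns 'data' file from per-zone fragments, validating each line.

Added example, not zdw's Rakefile. Assumes the standard tinydns-data line
syntax (type character, then colon-separated fields) plus the IPv6 patch's
'3' and '6' record types, and that tinydns-data is installed for build().
"""
import subprocess
from pathlib import Path

# tinydns-data record types: . & = + - @ # ' ^ C Z : % plus 3 and 6 (IPv6 patch).
RECORD_PREFIXES = set(".&=+-@#'^CZ:%36")

def valid_tinydns_line(line):
    """True for blank lines and for lines that start with a known record type
    ('#' comments are a record type too, so they pass)."""
    if line.strip() == "":
        return True
    return line[0] in RECORD_PREFIXES

def assemble(fragments):
    """fragments: {fragment_name: text}. Returns the concatenated data text, or
    raises ValueError naming the fragment and line of the first malformed line.
    Fragments are concatenated in sorted name order so the output is stable
    and diffs between builds are meaningful."""
    out = []
    for frag_name in sorted(fragments):
        for lineno, line in enumerate(fragments[frag_name].splitlines(), start=1):
            if not valid_tinydns_line(line):
                raise ValueError(f"{frag_name}:{lineno}: not a tinydns record: {line!r}")
            out.append(line)
    return "\n".join(out) + "\n"

def first_error(fragments):
    """Return assemble()'s error message, or None if every line validates."""
    try:
        assemble(fragments)
    except ValueError as exc:
        return str(exc)
    return None

def build(zone_dir, data_dir):
    """Read *.zone fragments from zone_dir, write data_dir/data and run
    tinydns-data there; it writes data.tmp and renames it over data.cdb, so a
    running tinydns never sees a half-written database. Returns the line count."""
    fragments = {p.name: p.read_text() for p in sorted(Path(zone_dir).glob("*.zone"))}
    data = assemble(fragments)
    Path(data_dir, "data").write_text(data)
    subprocess.run(["tinydns-data"], cwd=data_dir, check=True)
    return len(data.splitlines())

if __name__ == "__main__":
    # Constructed fragments, standing in for the per-zone files.
    demo_fragments = {
        "example.com.zone": ".example.com:192.0.2.1:a\n+www.example.com:192.0.2.2\n",
        "v6.zone": "# IPv6 patch record\n6www.example.com:20010db8000000000000000000000001\n",
    }
    print(assemble(demo_fragments), end="")
    print(first_error({"bind-style.zone": "www IN A 192.0.2.1\n"}))
```

Pushing the resulting `data` over SSH and running the build on each server, as the comment describes, is a separate step; the validation belongs before the push so that a bad fragment never reaches the servers.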
[+] [-] kleiba|14 years ago|reply
Cool, just noticed that I haven't seen the term "rockstar hacker" in job ads in a long time. Can't say I miss it.
[+] [-] fletchowns|14 years ago|reply
[+] [-] gaoshan|14 years ago|reply
Personally I've always felt more like a plumber or carpenter than a rockstar or ninja.
[+] [-] happyman|14 years ago|reply
It doesn't seem to work for me. I am on a network where all web proxies are blocked. I tried accessing anonymouse.org and I got the default page which is used to inform about blocked domains on my network. I can ping the IP of anonymouse.org. I tested whether I have set up dnscrypt correctly with "sudo tcpdump udp port dns"; it showed very long unreadable lines which I have not seen before using dnscrypt. For anonymouse.org this was the tcpdump output:
12:57:43.523694 IP mypc-ubuntu.local.38481 > resolver2.opendns.com.domain: 28982 updateM [b2&3=0x666e] [27192a] [30295q] [20660n] [52086au][|domain]
12:57:43.801981 IP resolver2.opendns.com.domain > mypc-ubuntu.local.38481: 29238 updateM [b2&3=0x666e] [27192a] [30295q] [414n] [12287au] Type65535 (Class 13704)? [|domain]
There should have been a third line with the encrypted payload, but it doesn't show up for anonymouse.org, whereas the third line with encrypted payload does get shown for the domains that are whitelisted on my network.
[+] [-] mike-cardwell|14 years ago|reply
I'm currently running my own recursive resolver. I would like to add DNSCrypt support, but I'm not handing over my DNS queries to somebody else.
[+] [-] geekbri|14 years ago|reply
[+] [-] nodata|14 years ago|reply