Secure your DNS lookups with DNSCrypt


  • Vivaldi Translator

    Using a DNS with DNSSec for privacy is important, but does not prevent man in the middle attacks.

    NOTE: All the official Cisco OpenDNS resolvers log traffic, so they may not be wanted if privacy is also an issue.
    See here https://dnscrypt.info/public-servers
    You will also notice Cloudflare DNS in the list and that they do not keep logs.

    DNSCrypt adds encryption and validation to your DNS lookups, thus helping to protect against man in the middle attacks.
    It also supports the unique identifier keys used by the Cisco Umbrella DNS, should you want or need to use it.
    https://dnscrypt.info/faq

    From the full list of supported Open DNS (including official Cisco DNS), you can filter by DNSSec, logging and filtering.
    Many of the resolvers also use Quad9, and SimpleDNSCrypt will fall back to regular Quad9 to fetch the resolver list if it cannot use its own.

    You can select your preferred DNS by country or filters.
    By default it will automatically use the fastest from the list.
    Disable automatic mode to select as many specific resolvers as you prefer.

    Block lists can be imported into the SimpleDNSCrypt client, and it recognises standard ad-block HOSTS files such as MVPS and hpHosts.
    If you prefer to manage your own block lists, you can opt to use this instead of a HOSTS file or a resolver with filters.

    Quad9 Note:
    Recent tests showed that the site blocking provided by Quad9 is not good.
    https://medium.com/@nykolas.z/dns-security-filters-compared-quad9-x-opendns-x-comodo-secure-x-norton-connectsafe-x-yandex-safe-a00ace3bf21f
    It clearly shows that DNS filters are nowhere near as good as AV or manual HOSTS management.

    DNSCrypt
    https://dnscrypt.info

    NOTE:
    Having a secure connection between you and your DNS is only half of the picture.
    You may stop a man in the middle between you and the DNS, but is there a MITM between the site and the DNS it uses?
    If you would like to see if the site you are connected to is using DNSSec, and can actually be properly validated (separate to cert validation) you can use this site
    https://dnssec-name-and-shame.com

    To add DNSSec/DANE validation to your browser you have to use an extension, but it will make you very unhappy as you browse, because you will quickly see how few sites are configured to use DNSSec or configured properly.
    https://www.dnssec-validator.cz
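
    The DNSSec, logging and filtering properties the post filters on are carried in each resolver's DNS stamp, the sdns:// string shown for every entry on the public-servers page. As an added example (not code from the post or from the DNSCrypt project), this Python decoder reads those flags out of DNSCrypt-type stamps and keeps only resolvers that advertise both DNSSEC validation and no logging; the sample stamps, addresses and keys are constructed placeholders, not real resolvers.

```python
import base64
import struct

# Property bits of the 64-bit "props" field in a DNS stamp (DNS Stamps spec v1).
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 1 << 0, 1 << 1, 1 << 2

def _lp(data: bytes) -> bytes:
    return bytes([len(data)]) + data  # one-byte length prefix, then the payload

def encode_dnscrypt_stamp(addr: str, pk_hex: str, provider: str, props: int) -> str:
    """Build an sdns:// stamp for a DNSCrypt (type 0x01) resolver."""
    body = (bytes([0x01]) + struct.pack("<Q", props)
            + _lp(addr.encode()) + _lp(bytes.fromhex(pk_hex)) + _lp(provider.encode()))
    return "sdns://" + base64.urlsafe_b64encode(body).rstrip(b"=").decode()

def decode_dnscrypt_stamp(stamp: str) -> dict:
    """Parse a DNSCrypt stamp, rejecting malformed input instead of guessing."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = stamp[len("sdns://"):]
    body = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))  # restore padding
    if len(body) < 9 or body[0] != 0x01:
        raise ValueError("only DNSCrypt (0x01) stamps are handled here")
    props = struct.unpack_from("<Q", body, 1)[0]
    pos, fields = 9, []
    for _ in range(3):  # address, provider public key, provider name
        if pos >= len(body) or pos + 1 + body[pos] > len(body):
            raise ValueError("truncated stamp")
        n = body[pos]
        fields.append(body[pos + 1:pos + 1 + n])
        pos += 1 + n
    addr, pk, provider = fields
    if len(pk) != 32 or pos != len(body):  # Ed25519 key is 32 bytes; no trailing data
        raise ValueError("bad provider key length or trailing bytes")
    return {"addr": addr.decode(), "provider_pk": pk.hex(), "provider": provider.decode(),
            "dnssec": bool(props & PROP_DNSSEC), "no_logs": bool(props & PROP_NO_LOGS),
            "no_filter": bool(props & PROP_NO_FILTER)}

def privacy_candidates(stamps) -> list:
    """Provider names of resolvers advertising both DNSSEC validation and no logging."""
    infos = [decode_dnscrypt_stamp(s) for s in stamps]
    return [i["provider"] for i in infos if i["dnssec"] and i["no_logs"]]

# Constructed sample stamps (documentation addresses and dummy keys, not real resolvers).
SAMPLE_STAMPS = [
    encode_dnscrypt_stamp("203.0.113.10:443", "11" * 32, "2.dnscrypt-cert.example.net",
                          PROP_DNSSEC | PROP_NO_LOGS | PROP_NO_FILTER),
    encode_dnscrypt_stamp("198.51.100.7", "22" * 32, "2.dnscrypt-cert.logs.example",
                          PROP_DNSSEC),  # validates DNSSEC but does not claim no-logs
]
```

    Real stamps from the public-servers list decode the same way, so the props field, not the resolver's marketing, is what a client like dnscrypt-proxy or SimpleDNSCrypt filters on.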


  • The day needs to come when all this can be handled at the router level.

    As for Cloudflare's new DNS service, I was all set to move to it until I read the wiki article on the company. Then I wondered why I would want to do that. 1.1.1.1 is faster than OpenDNS here, but barely.


  • Vivaldi Translator

    @paul1149 Agreed.
    The previous version of DNSCrypt was also available for programmable routers.
    Hopefully v2 will also get round to making router builds.

    v2 is still not complete, so priorities may be focused on the features first.

