Secure your DNS lookups with DNSCrypt
-
Using a DNS resolver with DNSSEC for privacy is important, but it does not prevent man-in-the-middle attacks.
NOTE: All the official Cisco OpenDNS resolvers log traffic, so they may not be wanted if privacy is also an issue.
See here https://dnscrypt.info/public-servers
You will also notice Cloudflare DNS in the list, and that they do not keep logs.

DNSCrypt adds encryption and validation to your DNS lookups, thus helping to protect against man-in-the-middle attacks.
It also supports the unique identifier keys used by the Cisco Umbrella DNS, should you want or need to use it.
https://dnscrypt.info/faq

From the full list of supported open DNS resolvers (including the official Cisco ones), you can filter by DNSSEC, logging and filtering.
Many of the resolvers also use Quad9, and SimpleDNSCrypt will fall back to regular Quad9 to fetch the resolver list if it cannot use its own.

You can select your preferred DNS by country or filters.
By default it will automatically use the fastest from the list.
Disable automatic mode to select as many specific resolvers as you prefer.

Block lists can be imported into the SimpleDNSCrypt client, and it recognises standard ad-block HOSTS files such as MVPS and hpHosts.
If you prefer to manage your own block lists, you can opt to use this instead of a HOSTS file or a resolver with filters.

Quad9 Note:
Recent tests showed that the site blocking provided by Quad9 is not good.
https://medium.com/@nykolas.z/dns-security-filters-compared-quad9-x-opendns-x-comodo-secure-x-norton-connectsafe-x-yandex-safe-a00ace3bf21f
It clearly shows that DNS filters are nowhere near as good as AV or manual HOSTS management.

DNSCrypt
https://dnscrypt.info
NOTE:
Having a secure connection between you and your DNS is only half of the picture.
You may stop a man in the middle between you and the DNS, but is there a MITM between the site and the DNS it uses ?
If you would like to see if the site you are connected to is using DNSSEC, and can actually be properly validated (separate from cert validation), you can use this site:
https://dnssec-name-and-shame.com

To add DNSSEC/DANE validation to your browser you have to use an extension, but it will make you very unhappy as you browse, because you will quickly see how few sites are configured to use DNSSEC, or configured properly.
https://www.dnssec-validator.cz -
The day needs to come when all this can be handled at the router level.
As for Cloudflare's new DNS service, I was all set to move to it until I read the wiki article on the company. Then I wondered why I would want to do that. 1.1.1.1 is faster than OpenDNS here, but barely.
-
@paul1149 Agreed.
The previous version of DNSCrypt was also available for programmable routers.
Hopefully v2 will also get round to making router builds.

v2 is still not complete, so priorities may be focused on the features first.
-
@Dr-Flay said in Secure your DNS lookups with DNSCrypt:
It clearly shows that DNS filters are nowhere near as good as AV or manual HOSTS management.
I just wanted to provide a bit of feedback here - we have a Cisco MSSP (Managed Security Services Provider) agreement to sell Cisco Umbrella.
Actually, while Google's safe browsing functionality is very useful, the article in question compares free OpenDNS filtering with several commercial AV vendors, e.g. Sophos, Fortinet, Kaspersky.
It is important to stress that many protection mechanisms - including selective proxying for risky domains to identify advanced threats and malware - and IP layer protection - are not included in OpenDNS home and are only available with Umbrella professional / business plans.
Therefore this advice above is a bit misleading. Yes, DNS filtering is not a replacement for AV as it tackles a very different function.
However there is a world apart from 'free' content filtering solutions and a proper DNS / Web security solution. If you don't believe me - ask OpenDNS.
This makes sense if you understand the most common attack vectors: with 90% of cyber attacks beginning with phishing and 80% of malware attacks using DNS at some point of the kill chain, commercial DNS filtering solutions certainly do have a lot of value.
Your information about DNSCrypt is great, so thank you for that. However, you strayed beyond that so I wanted to add some clarification for anyone reading the comments.
-
Wow old post.
BTW. DNSCrypt 2 now does indeed have builds for routers and Raspberry Pi etc.

My point about the AV wasn't explained properly really, as it relates to some users believing they can go without an AV if they use a DNS that blocks malware domains and IPs.
I should have pointed out that blocking the end points is no protection against malware itself, only against the places malware is known to come from or talk to.
Hence a multi-layered approach is needed.

Something else I could have noted relating to blocklists.
The big difference between local block lists and remote ones is that you get to add or remove any entries you disagree with, or for some reason need to override.
AV blocklists are generally like a filtered DNS, and to bypass an entry requires submitting a ticket for the entry to be re-evaluated.
That is apart from the in-browser blocking any AV adds via an extension.
These tend to just pull down a regular adblock type list, which you can edit if you find the folder.

Good places to find malware focused blocklists:
https://github.com/StevenBlack/hosts
https://www.malwaredomainlist.com
and a couple by Disconnect for their free level service.
https://s3.amazonaws.com/lists.disconnect.me/simple_malware.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt -
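The two points above that a practitioner usually has to solve by hand are importing several HOSTS-format block lists at once (the first post's MVPS/hpHosts import) and keeping a local override so you can add or remove entries yourself (this post's point about local versus remote lists). The following script is an added example written for this thread; it is not code from SimpleDNSCrypt, dnscrypt-proxy or any of the list maintainers linked here. It parses HOSTS-style lists, discards anything that is not a sinkhole rule, merges them with a local addition list, applies a local allowlist (exact names or `*.zone`), and emits one HOSTS file. The list contents in it are constructed samples, not real block lists.

```python
"""Merge HOSTS-format block lists into one local HOSTS file with an allowlist override.

Added example for this thread; not code from SimpleDNSCrypt or dnscrypt-proxy.
Every list below is a constructed sample, not a real downloaded list.
"""
import ipaddress
import re

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen (RFC 1123).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Names that appear in almost every HOSTS file but are not block rules.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
                "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}


def is_hostname(name):
    """True for a syntactically valid hostname that is not an IP literal."""
    if not name or len(name) > 253:
        return False
    try:
        ipaddress.ip_address(name)
        return False  # '0.0.0.0 0.0.0.0' style lines are not hostnames
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in name.split("."))


def _strip_comment(raw):
    return raw.split("#", 1)[0].strip()


def parse_hosts(text):
    """Return the set of names a HOSTS-format block list sinkholes.

    Only lines mapping to the unspecified (0.0.0.0, ::) or loopback (127.x, ::1)
    address count as block rules; any other mapping is a real host entry and is
    ignored. Several names on one line are accepted, as in MVPS/StevenBlack files.
    """
    blocked = set()
    for raw in text.splitlines():
        parts = _strip_comment(raw).split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a HOSTS line at all
        if not (addr.is_unspecified or addr.is_loopback):
            continue
        for host in parts[1:]:
            host = host.lower().rstrip(".")
            if host not in _LOCAL_NAMES and is_hostname(host):
                blocked.add(host)
    return blocked


def parse_names(text, wildcards=False):
    """Parse a plain one-name-per-line list. With wildcards=True a leading '*.'
    is accepted (used by the allowlist to cover a whole zone)."""
    names = set()
    for raw in text.splitlines():
        line = _strip_comment(raw).lower().rstrip(".")
        if not line:
            continue
        bare = line[2:] if (wildcards and line.startswith("*.")) else line
        if is_hostname(bare):
            names.add(line)
    return names


def is_allowed(host, allowlist):
    """True if host matches an allowlist entry exactly or lies under a '*.' zone."""
    for rule in allowlist:
        if rule.startswith("*."):
            zone = rule[2:]
            if host == zone or host.endswith("." + zone):
                return True
        elif host == rule:
            return True
    return False


def build_blocklist(remote_lists, local_block_text, allow_text):
    """Merge remote HOSTS lists plus local additions, then apply the allowlist.
    Returns (blocked, overridden): sorted names kept, and names the allowlist removed."""
    merged = set()
    for text in remote_lists:
        merged |= parse_hosts(text)
    merged |= parse_names(local_block_text)
    allowlist = parse_names(allow_text, wildcards=True)
    blocked = sorted(h for h in merged if not is_allowed(h, allowlist))
    overridden = sorted(h for h in merged if is_allowed(h, allowlist))
    return blocked, overridden


def render_hosts(blocked):
    """Emit a HOSTS file that sinkholes each blocked name to 0.0.0.0."""
    lines = ["# generated block list", "127.0.0.1 localhost", "::1 localhost"]
    lines += [f"0.0.0.0 {h}" for h in blocked]
    return "\n".join(lines) + "\n"


# Constructed samples standing in for downloaded MVPS / StevenBlack style files.
MVPS_SAMPLE = """\
# MVPS-style sample (constructed)
127.0.0.1  localhost
0.0.0.0  ads.example.net
0.0.0.0  tracker.example.org   # telemetry
0.0.0.0  api.safe.example.org
"""
STEVENBLACK_SAMPLE = """\
# StevenBlack-style sample (constructed)
0.0.0.0 0.0.0.0
255.255.255.255 broadcasthost
::1 localhost ip6-localhost
0.0.0.0 ads.example.net
0.0.0.0 Malware.Example.COM
0.0.0.0 cdn.update.example.com
0.0.0.0 bad_name.example.com
10.0.0.5 intranet.example.com
"""
LOCAL_BLOCKS = "phish.example.net\n"            # your own additions
ALLOWLIST = "cdn.update.example.com  # needed for updates\n*.safe.example.org\n"


def demo():
    return build_blocklist([MVPS_SAMPLE, STEVENBLACK_SAMPLE], LOCAL_BLOCKS, ALLOWLIST)


if __name__ == "__main__":
    kept, removed = demo()
    print(render_hosts(kept))
    print("# overridden by allowlist:", ", ".join(removed))
```

Point the output file at whatever the client expects (SimpleDNSCrypt reads a HOSTS file, as the first post says) and keep the allowlist and local additions under version control; rerunning the script after each list refresh is how the "remote list, local veto" split described above stays reproducible instead of being a one-off hand edit.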