DNSCrypt - OpenDNS - securing DNS communication

[Oceanwatcher]

Has anyone looked into the possibility of adding DNSCrypt to pfSense? This would encrypt all the DNS information going between the firewall and OpenDNS.

As far as I know, OpenDNS is the only DNS offering this right now, and there are clients for Windows and Mac for those individuals that want to use it. But it would be nice to see this for the firewall so the whole house would benefit from it.

As far as I know, it is open source, so it should be useable.

Does anyone know if anyone has started this already?

[yon]

me too. I want to get this.

http://forum.pfsense.org/index.php/topic,48520.0.html

[johnpoz]

Not really seeing the point to this?  So you feel your ISP is sniffing in on your traffic for what domains you query? 

Are you tunneling past them with a vpn for all your other traffic?  If not they can watch where you go that way.  If you are using a tunnel to past them - then why would your dns not go thru this same tunnel?

So who exactly are you securing your dns queries from?

[yon]

The more data during transmission hijacking and tampering. This situation is more the behavior of some governments.

And even violations of google and root dns server.

[johnpoz]

What?  And again if you were using say a vpn tunnel - even if the guys in black helicopters were watching the dns queries to googledns or roots - they would just see the vpn endpoint IP doing the queries, going to the sites.

If your not using a vpn to have some other IP go to the sites your going to, then even if your dns traffic is encrypted.  The government could still see where your going without the dns info.

Just really at a loss to understand the need for encryption of your dns traffic, without hiding your actual endpoint traffic completely - if your hiding your endpoint traffic completely then there is no reason to encrypt your dns traffic that I can see.

As to someone forging dns, etc. which from my understandings is the main reason for dnscurve - prevention of such attacks.  Again even if a government was going it - if you move your vpn endpoint outside the control of whoever (isp/black helicopters) then how would they forge dns packets to you?

[yon]

The government blocked network involves many techniques and different ways.

We want to gradually resolve a problem.  We need an easy way to get the real DNS data.

We can't always use VPN.

[Oceanwatcher]

Johnpoz - I did not bring up any government action at all, Yon did.

As the OP, my request stands. I would like to see this, as it is yet another way of securing - not the traffic itself, but in this case, the DNS communication. Does it need it? There has already been attacks that has targeted DNS. And if this gives us one more tool to protect ourselves against problems, is it not a good thing?

No matter what - with a setting in pfSense for this, you could decide yourself if you want to use it. The same way you do with everything else in pfSense :-)

[johnpoz]

"There has already been attacks that has targeted DNS"

And how does encrypting your traffic to a public server stop said attacks?

[NOYB]

 

"There has already been attacks that has targeted DNS"

And how does encrypting your traffic to a public server stop said attacks?

Perhaps the objective is to assure the DNS queries/responses cannot be tampered with in transit between server and client.  Not necessarily to obscure ones activity.  Isn't that what DNS Sec is all about too?
 

[johnpoz]

exactly - but dnssec tells you the records are from the owning server and have not been tampered with.  dnscrypt only tells you that the data was not tampered with from the server you asked it for, does not mean the record is valid or has not been tampered before it got to the server you asked.

that is why I asked how it prevents attacks.  If I attack a domain dns, dnscrypt does nothing to prevent me from impersonating the owning server of said domain.  Just because the response from opendns is signed/encrypted does not mean what opendns is giving me is good info.

[Oceanwatcher]

Just because the response from opendns is signed/encrypted does not mean what opendns is giving me is good info.

I think we are now into the academic area. At some point you have to trust someone. Yes, OpenDNS can serve bad data sometimes as bad data can propagate through the system.

A couple of questions: What exactly does DNSSEC do? Does it encrypt the traffic between the DNS and yourself? Or is it merely a way to say "OpenDNS is actually OpenDNS"? If is the latter, then I actually would prefer BOTH - a verification that the DNS actually is the real one, and encrypted traffic so no others can tamper with the data between the DNS and me.

But in both these scenarios are there any way to secure that the data OpenDNS has received is actually good. That is something that will have to rely on the communication they receive. What is important to me, and the only thing I can do anything about, is to ensure that the data gets from OpenDNS to me without going through a man in the middle or in any other way gets tampered with.

The DNS I use will have to take the necessary steps to ensure the data they receive is good. I can only trust that they do it, not do anything about it.