[lugm.org] Encrypting DNS

Loganaden Velvindron gnukid1 at yahoo.co.uk
Thu Nov 12 19:41:47 UTC 2015


[Can someone please fix LUGM mailing list so that nishal can post to lugm mailing list]

Here's my new configuration for dnscrypt-proxy on the OpenWRT box:
config dnscrypt-proxy
    option address '127.0.0.1'
    option port '5353'
    option resolver 'dnscrypt.eu-nl'

I am no longer relying on OpenDNS after reading their terms of service. I was planning on checking out OpenNIC. 

I chose this DNS server instead: DNScrypt.eu. It is committed to providing a Free, uncensored, and unlogged DNS service. Upon reading Orange's Terms of Service (http://myt.orange.mu/pdf/my_account/conditions_generale.pdf), I see no mention of it providing a Free & unlogged policy for subscriber traffic. Then again, I do not see any mention that the Internet traffic is filtered & logged [ http://www.icta.mu/market/CSA_charts.html ]. I don't know what else they are hiding from me.

Nishal, are you aware of the letsencrypt initiative? HTTPS will become more ubiquitous :)
So Nishal, what's the problem now that I've switched to an unlogged DNS provider? If Orange updates its policy to state clearly that they will not log my internet traffic & will provide DNScurve as part of their service, then I will consider switching back to their servers.

On Wednesday, 11 November 2015, 13:06, Nishal Goburdhan <nishal at controlfreak.co.za> wrote:

 On 11 Nov 2015, at 14:22, Loganaden Velvindron wrote:

> Sorry. I should have drawn a diagram.
> OpenDNS encrypts the traffic between its public resolvers and the 
> authoritative DNS servers on the Internet. Of course, this requires 
> the Authoritative DNS servers to implement DNSCurve.
> DNScrypt solves the last mile problem. It operates between your home 
> connection And the OpenDNS public servers.
> Hope that makes things clear.

yes, thanks.

it looks, to me, like you have traded the possibility of your 
local ISP not knowing what your DNS habits are like, against the very 
real chance of OpenDNS (now cisco) knowing this.  unless you have reason 
to live in fear of your local ISP/ICT authorities, i do not see the 
real, actual, win here.

let’s be honest;  the odds of your ISP tracking you, as an individual 
user today, are, very, very low.  frankly speaking, they have other 
things to do, and it’s not likely that your ISP will be able to 
monetise this information from you.  they’re already selling you 
internet bandwidth and they aren’t in the business of doing much else 
(yet).

however, the odds that OpenDNS (or any DNS provider that’s just giving 
you free service)  can track you are considerably higher.  this is - 
after all - their purpose.  DNS is their business.

if you didn’t want your ISP to know about your DNS habits, for the 
price of a small raspberry PI you could run your own caching server at 
home.  that’s trivial to do.
but wait, you say, my ISP can still sniff my traffic to find my DNS 
packets, and ….
well, they can do that to your http anyway.  and do you think that your 
https to youtube is any safer?  as your clueful ISP, if i wanted to, 
then perhaps i could not tell what was in your DNS packet, but i sure as 
heck can act against the tcp-flow it creates…

and you get to validate.  so you know if your DNS server’s being 
redirected.

your case is worse, still.
* opendns does not have any nodes in mauritius (or anywhere else in 
africa).  so your dns performance is now worse off, even for resolution 
to local sites that are in MU.
* because your resolver isn’t seen as a “local mauritian” IP 
address, you lose the benefit of local CDNs and other locally routed 
resources, like a local DNS root/.MU mirror.
* your reliance on an external system means that, should there ever be 
a catastrophic internet event where your island is isolated from the 
internet, your dns system *simply won’t work*

there are still fundamental DNS issues that should be fixed - crypt, 
bortzmeyer’s privacy draft…all good stuff.  but what you’ve done, 
is not fix the root cause;  you’ve just obfuscated the issue.  and, in 
the process, given away your query habits (which, btw, is what you were 
worried about), to an agency that is not subject to your local laws.  
so, well done on that  :-)

<tl;dr>  using a large dns operator is dumb if you can avoid it, and if 
you care about your privacy.  regardless of how you get to it.

—n.
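The "last mile" point in the quoted exchange (a conventional stub resolver sends its query to the ISP's resolver on UDP port 53 in the clear, which is what dnscrypt-proxy encrypts) is easy to see at the byte level. The following is an added example written for this archive page, not code from either poster, from dnscrypt-proxy or from OpenWRT: it builds a plain DNS query in the standard wire format, decodes it again as a passive observer on the path would, and reports whether the queried labels are readable without any key. The name `www.example.org` and the transaction id are constructed sample values; the functions `build_query`, `parse_query` and `name_visible_on_wire` are this example's own.

```python
"""
Build a conventional DNS query (the UDP/53 wire format a stub resolver
emits) and decode it again to show that the queried name is cleartext.
Added example for this mailing-list thread; it does not use dnscrypt-proxy
or OpenWRT, and the query name is a constructed sample, not a capture.
"""
import struct

QTYPE_A = 1      # address record
QCLASS_IN = 1    # Internet class


def encode_qname(name):
    """Encode a dotted hostname as DNS labels: length byte + label, NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=QTYPE_A):
    """Return a plain DNS query packet: 12-byte header followed by one question."""
    flags = 0x0100  # standard query, recursion desired (RD)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # qdcount=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_qname(packet, offset):
    """Read labels starting at offset; return (name, offset after the NUL)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            # Compression pointers only appear in answers, never in a question.
            raise ValueError("unexpected compression pointer in question")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(packet):
    """Everything a passive observer on the path can read from one plaintext query."""
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_qname(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "rd": bool(flags & 0x0100), "qname": name,
            "qtype": qtype, "qclass": qclass}


def name_visible_on_wire(packet, name):
    """True if every label of `name` appears verbatim in the raw packet bytes."""
    return all(label.encode("ascii") in packet for label in name.split("."))


if __name__ == "__main__":
    pkt = build_query("www.example.org")  # constructed sample name
    print(pkt.hex())
    print(parse_query(pkt))
    print("labels readable without any key:",
          name_visible_on_wire(pkt, "www.example.org"))
```

With dnscrypt-proxy in the path, the packet leaving the home connection is the encrypted DNSCrypt envelope rather than this structure, so `parse_query` on the captured bytes would fail rather than yield the name; as the quoted reply notes, the destination IP of the TCP connection that follows the lookup is still visible to the ISP either way.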

