XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)

All times are UTC - 8 hours

[ 20 posts ]
PostPosted: Sun Apr 14, 2019 7:58 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6462
Location: NYC
I'm seeing that a number of the available DNSCrypt servers (via Tomato router firmware) are maintained by individuals (suppose the question is much the same whether maintained by a single individual or a larger entity, such as Google, OpenDNS/Cisco (logging as an upfront policy), etc., but thinking that if maintained by a single individual, rather than by some large, amorphous outfit, some kind of direct snooping might occur).

The several servers I've tried over time are offered as non-logging (suppose this means only the IP is not logged, as all the lookups incoming and outgoing would be encrypted), but I have no way of knowing if this is actually the case. Probably no way to answer this definitively, but how can one decide (similar to choosing a VPN), whether to trust one of these or not?

https://dnscrypt.info/public-servers/

This is the one I've started using most recently: https://www.fr.dnscrypt.info/

Everything sounds quite good privacy related, but no way of knowing if all this is really true. Lacking any independent corroboration, seems it all boils down to having to take their word for it.


Last edited by WZZZ on Mon Apr 15, 2019 3:12 am, edited 1 time in total.

PostPosted: Sun Apr 14, 2019 3:55 pm 
Benevolent Dictator
Joined: Mon Apr 21, 2008 2:03 am
Posts: 15695
Good questions.


PostPosted: Mon Apr 15, 2019 7:40 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6462
Location: NYC
To be clear, no reason to think the admin for this isn't on the up and up. Seeing elsewhere that this particular DNSCrypt resolver is being used with no issues.


PostPosted: Mon Apr 15, 2019 3:34 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 10429
Location: Caught between the moon and NYC
To a large extent this is partially why people all over the place are setting up their own personal pihole/dnscrypt servers on their own virtual server (amazon cloud, etc.) instance. At a certain point you either trust someone to do the right thing or you don't. Or you don't trust them to not get compromised or infiltrated by a nation state.


PostPosted: Mon Apr 15, 2019 9:41 pm 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6462
Location: NYC
Well, looks like a leap of faith is in order, won't be setting up my own DNS, or designing a 3 stage liquid fuel rocket, any time soon.

In the meantime, have just started receiving spam directly to Mac mail client from the AOL mail account. Since I was forced over to AOL by VZ, at least one good thing about that move, never got any spam directly. It always went right into the occasionally visited AOL webmail spam folder, from where I would trash it. Have to figure out what's happening now with this. And not your usual generic spam, just got one for saddlery and horse riding apparel. How I ended up being profiled as some kind of horse riding country gentleman I'll never know. If they can be that far off, next thing I'll be getting ads for ballet lessons.


PostPosted: Tue Apr 16, 2019 8:48 am 
Benevolent Dictator
Joined: Mon Apr 21, 2008 2:03 am
Posts: 15695
:lol:


PostPosted: Tue Apr 16, 2019 5:07 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 10429
Location: Caught between the moon and NYC
PiHoles aren't crazy hard to get going.

https://pi-hole.net/

Though use of Terminal is required. Getting it into a hosting service (aka "the cloud") is harder and comes with recurring hosting costs.

The reason it's called PiHole is because this started out on Raspberry Pi hardware, which is a very low cost very low powered system suitable for simple projects. I've always wanted to kind of muck with them but the lack of power has always steered me away... the stuff I'd want to do would be better suited to an x86 box. Or simply run it in the router.


PostPosted: Wed Apr 17, 2019 11:57 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6462
Location: NYC
Seems easy enough to install, they do all the heavy lifting. Don't think the Asus (been using the even smaller N-10P, in fact) has enough free NVRAM to put it directly there (no idea if that would work even if it were possible), and no clue what all the cloud server stuff would entail, so most unlikely I'll take that route.

Wondering now if I might be better off in the end just abandoning the DNSCrypt and simply use a well known secure DNS, like the cloudflare 1.1.1.1 or the 9.9.9.9. Or, even more likely, keep the DNSCrypt, and just stop bothering about any of this.

EDIT: been testing Quad9. Doesn't look half bad. Seems quite fast, since it's not making the round trip to Paris. Shows as available for DNSCrypt, but unfortunately not listed in freshtomato DNSCrypt servers. Anyway maybe good enough. Like what it's supposed to do.

https://quad9.net/faq/

Unfortunately, logs not showing it's going out on 443 (DoH). Wonder how big a drawback that is?


PostPosted: Wed Apr 17, 2019 4:10 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 10429
Location: Caught between the moon and NYC
Tomato doesn't support DoH for DNS resolution, that's a very recent development, so recent that most DNS providers don't support it yet.

Personally I use quad9 for DNS and for things I'm paranoid about (cough, tpb, cough) I connect via VPN and other obfuscations on individual systems. If your ISP is intercepting DNS and redirecting it to their servers you've got bigger problems because what you really need is a new ISP.


PostPosted: Wed Apr 17, 2019 5:10 pm 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6462
Location: NYC
EDIT: Wasn't understanding DoH correctly. With DNSCrypt see #443 next to the resolver IP in the log, so assumed it was connecting over https. But understanding now that 443 may be used for some form of secure connection, but not necessarily https.

Btw, looks like Quad9 does have a DoH option. Available with DNScrypt proxy (but not on my FT list) and Firefox.

https://quad9.net/doh-quad9-dns-servers/


Looks like Quad9 may be the way to go. Faster and implicitly more worthy of trust than some DNS run by some individual as a sideline. Glad to hear you use it. Good recommendation.


PostPosted: Fri Apr 19, 2019 1:43 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 10429
Location: Caught between the moon and NYC
It looks like the latest version of DNSCrypt supports DoH, but unless you upgraded since the last time I remember you upgrading, you're still on a fairly old build of DNSCrypt (not as old as the original one, but in the scheme of things it's old), so I'm not sure if it supports DoH. A lot of daemons can listen on 80 and 443, not just HTTP and HTTPS, because firewalls typically let those connections out unmolested, but it's possible it's DoH. Sorry, but I actually didn't realize that DNSCrypt had added support for DoH.

I'm still kind of in denial that DoH exists because DNS filtering is how my workplace controls student access to objectionable materials, like porn. We were supposed to move to a firewall that can do HTTPS inspection but of course that got pushed back and then the fire/rain/move clusterfuck started.


PostPosted: Fri Apr 19, 2019 3:49 pm 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6462
Location: NYC
Well, with your endorsement, I think I'll keep using Quad9 (9.9.9.9/149.112.112.112) as it is, and not get too bothered about DNSCrypt or DoH (unaware if there's a newer version of FT with a newer DNSCrypt, but not ready anyway to start in again on all the upgrading involved, even if there is).

EDIT: except compared to DNSCrypt, my only remaining concern would be how vulnerable Quad9 is to MITM? Never see ISP's DNS in dnsleaktest with DNSCrypt or Quad9, so I'm probably good on that front.


PostPosted: Sat Apr 20, 2019 4:34 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 10429
Location: Caught between the moon and NYC
Yes, normal DNS is vulnerable to a MITM attack, but for that to work your ISP has to be compromised. Doesn't happen very often except by nation state actors, and they're typically targeting specific people, not random acts of damage.


PostPosted: Sun Apr 21, 2019 2:57 pm 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6462
Location: NYC
MonkeyBoy wrote:
Yes, normal DNS is vulnerable to a MITM attack, but for that to work your ISP has to be compromised.

Is that the only way this can occur, the usual way, or are there other means, even if the ISP is not compromised? Have been reading up on this issue, including DNSSEC; very technical and complicated, hard for me to understand all that much. I do see that there have been some very major attacks from nation state actors with specific targets.

The ideal would be to get Quad9 DNSCrypt up and running manually on FTomato -- the best of both worlds. Think my FT might be running the necessary version.
Quote:
from the log:
...Using version 2.0 of the DNSCrypt protocol

Will have to contact Quad9 support to see if they can tell me what to enter in these fields:

Attachment: dnscrypt proxy manual entry.png


PostPosted: Mon Apr 22, 2019 3:30 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 10429
Location: Caught between the moon and NYC
Someone has to compromise your ISP or one of the hops in-between you and 9.9.9.9 for the traffic to get redirected to another location. They could also compromise your router at home (which is normally much easier than attacking ISP equipment).

In theory they could also compromise the 9.9.9.9 subnet range, but that would be noticed by, well, everyone, and fairly quickly. They would take ownership of 9.9.9.0 or whatever subnet block it belongs to and start spreading that ownership information from ISP to ISP. As it percolates around, less traffic would go to the correct source and more would go to their source, but it percolates pretty quickly so it would be noticed fairly fast.

Nation state actors are certainly being a problem on the internet, although as I said they tend to go for specific people and not widespread chaos, in part because widespread chaos is easy to notice and revert. If it's only one particular customer and that customer doesn't catch on, then who's going to notice?


PostPosted: Tue Apr 23, 2019 7:42 am 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6462
Location: NYC
Thanks, and re. DNSSEC, reading that it's still not that widely or very well implemented, so simply having a DNSSEC aware DNS resolver (both Quad9 and Scaleway-fr are) may lead to a false sense of security. Plus, no way to know if any DNS lookup is DNSSEC enabled. No lock, nothing like "HTTPS" to see if DNSSEC is being utilized for any given lookup. Maybe DoH more important?

Btw, have contacted Quad9 support for the FT manual entry fields. We'll see.


PostPosted: Tue Apr 23, 2019 2:17 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 10429
Location: Caught between the moon and NYC
In theory DNSCrypt is a better option for security since if the encryption isn't working then DNSCrypt will stop working.

I'm sure you stumbled across this page already. Quad9's toml file includes the following info:
Code:
[sources.quad9-resolvers]
urls = ["https://www.quad9.net/quad9-resolvers.md"]
minisign_key = "RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN"
cache_file = "quad9-resolvers.md"
refresh_delay = 72
prefix = "quad9-"


and their md file is:
Code:
# quad9-resolvers
This is a list of all of the Quad9 dns stamps available for filtered/unfiltered dnssec/doh services.
--
## dnscrypt-ip4-filter-pri
Quad9 (anycast) dnssec/no-log/filter 9.9.9.9
sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
## dnscrypt-ip4-filter-alt
Quad9 (anycast) dnssec/no-log/filter 149.112.112.9
sdns://AQMAAAAAAAAAEjE0OS4xMTIuMTEyLjk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
## dnscrypt-ip4-nofilter-pri
Quad9 (anycast) no-dnssec/no-log/no-filter 9.9.9.10
sdns://AQYAAAAAAAAADTkuOS45LjEwOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA
## dnscrypt-ip4-nofilter-alt
Quad9 (anycast) no-dnssec/no-log/no-filter 149.112.112.10
sdns://AQYAAAAAAAAAEzE0OS4xMTIuMTEyLjEwOjg0NDMgZ8hHuMh1jNEgJFVDvnVnRt803x2EwAuMRwNo34Idhj4ZMi5kbnNjcnlwdC1jZXJ0LnF1YWQ5Lm5ldA
## dnscrypt-ip6-filter-alt
Quad9 (anycast) dnssec/no-log/filter 2620:fe::9
sdns://AQMAAAAAAAAAEVsyNjIwOmZlOjo5XTo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ
## dnscrypt-ip6-filter-pri
Quad9 (anycast) dnssec/no-log/filter 2620:fe::fe:9
sdns://AQMAAAAAAAAAFFsyNjIwOmZlOjpmZTo5XTo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ
## dnscrypt-ip6-nofilter-pri
Quad9 (anycast) no-dnssec/no-log/no-filter 2620:fe::10
sdns://AQYAAAAAAAAAElsyNjIwOmZlOjoxMF06ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
## dnscrypt-ip6-nofilter-alt
Quad9 (anycast) no-dnssec/no-log/no-filter 2620:fe::fe:10
sdns://AQYAAAAAAAAAFVsyNjIwOmZlOjpmZToxMF06ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0
## doh-ip4-filter-pri
Quad9 (anycast) dnssec/no-log/filter 9.9.9.9
sdns://AgMAAAAAAAAABzkuOS45LjmAABJkbnM5LnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ
## doh-ip4-filter-alt
Quad9 (anycast) dnssec/no-log/filter 149.112.112.9
sdns://AgMAAAAAAAAADTE0OS4xMTIuMTEyLjmAABJkbnM5LnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ
## doh-ip4-nofilter-pri
Quad9 (anycast) no-dnssec/no-log/no-filter 9.9.9.10
sdns://AgYAAAAAAAAACDkuOS45LjEwgAASZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk
## doh-ip4-nofilter-alt
Quad9 (anycast) no-dnssec/no-log/no-filter 149.112.112.10
sdns://AgYAAAAAAAAADjE0OS4xMTIuMTEyLjEwgAASZG5zOS5xdWFkOS5uZXQ6NDQzCi9kbnMtcXVlcnk
## doh-ip6-filter-pri
Quad9 (anycast) dnssec/no-log/filter 2620:fe::9
sdns://AgMAAAAAAAAADFsyNjIwOmZlOjo5XYAAEmRuczkucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5
## doh-ip6-filter-alt
Quad9 (anycast) dnssec/no-log/filter 2620:fe::fe:9
sdns://AgMAAAAAAAAAD1syNjIwOmZlOjpmZTo5XYAAEmRuczkucXVhZDkubmV0OjQ0MwovZG5zLXF1ZXJ5
## doh-ip6-nofilter-pri
Quad9 (anycast) no-dnssec/no-log/no-filter 2620:fe::10
sdns://AgYAAAAAAAAADVsyNjIwOmZlOjoxMF2AABJkbnM5LnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ
## doh-ip6-nofilter-alt
Quad9 (anycast) no-dnssec/no-log/no-filter 2620:fe::fe:10
sdns://AgYAAAAAAAAAEFsyNjIwOmZlOjpmZToxMF2AABJkbnM5LnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ


Sorry if that's not particularly helpful info, at work and just taking a break from walking the football field (my office is at one end of the building, most of the office workers are at the other end).


PostPosted: Tue Apr 23, 2019 2:49 pm 
Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6462
Location: NYC
Yeah, did come across that, downloaded it, can see the desired resolver. But beyond that no idea how to use it to fill the manual entry fields.


PostPosted: Tue Apr 23, 2019 4:27 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 10429
Location: Caught between the moon and NYC
Resolver address: 9.9.9.9
Provider Name: Quad9
Provider Public Key: AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhkyLmRuc2NyeXB0LWNlcnQucXVhZDkubmV0

It's the first group in the .md so maybe?

Edit: Public key might be RWQBphd2+f6eiAqBsvDZEBXBGHQBJfeG6G+wJPPKxCZMoEQYpmoysKUN instead


PostPosted: Tue Apr 23, 2019 4:38 pm 
Joined: Thu May 15, 2008 8:13 pm
Posts: 10429
Location: Caught between the moon and NYC
Okay, so sdns:// is a base64 encoded value, so that first public key string I provided is most certainly wrong.

Decoding it returns something that might be useful if I can wrap my brain around it. Every time I start making progress on something tonight I keep getting interrupted and start over at square one...

Server address (again from the first group in .md) is 9.9.9.9:8443
Public key seems to be gGu $UCYŃ·7a0 but that looks wrong to me.


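The sdns:// strings quoted above are not keys but base64url-encoded binary records, which is why decoding one and pasting the bytes into a text field yields unreadable characters. The following is an added Python example, not code from this thread and not dnscrypt-proxy's own code, that decodes a stamp according to the DNS stamps specification (https://dnscrypt.info/stamps-specifications/): one protocol byte, a 64-bit little-endian properties word, then length-prefixed fields (server address, provider public key and provider name for DNSCrypt; certificate hashes, hostname and path for DoH). The two stamps embedded in it are copied from the Quad9 list quoted earlier in the thread. The colon-separated hex form of the provider key is the usual DNSCrypt notation for provider keys; whether a given router form expects exactly that notation is an assumption the thread does not settle.

```python
"""Decode DNS stamps (sdns://...) into their fields.

Added example; follows https://dnscrypt.info/stamps-specifications/ and is not
code from dnscrypt-proxy or from the forum thread.
"""
import base64
import struct
from dataclasses import dataclass, field
from typing import List

PROTO_DNSCRYPT = 0x01
PROTO_DOH = 0x02

# Property bits of the 64-bit "props" word (bit 0 DNSSEC, bit 1 no logs, bit 2 no filter).
PROP_FLAGS = {1 << 0: "DNSSEC", 1 << 1: "No logs", 1 << 2: "No filter"}


@dataclass
class Stamp:
    proto: int
    props: int
    server_addr: str                     # "ip[:port]" or "[ipv6][:port]"
    public_key: bytes = b""              # DNSCrypt: 32-byte provider public key
    provider_name: str = ""              # DNSCrypt: e.g. "2.dnscrypt-cert.quad9.net"
    hashes: List[bytes] = field(default_factory=list)         # DoH: certificate hashes
    hostname: str = ""                   # DoH: "host[:port]" used for TLS/SNI
    path: str = ""                       # DoH: e.g. "/dns-query"
    bootstrap_ips: List[bytes] = field(default_factory=list)  # DoH: optional trailing list

    def prop_names(self) -> List[str]:
        return [name for bit, name in PROP_FLAGS.items() if self.props & bit]

    def key_hex(self) -> str:
        """Provider key as colon-separated uppercase hex groups (DNSCrypt notation)."""
        h = self.public_key.hex().upper()
        return ":".join(h[i:i + 4] for i in range(0, len(h), 4))


class _Reader:
    """Bounds-checked cursor over the decoded stamp bytes."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated stamp")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def lp(self) -> bytes:
        """Length-prefixed field: one length byte followed by that many bytes."""
        return self.take(self.take(1)[0])

    def vlp(self) -> List[bytes]:
        """Variable-length list of LP items; bit 0x80 of a length means another item follows."""
        items = []
        while True:
            n = self.take(1)[0]
            items.append(self.take(n & 0x7F))
            if not n & 0x80:
                return items

    def done(self) -> bool:
        return self.pos == len(self.data)


def parse_stamp(stamp: str) -> Stamp:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    body = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))  # stamps omit '=' padding
    r = _Reader(raw)
    proto = r.take(1)[0]
    props = struct.unpack("<Q", r.take(8))[0]
    addr = r.lp().decode()
    if proto == PROTO_DNSCRYPT:
        key = r.lp()
        if len(key) != 32:
            raise ValueError(f"provider key must be 32 bytes, got {len(key)}")
        st = Stamp(proto, props, addr, public_key=key, provider_name=r.lp().decode())
    elif proto == PROTO_DOH:
        hashes = [h for h in r.vlp() if h]  # some encoders emit empty placeholder entries
        host = r.lp().decode()
        path = r.lp().decode()
        st = Stamp(proto, props, addr, hashes=hashes, hostname=host, path=path)
        if not r.done():                      # optional bootstrap IP list, later spec addition
            st.bootstrap_ips = r.vlp()
    else:
        raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")
    if not r.done():
        raise ValueError("trailing bytes after stamp")
    return st


# Stamps copied from the Quad9 resolver list quoted in the thread.
QUAD9_DNSCRYPT = ("sdns://AQMAAAAAAAAADDkuOS45Ljk6ODQ0MyBnyEe4yHWM0SAkVUO-dWdG3zTfHYTAC4xHA2jfgh2GPhky"
                  "LmRuc2NyeXB0LWNlcnQucXVhZDkubmV0")
QUAD9_DOH = "sdns://AgMAAAAAAAAABzkuOS45LjmAABJkbnM5LnF1YWQ5Lm5ldDo0NDMKL2Rucy1xdWVyeQ"

if __name__ == "__main__":
    for s in (QUAD9_DNSCRYPT, QUAD9_DOH):
        st = parse_stamp(s)
        print(f"proto=0x{st.proto:02x} props={st.prop_names()} addr={st.server_addr}")
        if st.proto == PROTO_DNSCRYPT:
            print(f"  provider name: {st.provider_name}")
            print(f"  provider key:  {st.key_hex()}")
        else:
            print(f"  hostname={st.hostname} path={st.path} hashes={len(st.hashes)}")
```

Run against the first DNSCrypt stamp, the decoder gives the server address 9.9.9.9:8443 (matching what was found by hand above), the provider name 2.dnscrypt-cert.quad9.net as the third field, and the 32-byte key as the second field; the key is raw bytes, which is why it only makes sense once rendered as hex. The DoH stamp of the same list decodes to a bare address 9.9.9.9 plus hostname dns9.quad9.net:443 and path /dns-query, with no pinned certificate hashes. The length checks in the reader reject truncated or padded-out stamps rather than reading past the buffer.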