Hi David,

With the "dnscrypt-proxy" running on AstLinux, rather than dnsmasq directly forwarding unknown DNS queries, dnsmasq locally queries "dnscrypt-proxy" which then makes DNS queries over an encrypted tunnel to a trusted DNS server.

So for most, all the local networks' DNS queries would be done unencrypted using UDP 53 via AstLinux's (dnsmasq) caching nameserver, and then at the public edge the DNS queries are forwarded via an encrypted tunnel.

BTW, we have this all working in our tests. :-)

Personally the encryption is not as important as mitigating DNS man-in-the-middle attacks, which some ISPs actually do from what I read :-( .

It seems DNSCrypt is a useful security tool, optional of course.

I read that some use dnscrypt-wrapper on their own cloud server to run a DNS server/forwarder, which "dnscrypt-proxy" is required to access.

Lonnie

On Feb 8, 2014, at 10:59 AM, David Kerr wrote:

> Can you explain where encryption would occur? Today I have...
>
> Local system ---> DNS query to Astlinux ---> Forward DNS query to OpenDNS (if
> not cached at AstLinux I assume)
>
> With DNSCrypt would this whole path be encrypted?
> I think today I could install DNSCrypt on local systems and then DNS queries
> would bypass Astlinux, going straight to OpenDNS.
> If Astlinux added DNSCrypt then would it encrypt both incoming requests from
> clients, and outbound requests to OpenDNS?
> This would presumably require a decryption/encryption step on the Astlinux
> box if Astlinux DNS server supported DNSCrypt.
>
> Thanks for any clarification.
>
> David
>
>
> On Wed, Feb 5, 2014 at 2:19 PM, Lonnie Abelbeck <[email protected]>
> wrote:
> Please comment,
>
> Is there any interest in AstLinux supporting DNSCrypt ?
>
> As you may or may not know, DNSCrypt offers encrypted privacy for DNS, while
> DNSSEC provides zone authentication. Complementary, each solving different
> issues.
>
> More Info:
> --
> DNSCrypt | OpenDNS
> http://www.opendns.com/about/innovations/dnscrypt/
>
> DNSCrypt
> http://dnscrypt.org/
> --
>
> At this point we are just looking into it, the dnscrypt-proxy 1.3.3 and
> libsodium 0.4.5 packages would need to be added to our Buildroot which could
> be a problem until it is tried.
>
> Would you use DNSCrypt ? Do we / customers really care ?
>
> Is DNSCrypt the long-term standard for encrypted privacy for DNS ?
>
> This is mostly an OpenDNS thing now, though a few other DNS providers around
> the world also support DNSCrypt.
>
> The dnscrypt-proxy package seems fairly lightweight, implementation would be
> a simple checkbox and automatically configuring dnsmasq to use the defined
> static DNS entries directly or via dnscrypt-proxy listening on 127.0.0.2 .
>
> Thanks for any feedback.
>
> Lonnie
>
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> [email protected].
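As an added illustration (not part of the original message and not AstLinux's own code), a shell check for the setup described above, where dnsmasq should forward only to dnscrypt-proxy on 127.0.0.2: it flags a missing no-resolv and any server= entry that bypasses the proxy. The function names and both sample configs are constructed; no-resolv and server= are standard dnsmasq options.

```shell
#!/bin/sh
# Added example (not AstLinux code): check that a dnsmasq config sends every
# upstream query to the local dnscrypt-proxy. Sample configs are constructed.

# audit_dnsmasq CONF PROXY_ADDR -> prints findings, returns 0 if nothing leaks
audit_dnsmasq() {
    conf=$1; proxy=$2; rc=0; seen_proxy=0
    # Without no-resolv, dnsmasq also forwards to the nameservers listed in
    # /etc/resolv.conf, so queries can still leave in plaintext.
    if ! grep -Eq '^[[:space:]]*no-resolv([[:space:]].*)?$' "$conf"; then
        echo "FAIL: no-resolv not set"; rc=1
    fi
    # Collect the value of every server= line (plain and /domain/addr forms).
    upstreams=$(sed -n 's/^[[:space:]]*server=\([^[:space:]]*\).*/\1/p' "$conf")
    for u in $upstreams; do
        addr=${u##*/}       # drop a leading /domain/ selector
        addr=${addr%%#*}    # drop a #port suffix
        addr=${addr%%@*}    # drop an @interface suffix
        [ -n "$addr" ] || continue   # no address left: nothing forwarded here
        if [ "$addr" = "$proxy" ]; then
            seen_proxy=1
        else
            echo "FAIL: upstream bypasses dnscrypt-proxy: server=$u"; rc=1
        fi
    done
    if [ "$seen_proxy" -eq 0 ]; then
        echo "FAIL: no server=$proxy entry"; rc=1
    fi
    return "$rc"
}

# write_samples DIR -> creates two constructed configs for the demo
write_samples() {
    printf '%s\n' 'no-resolv' 'server=127.0.0.2' 'cache-size=1000' > "$1/proxied.conf"
    printf '%s\n' 'server=127.0.0.2' 'server=/example.lan/192.0.2.53' \
        'server=198.51.100.1#53' > "$1/leaky.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in proxied leaky; do
    if audit_dnsmasq "$tmp/$f.conf" 127.0.0.2; then
        echo "$f.conf: all upstream DNS goes via dnscrypt-proxy"
    else
        echo "$f.conf: plaintext DNS path found"
    fi
done
rm -rf "$tmp"
```

The check compares addresses only, so an upstream on the proxy's IP but a different port is treated as the proxy.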
