Thoughts on this? It's an upgrade to already existing tools such as dnscrypt-proxy, and it enables anonymization of DNS to upstream providers using another provider as a relay, but the relay also doesn't see the DNS queries.
Yeah, I'm using it right now actually…
Me too. Just wondering what people think of it.
Really neat! Gonna try this out myself soon.
I find it interesting, but I am not going to try it anytime soon.
My main issue is that Debian is stuck on an old version of dnscrypt-proxy, so keeping it up-to-date would be a pain, and another issue is dnscrypt-proxy not validating DNSSEC by itself (having only an option to require servers to support DNSSEC).
Currently I am using Unbound with DNS-over-TLS and DNSSEC validation. While it's possible that a server violates its privacy statement, the server cannot lie to me about the DNS records of DNSSEC-signed domains. I am using SSHFP records with SSH.
If I was using DNSCrypt-proxy and anonymized DNS, the server wouldn't know it's me making the query, but it could still lie to everyone about the DNS records, unless I was running Unbound behind DNSCrypt-proxy, which I find somewhat useless as Unbound can also encrypt DNS with the aforementioned DoT. There are multiple servers on our DNS page, of which 3 also support DoT on port 443.
There is an easy way to keep it updated: there is a script here for that, you just need to replace linux_x86_64 with whatever OS you are using it with (I'm using it with Raspbian) and make a cronjob with root permission. Glad that the PTIO team finds it interesting, it might be a way to have really trustless use of DNS resolvers.
Some first glance concerns of that script:
- it works outside of package manager
- it has no randomized time in the cron example and with enough users may look like a DDoS attack
- if I understand it correctly, it doesn’t verify the signatures of the binary
- runs as root (which may be unavoidable or could it use a creative sudoers rule?)
- it works outside package manager
- you can set the cronjob however you want, that's up to you
- it doesn't verify signatures, but I might contact the developer to do signing so they can be verified
- you can use sudoers rule, I run it without root just to check if there is update then run script with sudo when there is update
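Since the concerns above (no signature verification, no randomized cron time, running as root) are all things an update helper can handle, here is an added example that is neither the script linked in the thread nor dnscrypt-proxy's own code. It assumes the release tarball and a checksum manifest in the constructed format "<sha256>  <filename>" have already been downloaded by a separate unprivileged step; in a real deployment you would verify the upstream's detached release signature instead of a plain checksum manifest, but a manifest is used here so the example runs offline. The version comparison, jitter, and verification are written as POSIX sh functions so they can be reused from a cron job that runs as a normal user, with the install left to a separate sudo invocation.

```shell
#!/bin/sh
# Added example (not the thread's script, not dnscrypt-proxy's own code):
# an update check that verifies the artifact before anything is installed,
# spreads cron load with a random delay, and needs no root privileges.
# Assumption: $RELEASE_DIR already holds the tarball and a manifest with
# lines "<sha256>  <filename>" (constructed format, fetched by another step).
set -eu

# Succeed when dotted version $1 is strictly newer than $2 (leading "v" ignored).
version_newer() {
    v1=${1#v}; v2=${2#v}
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        p1=${p1:-0}; p2=${p2:-0}          # missing component counts as 0
        [ "$p1" -gt "$p2" ] && return 0
        [ "$p1" -lt "$p2" ] && return 1
    done
    return 1                               # equal versions: not newer
}

# Random delay in [0, $1) seconds so many hosts do not poll at the same second.
jitter_seconds() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $((r % $1))
}

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if $1's digest matches the manifest ($2) entry for its basename.
verify_checksum() {
    name=$(basename "$1")
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$2")
    [ -n "$expected" ] || return 1         # unknown file: refuse, never assume
    [ "$expected" = "$(sha256_of "$1")" ]
}

# 0 = newer version available and artifact verified; 1 = nothing to do;
# 2 = newer version exists but the artifact failed verification (do not install).
check_release() {
    installed=$1; latest=$2; tarball=$3; manifest=$4
    version_newer "$latest" "$installed" || return 1
    verify_checksum "$tarball" "$manifest" || return 2
    return 0
}

# Constructed demo data standing in for a downloaded release.
RELEASE_DIR=$(mktemp -d)
trap 'rm -rf "$RELEASE_DIR"' EXIT
TARBALL="$RELEASE_DIR/dnscrypt-proxy-linux_x86_64-2.0.31.tar.gz"
MANIFEST="$RELEASE_DIR/SHA256SUMS"
printf 'not a real tarball\n' > "$TARBALL"
printf '%s  %s\n' "$(sha256_of "$TARBALL")" "$(basename "$TARBALL")" > "$MANIFEST"

demo() {
    sleep "$(jitter_seconds 3)"            # a real cron job would use e.g. 600
    status=0
    check_release 2.0.25 2.0.31 "$TARBALL" "$MANIFEST" || status=$?
    case $status in
        0) echo "verified update 2.0.25 -> 2.0.31; run the install step with sudo" ;;
        1) echo "already up to date" ;;
        *) echo "newer release found but verification FAILED; not installing" ;;
    esac
}
demo
```

Run the check itself from an unprivileged user's crontab; only the step that unpacks the verified tarball into the install location needs elevation, which keeps the download-and-verify code out of root entirely.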
You're right (https://launchpad.net/~shevchuk/+archive/ubuntu/dnscrypt-proxy). I reached out to the maintainer, @shevchuk, over Keybase to see if they intend to update the package version.
I don't know about Launchpad/Ubuntu, but Debian's issue is in the Debian 10 release notes (I wish it had a link to bugs.debian.org to subscribe to what needs to be done, or its status).
The Debian infrastructure currently doesn’t properly enable rebuilding packages that statically link parts of other packages on a large scale. Until buster that hasn’t been a problem in practice, but with the growth of the Go ecosystem it means that Go based packages won’t be covered by regular security support until the infrastructure is improved to deal with them maintainably.
If updates are warranted, they can only come via regular point releases, which may be slow in arriving.
For me, I think it's the best thing that has happened in DNS servers, so you not only hide your traffic from the ISP by dnscrypt but also hide it from the DNS server itself, so yeah, it's a really good thing.
Never got a reply, but it looks like it's been updated to the latest (v2.0.31): https://launchpad.net/~shevchuk/+archive/ubuntu/dnscrypt-proxy