from Hacker News

Introducing DNSCrypt (Preview Release)

by timw6n on 1/13/14, 12:07 AM with 38 comments

  • by navyrain on 1/13/14, 1:28 AM

    DNSCrypt is a cool utility, but somewhat of a mixed bag, since OpenDNS serves up responses for invalid DNS records, in an effort to send you to website-unavailable.com.

    This hijacking (I am blanking on the technical term for it) really rubs me the wrong way. Is there a way to get around it?

  • by dmunoz on 1/13/14, 1:26 AM

    Is there anything new here? DNSCrypt as a preview has been available for a good while now. Clicking through to their GitHub, I see that dnscrypt-proxy was last updated 4 days ago, and then the two clients: dnscrypt-osx-client 11 days ago yet dnscrypt-win-client more than a year ago, with various issues that have not been responded to, oldest being a year old as well.

    I point this out mainly because I gave dnscrypt a shot more than a year ago on Windows and it severely borked my internet in a non-obvious way which had nothing to do with DNS. For days I was limited to ~25kbps speeds. I had disabled dnscrypt at this point, and was on the verge of phoning my ISP to report a problem when I finally fully removed the Windows client and the problem resolved itself. Playing with preview release software can seriously suck sometimes.

  • by crator on 1/13/14, 3:26 AM

    DNS privacy and signature verification is a good thing, but what about combatting random domain name confiscations?

    The attackers already do it for so-called copyright infringement, but they could do it for any reason, if they wanted to. So, what about thoroughly decentralizing the DNS system and getting rid of the centralization of corruption at ICANN? Isn't that more urgent nowadays?

  • by xxdesmus on 1/13/14, 1:24 AM

    This was released... at least a year ago. Am I missing something? The newest code/content is at http://dnscrypt.org/

  • by mike-cardwell on 1/13/14, 10:47 AM

    Bear in mind, when using DNSCrypt with OpenDNS you're actually reducing your overall level of privacy. Now two companies can see what sites you're visiting: your ISP and OpenDNS.

    Your ISP doesn't need to see your DNS queries in order to know what sites you're visiting. They can see the IPs that you're sending packets to. They can see the HTTP "Host" header for HTTP. They can even see the hostname for HTTPS because of SNI.

  • by gararapa on 1/13/14, 1:41 AM

    These versions are really old. For the latest version, go to http://dnscrypt.org/.

  • by zaroth on 1/13/14, 1:20 AM

    I was thinking about tunneling all UDP coming out of my servers to a disposable address, with the intent of dropping all inbound/outbound UDP, or even seeing if I could get my upstream to always drop all inbound UDP, in order to mitigate DDoS.

    Perhaps this is an easy way to achieve that for DNS at least. Not sure how many other protocols are necessary to tunnel from a server which is only responding to HTTPS, and installing security updates.

  • by Nux on 1/13/14, 7:42 AM

    This seems to be a DNSCurve implementation.