dnscrypt.ca ... encrypted public resolver.

home · news · more info · contact

DNS

Every time you access anything on the Internet, you almost certainly use DNS. It is the service that converts names like dnscrypt.ca in to IP addresses like 149.56.217.218. Unfortunately, DNS was originally developed in a time when people had not really anticipated a need for better security. As a result, when you use your ISP's DNS servers it means they could be recording all the names of all the servers you access. And when you are using the free wifi at that sleazy adult bookstore, they can probably see the names of all the servers you access. And if you use Google's free public servers, well... of course they would never disrespect your privacy. <wink>

The good news is that along the way, DNS has had a few features added that are supposed to make it a little more secure. The bad news is that they are often a pain to setup, and are not widely used. This web site (and associated services) will hopefully help improve your DNS related security.

DNSCrypt

DNSCrypt is a software package that encrypts DNS queries. I run the dnscrypt-wrapper on my server here, and you run the dnscrypt-proxy on your end to connect to my server. It acts as a sort of "encryption envelope" to send your DNS queries. I am not affiliated with the folks at dnscrypt.org, I just like their software and want to help spread better DNS. You can also choose from a number of other DNSCrypt resolvers if you don't like mine for whatever reason. I have personally tried okturtles and dnscrypt.eu-nl with good results. It is important to note that not all DNSCrypt resolvers are the same. Some may claim that they do not log queries, some may offer anti-malware services by blocking bad names. Look at the list and see who is offering the resolver service and see what their policies are, and whether or not you think they fit the reasons you wish to use a DNSCrypt resolver.

DNSSEC

Another security feature of modern DNS is DNSSEC. It basically uses public key encryption to sign DNS entries, so that you can be sure that you are getting the correct responses to your DNS queries. This Cloudflare article is pretty good at describing how DNSSEC works... but for those who don't want ot read all that, the idea is that I [domain owner] create some encryption keys which have a public half and a private half. I keep the private half secret of course and publish the public half in my domain's DNS records. I also use my keys to add a signature to all of my existing DNS records. I then add a record that "chains" my keys to the upstream registry (the .ca registry in this case). Now when you use a DNSSEC validating resolver (like dnscrypt.ca) it will check with those keys and make sure that the signatures match. If the keys don't match, it is assumed that the DNS records may have been tampered with, and you are not directed to the site.

DANE/TLSA

DANE is basically an addition to DNSSEC that lets domain owners publish a TLSA record which tells the user that they are using the correct TLS certificate. The idea is that your browser has a list of companies it trusts, and when you visit a web site that uses a certificate authorized by any one of these companies, your browser shows you a cute little "lock icon" of some kind. Well, how do you know that the certificate you are using is the one the web site owner intends for you to use? Maybe a network device is silently sitting between you and the secure web site, and is essentially proxying the certificate. If it is doing that, then it can also see all the traffic you are sending to that remote server. Well, if a TLSA records is published (and signed like your other DNSSEC'ed records) it will tell your browser that it is using the correct and intended certificate.

The Bad News

Unfortunately, not very many people are using DNSCrypt, DNSSEC, or TLSA. Lots of people are using Google's free public DNS servers because they simply assume that Google's massive infrastrusture must be the fastest way to get DNS replies. Lots of people have never even heard of DNSSEC. And almost nobody publishes TLSA records for their certificates. Well, now is your chance to kick it up a notch. dnscrypt.ca will let you encrypt your DNS queries, will use DNSSEC to validate your queries, and well... I encourage people to setup TLSA on their sites. If your browser has the ability to check DNSSEC and TLSA you should see a green key (or whatever) right now.

Using an encrypted, DNSSEC validating DNS resolver is also probably going to be slower than using Google's free public resolvers. There is overhead in checking the signatures, and most people running DNSCrypt servers can't afford the hardware and bandwidth that Google can. if you value speed over privacy, just stop reading now, this is not for you. Having said that, the difference in speed is so small (and so dependednt on cache hits) that I have a really hard time believing that a normal human could detect the difference.

The Good News

The good news is that if you are still reading, then you are a good candidate for using a kickass resolver. As mentioned earlier, you can use whichever DNSCrypt resolver you like best. This resolver does not censor or block any domains, it does not log any queries, it rotates new encryption keys every six hours, and is hosted in Canada. It is also a caching and recursive resolver, which means if it does not have the answer to your query cached already, it will start at the root servers rather than pass the request to another upstream resolver. If you decide to try dnscrypt.ca here's the information you'll need:

  • IP Address: 149.56.217.218:5353
  • Provider Name: 2.dnscrypt-cert.dnscrypt.ca
  • Provider Key: 8464:8707:4715:3801:A368:6237:9A7E:703A:ABE6:D071:859E:AD75:0D92:011A:543B:0A6A

And after downloading the DNSCrypt proxy, you would connect with a command like this (all on one line of course):

dnscrypt-proxy --local-address=127.0.0.1:53
   --resolver-address=149.56.217.218:5353
   --provider-name=2.dnscrypt-cert.dnscrypt.ca
   --provider-key=8464:8707:4715:3801:A368:6237:9A7E:703A:ABE6:D071:859E:AD75:0D92:011A:543B:0A6A

This essentially sets up a listener on 127.0.0.1 (your local machine) that will forward DNS queries to my server (149.56.217.218:5353) which is named 2.dnscrypt-cert.dnscrypt.ca, and checks to make sure it uses the correct key. If you monitor the output of the proxy you should notice that every six hours it will download the new query keys. Now all you have to do is tell your operating system to use 127.0.0.1 as your DNS server and all your queries will go through the proxy. Check out the "more info" page if you'd like to see how to use the proxy in combination with dnsmasq to force all your network devices to go through the encrypted proxy.

Javascript-free, cookie-free, TLS encrypted, DNSSEC signed, and TLSA signed for your pleasure.