DNSCrypt


DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction, preventing eavesdropping and forgery by a man-in-the-middle. [1]


It also mitigates UDP-based amplification attacks by requiring a query to be at least as large as the corresponding response, so a DNSCrypt resolver cannot be abused as an amplifier. [2] :§9

DNSCrypt was originally designed by Frank Denis and Yecheng Fu. Multiple free and open source software implementations exist. It is available for a variety of operating systems, including Unix, Apple iOS, Linux, Android, and Microsoft Windows. [3] The free and open source implementation dnscrypt-proxy [4] additionally supports Oblivious DoH (ODoH). [5]

Deployment

[Figure: dnscrypt-proxy, a DNSCrypt client, running as a systemd service on Linux]

In addition to private deployments, the DNSCrypt protocol has been adopted by several public DNS resolvers, the vast majority being members of the OpenNIC network, as well as virtual private network (VPN) services.

OpenDNS (now a part of Cisco) announced the first public DNS service supporting DNSCrypt on 6 December 2011, shortly followed by CloudNS Australia. [6]

On 29 March 2016, Yandex announced support for the DNSCrypt protocol on their public DNS servers, as well as in Yandex Browser. [citation needed]

On 14 October 2016, AdGuard added DNSCrypt to their DNS filtering module so that users could move from their ISPs to custom or AdGuard's own DNS servers for online privacy and ad blocking. [7] [8]

On 10 September 2018, the Quad9 nonprofit public recursive resolver service announced support for DNSCrypt. [9]

Other resolvers that support the protocol are listed on the DNSCrypt project's list of public servers. [10]

Protocol

DNSCrypt can be used over either UDP or TCP; in both cases its default port is 443. [2] Although the protocol is entirely different from HTTPS, it uses the same port. This does not prevent DNS over HTTPS and DNSCrypt from being served together: a DNSCrypt query begins not with a TLS record header but with an 8-byte client magic value published in the resolver's certificate, so a single listener can tell the two apart and dispatch each to the right handler. What cannot work is two independent server processes each binding the same port on the same address, so running both protocols side by side requires either such a multiplexing front end or separate addresses.

Instead of relying on the trusted certificate authorities found in web browsers, the client has to explicitly trust the public signing key of the chosen provider. This public key is used to verify a set of certificates retrieved with ordinary, unencrypted DNS TXT queries to the resolver. [2] :§1 These certificates contain short-term public keys used for key exchange, as well as an identifier of the cipher suite to use. Clients are encouraged to generate a new key pair for every query, while servers are encouraged to rotate their short-term key pairs every 24 hours. [2] :§13
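The certificate check described above, as an added example written for this article rather than code taken from the specification or from dnscrypt-proxy. It follows the certificate layout in the DNSCrypt v2 specification as read by the author of this example (a 4-byte magic, a 2-byte cipher identifier, a 2-byte minor version, a 64-byte Ed25519 signature, then the signed body: 32-byte short-term key, 8-byte client magic, 4-byte serial and two 4-byte timestamps); the selection rule in PickCertificate is an assumption and omits the cipher-preference tie-break a real client applies. The provider key pair and certificates in main are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Certificate layout (author's reading of the DNSCrypt v2 specification):
//   <cert-magic(4)> <es-version(2)> <minor-version(2)> <signature(64)>
//   <resolver-pk(32)> <client-magic(8)> <serial(4)> <ts-start(4)> <ts-end(4)>
// The Ed25519 signature covers everything from resolver-pk onwards.
var certMagic = []byte{0x44, 0x4e, 0x53, 0x43} // "DNSC"

const (
	esVersionXSalsa20  = 0x0001 // X25519-XSalsa20Poly1305
	esVersionXChaCha20 = 0x0002 // X25519-XChaCha20Poly1305
	signedLen          = 32 + 8 + 4 + 4 + 4
	certLen            = 4 + 2 + 2 + 64 + signedLen // 124 bytes without extensions
)

// Certificate holds the fields a client needs once the signature has checked out.
type Certificate struct {
	ESVersion   uint16
	ResolverPK  [32]byte // short-term X25519 key for the per-query key exchange
	ClientMagic [8]byte  // prefix the client must put on every encrypted query
	Serial      uint32
	Start, End  uint32 // validity window, Unix seconds
}

func (c *Certificate) signedPart() []byte {
	b := make([]byte, signedLen)
	copy(b[0:32], c.ResolverPK[:])
	copy(b[32:40], c.ClientMagic[:])
	binary.BigEndian.PutUint32(b[40:44], c.Serial)
	binary.BigEndian.PutUint32(b[44:48], c.Start)
	binary.BigEndian.PutUint32(b[48:52], c.End)
	return b
}

// Marshal is the provider side: sign with the long-term Ed25519 key whose
// public half clients pin, producing the bytes published in the TXT record.
func (c *Certificate) Marshal(providerSK ed25519.PrivateKey) []byte {
	body := c.signedPart()
	out := make([]byte, 8, certLen)
	copy(out[0:4], certMagic)
	binary.BigEndian.PutUint16(out[4:6], c.ESVersion)
	// out[6:8] is the protocol minor version and stays zero.
	out = append(out, ed25519.Sign(providerSK, body)...)
	return append(out, body...)
}

// ParseAndVerify is the client side. The signature is checked against the
// pinned provider key before any field is trusted, so a record forged by
// whoever answers the plaintext TXT query is rejected whatever it contains.
func ParseAndVerify(raw []byte, providerPK ed25519.PublicKey, now time.Time) (*Certificate, error) {
	if len(raw) < certLen || !bytes.Equal(raw[:4], certMagic) {
		return nil, errors.New("dnscrypt: not a certificate")
	}
	sig, body := raw[8:72], raw[72:]
	if !ed25519.Verify(providerPK, body, sig) {
		return nil, errors.New("dnscrypt: bad certificate signature")
	}
	c := &Certificate{ESVersion: binary.BigEndian.Uint16(raw[4:6])}
	copy(c.ResolverPK[:], body[0:32])
	copy(c.ClientMagic[:], body[32:40])
	c.Serial = binary.BigEndian.Uint32(body[40:44])
	c.Start = binary.BigEndian.Uint32(body[44:48])
	c.End = binary.BigEndian.Uint32(body[48:52])
	if c.ESVersion != esVersionXSalsa20 && c.ESVersion != esVersionXChaCha20 {
		return nil, fmt.Errorf("dnscrypt: unsupported es-version %#x", c.ESVersion)
	}
	if t := now.Unix(); t < int64(c.Start) || t > int64(c.End) {
		return nil, errors.New("dnscrypt: certificate outside its validity window")
	}
	return c, nil
}

// PickCertificate verifies every record from the TXT lookup and keeps the
// valid one with the highest serial, so a replayed older certificate cannot
// displace the current key. Assumption: the cipher-preference tie-break a
// real client applies is left out.
func PickCertificate(records [][]byte, providerPK ed25519.PublicKey, now time.Time) (*Certificate, error) {
	var best *Certificate
	for _, raw := range records {
		c, err := ParseAndVerify(raw, providerPK, now)
		if err != nil {
			continue // unverifiable or expired records are skipped, not fatal
		}
		if best == nil || c.Serial > best.Serial {
			best = c
		}
	}
	if best == nil {
		return nil, errors.New("dnscrypt: no usable certificate")
	}
	return best, nil
}

func main() {
	// Constructed demo: one provider key, one current and one expired certificate.
	providerPK, providerSK, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	fresh := &Certificate{ESVersion: esVersionXChaCha20, Serial: 2,
		Start: uint32(now.Add(-time.Hour).Unix()), End: uint32(now.Add(24 * time.Hour).Unix())}
	rand.Read(fresh.ResolverPK[:]) // stands in for a real X25519 public key
	copy(fresh.ClientMagic[:], fresh.ResolverPK[:8])
	stale := &Certificate{ESVersion: esVersionXSalsa20, Serial: 1,
		Start: uint32(now.Add(-48 * time.Hour).Unix()), End: uint32(now.Add(-24 * time.Hour).Unix())}
	c, err := PickCertificate([][]byte{stale.Marshal(providerSK), fresh.Marshal(providerSK)}, providerPK, now)
	fmt.Println(err, c != nil && c.Serial == 2)
}
```

The order of checks matters: the signature is verified over the raw bytes before the timestamps or cipher identifier are even decoded, so nothing an on-path attacker controls is acted on until it is known to come from the provider key the client pinned.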

The DNSCrypt protocol can also be used for access control or accounting, by accepting only a predefined set of public keys. This can be used by commercial DNS services to identify customers without having to rely on IP addresses. [2] :§13

Queries and responses are encrypted using the same algorithm and padded to a multiple of 64 bytes in order to avoid leaking packet sizes. Over UDP, when a response would be larger than the query that produced it, the server instead answers with a short packet whose TC (truncated) bit is set. The client then retries over TCP and increases the padding of its subsequent queries. [2] :§9
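The padding and the UDP size rule from the two paragraphs above, as an added example written for this article (not code from the specification or from dnscrypt-proxy). It pads with the ISO/IEC 7816-4 scheme the specification prescribes (a 0x80 byte followed by NUL bytes, to a multiple of 64 and at least 256 bytes for a query), and on the resolver side applies the anti-amplification budget: the encrypted response may not exceed the encrypted query, otherwise a minimal reply with TC set goes back. The framing overhead constants are the author's reading of the specification, and the DNS query in SampleQuery is constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
)

// Framing sizes (assumption: author's reading of the DNSCrypt v2 spec).
const (
	padBlock         = 64               // padded plaintext is a multiple of this
	minQueryLen      = 256              // initial <min-query-len>; raised after a TC reply
	queryOverhead    = 8 + 32 + 12 + 16 // client-magic + client-pk + client-nonce + Poly1305 tag
	responseOverhead = 8 + 24 + 16      // resolver-magic + nonce + Poly1305 tag
	dnsHeaderLen     = 12
)

// Pad appends ISO/IEC 7816-4 padding (a 0x80 byte, then NUL bytes) so the
// result is at least minLen bytes and a multiple of padBlock.
func Pad(msg []byte, minLen int) []byte {
	target := len(msg) + 1 // room for the mandatory 0x80 marker
	if target < minLen {
		target = minLen
	}
	if rem := target % padBlock; rem != 0 {
		target += padBlock - rem
	}
	out := make([]byte, target)
	copy(out, msg)
	out[len(msg)] = 0x80
	return out
}

// Unpad strips the padding and rejects anything that is not "0x80 then NULs",
// which would indicate a corrupted plaintext.
func Unpad(padded []byte) ([]byte, error) {
	for i := len(padded) - 1; i >= 0; i-- {
		switch padded[i] {
		case 0x00:
		case 0x80:
			return padded[:i], nil
		default:
			return nil, errors.New("dnscrypt: invalid padding byte")
		}
	}
	return nil, errors.New("dnscrypt: padding marker not found")
}

// questionLen returns the size of the DNS header plus the first question, so
// a truncated reply can echo the question back. Compression pointers are not
// valid in a question name, so only plain labels are walked.
func questionLen(msg []byte) (int, error) {
	i := dnsHeaderLen
	for {
		if i >= len(msg) {
			return 0, errors.New("dns: truncated question name")
		}
		l := int(msg[i])
		if l == 0 {
			i++
			break
		}
		if l&0xC0 != 0 {
			return 0, errors.New("dns: compression pointer in question")
		}
		i += 1 + l
	}
	if i+4 > len(msg) { // QTYPE and QCLASS
		return 0, errors.New("dns: truncated question")
	}
	return i + 4, nil
}

// PrepareUDPResponse enforces the anti-amplification rule: the encrypted
// response may be no longer than the encrypted query that produced it. When
// the padded answer would not fit, a minimal reply with the TC bit set is
// returned instead, so the client retries over TCP with more padding.
func PrepareUDPResponse(query, response []byte, queryWireLen int) (padded []byte, truncated bool, err error) {
	budget := queryWireLen - responseOverhead
	if p := Pad(response, padBlock); len(p) <= budget {
		return p, false, nil
	}
	qlen, err := questionLen(query)
	if err != nil {
		return nil, false, err
	}
	tc := make([]byte, qlen)
	copy(tc, query[:qlen])
	tc[2] |= 0x82 // QR=1 (this is a response), TC=1 (truncated)
	for i := 6; i < dnsHeaderLen; i++ {
		tc[i] = 0 // ANCOUNT, NSCOUNT, ARCOUNT: only the question is echoed
	}
	p := Pad(tc, padBlock)
	if len(p) > budget {
		return nil, false, errors.New("dnscrypt: query too small even for a truncated reply")
	}
	return p, true, nil
}

// SampleQuery is a constructed "example.com IN A" query (ID 0x1234, RD set).
func SampleQuery() []byte {
	return []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
		7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0, 1, 0, 1}
}

func main() {
	q := SampleQuery()
	wire := len(Pad(q, minQueryLen)) + queryOverhead // size the resolver saw on the wire
	big := make([]byte, 300)                         // an answer too large for that budget
	copy(big, q)
	_, tc, err := PrepareUDPResponse(q, big, wire)
	fmt.Println(tc, err) // true <nil>
}
```

A 29-byte query is padded to 256 bytes and travels as 324 bytes, leaving a 276-byte budget for the padded response; a 300-byte answer pads to 320 bytes, exceeds it, and is replaced by a 64-byte TC reply. A client that receives such a reply should retry over TCP and raise its own minimum padding, which is exactly what makes the amplification factor of a DNSCrypt resolver at most one.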

Both versions of the protocol use X25519 for key exchange and Ed25519 for certificate signatures. Version 1 encrypts with XSalsa20-Poly1305; version 2 additionally allows XChaCha20-Poly1305. [2] :§11

As of 2023, no vulnerabilities in the DNSCrypt protocol and no practical attacks on its underlying cryptographic constructions are publicly known. The guarantee is only as strong as the provider key the client pins: a client configured with the wrong key gains no protection, and the resolver itself still sees every query in the clear.

Anonymized DNSCrypt

Anonymized DNSCrypt is a protocol extension proposed in 2019 to further improve DNS privacy. [11]

Instead of answering clients directly, a resolver can act as a transparent proxy (relay) to another resolver, hiding the real client IP address from the latter. Anonymized DNSCrypt, designed specifically for DNS traffic, is a lightweight alternative to running DNSCrypt through Tor or a SOCKS proxy. [11]
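The relay framing described above, as an added example written for this article (not code from the specification or from dnscrypt-proxy). The 10-byte marker, the 16-byte address and 2-byte port that precede the untouched encrypted query are the author's reading of the Anonymized DNSCrypt specification [11] and should be checked against it; the two refusal rules in Unwrap (no forwarding to another relay, no forwarding to non-public addresses) are the checks a relay operator would want so the relay cannot be used as a generic UDP reflector, and the minimum query length and the sample query are assumptions constructed for the demo.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// anonHeader marks a packet addressed to a relay rather than to a resolver:
// eight 0xff bytes (a client magic no resolver uses) and a two-byte version.
// Assumption: author's reading of the Anonymized DNSCrypt specification.
var anonHeader = []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00}

const (
	anonHeaderLen   = 10 + 16 + 2       // marker, IPv6-form address, port
	minEncryptedLen = 8 + 32 + 12 + 16 // client-magic, client-pk, nonce, tag (assumed lower bound)
)

// Wrap is the client side: the relay learns the target resolver but cannot
// read the query, and the resolver sees only the relay's source address.
func Wrap(resolver net.IP, port uint16, encryptedQuery []byte) []byte {
	out := make([]byte, 0, anonHeaderLen+len(encryptedQuery))
	out = append(out, anonHeader...)
	out = append(out, resolver.To16()...) // IPv4 travels as ::ffff:a.b.c.d
	out = append(out, byte(port>>8), byte(port))
	return append(out, encryptedQuery...)
}

// Unwrap is the relay side. Besides decoding the destination it refuses to
// chain to another relay and refuses non-public destinations, so a relay
// cannot be steered at internal hosts or into a forwarding loop.
func Unwrap(pkt []byte) (*net.UDPAddr, []byte, error) {
	if len(pkt) < anonHeaderLen+minEncryptedLen || !bytes.Equal(pkt[:10], anonHeader) {
		return nil, nil, errors.New("relay: not an anonymized DNSCrypt query")
	}
	ip := net.IP(pkt[10:26])
	port := binary.BigEndian.Uint16(pkt[26:28])
	query := pkt[28:]
	if bytes.HasPrefix(query, anonHeader[:8]) {
		return nil, nil, errors.New("relay: refusing to forward to another relay")
	}
	if port == 0 || ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsMulticast() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
		return nil, nil, errors.New("relay: refusing non-public destination")
	}
	return &net.UDPAddr{IP: ip, Port: int(port)}, query, nil
}

// SampleEncryptedQuery is a constructed stand-in for a DNSCrypt query: an
// 8-byte client magic followed by opaque ciphertext.
func SampleEncryptedQuery() []byte {
	return append(bytes.Repeat([]byte{0x5a}, 8), bytes.Repeat([]byte{0xaa}, 316)...)
}

func main() {
	q := SampleEncryptedQuery()
	pkt := Wrap(net.ParseIP("203.0.113.10"), 443, q) // TEST-NET-3 address, constructed
	addr, fwd, err := Unwrap(pkt)
	fmt.Println(addr, len(fwd), err)
	_, _, err = Unwrap(Wrap(net.ParseIP("10.0.0.1"), 443, q))
	fmt.Println(err)
}
```

The relay never decrypts anything: it copies the encrypted query to the resolver and the resolver's reply back to the client, so it learns which resolver was chosen but not what was asked, while the resolver learns the question but sees the relay's address rather than the client's.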

Deployment of Anonymized DNSCrypt started in October 2019, and the protocol adoption was fast, with 40 DNS relays being set up only two weeks after the public availability of client and server implementations. [12]


References

  1. Biggs, John (6 December 2011). "DNSCrypt Encrypts Your DNS Traffic Because There's Always Someone Out To Get You". TechCrunch.
  2. "DNSCrypt version 2 protocol specification (DNSCRYPT-V2-PROTOCOL.txt)". GitHub: DNSCrypt. "(UDP) The response length should always be equal to or shorter than the initial client query length."
  3. "DNSCrypt - Implementations". dnscrypt.info.
  4. "DNSCrypt/dnscrypt-proxy: dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols". GitHub: DNSCrypt. Archived from the original on 20 January 2016. Retrieved 29 January 2016.
  5. "Oblivious DoH · DNSCrypt/dnscrypt-proxy Wiki". GitHub: DNSCrypt project. Retrieved 28 July 2022.
  6. Ulevitch, David (6 December 2011). "DNSCrypt – Critical, fundamental, and about time". Cisco Umbrella. Archived from the original on 1 July 2020. Retrieved 1 July 2020.
  7. "AdGuard DNS Now Supports DNSCrypt". AdGuard Blog. Archived from the original on 12 September 2017. Retrieved 11 September 2017.
  8. "DNS filtering". AdGuard Knowledgebase. Archived from the original on 11 September 2017. Retrieved 11 September 2017.
  9. "DNSCrypt Now in Testing". Quad9 Blog. 30 August 2018. Archived from the original on 28 December 2019. Retrieved 1 July 2020.
  10. "DNSCrypt - List of public DoH and DNSCrypt servers". DNSCrypt. Archived from the original on 19 June 2020. Retrieved 1 July 2020.
  11. "Anonymized DNSCrypt specification". GitHub: DNSCrypt. Archived from the original on 25 October 2019. Retrieved 1 July 2020.
  12. "Anonymized DNS relays". GitHub: DNSCrypt. 1 November 2019. Archived from the original on 1 July 2020. Retrieved 1 July 2020.