DNSCrypt

Last updated

DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It was originally designed by Frank Denis and Yecheng Fu.

Contents

Multiple free and open source software implementations exist. It is available for a variety of operating systems, including Unix, Apple iOS, Linux, Android, and Microsoft Windows.

DNSCrypt wraps unmodified DNS traffic between a client and a DNS resolver in a cryptographic construction in order to detect forgery. Though it doesn't provide end-to-end security, it protects the local network against man-in-the-middle attacks. [1] The free and open source software implementation dnscrypt-proxy additionally integrates ODoH. [1] [2]

It also mitigates UDP-based amplification attacks by requiring a question to be at least as large as the corresponding response. Thus, DNSCrypt helps to prevent DNS amplification attacks.

Deployment

dnscrypt-proxy, a DNSCrypt client running on Linux Dnscrypt-proxy as systemd service screenshot.png
dnscrypt-proxy, a DNSCrypt client running on Linux

In addition to private deployments, the DNSCrypt protocol has been adopted by several public DNS resolvers, the vast majority being members of the OpenNIC network, as well as virtual private network (VPN) services.

OpenDNS (now a part of Cisco) announced the first public DNS service supporting DNSCrypt on 6 December 2011, shortly followed by CloudNS Australia. [3]

On 29 March 2016, Yandex announced support for the DNSCrypt protocol on their public DNS servers, as well as in Yandex Browser.[ citation needed ]

On 14 October 2016, AdGuard added DNSCrypt to their DNS filtering module so that users could move from their ISPs to custom or AdGuard's own DNS servers for online privacy and ad blocking. [4] [5]

On 10 September 2018, the Quad9 nonprofit public recursive resolver service announced support for DNSCrypt. [6]

Other servers that support secure protocol are mentioned in the DNSCrypt creators’ list. [7]

Protocol

DNSCrypt can be used either over UDP or over TCP. In both cases, its default port is 443. Even though the protocol radically differs from HTTPS, both service types utilize the same port. However, even though DNS over HTTPS and DNSCrypt are possible on the same port, they must still run separately on different servers. Two server applications cannot run simultaneously on the same server if both utilize the same port for communication; though a multiplexing approach is theoretically possible.

Instead of relying on trusted certificate authorities commonly found in web browsers, the client has to explicitly trust the public signing key of the chosen provider. This public key is used to verify a set of certificates, retrieved using conventional DNS queries. These certificates contain short-term public keys used for key exchange, as well as an identifier of the cipher suite to use. Clients are encouraged to generate a new key for every query, while servers are encouraged to rotate short-term key pairs every 24 hours.

The DNSCrypt protocol can also be used for access control or accounting, by accepting only a predefined set of public keys. This can be used by commercial DNS services to identify customers without having to rely on IP addresses.[ citation needed ]

Queries and responses are encrypted using the same algorithm and padded to a multiple of 64 bytes in order to avoid leaking packet sizes. Over UDP, when a response would be larger than the question leading to it, a server can respond with a short packet whose TC (truncated) bit has been set. The client should then retry using TCP and increase the padding of subsequent queries.

Versions 1 and 2 of the protocol use the X25519 algorithm for key exchange, EdDSA for signatures, as well as XSalsa20-Poly1305 or XChaCha20-Poly1305 for authenticated encryption.

As of 2023, there are no known vulnerabilities in the DNSCrypt protocol nor practical attacks against its underlying cryptographic constructions.

Anonymized DNSCrypt

Anonymized DNSCrypt is a protocol extension proposed in 2019 to further improve DNS privacy. [8]

Instead of directly responding to clients, a resolver can act as a transparent proxy to another resolver, hiding the real client IP to the latter. Anonymized DNSCrypt is a lightweight alternative to Tor and SOCKS proxies, specifically designed for DNS traffic. [8]

Deployment of Anonymized DNSCrypt started in October 2019, and the protocol adoption was fast, with 40 DNS relays being set up only two weeks after the public availability of client and server implementations. [9]

See also

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded.

The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol provides cryptographic authentication of data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

The Service Location Protocol is a service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration. SLP has been designed to scale from small, unmanaged networks to large enterprise networks. It has been defined in RFC 2608 and RFC 3224 as standards track document.

A Service record is a specification of data in the Domain Name System defining the location, i.e., the hostname and port number, of servers for specified services. It is defined in RFC 2782, and its type code is 33. Some Internet protocols such as the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) often require SRV support by network elements.

OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server applications.

NetBIOS over TCP/IP is a networking protocol that allows legacy computer applications relying on the NetBIOS API to be used on modern TCP/IP networks.

Extension Mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the Domain Name System (DNS) protocol which had size restrictions that the Internet engineering community deemed too limited for increasing functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force as RFC 2671, also known as EDNS0 which was updated by RFC 6891 in 2013 changing abbreviation slightly to EDNS(0).

<span class="mw-page-title-main">OpenDNS</span> Domain name system provided by Cisco using closed-source software

OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks. The OpenDNS Global Network processes an estimated 100 billion DNS queries daily from 85 million users through 25 data centers worldwide.

In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security and designed for use with the elliptic curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents. The reference implementation is public domain software.

DNSCurve is a proposed secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein.

<span class="mw-page-title-main">OpenSSH</span> Set of computer programs providing encrypted communication sessions

OpenSSH is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture.

The Ident Protocol, specified in RFC 1413, is an Internet protocol that helps identify the user of a particular TCP connection. One popular daemon program for providing the ident service is identd.

Amazon Route 53 is a scalable and highly available Domain Name System (DNS) service. Released on December 5, 2010, it is part of Amazon.com's cloud computing platform, Amazon Web Services (AWS). The name is a possible reference to U.S. Routes, and "53" is a reference to the TCP/UDP port 53, where DNS server requests are addressed. In addition to being able to route users to various AWS services, including EC2 instances, Route 53 also enables AWS customers to route users to non-AWS infrastructure and to monitor the health of their application and its endpoints. Route 53's servers are distributed throughout the world. Amazon Route 53 supports full, end-to-end DNS resolution over IPv6. Recursive DNS resolvers on IPv6 networks can use either IPv4 or IPv6 transport to send DNS queries to Amazon Route 53.

QUIC is a general-purpose transport layer network protocol initially designed by Jim Roskind at Google, implemented, and deployed in 2012, announced publicly in 2013 as experimentation broadened, and described at an IETF meeting. QUIC is used by more than half of all connections from the Chrome web browser to Google's servers. Microsoft Edge and Firefox support it. Safari implements the protocol, however it is not enabled by default.

<span class="mw-page-title-main">SoftEther VPN</span> Open-source VPN client and server software

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.

DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks. The well-known port number for DoT is 853.

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface. It aims for better performance and more power than IPsec and OpenVPN, two common tunneling protocols. The WireGuard protocol passes traffic over UDP.

References

  1. 1 2 "DNSCrypt/dnscrypt-proxy: dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols". GitHub . DNSCrypt. Archived from the original on 20 January 2016. Retrieved 29 January 2016.
  2. "Oblivious DoH · DNSCrypt/dnscrypt-proxy Wiki". GitHub. DNSCrypt project. Retrieved 28 July 2022.
  3. Ulevitch, David (6 December 2011). "DNSCrypt – Critical, fundamental, and about time". Cisco Umbrella. Archived from the original on 1 July 2020. Retrieved 1 July 2020.
  4. "AdGuard DNS Now Supports DNSCrypt". AdGuard Blog. Archived from the original on 12 September 2017. Retrieved 11 September 2017.
  5. "DNS filtering". AdGuard Knowledgebase. Archived from the original on 11 September 2017. Retrieved 11 September 2017.
  6. "DNSCrypt Now in Testing". Quad9 Blog. 30 August 2018. Archived from the original on 28 December 2019. Retrieved 1 July 2020.
  7. "DNSCrypt - List of public DoH and DNSCrypt servers". DNSCrypt. Archived from the original on 19 June 2020. Retrieved 1 July 2020.
  8. 1 2 "Anonymized DNSCrypt specification". GitHub . DNSCrypt. Archived from the original on 25 October 2019. Retrieved 1 July 2020.
  9. "Anonymized DNS relays". GitHub . DNSCrypt. 1 November 2019. Archived from the original on 1 July 2020. Retrieved 1 July 2020.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.