Self Defence; DNSCrypt


(Glenn) #1

Hi all;

The blocking techniques of at least one major ISP has evolved in the last few months;

It used to be that citizens could simply switch to using a public DNS to get a correct response.

That stopped working a few months ago, and now they are responding with the IP of a government server that mentions the site is banned (i forget the details)…

Anyway, one fix to this man-in-the-middle attack is to use DNSCrypt, which prevents third parties from eavesdropping and/or hijacking your browser.

Encrypting DNS really should be considered best practices now, and it probably belongs in one of the guides somewhere.

https://dnscrypt.org/


#2

No way! This provides a false sense of security when in reality all the other packets after DNS could be intercepted or monitored. What is really needed is a VPN. If ISPs wanted to, they could block/intercept sites on the IP-address/BGP level than through DNS anyway.


(Glenn) #3

Look at it a different way, when not using a VPN, is it better to
a) using your ISP DNS
b) use non-encrypted public DNS
c) Encrypted DNS

If you think there is no point using encryption because it might only protect you against man-in-the-middle attacks, then why bother using a VPN ?


(Ben McGinnes) #4

Which one? Telstra?

The theory behind this will still work depending on how it’s done. This is why I run Bind on all my systems, including the laptop.

Which just moves the point of failure to them.

Best practices really ought to be encrypting all TCP/IP traffic, either a VPN or IPSec.


(Ben McGinnes) #5

Yes, but that introduces a lot more load on the network and in particular on essential core or edge routers, so it’s not the preferred methods. They know people who really want to visit a site will get around it anyway, so DNS poisoning let’s them make a show of kowtowing to gov’t pressure without making a major change.

IIRC DNS poisoning is used by Telstra against The Pirate Bay. Loading the site via Tor is all it takes to bypass.


(Glenn) #6

I forgot how difficult everything is here…


#7

Exetel did a blog piece about it years ago. Apparently it is quite easy. They just redirect the IP address to the government/MITM IP and the core router sees it just like any other route, no overhead. The only problem is selective redirecting of shared hosts. For example, if they wanted to block just one page of Wikipedia instead of the entire thing, then they would need to redirect it to a Wikipedia mirror and have that filtering done server side, which would be impractical.


(Ben McGinnes) #8

Yes, that’s how ASIC “accidentally” blocked hundreds of sites a few years ago and got spanked for it.

I went into far greater detail about how it’s done to everything a few years ago, I think you’ll enjoy this one:

http://www.adversary.org/wp/2011/01/04/cleaning-a-https-feed/

The PDF of the actual report is here:

http://www.adversary.org/files/CleanFeedHTTPS-01.pdf

Bonus points if you can spot the Yes, Minister references in the paper and extra points if you can name the episode (it’s in the first season).


(Alex Jago) #9

How convenient that I have the DVD…

Spoiler

image


(Kaz) #10

If possible, you could always switch to an OpenNIC DNS server which would bypass whatever your default server your ISP had, but in the long run your ISP will still be able to spot what IP addresses your computer is accessing, CDN networks are usually very accommodating to law enforcement requests for data access and VPN providers can be legally coerced into retaining logs and providing them to law enforcement on request if that is the domestic law in the jurisdiction in which they are operating.

The only way around this would be to shift completely onto some form of darknet with no external clearnet access, like I2P.


(David Crafti) #11

So anyway, is anybody going to address @bug1’s actual point?


(Kaz) #12

I would personally recommend going through the list of DNS servers on OpenNIC, they also have guides that make it a pretty easy process to change your DNS server.


(Ben McGinnes) #13

I just noticed that, as @dcrafti said, no one actually answered this bit.

I’d say:

d) Operate your own local resolver if possible and rely on DNSSEC to confirm authenticity of DNS responses where possible.

If this is not possible for whatever reason, then either:

  1. c, but only if you can independently verify or have audited (e.g. publicly audited) the configuration and operation of the resolvers used.

Otherwise:

  1. b, since at least it can be checked or rotated through multiple external parties.

(Tom Randle) #14

Good point @Ben, I wasn’t really sure if @bug1 was actually asking the Party to do something because I’m not at all sure what that could look like.

On the DNS front, I would think DNSSEC + DANE and a browser update is probably the best tech around to help create much better trust chains for everyone.