Home Forums Networks & Cross-Platform Networking DNSCrypt (Preview Release)

MacFixIt reported about DNSCrypt (Preview Release) ("mac only at the moment") yesterday.

I guess this is tacit's department.

It sounds useful, and I've installed it because of the reliability of the source, but I'd appreciate a 3rd party assessment of its purpose and functionality.

Thanks.

Edit: Why "Mac only," rather than "Windows only," as a starting point?

The developers were using Macs and not Windows boxes?

The idea behind DNScrypt in specific, and secure DNS in general, is that it prevents "man in the middle" attacks from taking place.

The domain name system is not, as it is currently implemented, secure. Let's say that Alice wants to go to www.gmail.com to check her email. Her computer sends out a request to her ISP's name server. The name server, which is basically just a big telephone book, tells her "www.gmail.com is living at IP address 74.125.224.119" and her browser merrily goes off to 74.125.224.119.

Now, suppose Bob wanted to steer her wrong. He could plant malware on her computer, or intercept her transmissions on her network, so that instead of going to her ISP's name servers, the DNS request was instead diverted to a hostile name server that he controls. His name server looks for any request for www.gmail.com and instead of returning 74.125.224.119, it returns 77.88.5.0, an IP address for a server in Russia that he owns.

So Alice types www.gmail.com into her address bar, but she is not connected to Google's servers. She's connected to a server that Bob runs in Russia. From this point, there are a lot of things he can do. He can put up a fake login page and steal Alice's username and password. He can put up a fake Gmail page and feed Alice false emails that he wants her to see. If he forges a Gmail security certificate, which happened a while ago when hackers broke into a CA called DigiNotar and made themselves phony but authentic-seeming Gmail security certificates, he can connect Alice through to the real Gmail and read everything she reads and everything she writes.

The idea behind DNScrypt is that all your computer's name server requests are encrypted and routed to secure name servers. If someone attempts to intercept your name server requests and alter the results, they can't. They can't see what Web sites you're looking up because the name of the site is encrypted, and they can't substitute their own phony IP address because the answer is encrypted too.

This idea has been around for years, but nobody's really doing it yet. In order for it to be effective without using special DNS software, everyone would have to change over at once...it does no good if you make encrypting the name server queries optional, because then a bad guy could still set up a phony name server and just have it set to refuse encrypted requests, and the browser would try again with an unencrypted request.

My guess is that it's available for Mac OS X first because OS X is Unix. Nearly all the world's name servers run on Unix. The OpenDNS name servers run Unix; it's easy (well, relatively speaking) to write Unix name server clients and servers that implement encryption. It makes sense that you'd want to test the client in a Unix configuration before you started making it available to Windows.

Readably informative post...as always; many thanks.

If I've followed you, DNSCrypt addresses the redirect whatchamacallit (Trojan?) that was plaguing people a coupl'a years ago?

Last (I guess) question: I've been using Open DNS's servers, 208.67.222.222 / 208.67.220.220, and DNSCrypt now shows "Current resolvers: 208.67.220.220 using DNSCrypt."

What's the difference between the two sets of numbers, and what does "Current resolvers..." mean?

Thanks, again.

The OSX/RSplug.A (or OSX/DNSchanger or OSX/Zlob, dependong on who you ask) malware might or might not continue to function, dependong on how DNScrypt works. The malware tells your computer to use its name servers; I don't know if the DNScrypt software prevents it from making that change, or makes all name server queries encrypted (which would break the malware, since I don't believe the hostile name servers can use encryption).

Fortunately, the FBI, working with overseas law enforcement, recently broke up the Zlob gang, which caused me to do a little dance. Though it also means that I don't know the answer to your question, asdly.

DNScrypt's list of "current name servers" is the list of name servers your computer is currently using.

Does this (from Introducing DNSCrypt) clarify anything?


You left me hanging on one point, though: I've been using Open DNS's servers, 208.67.222.222 / 208.67.220.220, and DNSCrypt now shows "Current resolvers: 208.67.220.220 using DNSCrypt."

What's the difference between the two sets of numbers(, and why does the first set drop out when I use DNSCrypt)?

Thanks, again.

The article is talking about the inherent vulnerability to man-in-the-middle attacks (setting up hostile DNS servers) when using unencryted DNS. It doesn't talk about how secure DNS is implemented in a software basis on Macs.

Most likely, the 208.67.222.222 server run by OpenDNS isn't set up for secure DNS queries; only the one at 208.67.220.220 is.

1. I guess we'll find out sometime down the road, and hopefully not the hard way.

2. Aaah... The two sets of numbers represent two different servers. (Did I miss something incredibly obvious?) I just noticed that when I toggle "Crypt" off the second set of numbers appears.

Again... Thanks.

That will only delay the inevitable problem. They should have rigged the dns to forward you to a web page telling you what problem you have and how to fix it. All this is going to do is delay the "pulled the plug on the internet" effect for a few months.

Reply to Virtual1 simply because he was closest....

It looks like the DNSCrypt beta installation has caused me an issue with network access over here in 'far-far-away' land.

The method for me over here is PPPoE using the WiFi network as a pipeline to a satellite connection.....and when I first arrived and renewed my subscription, I was unable to access anything over PPPoE.

I've since fallen back to my old internal drive in an external enclosure running Snow Leopard in order to gain network connectivity.

Unfortunately, the DNSCrypt beta doesn't have a very good uninstall option and it looks like I will have to wait until I return to the States before I can get my Lion installation refreshed (since I don't have great access to any significant broadband throughput over here....).

My feeling is that the DNSCrypt software makes some changes under the hood in the OS that doesn't play nice with PPPoE.

check your network prefs for an alternate DNS entry, quite possibly overriding to 127.0.0.1

Yep, thought of that......unfortunately it's more "under the hood" than that.

I get completely blocked from access beyond the router (pings fine to the router, but not beyond) when logged into 2 of the 3 WiFi networks within range.....on the third WiFi network (all three go to the same PPPoE server) I get limited throughput beyond the router.....on the first two, I can't even ping my own assigned IP address, while on the third I CAN ping my own IP but with significant packet loss.

If I start from my external drive with Snow Leopard, the connection is as good as it ever was.

I've tried re-installing Lion from my ESD image, then updating to 10.7.2 using the combo updater (previously saved to my HD), but the symptoms remain.

My next test will be to re-install Lion, but not update....should show if there is a legacy challenge that survives the re-install, or prove that the challenge comes from the 10.7.2 update itself (as I didn't make the upgrade while I was here last time, but rather while I was at home).

The inconvenient truth about Lion is that without a decent broadband connection EVERYTHING related to system installation takes a really long time.....even with the ESD image burned to disk.

Just a quick post to close out my issue.....the final fix was to create a new location in the Network PrefPane.

This gave me a clean set of network interfaces with no residual legacy issues and full connectivity.

My original "Automatic" location is trashed.

I've ran into network problems like that a few times in the past that required making a new network location, or deleting and re-adding the ethernet/wireless port. no idea why that fixes it - I've looked into the plists that control network and they look very easy to corrupt.. lots of cross-linking of information.

Bad day to try to download DNSCrypt. They're observing the SOPA strike.

By Preview Release they really mean beta version.
In the intro to the installer it is noted:
"You're testing DNSCrypt – A first-of-its-kind service that encrypts all DNS packets between your computer and OpenDNS."
It might be wise to wait for the ultimate version.

I think "Preview Release" inherently means no more advanced than beta, and why are you averse to installing one? (I never ran it, but OS X 10.0 was essentially a beta.)

I've run numerous betas with no ill effects (although I did have one close call), and it's bug reports from beta testers that generate ultimately (hopefully, fully) functional products.

I understand your reluctance, but I and others have been running DNSCrypt for a while now with no performance issues, although I don't think we can ever really determine that it is actually doing what it claims to do. (Edit: We can only be certain that it isn't. ).

Heck... It could be an alpha!

Deleted in favor of "Preview Release?".

I'm not savvy enough to do beta testing. So if something were to go radically wrong, I'd be up you-know-what's creek without a paddle. Noting again from their download page:
"DNSCrypt is immediately available as a technology preview. It should work, shouldn't cause problems, but we're still making iterative changes regularly."
I'll wait for the alpha version.

Actually, you've come a long way from your initial un-savviness, but I understand the way you feel, particularly with an app such as DNSCrypt.

My approach to beta testing is maintaining an up-to-date clone in case I hose my boot volume.


Alpha precedes beta; you're waiting for the official release version.

Told ya I was unsavvy. Of course, that's right.
And it's also a tad embarrassing for a linguist to make that mistake, although I take a modicum of solace in the fact that computerese is generally opaque to the end-user.
(sigh}

Admittedly I am a chronic early adopter, I installed the OS X Public Beta the day it was released, I download nightly builds of Chromium and Camino, and I often participate in formal beta testing. So FWIW, I am using DNScrypt on three Macs all running OS X 10.7.2 and it has been absolutely problem free. There has been one update since I first installed DNScrypt and that was totally uneventful. Whether it is called a technology preview, an alpha release, or a beta — it works. If it makes you nervous all you have to do is UNcheck the "Enable DNSCrypt" box and you are back to unencrypted OpenDNS. UNcheck "Enable OpenDNS" and you are back to whatever DNS servers you were using before. (In my case that would be OpenDNS).

I suspect the main thing we will see in future releases is perhaps some new features and/or options.

> I suspect the main thing we will see in future releases is perhaps some new features and/or options.

And perhaps command-H will someday hide DNSCrypt's menu bar icon, as per its drop-down, rather than quit the app. (Three bug reports filed so far.)

Joe,

I too am normally an early adopter, and had run DNSCrypt for nearly two months without issue while at home in the States.

I suspect my challenge with DNSCrypt was because my network access over here is so uncommon....i.e., PPPoE over WiFi.....and because DNSCrypt inserts its' special network adjustments below the GUI, I was unable to network correctly over here until I made a completely new network location which had never had DNSCrypt installed. The "Automatic" location contained the original PPPoE network interface which remained in-place from my last trip over, but once re-activated with current userID and password, proved unusable.

Having run the DNSCrypt uninstaller script to remove the PrefPane and Menu Bar packages, re-run the 10.7.2 Combo updater, then totally reinstalled 10.7 from scratch and applied the 10.7.2 Combo --- all without success, I finally found the solution after several days' of effort.

I'm curious about what this really means, i.e. I understand what's happening, but why is it necessary?

Once every hour, DNSCrypt leaves these messages in Console:


Thanks.