DNSCrypt (Preview Release)
#19529 12/08/11 06:29 AM
Joined: Aug 2009
Likes: 1
OP Online

MacFixIt reported about DNSCrypt (Preview Release) ("mac only at the moment") yesterday.

I guess this is tacit's department.

It sounds useful, and I've installed it because of the reliability of the source, but I'd appreciate a 3rd party assessment of its purpose and functionality.

Thanks.

Edit: Why "Mac only," rather than "Windows only," as a starting point?

Last edited by artie505; 12/08/11 11:39 AM.

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: DNSCrypt (Preview Release)
artie505 #19533 12/08/11 02:55 PM
Joined: Aug 2009
Likes: 2
Moderator
Offline
Originally Posted By: artie505
Why "Mac only," rather than "Windows only," as a starting point?

The developers were using Macs and not Windows boxes?


joemikeb • moderator
Re: DNSCrypt (Preview Release)
artie505 #19540 12/08/11 08:24 PM
Joined: Aug 2009
Likes: 1
Offline

The idea behind DNSCrypt in particular, and secure DNS in general, is that it prevents "man-in-the-middle" attacks from taking place.

The domain name system is not, as it is currently implemented, secure. Let's say that Alice wants to go to www.gmail.com to check her email. Her computer sends out a request to her ISP's name server. The name server, which is basically just a big telephone book, tells her "www.gmail.com is living at IP address 74.125.224.119" and her browser merrily goes off to 74.125.224.119.

Now, suppose Bob wanted to steer her wrong. He could plant malware on her computer, or intercept her transmissions on her network, so that instead of going to her ISP's name servers, the DNS request was instead diverted to a hostile name server that he controls. His name server looks for any request for www.gmail.com and instead of returning 74.125.224.119, it returns 77.88.5.0, an IP address for a server in Russia that he owns.

So Alice types www.gmail.com into her address bar, but she is not connected to Google's servers. She's connected to a server that Bob runs in Russia. From this point, there are a lot of things he can do. He can put up a fake login page and steal Alice's username and password. He can put up a fake Gmail page and feed Alice false emails that he wants her to see. If he forges a Gmail security certificate, which happened a while ago when hackers broke into a CA called DigiNotar and made themselves phony but authentic-seeming Gmail security certificates, he can connect Alice through to the real Gmail and read everything she reads and everything she writes.

The idea behind DNSCrypt is that all your computer's name server requests are encrypted and routed to secure name servers. If someone attempts to intercept your name server requests and alter the results, they can't. They can't see what Web sites you're looking up because the name of the site is encrypted, and they can't substitute their own phony IP address because the answer is encrypted too.

This idea has been around for years, but nobody's really doing it yet. In order for it to be effective without using special DNS software, everyone would have to change over at once...it does no good if you make encrypting the name server queries optional, because then a bad guy could still set up a phony name server and just have it set to refuse encrypted requests, and the browser would try again with an unencrypted request.

My guess is that it's available for Mac OS X first because OS X is Unix. Nearly all the world's name servers run on Unix. The OpenDNS name servers run Unix; it's easy (well, relatively speaking) to write Unix name server clients and servers that implement encryption. It makes sense that you'd want to test the client in a Unix configuration before you started making it available to Windows.


Photo gallery, all about me, and more: www.xeromag.com/franklin.html
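The exchange described in the post above, as an added example that is not part of the post or of OpenDNS's DNSCrypt code. It builds real DNS wire-format packets: Alice's query for www.gmail.com, the ISP resolver's honest answer (74.125.224.119) and Bob's forged answer (77.88.5.0), using the addresses from the post. A plain stub resolver accepts whichever reply arrives first with a matching transaction ID and question, which an on-path attacker can always satisfy (an off-path attacker has to guess the 16-bit ID, which is the Kaminsky race). The second resolver refuses any reply without a valid authentication tag. The tag is an HMAC under a shared key that I constructed for the example; DNSCrypt itself uses public-key authenticated encryption with the resolver's certificate, so no shared secret has to be distributed, but the property shown (Bob cannot produce a tag he has no key for) is the same.

```python
import hashlib
import hmac
import os
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode a wire-format name, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at `offset`)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if (length & 0xC0) == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def build_query(txid: int, name: str) -> bytes:
    """Recursive A query: header with RD set, one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + \
        encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_answer(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Response: QR/RD/RA flags, echoed question, one A record for `ip`.
    0xC00C is a pointer to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def parse_answer(packet: bytes):
    """Return (txid, question name, first A record as a dotted quad)."""
    txid = struct.unpack("!H", packet[:2])[0]
    qname, off = decode_name(packet, 12)
    off += 4                                               # qtype, qclass
    _owner, off = decode_name(packet, off)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
    off += 10
    return txid, qname, socket.inet_ntoa(packet[off:off + rdlen])


def plain_resolve(query: bytes, responses):
    """Unauthenticated stub behaviour: first reply whose txid and question
    match the outstanding query wins."""
    q_txid = struct.unpack("!H", query[:2])[0]
    q_name, _ = decode_name(query, 12)
    for packet in responses:
        txid, qname, ip = parse_answer(packet)
        if txid == q_txid and qname == q_name:
            return ip
    return None


def tag(packet: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag (stand-in for DNSCrypt's authenticated encryption)."""
    return packet + hmac.new(key, packet, hashlib.sha256).digest()


def authenticated_resolve(query: bytes, tagged_responses, key: bytes):
    """As plain_resolve, but a reply is dropped unless its tag verifies."""
    q_txid = struct.unpack("!H", query[:2])[0]
    q_name, _ = decode_name(query, 12)
    for tagged in tagged_responses:
        packet, mac = tagged[:-32], tagged[-32:]
        if not hmac.compare_digest(mac, hmac.new(key, packet, hashlib.sha256).digest()):
            continue                                       # forged or tampered
        txid, qname, ip = parse_answer(packet)
        if txid == q_txid and qname == q_name:
            return ip
    return None


def demo():
    """Alice looks up www.gmail.com; Bob, on her network, races the ISP resolver."""
    txid = 0x1234                                          # fixed so the run is reproducible
    query = build_query(txid, "www.gmail.com")
    isp_reply = build_answer(txid, "www.gmail.com", "74.125.224.119")
    bob_reply = build_answer(txid, "www.gmail.com", "77.88.5.0")  # Bob saw the txid on the wire
    plain = plain_resolve(query, [bob_reply, isp_reply])          # Bob answers first and wins

    key = hashlib.sha256(b"constructed shared key for this example").digest()
    forged = bob_reply + os.urandom(32)                           # Bob has no key: random tag
    authenticated = authenticated_resolve(query, [forged, tag(isp_reply, key)], key)
    return {"plain": plain, "authenticated": authenticated}


if __name__ == "__main__":
    print(demo())   # {'plain': '77.88.5.0', 'authenticated': '74.125.224.119'}
```

The point of `plain_resolve` is that nothing in an unauthenticated reply ties it to the real resolver: the transaction ID and question are copied straight from the query, so whoever answers first is believed. `authenticated_resolve` checks the tag before it looks at anything else, which is the order a real client must use too; parsing untrusted bytes first would give an attacker a parser to attack even when the forgery is eventually rejected.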
Re: DNSCrypt (Preview Release)
tacit #19550 12/09/11 07:11 AM
Joined: Aug 2009
Likes: 1
OP Online

Readably informative post...as always; many thanks. smile

If I've followed you, DNSCrypt addresses the redirect whatchamacallit (Trojan?) that was plaguing people a coupl'a years ago?

Last (I guess) question: I've been using OpenDNS's servers, 208.67.222.222 / 208.67.220.220, and DNSCrypt now shows "Current resolvers: 208.67.220.220 using DNSCrypt."

What's the difference between the two sets of numbers, and what does "Current resolvers..." mean?

Thanks, again.


Re: DNSCrypt (Preview Release)
artie505 #19563 12/09/11 07:07 PM
Joined: Aug 2009
Likes: 1
Offline

The OSX/RSplug.A (or OSX/DNSchanger or OSX/Zlob, depending on who you ask) malware might or might not continue to function, depending on how DNSCrypt works. The malware tells your computer to use its name servers; I don't know if the DNSCrypt software prevents it from making that change, or makes all name server queries encrypted (which would break the malware, since I don't believe the hostile name servers can use encryption).

Fortunately, the FBI, working with overseas law enforcement, recently broke up the Zlob gang, which caused me to do a little dance. Though it also means that I don't know the answer to your question, sadly.

DNSCrypt's list of "current name servers" is the list of name servers your computer is currently using.


Re: DNSCrypt (Preview Release)
tacit #19566 12/09/11 10:40 PM
Joined: Aug 2009
Likes: 1
OP Online

Does this (from Introducing DNSCrypt) clarify anything?

Quote:
Many will remember the Kaminsky Vulnerability, which impacted nearly every DNS implementation in the world (though not OpenDNS).

That said, the class of problems that the Kaminsky Vulnerability related to were a result of some of the underlying foundations of the DNS protocol that are inherently weak -- particularly in the "last mile." The "last mile" is the portion of your Internet connection between your computer and your ISP. DNSCrypt is our way of securing the "last mile" of DNS traffic and resolving (no pun intended) an entire class of serious security concerns with the DNS protocol.

You left me hanging on one point, though: I've been using OpenDNS's servers, 208.67.222.222 / 208.67.220.220, and DNSCrypt now shows "Current resolvers: 208.67.220.220 using DNSCrypt."

What's the difference between the two sets of numbers(, and why does the first set drop out when I use DNSCrypt)?

Thanks, again.


Re: DNSCrypt (Preview Release)
artie505 #19567 12/10/11 01:00 AM
Joined: Aug 2009
Likes: 1
Offline

The article is talking about the inherent vulnerability to man-in-the-middle attacks (setting up hostile DNS servers) when using unencrypted DNS. It doesn't talk about how secure DNS is implemented on a software basis on Macs.

Most likely, the 208.67.222.222 server run by OpenDNS isn't set up for secure DNS queries; only the one at 208.67.220.220 is.


Re: DNSCrypt (Preview Release)
tacit #19568 12/10/11 01:10 AM
Joined: Aug 2009
Likes: 1
OP Online

Originally Posted By: tacit
The article is talking about the inherent vulnerability to man-in-the-middle attacks (setting up hostile DNS servers) when using unencrypted DNS. It doesn't talk about how secure DNS is implemented on a software basis on Macs.

Most likely, the 208.67.222.222 server run by OpenDNS isn't set up for secure DNS queries; only the one at 208.67.220.220 is.

1. I guess we'll find out sometime down the road, and hopefully not the hard way.

2. Aaah... The two sets of numbers represent two different servers. (Did I miss something incredibly obvious?) I just noticed that when I toggle "Crypt" off the second set of numbers appears.

Again... Thanks.


Re: DNSCrypt (Preview Release)
tacit #19575 12/10/11 06:34 PM
Joined: Aug 2009
Offline

Quote:
To reduce the disruption to infected machines, the rogue DNS servers have been replaced with modified machines that are being operated for the next four months by the not-for-profit Internet Systems Consortium. Authorities wisely opted not to disconnect the DNS servers completely because millions of PCs now rely on them to find internet domains.

That will only delay the inevitable problem. They should have rigged the DNS to forward you to a web page telling you what problem you have and how to fix it. All this is going to do is delay the "pulled the plug on the internet" effect for a few months.


I work for the Department of Redundancy Department
Re: DNSCrypt (Preview Release)
Virtual1 #20065 01/11/12 05:06 AM
Moderator
Online

Joined: Aug 2009
Reply to Virtual1 simply because he was closest....

It looks like the DNSCrypt beta installation has caused me an issue with network access over here in 'far-far-away' land.

The method for me over here is PPPoE using the WiFi network as a pipeline to a satellite connection.....and when I first arrived and renewed my subscription, I was unable to access anything over PPPoE.

I've since fallen back to my old internal drive in an external enclosure running Snow Leopard in order to gain network connectivity.

Unfortunately, the DNSCrypt beta doesn't have a very good uninstall option and it looks like I will have to wait until I return to the States before I can get my Lion installation refreshed (since I don't have great access to any significant broadband throughput over here....).

My feeling is that the DNSCrypt software makes some changes under the hood in the OS that doesn't play nice with PPPoE.


Freedom is never free....thank a Service member today.
Re: DNSCrypt (Preview Release)
MacManiac #20067 01/11/12 07:25 PM
Joined: Aug 2009
Offline

Check your network prefs for an alternate DNS entry, quite possibly overriding to 127.0.0.1.


I work for the Department of Redundancy Department
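The check suggested in the post above, written out as an added example; it is not code from the post or from OpenDNS. It parses the resolver list in the shape that `scutil --dns` prints on OS X and classifies each address: a loopback address is taken to be DNSCrypt's local proxy (the assumption the post makes), 208.67.222.222 and 208.67.220.220 are OpenDNS reached directly and therefore unencrypted (the state joemikeb describes after unchecking "Enable DNSCrypt"), and anything else is flagged, since a changed resolver address is exactly what the DNSChanger-type malware discussed earlier leaves behind. The three sample outputs are constructed, not captured from a real Mac, and 203.0.113.53 is a documentation-range address standing in for an unknown resolver.

```python
import ipaddress
import re
import subprocess

# The two OpenDNS addresses named in this thread.
OPENDNS = {"208.67.222.222", "208.67.220.220"}
NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")

# Constructed samples in the shape of `scutil --dns` output (not captured from a real Mac).
SAMPLE_DNSCRYPT_ON = """\
DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  if_index : 5 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
"""

SAMPLE_DNSCRYPT_OFF = """\
DNS configuration

resolver #1
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
  if_index : 5 (en0)
  flags    : Request A records
"""

SAMPLE_TAMPERED = """\
DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 203.0.113.53
  if_index : 5 (en0)
  flags    : Request A records
"""


def nameservers(scutil_output: str) -> list:
    """Unique nameserver addresses, in order of first appearance."""
    found = []
    for match in NAMESERVER_RE.finditer(scutil_output):
        addr = match.group(1)
        if addr not in found:
            found.append(addr)
    return found


def classify(addr: str) -> str:
    """Where a query to this address ends up."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "local-proxy"      # assumed: DNSCrypt's proxy on this machine
    if addr in OPENDNS:
        return "opendns-plain"    # OpenDNS reached directly, i.e. unencrypted
    return "unexpected"


def assess(scutil_output: str):
    """Return (per-address classification, one-line verdict)."""
    report = {addr: classify(addr) for addr in nameservers(scutil_output)}
    kinds = set(report.values())
    if not report:
        verdict = "no resolvers configured"
    elif "unexpected" in kinds or "unparseable" in kinds:
        verdict = "unexpected resolver present: investigate before trusting any lookup"
    elif kinds == {"local-proxy"}:
        verdict = "all lookups go through the local proxy"
    elif "local-proxy" in kinds:
        verdict = "mixed: some lookups bypass the local proxy"
    else:
        verdict = "lookups go straight to OpenDNS, unencrypted"
    return report, verdict


def assess_this_mac():
    """Run the real command (macOS only) and assess its output."""
    output = subprocess.run(["scutil", "--dns"], capture_output=True,
                            text=True, check=True).stdout
    return assess(output)


if __name__ == "__main__":
    for label, sample in [("DNSCrypt on", SAMPLE_DNSCRYPT_ON),
                          ("DNSCrypt off", SAMPLE_DNSCRYPT_OFF),
                          ("tampered", SAMPLE_TAMPERED)]:
        print(label, assess(sample))
```

A loopback entry is only as good as the proxy behind it: if 127.0.0.1 is still listed after the proxy has been removed, every lookup times out, which is the failure the post is guessing at. The "mixed" verdict matters too, because a resolver that reaches OpenDNS directly alongside the proxy means some queries leave the machine unencrypted even with DNSCrypt enabled.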
Re: DNSCrypt (Preview Release)
Virtual1 #20104 01/15/12 12:33 AM
Moderator
Online

Joined: Aug 2009
Yep, thought of that......unfortunately it's more "under the hood" than that.

I get completely blocked from access beyond the router (pings fine to the router, but not beyond) when logged into 2 of the 3 WiFi networks within range.....on the third WiFi network (all three go to the same PPPoE server) I get limited throughput beyond the router.....on the first two, I can't even ping my own assigned IP address, while on the third I CAN ping my own IP but with significant packet loss.

If I start from my external drive with Snow Leopard, the connection is as good as it ever was.

I've tried re-installing Lion from my ESD image, then updating to 10.7.2 using the combo updater (previously saved to my HD), but the symptoms remain.

My next test will be to re-install Lion, but not update....should show if there is a legacy challenge that survives the re-install, or prove that the challenge comes from the 10.7.2 update itself (as I didn't make the upgrade while I was here last time, but rather while I was at home).

The inconvenient truth about Lion is that without a decent broadband connection EVERYTHING related to system installation takes a really long time.....even with the ESD image burned to disk.


Re: DNSCrypt (Preview Release)
MacManiac #20129 01/17/12 06:22 AM
Moderator
Online

Joined: Aug 2009
Just a quick post to close out my issue.....the final fix was to create a new location in the Network PrefPane.

This gave me a clean set of network interfaces with no residual legacy issues and full connectivity.

My original "Automatic" location is trashed.


Re: DNSCrypt (Preview Release)
MacManiac #20144 01/18/12 04:18 PM
Joined: Aug 2009
Offline

I've run into network problems like that a few times in the past that required making a new network location, or deleting and re-adding the ethernet/wireless port. No idea why that fixes it; I've looked into the plists that control the network and they look very easy to corrupt: lots of cross-linking of information.


Re: DNSCrypt (Preview Release)
artie505 #20150 01/18/12 06:45 PM
Joined: Aug 2009
Offline

Bad day to try to download DNSCrypt. They're observing the SOPA strike.

Re: DNSCrypt (Preview Release)
grelber #20157 01/19/12 07:33 PM
Joined: Aug 2009
Offline

By Preview Release they really mean beta version.
In the intro to the installer it is noted:
"You're testing DNSCrypt – A first-of-its-kind service that encrypts all DNS packets between your computer and OpenDNS."
It might be wise to wait for the ultimate version.

Re: DNSCrypt (Preview Release)
grelber #20158 01/19/12 08:17 PM
Joined: Aug 2009
Likes: 1
OP Online

Originally Posted By: grelber
By Preview Release they really mean beta version.
In the intro to the installer it is noted:
"You're testing DNSCrypt – A first-of-its-kind service that encrypts all DNS packets between your computer and OpenDNS."
It might be wise to wait for the ultimate version.

I think "Preview Release" inherently means no more advanced than beta, and why are you averse to installing one? (I never ran it, but OS X 10.0 was essentially a beta.)

I've run numerous betas with no ill effects (although I did have one close call), and it's bug reports from beta testers that generate ultimately (hopefully, fully) functional products.

I understand your reluctance, but I and others have been running DNSCrypt for a while now with no performance issues, although I don't think we can ever really determine that it is actually doing what it claims to do. (Edit: We can only be certain that it isn't. frown ).

Heck... It could be an alpha! grin

Last edited by artie505; 01/19/12 08:35 PM. Reason: Edit: & Cleanup

Re: DNSCrypt (Preview Release)
artie505 #20159 01/19/12 11:42 PM
Joined: Aug 2009
Likes: 1
OP Online

Deleted in favor of "Preview Release?".

Last edited by artie505; 01/20/12 01:31 AM.

Re: DNSCrypt (Preview Release)
artie505 #20165 01/20/12 09:48 AM
Joined: Aug 2009
Offline

Originally Posted By: artie505
I think "Preview Release" inherently means no more advanced than beta, and why are you averse to installing one? (I never ran it, but OS X 10.0 was essentially a beta.)
I've run numerous betas with no ill effects (although I did have one close call), and it's bug reports from beta testers that generate ultimately (hopefully, fully) functional products.

I'm not savvy enough to do beta testing. So if something were to go radically wrong, I'd be up you-know-what's creek without a paddle. Noting again from their download page:
"DNSCrypt is immediately available as a technology preview. It should work, shouldn't cause problems, but we're still making iterative changes regularly."
I'll wait for the alpha version.

Re: DNSCrypt (Preview Release)
grelber #20166 01/20/12 10:02 AM
Joined: Aug 2009
Likes: 1
OP Online

Originally Posted By: grelber
Originally Posted By: artie505
I think "Preview Release" inherently means no more advanced than beta, and why are you averse to installing one? (I never ran it, but OS X 10.0 was essentially a beta.)
I've run numerous betas with no ill effects (although I did have one close call), and it's bug reports from beta testers that generate ultimately (hopefully, fully) functional products.

I'm not savvy enough to do beta testing. So if something were to go radically wrong, I'd be up you-know-what's creek without a paddle. Noting again from their download page:
"DNSCrypt is immediately available as a technology preview. It should work, shouldn't cause problems, but we're still making iterative changes regularly."

Actually, you've come a long way from your initial un-savviness, but I understand the way you feel, particularly with an app such as DNSCrypt.

My approach to beta testing is maintaining an up-to-date clone in case I hose my boot volume.

Originally Posted By: grelber
I'll wait for the alpha version.

Alpha precedes beta; you're waiting for the official release version.


Re: DNSCrypt (Preview Release)
artie505 #20167 01/20/12 01:19 PM
Joined: Aug 2009
Offline

Originally Posted By: artie505
Originally Posted By: grelber
I'll wait for the alpha version.

Alpha precedes beta; you're waiting for the official release version.

Told ya I was unsavvy. Of course, that's right.
And it's also a tad embarrassing for a linguist to make that mistake, although I take a modicum of solace in the fact that computerese is generally opaque to the end-user.
(sigh)

Re: DNSCrypt (Preview Release)
artie505 #20170 01/20/12 01:31 PM
Joined: Aug 2009
Likes: 2
Moderator
Offline
Admittedly I am a chronic early adopter. I installed the OS X Public Beta the day it was released, I download nightly builds of Chromium and Camino, and I often participate in formal beta testing. So FWIW, I am using DNSCrypt on three Macs all running OS X 10.7.2 and it has been absolutely problem free. There has been one update since I first installed DNSCrypt and that was totally uneventful. Whether it is called a technology preview, an alpha release, or a beta, it works. If it makes you nervous all you have to do is UNcheck the "Enable DNSCrypt" box and you are back to unencrypted OpenDNS. UNcheck "Enable OpenDNS" and you are back to whatever DNS servers you were using before. (In my case that would be OpenDNS.)

I suspect the main thing we will see in future releases is perhaps some new features and/or options.


joemikeb • moderator
Re: DNSCrypt (Preview Release)
joemikeb #20171 01/20/12 03:20 PM
Joined: Aug 2009
Likes: 1
OP Online

> I suspect the main thing we will see in future releases is perhaps some new features and/or options.

And perhaps command-H will someday hide DNSCrypt's menu bar icon, as per its drop-down, rather than quit the app. (Three bug reports filed so far.)


Re: DNSCrypt (Preview Release)
joemikeb #20194 01/21/12 07:08 AM
Moderator
Online

Joined: Aug 2009
Joe,

I too am normally an early adopter, and had run DNSCrypt for nearly two months without issue while at home in the States.

I suspect my challenge with DNSCrypt was because my network access over here is so uncommon, i.e., PPPoE over WiFi, and because DNSCrypt inserts its special network adjustments below the GUI, I was unable to network correctly over here until I made a completely new network location which had never had DNSCrypt installed. The "Automatic" location contained the original PPPoE network interface which remained in place from my last trip over, but once re-activated with current userID and password, proved unusable.

Having run the DNSCrypt uninstaller script to remove the PrefPane and Menu Bar packages, re-run the 10.7.2 Combo updater, then totally reinstalled 10.7 from scratch and applied the 10.7.2 Combo, all without success, I finally found the solution after several days of effort.


Re: DNSCrypt (Preview Release)
joemikeb #20887 02/28/12 11:54 AM
Joined: Aug 2009
Likes: 1
OP Online

I'm curious about what this really means, i.e. I understand what's happening, but why is it necessary?

Once every hour, DNSCrypt leaves these messages in Console:

Quote:
2/28/12 7:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] Refetching server certificates
2/28/12 7:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] Server certificate #1323392947 received
2/28/12 7:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] This certificate looks valid
2/28/12 7:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] Server key fingerprint is E07C:5F90:03C2:D764:A9FC:9A1E:6633:632A:0FE0:B1C5:5EF9:894A:FC7A:BA18:4A62:462E

Thanks.


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
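An added example, not code from the post or from OpenDNS, that turns the Console lines above into a check worth running. In the DNSCrypt protocol the client fetches the resolver's certificate, which has a limited validity period and carries the key used to protect the session, so the proxy refetches it periodically; the fingerprint line is the key it decided to trust. The point of logging it is that you can pin it: a refetch that returns the same key is what the hourly lines show and is routine, while a different key means either a legitimate rotation by OpenDNS or a resolver that is not the one you think, and should be compared against OpenDNS's published key before being accepted. The first four log lines are the ones quoted in the post; the last four are constructed, with an obviously made-up fingerprint and serial, to show what a key change looks like.

```python
import re

# Fingerprint format as printed above: 16 colon-separated groups of 4 hex digits.
FINGERPRINT_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<proc>\S+)\[\d+\] \[INFO\] "
    r"Server key fingerprint is (?P<fp>(?:[0-9A-Fa-f]{4}:){15}[0-9A-Fa-f]{4})$")
CERT_RE = re.compile(r"Server certificate #(?P<serial>\d+) received")

# Lines 1-4: quoted from the post. Lines 5-8: constructed to show a key change.
SAMPLE_LOG = """\
2/28/12 7:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] Refetching server certificates
2/28/12 7:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] Server certificate #1323392947 received
2/28/12 7:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] This certificate looks valid
2/28/12 7:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] Server key fingerprint is E07C:5F90:03C2:D764:A9FC:9A1E:6633:632A:0FE0:B1C5:5EF9:894A:FC7A:BA18:4A62:462E
2/28/12 8:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] Refetching server certificates
2/28/12 8:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] Server certificate #1330000000 received
2/28/12 8:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] This certificate looks valid
2/28/12 8:37:21 AM com.opendns.osx.DNSCryptProxy[133] [INFO] Server key fingerprint is 1111:2222:3333:4444:5555:6666:7777:8888:9999:AAAA:BBBB:CCCC:DDDD:EEEE:FFFF:0000
"""

# The key seen on first install, taken from the post; pin it and watch for changes.
PINNED = "E07C:5F90:03C2:D764:A9FC:9A1E:6633:632A:0FE0:B1C5:5EF9:894A:FC7A:BA18:4A62:462E"


def normalize(fingerprint: str) -> str:
    """Case- and separator-insensitive form for comparison."""
    return fingerprint.replace(":", "").upper()


def scan(log_text: str, pinned: str):
    """One event per fingerprint line, with the serial of the certificate
    announced just before it and whether the key matches the pin."""
    events, serial = [], None
    for line in log_text.splitlines():
        cert = CERT_RE.search(line)
        if cert:
            serial = int(cert.group("serial"))
            continue
        fp = FINGERPRINT_RE.match(line)
        if fp:
            events.append({
                "time": fp.group("ts"),
                "serial": serial,
                "fingerprint": fp.group("fp"),
                "matches_pin": normalize(fp.group("fp")) == normalize(pinned),
            })
            serial = None
    return events


def alerts(log_text: str, pinned: str):
    """Fingerprint events whose key is not the pinned one."""
    return [event for event in scan(log_text, pinned) if not event["matches_pin"]]


if __name__ == "__main__":
    for event in scan(SAMPLE_LOG, PINNED):
        print(event)
    print("alerts:", alerts(SAMPLE_LOG, PINNED))
```

The regex is deliberately strict about the fingerprint shape, so a truncated or garbled line is ignored rather than recorded as a new key. Keeping the certificate serial with each event makes a genuine rotation easy to recognise afterwards: a new serial with the same key is routine, a new serial with a new key is the case to confirm with OpenDNS.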