Alternative is using unencrypted, non-DNSSEC ISP provided servers.
Related:
Any suggestions for which DNS servers to use?
See this list:
sort by DNSSEC, click DNSSEC button
server requirements:
- non-filtering
- non-logging
- DNSSEC
- IPv6 probably unavailable, there are not too many servers
- hosted by a “good” organization
One good pick might be scaleway-fr
since hosted apparently by the same people that created DNSCrypt, server homepage is https://fr.dnscrypt.info.
But more servers are required in case one server goes (temporarily) overload or offline.
Instead of having to trust some random third party, why not create our own Kicksecure DNS server?
Or instead of sticking to just one DNS server for all users, there could be a section for the user to choose their own DNS server in the installer.
Lack of resources. No server admin.
Legal: Not great to mix producing software while at the same time running infrastructure. (Better to split that such as Tor Project does not run any Tor relays directly.)
Maybe later. I am not great at creating GUI prompts either. And wouldn’t know how to sort CLI users. And unattended use case. A lot work. But for initial version, only realistic option is to predefine a list.
You can just use
read -r -p "Which DNS server would you like to use? " dns_server
Then add a bunch of error checking.
The prompt needs to be started at some point. Took a while to get whonixsetup right back then. Such interactive questions aren’t great. Bad usability.
Looking at DNSCrypt - List of public DoH and DNSCrypt servers there’s not much users who could make good decisions by looking at DNSCrypt - List of public DoH and DNSCrypt servers
That information would have to be parsed and prepared for the user.
I don’t think asking the user is worth it here. Would be same mess if we started asking about Suggest Trustworthy Tor Hidden Services as Time Sources for sdwdate.
Then we can have a fallback DNS if the user doesn’t want to choose to pick their own.
Raising the bar a little wo’t do harm. Same with our development direction with VirusForget.
Why would users be able to pick? We’d be already lucky if we can even find 5-10 reasonable choices.
Interactive setup isn’t great. A lot work for minor or negative applause.
We should never involve the user in a security decision when possible. Most will have no idea what a DNS is. Let’s just pick a couple from the list.
Here are some nice choices, run by independent FLOSS devs. You might want to add the IPv6 sister nodes if you think we have a use for them.
charis Public DNSCrypt server in Germany. DNSSEC, no logs, no filter. Maintained by @lucenera
arvind-io Public resolver by EnKrypt (https://arvind.io). Hosted in Bangalore, India. Non-logging, non-filtering, supports DNSSEC.
bottlepost-dns-nl Provided by bottlepost.me Hosted in The Netherlands, DNSSEC / No Logs / No Filter
developerli-fr DNSSEC - OpenNIC - Non-logging - Uncensored - hosted on ovh.com Location: Gravelines, France. Maintained by piraces - https://developer.li
dnscrypt.ca-1 Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated DNS service for your pleasure.
dnswarden-dc1 DnsCrypt protocol . Non-logging, supports DNSSEC. By https://dnswarden.com
We could have a prompt that says something like “Do you want to change the default DNS server? (for advanced users)” and if they pick no, they’ll just use one we pick as the default.
Sounds similar to:
Whonix Control Panel
https://phabricator.whonix.org/T89
but that could be more generalized so it would also cover Kicksecure.
Using server list as suggested by @HulaHoop.
Added scaleway-fr
as previously mentioned by me.
This is implemented. And ready for configuration file review.
Except not enabled by default yet.
- https://github.com/Whonix/kicksecure-network-conf/blob/master/etc/dnscrypt-proxy/kicksecure.toml
- https://github.com/Whonix/kicksecure-network-conf/blob/master/lib/systemd/system/dnscrypt-proxy.service.d/30_kicksecure.conf
- https://github.com/Whonix/kicksecure-network-conf/blob/master/etc/resolv.conf.kicksecure
To enable:
- package kicksecure-network-conf required
- installing kicksecure-network-conf outside of Kicksecure not be a good idea [1]
sudo apt install dnscrypt-proxy
-
/etc/resolv.conf
needs to be edited.- See file comments.
- comment in
nameserver 127.0.2.1
- comment out
nameserver 10.0.2.3
Enabling this by default will be a simple change in that package.
[1] Unfortunately I didn’t have any idea how to make dnscrypt-proxy config a package independent from kicksecure-network-conf since there can’t be two packages editing /etc/resolv.conf and I didn’t want to introduce the complexity of resolvconf. kicksecure-network-conf
- Sets up external network interfaces eth0 by shipping a configuration file /etc/network/interfaces.d/30_kicksecure for Kicksecure.
- Disables systemd Predictable Network Interface Names.
- Configures DNS by shipping a configuration file /etc/resolv.conf for Kicksecure.
Will be default in first Kicksecure release.
Due to above issue, under consideration:
/lib/systemd/system/dnscrypt-proxy.socket.d/50_user.conf
[Socket]
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53
DNSCrypt has some good features, but it did not work for me. Mass adoption also seems unlikely compared to DoT and DoH.
DoT is already supported by enterprise-class software like Unbound. The Stubby package is supposed to be better for queries because of the way it handles connections. That might be a good choice.
DoH is something that browsers are supporting but admins are not happy about it because of potential policy bypasses in corpnets. My opinion is that DoH could become very useful for censorship avoidance. If webadmins can direct to resolvers they host, it could be a good thing. Not-authoritative replies would be a good way to route traffic when chosen per-website. Such inventive routing would probably only be used by crackers, but it could be used to keep people safe.
I was considering bring DNSCrypt easy configuration back through an
opt-in package. Easily installed, tested, easily uninstalled.
Not adamant about DNSCrypt specifically. Could be something else…
DoT… DoH… Didn’t research enough yet.
Are there any packages available in Debian to set encrypted DNS up
system wide (ideally also DNSSEC compatible)? Reason for choosing
DNSCrypt was that there’s a Debian package (packages.debian.org), hence
(pre-)configuring it in Kicksecure (through opt-in package) seems doable
effort.