
Use DNSCrypt by default in Kicksecure? (not Whonix!)

Alternative is using unencrypted, non-DNSSEC ISP provided servers.

1 Like

Related:

Any suggestions for which DNS servers to use?

See this list:

https://dnscrypt.info/public-servers/

Sort by DNSSEC (click the DNSSEC button).


Server requirements:

  • non-filtering
  • non-logging
  • DNSSEC
  • IPv6 is probably unavailable; there are not too many servers
  • hosted by a “good” organization

One good pick might be scaleway-fr since it is apparently hosted by the same people that created DNSCrypt; the server homepage is https://fr.dnscrypt.info.

But more servers are required in case one server becomes (temporarily) overloaded or goes offline.

Instead of having to trust some random third party, why not create our own Kicksecure DNS server?

Or instead of sticking to just one DNS server for all users, there could be a section for the user to choose their own DNS server in the installer.

1 Like

Lack of resources. No server admin.

Legal: Not great to mix producing software while at the same time running infrastructure. (Better to split that, as the Tor Project does: it does not run any Tor relays directly.)

Maybe later. I am not great at creating GUI prompts either. And wouldn’t know how to sort CLI users. And unattended use case. A lot of work. But for the initial version, the only realistic option is to predefine a list.

2 Likes

You can just use

read -r -p "Which DNS server would you like to use? " dns_server

Then add a bunch of error checking.

The prompt needs to be started at some point. Took a while to get whonixsetup right back then. Such interactive questions aren’t great. Bad usability.

Looking at https://dnscrypt.info/public-servers/, there aren’t many users who could make good decisions by looking at https://dnscrypt.info/public-servers/.

That information would have to be parsed and prepared for the user.

I don’t think asking the user is worth it here. It would be the same mess if we started asking about “Suggest Trustworthy Tor Hidden Services as Time Sources for sdwdate”.

1 Like

Then we can have a fallback DNS if the user doesn’t want to pick their own.

Raising the bar a little won’t do harm. Same with our development direction with VirusForget.

1 Like

Why would users be able to pick? We’d be already lucky if we can even find 5-10 reasonable choices.

Interactive setup isn’t great. A lot of work for minor or negative applause.

2 Likes

We should never involve the user in a security decision when possible. Most will have no idea what a DNS is. Let’s just pick a couple from the list.

2 Likes

Here are some nice choices, run by independent FLOSS devs. You might want to add the IPv6 sister nodes if you think we have a use for them.

  • charis: Public DNSCrypt server in Germany. DNSSEC, no logs, no filter. Maintained by @lucenera
  • arvind-io: Public resolver by EnKrypt (https://arvind.io). Hosted in Bangalore, India. Non-logging, non-filtering, supports DNSSEC.
  • bottlepost-dns-nl: Provided by bottlepost.me. Hosted in The Netherlands. DNSSEC / No Logs / No Filter
  • developerli-fr: DNSSEC - OpenNIC - Non-logging - Uncensored - hosted on ovh.com. Location: Gravelines, France. Maintained by piraces - https://developer.li
  • dnscrypt.ca-1: Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated DNS service for your pleasure.
  • dnswarden-dc1: DnsCrypt protocol. Non-logging, supports DNSSEC. By https://dnswarden.com

We could have a prompt that says something like “Do you want to change the default DNS server? (for advanced users)” and if they pick no, they’ll just use one we pick as the default.

1 Like

Sounds similar to:
Whonix Control Panel
https://phabricator.whonix.org/T89

but that could be more generalized so it would also cover Kicksecure.

1 Like

Using server list as suggested by @HulaHoop.

Added scaleway-fr as previously mentioned by me.

1 Like

This is implemented. And ready for configuration file review.

Except not enabled by default yet.

To enable:

  • package kicksecure-network-conf required
    • installing kicksecure-network-conf outside of Kicksecure would not be a good idea [1]
  • sudo apt install dnscrypt-proxy
  • /etc/resolv.conf needs to be edited.
    • See file comments.
    • comment in nameserver 127.0.2.1
    • comment out nameserver 10.0.2.3

Enabling this by default will be a simple change in that package.
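A shell version of the resolv.conf edit from the list above, as an added example that is not Kicksecure’s or kicksecure-network-conf’s own code. The sample file content is constructed, and it assumes the shipped file carries the 127.0.2.1 line commented out and the 10.0.2.3 line active.

```shell
#!/bin/sh
# Added example (not Kicksecure's code): switch a resolv.conf from the
# unencrypted gateway resolver (10.0.2.3) to the local dnscrypt-proxy
# listener (127.0.2.1), then verify no plaintext resolver is left active.

# Constructed sample of the shipped /etc/resolv.conf (assumption: both
# nameserver lines are present, the DNSCrypt one commented out).
SAMPLE_RESOLV_CONF='# Kicksecure DNS configuration (constructed sample)
# For dnscrypt-proxy: comment in 127.0.2.1, comment out 10.0.2.3.
#nameserver 127.0.2.1
nameserver 10.0.2.3
'

# enable_dnscrypt FILE: comment in 127.0.2.1, comment out 10.0.2.3.
# Idempotent: a second run matches nothing and changes nothing.
enable_dnscrypt() {
  sed \
    -e 's/^#[[:space:]]*nameserver[[:space:]][[:space:]]*127\.0\.2\.1[[:space:]]*$/nameserver 127.0.2.1/' \
    -e 's/^nameserver[[:space:]][[:space:]]*10\.0\.2\.3[[:space:]]*$/#nameserver 10.0.2.3/' \
    "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# active_nameservers FILE: print the addresses of uncommented nameserver lines.
active_nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# check_dnscrypt_only FILE: succeed only if 127.0.2.1 is the sole active
# resolver, so a leftover 10.0.2.3 line cannot bypass dnscrypt-proxy.
check_dnscrypt_only() {
  [ "$(active_nameservers "$1" | tr '\n' ' ')" = "127.0.2.1 " ]
}

# demo: run the edit twice on a copy of the constructed sample and verify.
# A real run would target /etc/resolv.conf as root instead of a temp file.
demo() {
  tmp=$(mktemp)
  printf '%s' "$SAMPLE_RESOLV_CONF" > "$tmp"
  enable_dnscrypt "$tmp"
  enable_dnscrypt "$tmp"
  check_dnscrypt_only "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}
```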


[1] Unfortunately I didn’t have any idea how to make the dnscrypt-proxy config a package independent from kicksecure-network-conf, since there can’t be two packages editing /etc/resolv.conf and I didn’t want to introduce the complexity of resolvconf. kicksecure-network-conf:

  • Sets up external network interfaces (eth0) by shipping a configuration file /etc/network/interfaces.d/30_kicksecure for Kicksecure.
  • Disables systemd Predictable Network Interface Names.
  • Configures DNS by shipping a configuration file /etc/resolv.conf for Kicksecure.

2 Likes

Will be default in first Kicksecure release.

Due to above issue, under consideration:

/lib/systemd/system/dnscrypt-proxy.socket.d/50_user.conf:

    [Socket]
    ListenStream=127.0.0.1:53
    ListenDatagram=127.0.0.1:53

2 Likes