Use DNSCrypt by default in Kicksecure? (not Whonix!)

Related:

Any suggestions for which DNS servers to use?

See this list:

sort by DNSSEC, click DNSSEC button


server requirements:

  • non-filtering
  • non-logging
  • DNSSEC
  • IPv6 probably unavailable, there are not too many servers
  • hosted by a “good” organization

One good pick might be scaleway-fr since hosted apparently by the same people that created DNSCrypt, server homepage is https://fr.dnscrypt.info.

But more servers are required in case one server goes (temporarily) overload or offline.

Instead of having to trust some random third party, why not create our own Kicksecure DNS server?

Or instead of sticking to just one DNS server for all users, there could be a section for the user to choose their own DNS server in the installer.

1 Like

Lack of resources. No server admin.

Legal: Not great to mix producing software while at the same time running infrastructure. (Better to split that such as Tor Project does not run any Tor relays directly.)

Maybe later. I am not great at creating GUI prompts either. And wouldn’t know how to sort CLI users. And unattended use case. A lot work. But for initial version, only realistic option is to predefine a list.

2 Likes

You can just use

read -r -p "Which DNS server would you like to use? " dns_server

Then add a bunch of error checking.

The prompt needs to be started at some point. Took a while to get whonixsetup right back then. Such interactive questions aren’t great. Bad usability.

Looking at DNSCrypt - List of public DoH and DNSCrypt servers there’s not much users who could make good decisions by looking at DNSCrypt - List of public DoH and DNSCrypt servers

That information would have to be parsed and prepared for the user.

I don’t think asking the user is worth it here. Would be same mess if we started asking about Suggest Trustworthy Tor Hidden Services as Time Sources for sdwdate.

1 Like

Then we can have a fallback DNS if the user doesn’t want to choose to pick their own.

Raising the bar a little wo’t do harm. Same with our development direction with VirusForget.

1 Like

Why would users be able to pick? We’d be already lucky if we can even find 5-10 reasonable choices.

Interactive setup isn’t great. A lot work for minor or negative applause.

2 Likes

We should never involve the user in a security decision when possible. Most will have no idea what a DNS is. Let’s just pick a couple from the list.

2 Likes

Here are some nice choices, run by independent FLOSS devs. You might want to add the IPv6 sister nodes if you think we have a use for them.

charis Public DNSCrypt server in Germany. DNSSEC, no logs, no filter. Maintained by @lucenera

arvind-io Public resolver by EnKrypt (https://arvind.io). Hosted in Bangalore, India. Non-logging, non-filtering, supports DNSSEC.

bottlepost-dns-nl Provided by bottlepost.me Hosted in The Netherlands, DNSSEC / No Logs / No Filter

developerli-fr DNSSEC - OpenNIC - Non-logging - Uncensored - hosted on ovh.com Location: Gravelines, France. Maintained by piraces - https://developer.li

dnscrypt.ca-1 Free, Canadian, uncensored, no-logs, encrypted, and DNSSEC validated DNS service for your pleasure.

dnswarden-dc1 DnsCrypt protocol . Non-logging, supports DNSSEC. By https://dnswarden.com

We could have a prompt that says something like “Do you want to change the default DNS server? (for advanced users)” and if they pick no, they’ll just use one we pick as the default.

1 Like

Sounds similar to:
Whonix Control Panel
https://phabricator.whonix.org/T89

but that could be more generalized so it would also cover Kicksecure.

1 Like

Using server list as suggested by @HulaHoop.

Added scaleway-fr as previously mentioned by me.

1 Like

This is implemented. And ready for configuration file review.

Except not enabled by default yet.

To enable:

  • package kicksecure-network-conf required
    • installing kicksecure-network-conf outside of Kicksecure not be a good idea [1]
  • sudo apt install dnscrypt-proxy
  • /etc/resolv.conf needs to be edited.
    • See file comments.
    • comment in nameserver 127.0.2.1
    • comment out nameserver 10.0.2.3

Enabling this by default will be a simple change in that package.


[1] Unfortunately I didn’t have any idea how to make dnscrypt-proxy config a package independent from kicksecure-network-conf since there can’t be two packages editing /etc/resolv.conf and I didn’t want to introduce the complexity of resolvconf. kicksecure-network-conf

  • Sets up external network interfaces eth0 by shipping a configuration file /etc/network/interfaces.d/30_kicksecure for Kicksecure.
  • Disables systemd Predictable Network Interface Names.
  • Configures DNS by shipping a configuration file /etc/resolv.conf for Kicksecure.
2 Likes

Will be default in first Kicksecure release.



Due to above issue, under consideration:

/lib/systemd/system/dnscrypt-proxy.socket.d/50_user.conf

[Socket]
ListenStream=127.0.0.1:53
ListenDatagram=127.0.0.1:53
2 Likes

https://gitlab.com/whonix/kicksecure-network-conf/-/commit/38cfa20cbaf5f732ee1edaac75fdef1c769b5716

DNSCrypt has some good features, but it did not work for me. Mass adoption also seems unlikely compared to DoT and DoH.

DoT is already supported by enterprise-class software like Unbound. The Stubby package is supposed to be better for queries because of the way it handles connections. That might be a good choice.

DoH is something that browsers are supporting but admins are not happy about it because of potential policy bypasses in corpnets. My opinion is that DoH could become very useful for censorship avoidance. If webadmins can direct to resolvers they host, it could be a good thing. Not-authoritative replies would be a good way to route traffic when chosen per-website. Such inventive routing would probably only be used by crackers, but it could be used to keep people safe.

I was considering bring DNSCrypt easy configuration back through an
opt-in package. Easily installed, tested, easily uninstalled.

Not adamant about DNSCrypt specifically. Could be something else…
DoT… DoH… Didn’t research enough yet.

Are there any packages available in Debian to set encrypted DNS up
system wide (ideally also DNSSEC compatible)? Reason for choosing
DNSCrypt was that there’s a Debian package (packages.debian.org), hence
(pre-)configuring it in Kicksecure (through opt-in package) seems doable
effort.

That would be good. I didn’t like breaking the host metapackage when I removed it.

DNSCurve is another one.

systemd-resolvd has basic support for DNSSEC and DoT, but it is not suited for Kicksecure. There are no hardening options and It can’t authenticate DoT servers. Might not be too bad if resolvd was given a pointer to a local daemon that was better. I will look around and report back later.

1 Like