Use DNSCrypt by default in Kicksecure? (not Whonix!)

nurmagoz · July 8, 2023, 1:07pm

Its OS feature, and btw windows (optionally) doing it (specially windows 11).

Having it doesnt harm, any app which support it then it gonna support it if not then not, there is no downside to this (app wont be disconnected if it doesnt support DOH/ECH).

So if possible to have it then better to have it.

Patrick · July 8, 2023, 5:35pm

If it’s possible + stable + improvement (+ free in effort + free in time) = yes, implement.

Obviously. But the technical details matter and that complexity cannot be brushed away. The topic of DNS security is complex… DNS Security - Kicksecure

dnscrypt-proxy is DNSSEC aware but dnscrypt-proxy at time of writing is DNSSEC non-validating. That I find weird. Therefore the answer for Use DNSCrypt by default in Kicksecure? (not Whonix!) for now is “no”.

When re-purposing this forum thread with a more general open question, “which DNS security improvements should Kicksecure deploy by default” the answer is unresolved too. First…

1. Choose an option.

recursive, unencrypted, validating, caching

iterative, encrypted (DoT), validating, caching

Patrick · July 9, 2023, 7:11pm

8 posts were split to a new topic: Default DNS Provider Discussion for Kicksecure (not Whonix!)

Patrick · July 9, 2023, 4:24pm

github.com/NLnetLabs/unbound

Unbound fails to resolve DNS if the system has IPv6 enabled but IPv6 connectivity is broken

opened 04:23PM - 09 Jul 23 UTC

adrelanos

**Describe the bug** Unbound fails to resolve DNS if the system has IPv6 enab…led but IPv6 connectivity is broken. Does unbound attempt to fallback on IPv4 in case IPv6 is broken? **To reproduce** Steps to reproduce the behavior: 1. Debian bookworm 2. Install dnssec-trigger 3. nslookup **Expected behavior** Functional DNS. **System:** - Unbound version: 1.17.1 - OS: Debian bookworm - `unbound -V` output: - ``` Version 1.17.1 Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --enable-tfo-server Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.9 30 May 2023 Linked modules: dns64 python subnetcache respip validator iterator TCP Fastopen feature available BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues ```

Patrick · July 9, 2023, 7:11pm

I split the policy discussion from this and moved it here: