AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Provide Tor Hidden Service DNS addresses #50

Open Opensourcecommunitydevelopment opened 7 years ago

Opensourcecommunitydevelopment commented 7 years ago

For a privacy service like this it would be very nice to see. It may let people connect anonymously and even use it from behind a firewall, or as a bridge for people who have an IPv6-only connection with the IPv4 resolver connectivity issue found in another issue. For example, add a hidden service address like adguard1dns5443.onion as a DNS/DNSCrypt resolver. Sure, DNS is based on UDP by default and this supports only TCP, but you are DNSCrypt-enabled, which is great. It works with your server on the TCP port with dnscrypt-proxy -T (command line argument). That works fine on the anycast IP by now. There are already DNSCrypt resolvers that have offered this hidden service for a few years.

If you fear latency, there is still some improvement possible over the default config; the first and easiest is a local DNS cache.

https://adguard.com/en/privacy.html#website

> Information we collect when you use Adguard DNS
>
> When you use Adguard DNS, the browser sends the following information to our server:
>
> - IP address
> - DNS request containing the domain name
>
> We, in our turn, do not log or save any information. Since no information is being saved, nothing is sent to third parties.

ameshkov commented 7 years ago

@Opensourcecommunitydevelopment thanks for the tip, we'll look into it!

> There is already dnscrypt resolvers offering this hidden for few years.

Could you please point me any example of such hidden resolvers?

Opensourcecommunitydevelopment commented 7 years ago

Hello, thanks for your reply. If you need more info I will try to provide it. But my English isn't perfect for explaining these things, sorry. Yes, one of the first DNSCrypt resolvers does support it.

I quote the whole page because the cert has expired by date and sadly the service is half broken, so this may be a bad example today, at least for DNSCrypt. It worked very well in past years. But the list actually lists only cloudns-syd, and I cannot reach it by onion. cloudns-au is connectable.

cloudns@ https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

Connect: dnscrypt-proxy does not support SOCKS5 yet; you would need to socksify it to Tor manually. dnscrypt-proxy does not support domain names in resolvers, so no onion address. But Tor can map its address. Just put the following into the torrc config file:

```
MapAddress 113.20.6.2 gc2tzw6lbmeagrp3.onion
MapAddress 113.20.8.17 l65q62lf7wnfme7m.onion
```

https://www.torproject.org/docs/tor-manual.html.en

`MapAddress address newaddress`

Now you can even use any DNS query forwarded to 113.20.6.2:443 without DNSCrypt; standard DNS is enabled as well, and it goes through the hidden service resolver.

It works as the OS resolver with unbound's TCP upstream configured as forward-server 113.20.6.2:443, if unbound's outbound connection goes through the torsocks port.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

09/06/2015 - This signed text was written for https://cloudns.com.au

--Announcement--

Welcome to CloudNS!

CloudNS is an Australian-based, security-focused DNS provider.

Currently our DNS hosting and email infrastructure is under construction; however, our public DNS resolver is now online!

--Information--

Primary Server (Canberra, Australia):

Address: 113.20.6.2:443 or gc2tzw6lbmeagrp3.onion:443
Provider name: 2.dnscrypt-cert.cloudns.com.au
DNSCrypt Key: 1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4

Secondary Server (Sydney, Australia):

Address: 113.20.8.17:443 or l65q62lf7wnfme7m.onion:443
Provider name: 2.dnscrypt-cert-2.cloudns.com.au
DNSCrypt Key: 67A4:323E:581F:79B9:BC54:825F:54FE:1025:8B4F:37EB:0D07:0BCE:4010:6195:D94F:E330

--Features--

Our DNS resolvers have many security relevant features and other benefits:

  • DNSCrypt Support: We only allow connections to our service using DNSCrypt. This provides confidentiality and message integrity to our DNS resolver, and makes it harder for an adversary watching the traffic of our resolver to identify the origin of a DNS query, as all the traffic is mixed together.
  • DNSSEC Validation: Our server does complete trust validation of DNSSEC-enabled names, protecting you from upstream DNS poisoning attacks or other DNS tampering. For ccTLDs/gTLDs that are not DNSSEC signed, ISC's DLV Registry (dlv.isc.org) is used for validation.
  • Namecoin resolution: Namecoin is an alternative, decentralized DNS system that is able to prevent domain name censorship. Our DNS server does local Namecoin resolution of .bit domain names, making it an easy way to start exploring Namecoin websites.
  • Hosted in Australia: Our DNS server is hosted in Australia, making it a faster alternative to other open public DNS resolvers for Australian residents.
  • No domain manipulation or logging: We will not tamper with any domain queries, unlike some public providers who hijack domain resolution for domains that fail to resolve. Our servers do not log any data from connecting users, including DNS queries and the IP addresses that make connections.

--Getting Started--

Our DNS resolver is only accessible using the DNSCrypt protocol; to get started you will need to use a DNSCrypt client such as dnscrypt-proxy.

Below is an example command to connect to our primary and secondary servers using dnscrypt-proxy (dnscrypt.org). It verifies the fingerprint of our server using the provider key and, if successful, will set up a listening port at 127.0.0.1:2053 and 127.0.0.1:3053, which you can then use like a normal DNS server:

```sh
# Primary (Canberra): daemonize (-d), listen locally (-a), upstream resolver (-r);
# the provider key pins the resolver's DNSCrypt certificate. No space after '='.
dnscrypt-proxy -d -a 127.0.0.1:2053 -r 113.20.6.2:443 --provider-name=2.dnscrypt-cert.cloudns.com.au --provider-key=1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4

# Secondary (Sydney)
dnscrypt-proxy -d -a 127.0.0.2:3053 -r 113.20.8.17:443 --provider-name=2.dnscrypt-cert-2.cloudns.com.au --provider-key=67A4:323E:581F:79B9:BC54:825F:54FE:1025:8B4F:37EB:0D07:0BCE:4010:6195:D94F:E330
```

An additional step to limit the amount of trust you must place in our resolver is to set up your own DNS cache and DNSSEC-validating resolver. A good choice is to use "unbound" with forwarding to dnscrypt-proxy:

```
server:
    # required because the forwarders below live on loopback addresses
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@2053
    forward-addr: 127.0.0.2@3053
```

--Clients--

Windows users who want to test the resolver can connect using a simple .NET GUI application:

https://github.com/FivfBx2dOQTC3gc8YS4yMNo0el/dnscrypt-winclient

--CloudNS Security--

We will always sign announcement messages with our GPG key with key fingerprint: BCA5 6403 5599 8EC3 F0D9 6408 BFB6 560B EAE6 69FB

The SHA-2 fingerprint for our SSL certificate is below. If you see any other certificate than this one, then the connection has been compromised: 58:f2:f5:de:f8:ba:d8:a9:2d:24:b8:27:6c:6c:2f:9d:06:70:e7:5a

Any questions can be directed to admin@cloudns.com.au; please sign and encrypt emails using GPG. You can find our public key at https://cloudns.com.au/BCA5640355998EC3F0D96408BFB6560BEAE669FB.pub.asc and also on PGP public keyservers. If you receive an email from us, it will be signed using our secret key. If it isn't, assume it has been tampered with or spoofed altogether.

  • The CloudNS Team

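Added example (mine, not code from the issue, AdGuard Home or CloudNS) of what "socksify it to Tor manually" amounts to when the client itself can be changed: plain DNS over TCP through Tor's SOCKS5 port to a resolver published as a hidden service, using the RFC 1035 TCP framing that Tor's TCP-only transport forces, and handing the .onion name to Tor inside the SOCKS5 CONNECT so no torrc MapAddress mapping is needed. The .onion name, the resolver port and the Tor SocksPort are placeholders, and the reply parser checks the transaction ID and QR flag before trusting an answer.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Standard A/IN query with RD set and no EDNS, so the TCP frame stays minimal."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def tcp_frame(msg):
    return struct.pack(">H", len(msg)) + msg      # RFC 1035 4.2.2: 16-bit length prefix over TCP

def socks5_connect_request(host, port):
    """SOCKS5 CONNECT with ATYP=3 (domain name): Tor resolves the .onion, not the client."""
    return b"\x05\x01\x00\x03" + bytes([len(host)]) + host.encode() + struct.pack(">H", port)

def skip_name(msg, pos):
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:   # labels until root (0) or a compression pointer
        pos += msg[pos] + 1
    return pos + (2 if msg[pos] else 1)           # pointer is 2 bytes, root label is 1

def parse_a_records(reply, qid=0x1234):
    """Return the A addresses in a reply; reject an ID or flags that do not match our query."""
    rid, flags, qd, an = struct.unpack(">HHHH", reply[:8])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos, out = 12, []
    for _ in range(qd):
        pos = skip_name(reply, pos) + 4           # skip echoed question: name, QTYPE, QCLASS
    for _ in range(an):
        pos = skip_name(reply, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", reply[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            out.append(".".join(str(b) for b in reply[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return out

def resolve_via_tor(name, resolver=("resolver-placeholder.onion", 443), tor=("127.0.0.1", 9050)):
    """Whole exchange: SOCKS5 handshake with Tor, CONNECT to the .onion resolver, framed query."""
    with socket.create_connection(tor, timeout=30) as s, s.makefile("rb") as r:
        s.sendall(b"\x05\x01\x00")                # offer 'no authentication' only
        if r.read(2) != b"\x05\x00":
            raise ConnectionError("Tor rejected the SOCKS5 handshake")
        s.sendall(socks5_connect_request(*resolver))
        _ver, rep, _rsv, atyp = r.read(4)
        if rep != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed, reply code {rep}")
        r.read(6 if atyp == 1 else 18)            # discard BND.ADDR and BND.PORT
        s.sendall(tcp_frame(build_query(name)))
        (length,) = struct.unpack(">H", r.read(2))
        return parse_a_records(r.read(length))
```

Because the query is sent in the clear inside the Tor circuit, the exit of that circuit is the hidden service itself, which is the property the thread is after; pairing it with DNSCrypt as described above adds resolver authentication on top.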

4-FLOSS-Free-Libre-Open-Source-Software commented 4 years ago

> Could you please point me any example of such hidden resolvers?

@ameshkov example of such hidden resolver