StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

[Request] Add in DNS encryption. #272

Closed Rich700000000000 closed 7 years ago

Rich700000000000 commented 8 years ago

First of all, this is an excellent project: We need more automatic tools like this. However, you're still missing one critical tool: DNS encryption.

Even if you're using Tor or a VPN, your DNS queries are still sent to the server in cleartext. And worse, it's usually Google's DNS server at 8.8.8.8. If we added in DNSCrypt, using the server version they have available, that would go a long way towards eliminating a possible weak link.

nickolasclarke commented 8 years ago

Aye, this has been a major problem for me. To speed queries, I run https://github.com/shadowsocks/ChinaDNS on my router, which has eliminated nearly all of my DNS woes here in China. However, having DNSCrypt as an option would be excellent.


Rich700000000000 commented 8 years ago

Yeah, this is a major thing. Is there some way I could perhaps donate, to get the ball rolling faster?

jlund commented 8 years ago

I don't want to make any money off of Streisand. When people ask, I encourage them to donate to the projects that it sets up and other great causes like the EFF and Open Whisper Systems.

The good news is that I'm going to do this. DNSCrypt seems pretty straightforward to set up on the server side. It looks like an absolute nightmare to configure on the client side (when it's even possible; poor iOS). That's a separate issue, but luckily the users who want this tend to already have it running on their systems.

It's also not at all the case that DNS requests are sent in plaintext in every scenario right now. Streisand's OpenVPN setup, for instance, sends clients a DNS server IP that is only accessible via the encrypted tunnel. Other daemons and services route the DNS requests through their respective encrypted tunnels too. There are a few exceptions where you can fail to follow the directions and end up using your ISP's name servers, but everything was tested to avoid DNS leaks.

You can also change the DNS servers from the default ones that are provided by Google. I haven't been able to find any other public resolvers that are reliable, stable, and that are not super sketchy (e.g. injecting ads into the mix for mistyped domains, instead of sending a proper NXDOMAIN). If you have any other suggestions that I might have missed, that would be great.

The China DNS workaround that Nick mentioned is orthogonal to DNSCrypt and I don't think that situation would be helped by its inclusion. I may be misunderstanding something. The issue there is that you want certain DNS requests to stay within the Great Firewall for sites in China, while non-China sites should be resolved outside of the GFW.

I recognize that people who are passionate about DNSCrypt are really, really passionate about it, and I'm going to make it happen. It's a cool project. The world is not on fire though.

nickolasclarke commented 8 years ago

Yes, I should have mentioned that was an aside. Tbh, it's not entirely clear to me why exactly ChinaDNS seems to have cleared up DNS issues for me, as the documentation is light and I haven't had time to dig in further. It is not an appropriate inclusion into Streisand. DNSCrypt is the correct route for this project.

Nick

jlund commented 8 years ago

@Rich700000000000 Would you be willing to help out with client configuration instructions? I'll probably just start out with a simple page on the Gateway that contains the basic DNSCrypt server details.

Rich700000000000 commented 8 years ago

What do you need?

unstatusthequo commented 8 years ago

Very impressed by the package overall and think adding DNSCrypt is a great addition. Here's a start for the Ubuntu 14.04 method: http://www.webupd8.org/2014/08/encrypt-dns-traffic-in-ubuntu-with.html (though this focuses on setting DNS changes via GUI, where it really needs to be `nano /etc/network/interfaces`).

unstatusthequo commented 8 years ago

This is also a nice option for DNSCrypt:

RandomDNS aims to improve the security, privacy and anonymity of DNSCrypt. It can randomize the server choice at runtime, rotate it frequently and much more. https://github.com/pwnsdx/RandomDNS

Install method on Ubuntu 14.04:

LinuxBrew first: http://linuxbrew.sh/

RandomDNS next:

1. Update Brew: `brew update && brew upgrade`
2. Install DNSCrypt + Node + NPM: `brew install dnscrypt-proxy node npm`
3. Download and run RandomDNS: `npm install -g randomdns && sudo DEBUG=* randomdns`
4. Set your DNS settings to 127.0.0.1. You can use `resolvconf`; if it isn't already installed, use: `sudo apt-get install resolvconf`
5. Edit the config file: `sudo nano /etc/resolvconf/resolv.conf.d/base` by entering your nameservers (one per line) with: `nameserver xxx.xxx.xxx.xxx`
6. Update resolvconf with `sudo resolvconf -u` and changes should be permanent and for all interfaces.

Rich700000000000 commented 8 years ago

> RandomDNS

Oh, that's absolutely perfect. It really, really is.

@jlund, are you sure you don't want any donations, of any kind? This project is shaping up to be a truly amazing privacy tool.

blahah commented 8 years ago

@jlund I know this thread is not about donations, but consider that accepting donations towards costs is not the same as making money off the project. You are expending resources (time, energy, and probably money) on development and a lot of people depending on the software would like to help make that sustainable. No pressure, but no doubt a bunch of us would like to help cover your costs.

muamma commented 8 years ago

@unstatusthequo Very helpful instructions above, thanks; but I get stuck on point 4: "Set your DNS settings to 127.0.0.1".

I wonder if you, or indeed anyone, could help me with instructions as to how I do that for my Ubuntu 14.04 server?

unstatusthequo commented 8 years ago

@muamma Lots of articles on Google for this. Here's one: http://askubuntu.com/questions/346838/how-do-i-configure-my-dns-settings-in-ubuntu-server

Also: https://help.ubuntu.com/community/NetworkConfigurationCommandLine/Automatic

And: http://askubuntu.com/questions/130452/how-do-i-add-a-dns-server-via-resolv-conf

muamma commented 8 years ago

Thanks, @unstatusthequo. That's a wealth of information (some of which I had already located) which I, as someone new to this, find overwhelming - sorry!

I have an Ubuntu 14.04 Streisand server set up on Digital Ocean. I've managed to install Linuxbrew, DNSCrypt, Node, NPM and RandomDNS as per above instructions.

Now I think (!!) I need a sure-fire way, via the ssh command line, to ensure that, when parsing a DNS request, my server inquires of 127.0.0.1 and only 127.0.0.1, routing the request via DNSCrypt and RandomDNS to the resolvers I have set via `sudo nano /etc/resolvconf/resolv.conf.d/base`.

Is that at all right?

Is this done via dnsmasq.conf? I see that `listen-address` is set as `127.0.0.1, 10.x.x.x`. Is this something I should be changing? Is there something else, or in addition, which I should be doing? Simply adding `nameserver 127.0.0.1` at the top of the list in /etc/resolvconf/resolv.conf.d/base still causes the VPS to resolve DNS via the resolvers I have set in dnsmasq.conf at the two entries at `server=xxx.xxx.xxx.xxx`.

Essentially, what I am asking for (sorry to be a pain!) is a step-by-step set of instructions to achieve this. I'm rather out of my depth at this point, and it would be great if someone could lead me by the hand on this!
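The "127.0.0.1 and only 127.0.0.1" condition asked about above (and the resolvconf steps 4 to 6 earlier in the thread) can be checked mechanically rather than by eyeballing the file. The script below is an added example, not code from the Streisand project or from anyone in this thread; it assumes the resolver file uses resolv.conf syntax (`nameserver` lines) and that the DNSCrypt/RandomDNS listener is on 127.0.0.1 as in those steps, and the sample files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report nameservers that would let queries bypass the local
# DNSCrypt listener. Works on /etc/resolv.conf, on
# /etc/resolvconf/resolv.conf.d/base, or on any file in the same syntax.

# list_nameservers FILE: print every nameserver address, one per line,
# ignoring comments, blank lines and other directives (search, options...).
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# leaked_nameservers FILE: print the nameservers that are not the local
# listener; empty output means every lookup goes through the local proxy.
leaked_nameservers() {
    list_nameservers "$1" | grep -v '^127\.0\.0\.1$' || true
}

# resolver_is_local FILE: succeed only if at least one nameserver is set
# and all of them are 127.0.0.1 (the DNSCrypt/RandomDNS listener).
resolver_is_local() {
    n=$(list_nameservers "$1" | grep -c . || true)
    [ "$n" -gt 0 ] || return 1
    [ -z "$(leaked_nameservers "$1")" ]
}

# Constructed sample: a leftover upstream resolver still present.
SAMPLE_LEAKY=$(mktemp)
cat > "$SAMPLE_LEAKY" <<'EOF'
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 127.0.0.1
nameserver 8.8.8.8
search example.invalid
EOF

# Constructed sample: only the local listener, as intended.
SAMPLE_LOCAL=$(mktemp)
printf 'nameserver 127.0.0.1\n' > "$SAMPLE_LOCAL"

if resolver_is_local "$SAMPLE_LOCAL"; then echo "local-only resolver: ok"; fi
if ! resolver_is_local "$SAMPLE_LEAKY"; then
    echo "leak: queries may bypass the local proxy via:"
    leaked_nameservers "$SAMPLE_LEAKY"
fi
rm -f "$SAMPLE_LEAKY" "$SAMPLE_LOCAL"
```

Run it as `sh check-resolver.sh` to see both verdicts, or call `resolver_is_local /etc/resolv.conf` from a shell that has sourced the functions to check the live file after `sudo resolvconf -u`.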

grempe commented 8 years ago

FWIW @alterstep has a pretty good DNSCrypt client for OS X/macOS that runs as a menubar app and autoupdates its server list. It does not currently seem to allow manual specification of the encrypted resolver you'd like to talk to, but maybe that's something the author would be willing to add so it could be used as a client for a streisand DNSCrypt instance.

Quentin-M commented 7 years ago

While DNSCrypt would be a great add, you'd have to make sure to only use DNSCrypt-compatible servers that do not log anything - this is a lesser set of the suggested lists of servers.

cpu commented 7 years ago

I believe this is a duplicate of https://github.com/jlund/streisand/issues/68 but since the discussion here seems to have been more complete I will leave this issue open as the feature request for DNSCrypt and close 68.

cpu commented 7 years ago

Closing in favour of https://github.com/jlund/streisand-discussions/issues/14