trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Support for external DNS and HTTP filters #1577

Open v1gnesh opened 5 years ago

v1gnesh commented 5 years ago

Is your feature request related to a problem? Please describe.

With the increasing availability of DNS-over-HTTPS options, shady websites/apps/IoT can just do their own domain lookups via DoH, therefore bypassing any local, network-wide DNS blocking. Additionally, DNS-over-QUIC is on the horizon. How many security apparatus (apparatii/apparatuses?) can actually detect QUIC, and perhaps block QUIC? And finally, websites/apps/IoT can always detect that DNS is being sink-holed, and therefore just request connecting to an IP address. Not ideal, but tracking business is a huge pie, so we can't really write it off as 'unlikely'.

Describe the solution you'd like

An extension to the Algo deployment process, to include DNS and HTTPS filtering, whereby it provides the same security hardening to said DNS & HTTPS filtering software. https://github.com/diladele <-- There are 2 repositories here called 'DNS Safety' and 'Web Safety', and they do DNS filtering & HTTP filtering, respectively. Not sure what 'DNS Safety' is based on, but 'Web Safety' uses Squid Cache and ICAP filtering. Most of the deployment-related code is open source, and once the packages are installed, one can browse most of the source code too. Just the filtering engines are closed source, and therefore 'Web Safety' is SaaS, I'm not sure about 'DNS Safety'.

Additional context

Since AlgoVPN is meant to be an alternative to commercial VPNs, focusing on security, DIY, and automation, it would be much more powerful if it can be complemented with proper content filtering. The above packages needn't necessarily be deployed on cloud; if the scripting to deploy them on to a local machine is available, it will make for a top-notch ad/tracker/privacy setup, with a great level of control.
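One way an operator could spot the bypass described in this request (clients resolving names over their own DoH, or connecting to hard-coded IP addresses), as an added example that is not part of the original thread or of Algo: compare the answers the local filtering resolver handed out with the outbound flows seen at the gateway. The log tuples, addresses and the `unresolved_flows` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the issue), using documentation IP ranges.
# DNS answers from the local resolver: (epoch s, client, name, answer IP, TTL)
DNS_ANSWERS = [
    (1000, "10.0.0.2", "example.org", "192.0.2.10", 300),
    (1010, "10.0.0.3", "updates.example.net", "198.51.100.7", 60),
]
# Outbound flows at the gateway: (epoch s, client, dst IP, dst port, protocol)
FLOWS = [
    (1005, "10.0.0.2", "192.0.2.10", 443, "tcp"),    # resolved locally
    (1020, "10.0.0.3", "203.0.113.9", 443, "tcp"),   # never resolved locally
    (1500, "10.0.0.3", "198.51.100.7", 443, "tcp"),  # answer long expired
    (1030, "10.0.0.2", "203.0.113.53", 443, "udp"),  # unresolved, UDP/443
    (1040, "10.0.0.2", "10.0.0.1", 53, "udp"),       # the local resolver itself
]

def unresolved_flows(dns_answers, flows, grace=300, local_nets=("10.0.0.0/8",)):
    """Return flows whose destination the client did not learn from local DNS.

    grace (seconds past TTL) and local_nets are hypothetical tuning parameters.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    windows = {}  # (client, ip) -> list of (valid_from, valid_until)
    for ts, client, _name, ip, ttl in dns_answers:
        windows.setdefault((client, ip), []).append((ts, ts + ttl + grace))

    findings = []
    for ts, client, dst, port, proto in flows:
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in nets):
            continue  # internal traffic, including queries to the resolver
        valid = windows.get((client, dst))
        if valid is None:
            reason = "no local DNS answer"
        elif not any(start <= ts <= end for start, end in valid):
            reason = "outside local DNS answer validity window"
        else:
            continue  # destination matches a recent local answer
        if proto == "udp" and port == 443:
            reason += " (UDP/443, possibly QUIC)"
        findings.append((client, dst, port, proto, reason))
    return findings

if __name__ == "__main__":
    for finding in unresolved_flows(DNS_ANSWERS, FLOWS):
        print(finding)
```

A flagged flow is a lead, not proof: cached answers from before the capture window and applications that pin addresses legitimately will also appear.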

TC1977 commented 5 years ago

Algo's already using dnscrypt-proxy for this.

v1gnesh commented 5 years ago

@TC1977 Please spend a moment reading what I've written. It appears that you haven't done that.

TC1977 commented 5 years ago

I read what you wrote, twice in fact, but I guess I don't understand it. 🤷‍♂

From my total beginner standpoint, it looks like 'DNS Safety' blocks DNS requests for undesired domains, which is what dnscrypt-proxy currently does when you choose the adblocking option - Algo used to deploy dnsmasq to do that, and the readme even mentions dnsmasq as a point of reference. Dnscrypt-proxy also uses DoH and DNSSEC thru Cloudflare in Algo's specific implementation.

'Web Safety' may be worthwhile, but the scripts to install either of these 1) are very simple, so I don't see the benefit of attaching them to Algo when they can be run separately so easily, 2) require root privileges to install a closed-source package, then permit root SSH login and change the root password, which seems like a bad idea to me. I'm sure I could be wrong.

v1gnesh commented 5 years ago

@TC1977 'DNS Safety' provides a lot more control over how DNS blocking can be implemented.

The script you looked at for 'Web Safety' is the one for which you need to use their virtual appliance. We don't necessarily need to use their VA, can just install scripts.ubuntu18 (for example) in a VM we create with Ubuntu Desktop/Server 18.

Anyway, the idea is to see if Algo maintainers would be interested in these 2 solutions, and help harden its implementation, security-wise, by bringing the deployment bits under Algo's Ansible wing, so to speak.