
[Request] Add in DNS encryption.

Open cpu opened this issue 8 years ago • 6 comments

Suggested by @Rich700000000000 in https://github.com/jlund/streisand/issues/272

First of all, this is an excellent project: We need more automatic tools like this. However, you're still missing one critical tool: DNS encryption.

Even if you're using TOR or a VPN, your DNS queries are still sent to the server in cleartext. And worse, it's usually Google's DNS server at 8.8.8.8. If we added in DNSCrypt, using the server version they have available, that would go a long way towards eliminating a possible weak link.

cpu avatar Jul 23 '17 22:07 cpu

There's considerable follow-up discussion in jlund/streisand#272 that I don't want to copy/paste here but should be referred to by anyone interested in restarting this discussion.

cpu avatar Jul 23 '17 22:07 cpu

#29 also seems to be related.

nickolasclarke avatar Aug 04 '17 07:08 nickolasclarke

Hey All,

Following up on this, we can probably put this together really easily using cloudflare's implementation of DNS over https using their "cloudflared" package and newly launched 1.1.1.1/1.0.0.1 DNS resolvers. I think we should replace DNSmasq with this as the default. This will also remove the need for the upstream DNS host variable. I've done some tests with a few servers of mine and it works flawlessly. No client changes necessary either.

Let me know your thoughts, I can work on the role replacement and submit a pull request.

James

jamesspi avatar Apr 02 '18 21:04 jamesspi

I worry that the 1.1.1.1 DNS domains may get blocked by China, so I am not confident that this may be the best idea as the default implementation. Many external DNS are blocked or highly intermittent here.

nickolasclarke avatar Apr 03 '18 04:04 nickolasclarke

The request will be HTTPS to Cloudflare, not DNS. It's a DNS proxy, so all DNS requests are made to localhost, and in turn sent to Cloudflare over HTTPS. Cloudflare then makes the DNS request to their locally cached roots. This is why we would need to replace dnsmasq.

jamesspi avatar Apr 03 '18 05:04 jamesspi
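The architecture jamesspi describes in the two comments above (clients talk ordinary DNS to localhost, the proxy relays each query to Cloudflare inside HTTPS, nothing leaves the host on plaintext port 53) as an added example that is not part of this thread and is neither cloudflared's nor Streisand's code. The DoH endpoint `https://1.1.1.1/dns-query` and the `application/dns-message` POST format are from RFC 8484; the local port 5353, the documentation-range address in the sample packets and the SERVFAIL behaviour on upstream failure are assumptions for illustration.

```python
"""Minimal DNS-over-HTTPS (DoH) forwarder: UDP DNS on localhost -> HTTPS POST upstream.

Added example, not cloudflared or Streisand code. Clients send normal wire-format
DNS to LISTEN; each packet is relayed unchanged to the DoH upstream (RFC 8484) in
an HTTPS POST, and the wire-format answer is returned to the client. No plaintext
DNS leaves the machine, which is the point made in the thread.
"""
import socket
import struct
import urllib.request

DOH_URL = "https://1.1.1.1/dns-query"   # RFC 8484 endpoint; 1.0.0.1 is the fallback
LISTEN = ("127.0.0.1", 5353)            # assumed local port; 53 needs privileges


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode one DNS question (default type A) in wire format with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, name ends
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length


def parse_a_records(pkt: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a wire-format response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F:                 # non-zero RCODE: NXDOMAIN, SERVFAIL, ...
        return []
    off = 12
    for _ in range(qd):                # skip question: name + QTYPE + QCLASS
        off = _skip_name(pkt, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record with 4-byte RDATA
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return addrs


def doh_exchange(wire_query: bytes, url: str = DOH_URL) -> bytes:
    """POST one wire-format query to the DoH upstream and return the wire response."""
    req = urllib.request.Request(
        url, data=wire_query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def servfail_for(query: bytes) -> bytes:
    """Build a SERVFAIL (RCODE 2) reply echoing the client's txid and question.

    Returning an explicit error keeps resolvers from hanging on a timeout; the
    forwarder never falls back to sending the query in plaintext on port 53.
    """
    return query[:2] + struct.pack("!H", 0x8182) + query[4:12] + query[12:]


def serve(listen=LISTEN, url=DOH_URL) -> None:
    """Forward UDP DNS from localhost to the DoH upstream until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(listen)
        while True:
            query, client = sock.recvfrom(4096)
            try:
                sock.sendto(doh_exchange(query, url), client)
            except Exception:
                sock.sendto(servfail_for(query), client)


if __name__ == "__main__":
    serve()
```

Point a client at `127.0.0.1:5353` (or run as root on port 53 and point `/etc/resolv.conf` at localhost) and every lookup becomes an HTTPS POST to 1.1.1.1; a packet capture on the VPN or Tor exit side then shows TLS to Cloudflare rather than readable queries. Replacing `LISTEN` with the VPN's internal address is what the proposed dnsmasq replacement would need.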

Ah, that is much more compelling.

nickolasclarke avatar Apr 03 '18 06:04 nickolasclarke