trustor-poc
dnscrypt-proxy
dnscrypt-proxy might not yet perform local DNSSEC validation, see:
- https://github.com/DNSCrypt/dnscrypt-proxy/discussions/1954
- https://github.com/DNSCrypt/dnscrypt-proxy/issues/167#issuecomment-367689381
Not sure you'd like to merge this. Could you consider enabling GitHub issues please? Would have made posting this comment easier.
Hi Patrick,
nice to see your interest.
dnscrypt-proxy is just used for its SOCKS support - not for DNSSEC.
We do not expect dnscrypt-proxy to do DNSSEC validation, we use pyunbound for DNSSEC, see the README and this function: https://github.com/nusenu/trustor-poc/blob/c8e7ed42b95a6e2e4a0ec2aa01a713e7ded580fd/trustor-poc.py#L265
btw: I envisioned Whonix (as a project that makes use of some tails tools) as one of the platforms that the serious implementation should be easy to support.
Thank you for the warm welcome!
You mean, you're combining dnscrypt (for encryption) with unbound (for DNSSEC validation)? That would be very good!
I was looking for the best DNS setup(s) for Whonix and Kicksecure:
- https://www.whonix.org/wiki/Alternative_DNS_Resolver
- https://www.kicksecure.com/wiki/DNS_Security
If I could manage to combine dnscrypt with unbound that would kinda square a circle that I thought couldn't be squared at present.
> btw: I envisioned Whonix (as a project that makes use of some tails tools) as one of the platforms that the serious implementation should be easy to support.
Awesome!
> You mean, you're combining dnscrypt (for encryption)
dnscrypt is primarily used for its SOCKS support, but yes, it also supports encryption (and multiple upstreams).
> with unbound (for DNSSEC validation)?
we don't run unbound (the DNS resolver daemon); we use their python module. That module does the DNSSEC validation.
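The split described in this thread, as an added example that is not trustor-poc's own code: pyunbound does the DNSSEC validation in-process while plain queries are handed to a local dnscrypt-proxy listener, which provides the SOCKS transport. The forwarder address and the trust-anchor path are assumptions, and only answers the validator marks `secure` are returned to the caller.

```python
# Added example, not code from trustor-poc: pyunbound validates DNSSEC, dnscrypt-proxy
# (listening locally, assumed 127.0.0.1:53) is only the forwarder providing SOCKS transport.
try:
    import unbound  # python3-unbound; absent on hosts without the package
except ImportError:
    unbound = None

FORWARDER = "127.0.0.1"             # assumption: dnscrypt-proxy's listen address
ROOT_KEY = "/etc/unbound/root.key"  # assumption: root trust anchor, e.g. from unbound-anchor


def classify(havedata, secure, bogus):
    """Collapse the validator's flags into one outcome.

    'bogus'    validation failed: the data must not be used at all
    'nodata'   no records of that type
    'insecure' zone is unsigned (or the chain is provably absent): unverified data
    'secure'   the whole chain from the trust anchor checked out
    """
    if bogus:
        return "bogus"
    if not havedata:
        return "nodata"
    return "secure" if secure else "insecure"


def lookup(name, rrtype=None):
    """Resolve `name` through the local forwarder and return (outcome, addresses, why_bogus).

    Addresses are returned only for a 'secure' outcome; everything else yields [].
    """
    if unbound is None:
        raise RuntimeError("pyunbound is not installed")
    rrtype = unbound.RR_TYPE_A if rrtype is None else rrtype
    ctx = unbound.ub_ctx()
    ctx.add_ta_file(ROOT_KEY)   # trust anchor the validation chain must terminate in
    ctx.set_fwd(FORWARDER)      # send all queries (incl. DNSKEY/DS fetches) to dnscrypt-proxy
    status, result = ctx.resolve(name, rrtype, unbound.RR_CLASS_IN)
    if status != 0:
        raise RuntimeError(unbound.ub_strerror(status))
    outcome = classify(result.havedata, result.secure, result.bogus)
    addrs = list(result.data.address_list) if outcome == "secure" else []
    return outcome, addrs, result.why_bogus
```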