DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 27th December 2014
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default DNSCrypt and local Unbound resolver

I am reading one of BSD now tutorials

http://www.bsdnow.tv/tutorials/openbsd-router

As probably most of you my typical work/home DNS set up consists of local Unbound DNS resolver with DNSSEC validation turned on. However above tutorial advocates the use of dnscrypt-proxy. My understanding is that dnscrypt-proxy is useful in the case local resolver is forwarding requests to another resolver like OpenDNS (no U.S. resolver should be used IMHO if the privacy is of any concern). In my case my understanding is that each uncashed request will go to a top domain. Ideally one would be able to encrypt such traffic with DNSCurve but I am not aware that Matthew Dempsky finished that code and removed those explicit dependencies on Linux kernel system calls.

My question is: Is dnscrypt-proxy at all useful for people who run their own Unbound resolver (for example on my laptop) and don't forward DNS request to any server? Could anybody please explain me how dnscrypt-proxy actually works (RTFM with the link is OK too).
Reply With Quote
  #2   (View Single Post)  
Old 28th December 2014
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

dnscrypt-proxy is basically a proxy that wraps dns queries in TLS port 443 traffic to a specialized resolver that you point it to. My configuration has two such proxies running, with unbound configured to route certain traffic to them. You'll want to read up on which resolvers you can use, US ones are obviously not a great choice as you've pointed out, but make sure they don't log (granted, "we don't log queries" is no indication that they don't, in fact, log queries, but it's definitely better than "yes, we log your requests", IMHO).
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
directing DNS queries to local unbound? 22decembre OpenBSD Security 16 28th December 2014 04:52 AM
Unbound reverse-ptr stub-zone woes cmacrae OpenBSD General 0 9th August 2014 05:57 PM
dnscrypt-proxy build errors? gkbsd OpenBSD Packages and Ports 7 3rd May 2014 01:12 PM
unbound reverse lookup private zone Oko General software and network 2 20th November 2013 03:15 PM
Security DNSCrypt: a tool to encrypt all DNS traffic J65nko News 0 8th December 2011 08:13 PM


All times are GMT. The time now is 03:15 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick