Securing the DNS communications

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Fri, 13 Nov 2015 15:46:51 -0800

Hi Logan,
At 22:58 11-11-2015, Loganaden Velvindron wrote:
>There are 2 paths that we are interested in:
>
>1) Path from OpenDNS DNS servers (which act as public resolvers) and the
>Authoritative DNS servers ("Big" servers).
>
>2) Path from the OpenDNS servers to the customers. (you, me and others
>on the mailing list).
>
>Securing the DNS communications in 1) involves dnscrypt deployed at both
>ends. That's not our concern, as this is not under our control.
>
>Securing the DNS communications in 2) is what is within our control, and
>what concerns us. DNScrypt solves 2) by setting up a secure
>bi-directional path, using certificates, and cryptography. It's also
>quite fast, as the cryptography used was optimized.
>
>We can go further and force everything to go through DNScrypt on my home
>router. I'm going one step at a time here :)
>
>So with 2) enabled, it's hard for my ISP to get my DNS messages, and
>possibly send them to other agencies for analysis.
>
>As an indicator of DNScrypt's potentially disruptive impact, DNScrypt.org
>is now blocked from within China :)
If the objective is to secure the DNS communication, I would look at
both (1) and (2). I would not argue for only making (2) secure and
leaving (1) open to attack. Your approach is to secure the path
which is under your control. Is it worth doing?

You chose (2) because you are concerned about what is known as the
"last mile". The way you are securing that part is through
encryption. I did not find any information in the blog article to
learn more about how the "DNS communications" will be secure, e.g.
how does the encryption work. The blog article does not say anything
about how you ensured that the server you used for (2) provided
adequate security. The problem you are looking at is about
privacy. Can that be solved with encryption? I do not think so.

Your concern was about your ISP building a profile about you. What
can a person who has access to the profile find out about
you? Here's another question. What if the person was interested in
finding out who accessed, for example, the web site of a political
organization? Is it possible to do that?

It is a complex problem. You focused on one part of it. You mixed
several things in such a way that it would be difficult to see
whether there is a good thing among them.

Regards,
S. Moonesamy
Received on Sat Nov 14 2015 - 02:26:40 PST