Linux User Group of Mauritius Promoting open source software in our beautiful island

11Nov/150

Encrypting my DNS traffic

Posted by logan

Protecting my DNS traffic

I use Internet Banking because my bank forced me to. They prefer that I avoid going to their regional office for bank transfers. When I launch my mobile banking application, There's a message known as DNS, which is sent to my ISP. The message is basically : "What is the IP address of Internet Banking web site ?". The DNS server at the ISP side will reply with something like "22.22.11.22".

Building a profile

The problem here is that this message is sent unencrypted. My ISP can capture this traffic and send it to some agency somewhere. We already know that they are filtering Internet in Mauritius, and blocking Child pornography. However, we don't know what else they might be collecting on us. Lack of transparency is an issue with the ICT Authorities in Mauritius. I'm not comfortable with my DNS traffic passing around unencrypted. It can be used to guess when I am checking my bank account. It can also be used to check which websites I've been visiting. DNS is a very good metadata to build a profile about anybody on the Internet :)

We have DNSSEC right ?

DNSSEC was never designed to to encrypt the question-reply DNS messages between my ISP and my home router. It was designed to check if the reply (22.11.22.22) I'm getting from my ISP DNS server is valid or NOT. If it's not valid due to failing the DNSSEC validation, we know that there might be an attack somewhere or someone who did not configure DNSSEC properly. [I will talk about misconfiguration of DNSSEC in another blog post.]

What I want to achieve

I want the DNS server on my ISP to receive my request encrypted, and also reply to me using encryption. So, if I type, ib.mcb.mu, I want "ib.mcb.mu" to be sent as "XSDSDDSDSDASASDS", and my ISP takes this string that nobody can make sense, and turn it back into "ib.mcb.mu". Then, It takes the IP address "22.11.22.22", and sends it back as "DEADBEEF0x42asd" to my home router. My home router takes this gibberish, does some math vodoo and sends it back to me as "22.11.22.22". However, in this case, I do not trust my ISP DNS server since it's operated by a partially-owned government ISP which blocked facebook once. The gibberish string is what is important here: This is what is called Encryption. This is key to prevent pervasive monitoring on the Internet.

Enter DNScrypt

A group of really smart people came up with a protocol known as dnscurve. It encrypts the traffic between resolvers, and the big DNS servers on the Internet. OpenDNS is the major company to deploy DNScurve for its public DNS servers. OpenDNS also released dnscrypt, which encrypts the "last mile". It encrypts the traffic between OpenDNS public servers, and my house. Perfect. Exactly, what I'm looking for ! The icing on the cake is that DNScurve and DNScrypt have NOT been influenced by NIST "recommendations" for cryptography.

Configuring DNScrypt

DNScrypt is surprisingly easy to configure and deploy on my end user equipment. The process can be improved further. Below is a snapshot of the start-up messages.


daemon.info dnscrypt-proxy[29929]: Generating a new
key pair
daemon.info dnscrypt-proxy[29929]: Done
daemon.info dnscrypt-proxy[29929]: Server certificate #1435874751 received
daemon.info dnscrypt-proxy[29929]: This certificate looks valid
Tue Nov 10 18:59:49 2015 daemon.info dnscrypt-proxy[29929]: Chosen certificate #1435874751 is valid from [2015-07-03] to [2016-07-02]
daemon.info dnscrypt-proxy[29929]: Server key
fingerprint is
ED19:BFBA:FAFC:9257:DFDC:68C7:69BF:AC24:94CD:743F:3C1D:4966:134D:FE2C:4BDC:F315
daemon.notice dnscrypt-proxy[29929]: Proxying from
127.0.0.1:5353 to 208.67.220.220:443

Fun adventure

I tested by snooping on the outgoing traffic leaving my router: my DNS messages are encrypted using strong crypto ! No need to change anything on my home PCs, wireless APs, smartphones, or tablets. It's all transparent to them. And my aim which is to encrypt my DNS traffic has been achieved ! It's going to make the job of pervasive surveillance agencies much harder to build a profile of my surfing habits. A follow-up blog post could be about combining DNScrypt and DNSSEC to get both the validated DNS reply from DNSSEC, with the encryption capabilities of DNScrypt.

Filed under: dns No Comments