Post by pharrisire on May 10, 2012 12:37:56 GMT -5
OpenDNS has a product called DNSCrypt that it says "boosts online privacy and security" by "encrypting all DNS traffic between the user and OpenDNS preventing any spying, spoofing or man-in-the-middle attacks" that is currently available for Mac, Linux, and Windows. As a part of a layered defense, is this something that may be used in conjunction with KNOS when it becomes available to BSD?
Post by Kevin McAleavey on May 14, 2012 0:22:43 GMT -5
""OpenDNS has a product called DNSCrypt that it says "boosts online privacy and security" by "encrypting all DNS traffic between the user and OpenDNS preventing any spying, spoofing or man-in-the-middle attacks" that is currently available for Mac, Linux, and Windows. As a part of a layered defense, is this something that may be used in conjunction with KNOS when it becomes available to BSD?""
Yeah, been playing with it. They introduced a Windows version of it, and versions for BSD, Linux and OSX and several other variants exist as well. Problem is that you can only use it with OpenDNS. It doesn't work with any other DNS servers. It's a nice selling point and all ... this article though kinda sums up the issue with it: blog.trendmicro.com/dnscrypt-%E2%80%93-not-fundamental-enough/
In BSD world, we provide TOR which encrypts everything and works with any DNS you choose; it's useful for situations like public wifi, hotels, etc. and works with any DNS. On a custom build of KNOS, we also provide OpenVPN and of course DNSSEC is also available. DNSSEC is far superior to what they're doing, which only encrypts the DNS lookup, not anything following it. DNSSEC though is where this is all going to go further down the road as "certificates" become obsolete. The certificate authorities blew it badly enough that this is truly the answer.
Post by pharrisire on May 14, 2012 14:14:53 GMT -5
""DNSSEC though is where this is all going to go further down the road as "certificates" become obsolete. The certificate authorities blew it badly enough that this is truly the answer.""
OK, what do I start doing to get this dedicated KNOS machine DNSSEC ready?
Post by Kevin McAleavey on May 16, 2012 2:48:39 GMT -5
""DNSSEC though is where this is all going to go further down the road as "certificates" become obsolete. The certificate authorities blew it badly enough that this is truly the answer.""
""OK, what do I start doing to get this dedicated KNOS machine DNSSEC ready?""
Simple answer? Nothing! It's already in there as part of bind. DNSSEC operates on DNS *servers* and the transaction is checked on DNS lookups between other sites and the DNS which you are connected to for lookups. You'll need to copy and paste the https links, they're not allowed for security purposes here: www.dnssec-deployment.org/index.php/2012/03/
If you'd like to check which sites have their DNSSEC together, this Firefox plugin will allow you to check them since KNOS will allow DNSSEC validation to flow all the way down: addons.mozilla.org/en-US/firefox/addon/dnssec-validator/
In order to run DNSSEC in KNOS, you would have to have it built to provide the DNS server in KNOS itself. But everything for it, except the signed certificates for local server operation (which you would have to obtain from a signatory authority) is in here. But it's up to the DNS that you're using to provide that end-to-end coverage. Here's a document that explains the technicals behind it all: www.dnssec.net/
Hope that helps. But if you're concerned, that Firefox plugin will let you see how deployment of it is going. It's still going to be a while before it's there completely out there and IPV6 will pretty much require it. And as to DNSCrypt, remember that it locks you into using OpenDNS which isn't as fast as it used to be. Won't work with any other DNS.
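What "validation flowing all the way down" looks like at the client end, as an added example that is not code from this thread, from KNOS or from BIND: a validating resolver sets the Authenticated Data (AD) flag in the header of an answer it has verified against the DNSSEC chain of trust, and answers SERVFAIL for one that fails validation, so a client on the same box (or a browser plugin like the one mentioned above) can read that bit. The script builds a query that asks for DNSSEC data (EDNS DO bit) and parses response headers; it uses only the Python standard library, and every message byte in it is constructed by hand rather than captured from a real resolver.

```python
"""Read the DNSSEC 'Authenticated Data' (AD) flag from a DNS response.

A validating resolver (for example BIND with dnssec-validation turned on)
sets AD in the header of an answer it has verified against the DNSSEC
chain of trust, and returns SERVFAIL for an answer that fails validation.
A stub client can read that bit to learn whether its resolver validated
the reply. All message bytes below are constructed by hand, not captured.
"""
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3)
QR = 1 << 15   # response
AA = 1 << 10   # authoritative answer
TC = 1 << 9    # truncated
RD = 1 << 8    # recursion desired
RA = 1 << 7    # recursion available
AD = 1 << 5    # authenticated data (set by a validating resolver)
CD = 1 << 4    # checking disabled (client asks the resolver not to validate)
DO = 1 << 15   # EDNS(0) "DNSSEC OK" bit in the OPT record (RFC 3225)
RCODE_SERVFAIL = 2


def parse_header(msg):
    """Unpack the fixed 12-byte DNS header into a dict of fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, ident=0x1234, dnssec_ok=True):
    """Build a query; with dnssec_ok, append an EDNS OPT record with DO set.

    AD in a query asks the resolver to report AD in its answer (RFC 6840 5.7).
    """
    flags = RD | AD
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN
    if dnssec_ok:
        # OPT pseudo-RR: root name, type 41, UDP payload 4096,
        # extended rcode 0, version 0, flags word with DO, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO, 0)
    return msg


def response_validated(msg, expected_id=None):
    """True only for a successful answer the resolver marked AD.

    Caveat: the bit is only as trustworthy as the resolver and the hop to it;
    on an untrusted network a stub that does not validate itself cannot tell
    a real AD from a forged one.
    """
    h = parse_header(msg)
    if expected_id is not None and h["id"] != expected_id:
        return False
    return h["qr"] and h["rcode"] == 0 and h["ad"]


# Constructed 12-byte response headers (the flag check needs no other sections)
VALIDATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 1)
UNVALIDATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 1)
BOGUS = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | RCODE_SERVFAIL, 1, 0, 0, 1)

if __name__ == "__main__":
    samples = (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("bogus", BOGUS))
    for label, sample in samples:
        h = parse_header(sample)
        print(f"{label}: rcode={h['rcode']} ad={h['ad']} "
              f"-> validated={response_validated(sample, 0x1234)}")
    print("query bytes:", build_query("example.com").hex())
```

The three constructed headers stand for the three outcomes a client sees from a validating resolver: AD set (answer verified), AD clear (zone unsigned or resolver not validating), and SERVFAIL (signatures present but bogus). The caveat in `response_validated` is the practical limit of this check: the AD bit says what the resolver concluded, so it only means something when the resolver and the path to it are trusted, which is why a resolver running on the local machine, as described above for KNOS, is the arrangement where it is worth reading.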
Post by rustleg on May 16, 2012 4:04:23 GMT -5
""... And as to DNSCrypt, remember that it locks you into using OpenDNS which isn't as fast as it used to be. ...""
If you have a Windows box handy, this tool from Steve Gibson is good at checking DNS performance: www.grc.com/dns/benchmark.htm
He also claims it runs under Wine and has a page of how to, but I haven't tried this way myself: www.grc.com/freeware/wine.htm
Post by Kevin McAleavey on May 16, 2012 5:45:21 GMT -5
""... And as to DNSCrypt, remember that it locks you into using OpenDNS which isn't as fast as it used to be. ... If you have a Windows box handy this tool from Steve Gibson is good at checking DNS performance. www.grc.com/dns/benchmark.htm He also claims it runs under Wine and has a page of how to but I haven't tried this way myself www.grc.com/freeware/wine.htm""
Yep ... I can confirm that his stuff runs just fine in KNOS ... I benchmarked several DNS' and his tool was precisely what made me change our DNS from OpenDNS when I saw how poorly it did. And google ... heh. The further away you are from a DNS server, the worse it gets. His tool is QUITE useful!
Post by pharrisire on May 16, 2012 10:57:21 GMT -5
This message showed when trying to get the plugin:
""DNSSEC Validator 1.1.5 ................ Not available for your platform""
I'll try 'Nightly Tester Tools' later to see if it can get around the restriction.
Post by Kevin McAleavey on May 16, 2012 20:18:46 GMT -5
""This message showed when trying to get the plugin:""
""DNSSEC Validator 1.1.5 ................ Not available for your platform""
""I'll try 'Nightly Tester Tools' later to see if it can get around the restriction.""
Apparently they haven't caught up to Firefox 12 as yet. It's not a KNOS issue, it's a Firefox issue. They haven't built their FF12 version as yet. I'm sure they will. If you search for it in FF12, there is an earlier version but I haven't seen any DNSSEC verifies pop up in it so far.
Post by pharrisire on May 17, 2012 9:49:15 GMT -5
'Nightly Tester Tools' does allow the next screen to show with options for Mac, Linux, and Windows, but I think I'll wait for the FF12 version.
Post by Kevin McAleavey on May 18, 2012 1:09:20 GMT -5
""'Nightly Tester Tools' does allow the next screen to show with options for Mac, Linux, and Windows, but I think I'll wait for the FF12 version.""
I can't fathom why they designed their plugin to be system-dependent like that. Plugins should run wholly within the Mozilla environment, which isn't system-dependent. I have to assume that their screens run outside the browser, which is a bad idea for security. So I looked into it a bit further, and here's something you can try instead. Go to "Tools" in Firefox and search for an add-on called "Extended DNSSEC Validator 0.5" ... same concept, doesn't need anything external to the browser. It'll show you how few sites currently support DNSSEC right now, but the number is growing quickly. In trying THIS plugin, I noted that the DNSSEC lookup stayed at "busy" when I hit the site for the other plugin, so dunno how well it works. But at least it installs ...
Post by pharrisire on May 18, 2012 10:36:31 GMT -5
"" Go to "tools" in Firefox and search for an add-on called "Extended DNSSEC Validator 0.5" ""
I didn't find it in 'tools', but I did find the xpi download and installed it. It hasn't shown anything yet, guess I haven't been to the right places yet....
Post by Kevin McAleavey on May 19, 2012 1:36:17 GMT -5
"" Go to "tools" in Firefox and search for an add-on called "Extended DNSSEC Validator 0.5" ""
""I didn't find it in 'tools', but I did find the xpi download and installed it. It hasn't shown anything yet, guess I haven't been to the right places yet....""
"Tools" is up on the menu bar in Firefox; when you click it, there's a path straight to "Add-ons" there where you can search. But looks like you found it.
Post by pharrisire on May 19, 2012 4:47:01 GMT -5
"" "Tools" is up on the menu bar in Firefox, ""
I didn't mean I couldn't find "Tools", I meant I didn't find the add-on from there.... No matter, it's here, on, and ready for action.