Does the Dnscrypt support multiple resolvers now?[solved]

  • Hello.
    Does the Pfsense Dnscrypt-proxy plugin support multiple resolvers now?

  • LAYER 8 Global Moderator

    And what plugin is that exactly??  There is no pfsense plugin for dnscrypt that I see listed in the package manager.

  • @johnpoz:

    And what plugin is that exactly??  There is no pfsense plugin for dnscrypt that I see listed in the package manager.

    I didn't own a pfsense box now, I'm may going to build it and I see many people mention this feature, which I also want.
    There's no package for Dnscrypt? So are there any native way to let pfsense have Dnscrypt/DNSsec function?

  • @sam1275:

    Does the Pfsense Dnscrypt-proxy plugin support multiple resolvers now?

    It doesn't do that now just because there is no such thing.


    … to let pfsense have Dnscrypt/DNSsec function?

    Are you sure you know what you're talking about?
    Dnscrypt and DNSsec are totally different technologies with Dnscrypt being proprietary from OpenDNS and DNSsec is backed by IETF.
    DNSsec can easily be activated in pfSense with a click in a checkbox.
    You will see that once you have your own pfSense installed  ::)

  • Rebel Alliance Developer Netgate

    Definitely need to see some clarification.

    dnscrypt is not supported on pfSense, and there are no plans for a package.

    DNSSEC is supported using the DNS Resolver (unbound) in standard resolver mode (it doesn't rely on upstream forwarding DNS servers), and DNSSEC is also supported with the DNS Resolver in forwarding mode, provided the upstream forwarders support DNSSEC.

    Personally I fail to see the point of dnscrypt in a world where DNSSEC exists and is widely supported. You put far too much trust in the operator of the DNS server with dnscrypt, instead of with the origin of the records with DNSSEC.

    DNSSEC proves that the records have been unmodified from their original source, dnscrypt only validates that they came from your chosen resolver, that resolver could still return spoofed results.

    If you really are that worried about authenticating results from a specific resolver, you may as well use a VPN instead.

  • Thank you everyone.
    I did search and read a lot about them before, but I didn't understand them clearly until yesterday, after read more I seems know that DNSSEC is a mature and universal standard, which works a bit similar to https, and need the website owner to support it; while DNSCRYPT was started by OpenDNS but got no further official support, now it's maintenance by folks on github, and it need it's own tool instead of implement of a standard. Don't know if I'm completely right or not.
    I saw the screenshot of Pfsense and it do have a Dnssec checkbox, nice one.
    I do use VPN everyday because the ISP and government always block/redirect websites, one of the method is by DNS poisoning, and I think DNSSEC/DNScrypt on the gateway will increase my security for the whole network, in case the VPN is down or it not convenient to use it on some devices.
    I think this question is solved, thanks.

  • Rebel Alliance Developer Netgate

    Sounds like DNSSEC is exactly what you want since it would verify records all the way back to their origin.

    You can only trust dnscrypt as much as you can trust the upstream DNS server, and OpenDNS being run by Cisco isn't exactly trustworthy (to me), especially if you're worried about governmental interference.

  • Thank you.
    Some days ago I read something about authoritative and recursive DNS server and I was wondering why people not using root servers in DNS setting, they are the most trustworthy ones.
    Then after lots of reading I know that root servers will not answer a normal query like a website address, they just tell you where to find it, so normal client and forwarder cannot use them.
    Thanks to your inspire, I just read something about the difference between a Dns resolver and forwarder, and it seems I can use the resolver function to actually resolve a address from root servers, then step by step, to the final IP. This is so awesome!

  • Rebel Alliance Developer Netgate

    Yes, that's one of the reasons we switched to the DNS Resolver because it could act in that way (queries root servers, then authoritative DNS servers directly), bypassing the need for forwarding DNS servers entirely. And it's more secure since it can validate DNSSEC directly rather than requiring an upstream DNS server to support it.

  • LAYER 8 Global Moderator

    Pfsense moving to a resolver with dnssec was a great step forward, the only problem is much of the user base doesn't really understand what the difference is between a forwarder and a resolver.  The amount of questions related to these sorts of questions points to that for sure.

    There are rare cases where use of resolver is not optimal.  You may be on a shitty isp that blocks access to public on 53 and or does interception of your dns queries.  Or maybe your latency of your connection is really really high, if that is the case using of just a forwarder that is closer to you and the resolver its using has a better connection?

    But in the big picture if your connection allows for it, then yes by all means running a actual resolver with dnssec is going to be the best choice for sure.

  • Rebel Alliance Developer Netgate

    Yeah there is definitely some confusion. I've been trying to clear that up in the book and hangouts, will eventually get to the wiki once the book updates are done.

Log in to reply