DNSCrypt for pfsense 2.3 :)
-
I'm not up to date with government level DNS poisoning, but wouldn't the resolver bypass that if it's passive? Unless you have an exceptionally shit government, no way am I buying that your pfsense box is going to hide you from a state…
$4/mo gets you VPN. -
I'm not up to date with government level DNS poisoning, but wouldn't the resolver bypass that if it's passive? Unless you have an exceptionally shit government, no way am I buying that your pfsense box is going to hide you from a state…
$4/mo gets you VPN.Indonesian government impose the ISPs to use transparent DNS proxy to filter DNS query againts a list (provided by the government) to many publicly known DNS server, such as Google's and OpenDNS' and many others that I tested, with something called "Internet Positif" . Read this if you want some more context. So, yeah, maybe my government is an exceptionally shitty one in this regard.
I'm not hiding from the state, I'm just bypassing their DNS poisoning.I was using an OpenWRT-based router to do this, but nowadays the traffic in my network is becoming much larger, the device I used cannot cope with that…
-
That sucks man, but I think pfSense still has you covered with Resolver + DNSSEC doesn't it?
http://www.cisco.com/c/en/us/about/security-center/dns-best-practices.html#4
Domain Name System Security Extensions
DNS Security Extensions (DNSSEC) adds security functions to the DNS protocol that can be used to prevent some of the attacks discussed in this document such as DNS cache poisoning. DNSSEC adds data origin authentication and data integrity to the DNS protocol. DNSSEC specifications, implementation, and operational information is defined in multiple RFCs.
-
That sucks man, but I think pfSense still has you covered with Resolver + DNSSEC doesn't it?
http://www.cisco.com/c/en/us/about/security-center/dns-best-practices.html#4
Domain Name System Security Extensions
DNS Security Extensions (DNSSEC) adds security functions to the DNS protocol that can be used to prevent some of the attacks discussed in this document such as DNS cache poisoning. DNSSEC adds data origin authentication and data integrity to the DNS protocol. DNSSEC specifications, implementation, and operational information is defined in multiple RFCs.
I think so too (AFAIK, DNSSEC is enabled by default?), but unfortunately it doesn't work… I tried to enable "Experimental Bit 0x20 Support" too, but it still doesn't work.
So, I had to resort to this method. -
Yeah my understanding is that if you check the DNSSEC box and Resolve with Unbound then you will use DNSSEC.
You aren't forwarding DNS are you? No DNS servers in general setup, dns server override is unchecked?
No DNS servers listed in your DHCP servers?In DNS Resolver
Enable DNSSEC checked
DNS Query Forwarding UNchecked
DHCP Registration UNchecked
Static DHCP UNcheckedon Advanced page:
Hide Identity
Hide Version
Harden DNSSEC, all three checkedFollow these instructions to make sure all traffic is using your resolver:
https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSenseTry these out to test
https://dnssec.vs.uni-due.de/
http://en.conn.internet.nl/connection/Should be working if setup like that.
If not, I know you don't want to pay for it but VPN might be your best option for something that is fully supported.
PIA has servers all over the world and you get 5 clients for $3.33/mo. There are plenty of tutorials specific to pfSense installations on here for either 128bit or 256bit encryption.
You can even set up all five clients on your router in a gateway group to utilize multiple cores and have more redundancy if you have a lot of clients, and you can use different servers on each client so that if one goes down or degrades you'll still have internet. -
You aren't forwarding DNS are you? No DNS servers in general setup, dns server override is unchecked?
No DNS servers listed in your DHCP servers?With DNSCrypt, I'm forwarding DNS…
I've tried your way, but, well.. something weird happened, I kinda have no internet connection after doing that, I mean, WhatsApp and steam still receive updates but no web browsing...
Here's my full DNS Resolver config:
=General DNS Resolver Options= Enable: Yes Listen Port: (default) Network Interfaces: All Outgoing Network Interfaces: All System Domain Local Zone Type: Transparent DNSSEC: Yes DNS Query Forwarding: No DHCP Registration: No Static DHCP: No No Custom Options =Advanced Resolver Options= Hide Identity: Yes Hide Version: Yes Prefecth Support: No Prefecth DNS Key Support: No Harden DNSSEC Data: Yes Message Cache Size: 4MB Outgoing TCP Buffers: 10 Incoming TCP Buffers: 10 EDNS Buffer Size: 4096 Number of Queries per Thread: 512 Jostle Timeout: 200 Maximum TTL for RRsets and Messages: 86400 Minimum TTL for RRsets and Messages: 0 TTL for Host Cache Entries: 15 minutes Number of Hosts to Cache: 10000 Unwanted Reply Threshold: Disabled Log Level: 1 Disable Auto-Added Access Control: No Experimental Bit 0x20 Support: NoI also tried clearing up DNS in General Setup and rebooted my router, APs, PC and phone.
Oh, and I forgot to mention, my ISP (the sole ISP for my area) doesn't allow bridge mode for connection, and so I set my pfsense router as a DMZ host.
-
Yes, the destination domain is leaked over HTTP/HTTPS/TLS, but it's more strenuous for an entity who wants to listen on your line to examine HTTP/HTTPS traffic and manipulate it.
DNS traffic is trivially recorded, manipulated, and proxied transparently; HTTPS is not.
Don't think of DNSCrypt as a solution to total privacy or encryption, but certainly making it nontrivial for someone to spy on and/or manipulate your traffic is certainly a good value for such an easy setup.
DNSCrypt is like small lock on your luggage; it makes it just difficult enough for most people not to open it and just take something, but it wouldn't protect against someone who is highly determined. There are a massive amount of sniffers in the world, and giving them less data by encrypting DNS without sacrificing throughput or money from your pocket is… well... cool.
-
The real question for me is "who's my opponent?" For me, the answer is "any of my service providers."
I run both dnscrypt and a VPN. Some of my traffic can't pass over the VPN - Netflix, some of the vehicle forums - because the websites reject connections from VPN providers.
My ISP resells an ATT product, and ATT has the worst possible privacy policies. The up side is that the ATT data cap doesn't apply, but the down side is that I'm transiting the ATT network. I don't let ATT see DNS requests in the clear any more than I have to. I use pfsense as my resolver for everything on the network, and pfsense runs its queries via dnscrypt once the system is fully up, and to cleartext servers earlier on in the startup process - pfsense is the only box on my network permitted to use outbound 53. In my design, traffic runs over VPN by default, but of course you have to get VPN and other services spun up during boot… (And no, this design isn't that popular in the house, since if I restart the box during the day, the time to fully operational is a little long.)
If my opponent was a government, there'd be precious little I could do if they decided to target a VPN. I expect there is covert access to most VPN providers' egress nodes and connection information - many companies don't log, but a government grade attacker with access to their colos could set up logging. Given the amount of play that VPN gets in the tech press, I think VPN colos are a target but I also think that the government would prefer not to launch prosecutions or share data with public companies gleaned from it. A court filing that admitted intercepting VPN providers en bloc would lead to another round of tut-tut in the press and would drop real threat actors off the technology.
By contrast, the public companies obviously share a ton of data with one another, and realistically, that's an opponent I can make life more annoying for. ATT knows I own an old Ford and knows when I'm watching Netflix. They also know that I make the rest of it a PITA to get into...
(Personally, I hope that a lot of the data the NSA is storing in Utah is Youtube videos being streamed over VPNs and awaiting decryption - but I suspect that they built themselves an easy button for intercepting and attributing VPN traffic long ago. On the other hand, given how much of the internet is devoted to Netflix content, perhaps some of the nonsense Netflix is doing with blocking VPNs and refusing to tell customers which hosts they need to bypass their VPN for is a policy set up at the request of entities which do bulk interception and got fed up with storing Netflix streams. The rationale for not telling people what hosts to permit access to makes no sense. My suricata DNS logs from the LAN interface were very helpful in figuring out which hosts I needed to have bypass the VPN.)
-
…the down side is that I'm transiting the ATT network. I don't let ATT see DNS requests in the clear any more than I have to. I use pfsense as my resolver for everything on the network...
...pfsense is the only box on my network permitted to use outbound 53.
In my design, traffic runs over VPN by default,
but of course you have to get VPN and other services spun up during boot...
If you're only using pfSense to resolve all DNS for your network, and you're only letting traffic exit through your VPN client, why do you care about DNScrypt? Especially against AT&T? You aren't using their DNS servers, and you are encrypting all of your traffic to include your DNS requests.
And what do you mean you have to wait for VPN to spin up, and why would it matter from a privacy standpoint? My system runs OpenVPN, pfBlockerNG, Suricata, and other packages and if I reboot all services are up and running as soon as my system comes back online to be able to logon, and I boot from USB 2.0 flash drives.
No matter what, it doesn't matter from a privacy standpoint that they need to "spin up" if you are only letting your traffic exit on a VPN gateway, if the gateway isn't up, then traffic isn't leaving until it is up.
-
I need some guidance please.
i use expressvpn for all traffic except;
- my work laptop which has its own vpn. i route the static ip out of the wan both so get both encrypted and unencrypted depending on vpn status
- i route my voip phone out of the wan port, because over the vpn i couldn't get it working reliablymy dns servers for pfsense are opendns and google.
i fail dns leak tests.if i understand correctly, in this scenario i should be using dnscrypt and redirecting all client dns requests to pfsense. is that correct?