Follow

it's a pity doesn't get any attention lately. it was the first of the three main standards, it has a community and quite a few resolvers. it (unlike DoH and DoT!) adds paddings to queries, so dpi can't figure out how long the requested domain name is.

its official implementation is the best. it has cache, logging, blacklists, whitelists, custom forwarding, etc.

there're only two issues: it's harder to implement (as opposed to just using tls / https libraries) and its creators don't have the political power of cloudflare, mozilla and google, so it won't become an ietf standard

Show thread

i read about unbound a little, kinda disappointed. there's no dedicated whitelist file, but you can add a lot of rules to not resolve individual domains. so afaiu you can't make whitelists.

turns out, dnscrypt-proxy is quite an advanced resolver

Show thread

@leip4Ier
I've been using it for a year and never had any problems

@leip4Ier my home network has dnscrypt-proxy running in the router for the whole network. An amusing side effect is that after the cache starts to fill (which doesn't take much time) it tends to be faster (that is: less latency) that our ISP's DNS servers. That being said, now that I think of it I have rarely seen an ISP have speedy ones... :pika:

@leip4Ier I got interested in DNScrypt (but admit I haven't actually used it yet!) while thinking/reading about using DNS as a way to validate TLS certificates without relying on CA infrastructure - DoH and DoT both *use* TLS, so you run into chicken and egg problems and they're not so useful there. I know DANE needs DNSSEC to really work properly, but honestly, attacking *my* connection to insert a phony certificate *and* attacking my chosen DNScrypt resolver(s) simultaneously to feed them phony DNS records matching that certificate raises the bar high enough for a lot of people.

I'm thinking about putting DNScrypt client support into my Gemini client and letting it check for DANE records as part of the initial TOFU acceptance. But who knows if anybody will set up the records.

Also pondering Perspectives-style notaries that speak Gemini. Unlike at the time Perspectives was a thing, cheap VPSes and containers make it really easy for people, pubnixes, hackerspaces, etc. to run their own notaries so it could become pretty decentralised.

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.