Wednesday, February 1, 2012

DNSCrypt

This is a very premature response to what I believe is the single best solution to dangers like SOPA, PIPA, and ACTA: DNSCrypt.

To be fair, I don't think DNSCrypt in and of itself would be a solution to draconian "take the free out of internet" laws; however, it's going to be a very necessary component to maximize liberty in the 21st century. It's amazing the web has lasted this long without end-to-end crypto for DNS.

As stated in the link above, DNSCrypt is no replacement for DNSSEC. In fact, the ideal solution would be to rebuild DNS from the ground up using more of a web-of-trust model, with end-to-end confidential and authenticated channels everywhere. You would be able to determine which "authority" you subscribe to for DNS, and resources could list themselves with as many authorities as they wish to be associated with, ending the centralized (yet distributed for availability) control of the web. There's probably no reason to put that much power in the hands of a single entity anyway, and as governments continue on the path they appear to be on, locking down the web, isolated technical solutions will essentially create black markets for essential services like DNS.

For maximum persistence, an ideally liberated DNS solution would also need to float through filters, learning what it can from protocols designed to do so, like BitTorrent, IRC, and basically any "cloud service" an enterprise IT security team would want to block (those online drive storage services always seem to find a way through!).

And ultimately, wide-scale adoption is very necessary. It's excellent to see the inklings of that plan in DNSCrypt. Look at the choice to use ECC to preserve confidentiality. ECC requires low CPU overhead compared to other public key schemes, like RSA encryption, making it perfect for small devices like phones, wireless routers, and other embedded platforms to natively support DNSCrypt. It is also important for large-scale providers like OpenDNS to support it. But as with so many great technical solutions to problems, market penetration has been the deciding factor in what wins out and what doesn't.

Even if DNSCrypt isn't perfect, it's a step in the right direction.

2 comments:

Anonymous said...

I was reading your post on DNSCrypt which came up on a search of the insecurities of using BitTorrent. In these lawsuits, the ISP tags a particular IP address as belonging to a particular downloader. I am of the understanding that DNSCrypt does nothing to protect the BitTorrent downloader because the IP address of the BitTorrent user is unaffected by using DNSCrypt. Am I correct in this understanding?

Tim MalcomVetter said...

Anonymous:

All DNSCrypt provides is privacy for doing DNS lookups (servers' domain names to the IP addresses of those servers, like a phone book).

It does nothing to hide source (client) IP addresses from BitTorrent. For that, look at something like a VPN provider or Tor.