Good news for security fans: I already reported that DNSCrypt Proxy v2 got a second life, and now Android is supported too, with a Magisk module written by bluemeda. The module is downloadable via the official Magisk Module Manager, and the source code is available on GitHub.
I wrote about the death of DNSCrypt and recommended DNS-over-TLS instead, which may well become a thing. The catch is that encrypting the lookup does not hide which site you visit: the Server Name Indication (SNI) extension of the HTTPS handshake that follows still carries the hostname in plain text, so an observer on the path learns it anyway, and there is no deployed fix for that at the moment. The current DNS-over-TLS implementations are also a bit tricky, because not every server operator follows the RFC, or tries to ‘fix’ something and breaks the connection instead; as a result you often see disconnects or packets getting ‘lost’. That is why stubby feels unstable: every test server is exactly that, a test, and they are all more or less unreliable for daily use.
DNS-over-TLS recently got hyped and I want to talk a little about it. The RFC (RFC 7858) dates from 2016 and there is nothing special about it, but several clients exist that get it working on the server or client side.
The maintainer of DNSCrypt stopped supporting it, closed the repository on GitHub and put the domain up for sale. The repository had already been cloned and is now maintained by Dyne. Unfortunately, they do not plan to add any new features, so DNSCrypt is effectively abandoned in favour of the DNS-over-TLS standard.
A lot of people choose a DNS provider to block malware or to bypass server-side restrictions of their ISP’s DNS, but when it comes to blocking there is almost no documentation of what exactly gets blocked. To answer this simple question, CryptoAUSTRALIA has now compared the threat-blocking performance of ten popular DNS providers. Surprisingly, Norton ConnectSafe, SafeDNS and Strongarm managed to block the largest number of harmful websites.
DNSCrypt is a protocol for securing a single hop of a DNS lookup, the one between you and the resolver. It lets you verify that the packet you received really came from the DNS server you connected to (and was not tampered with on the way), and it also encrypts the traffic over that single hop. Sadly, there are several people spreading false facts about DNSCrypt.
Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn’t prevent “DNS leaks”, or third-party DNS resolvers from logging your activity. The TLS protocol, as used in HTTPS and HTTP2, also leaks website host names.
– DNSCrypt page
For all the attention that HTTPS gets, I’m amazed how little (relatively speaking) attention plaintext DNS gets. Let’s check it!