
cryptostorm running DNS resolvers in-house? Discussion...


thread bump & move

Post by cryptostorm_admin » Mon Nov 24, 2014 1:56 pm

As there's now tangible movement on this question, and news to report, we've moved this thread over to the community discussion subforum and will post updates here as we move forward.

Thank you,

cryptostorm_admin

Re: cryptostorm running DNS resolvers in-house? Discussion..

Post by Operandi » Sat May 03, 2014 11:14 pm

I know that cryptostorm have taken the Privacy Seppuku Pledge. But what about those DNS providers?

Re: cryptostorm running DNS resolvers in-house? Discussion..

Post by Guest » Sat May 03, 2014 8:40 pm

Very interesting ideas you've got there.
As far as I know the NSA has a special attack program that waits for DNS queries of certain individuals or even groups of people. Those queries are then answered by the NSA before the real DNS server can respond, thus redirecting the target to a false address that shows a fake version of the site that he requested. This way they can grab confidential information, make the target download malicious software or use exploits on his browser.
Especially with situations like the Heartbleed bug, those kinds of attacks become very interesting for man-in-the-middle operations on a big scale.

All of the above described attacks could be made useless by simply providing an in-darknet DNS that by nature is always faster than any outside agency toys.


The internal domain system is just an extra but could be used for reliably shipping automatic updates for both configuration files and iptables whitelists or whatever leakblock implementation will be used in future.

Watcha' think cryptostorm?

Re: cryptostorm running DNS resolvers in-house? Discussion..

Post by parityboy » Fri May 02, 2014 7:35 am

@cryptostorm_team

But... if we're going to do it, is there a qualitative jump in DNS resolver service that we can implement in doing so?


Yep, there is.

1) We (the community) would have an on-network high performance DNS resolver that is 100% trusted.
2) It would (or could) provide another leg of the "dark net" platform - internal DNS resolving of ".cs" or ".storm" internal domains. Assuming such a thing is in your plans...

:D

Re: cryptostorm running DNS resolvers in-house? Discussion..

Post by Guest » Mon Nov 04, 2013 10:54 pm

there's the dot-bit project for .bit domains http://dot-bit.org/

but I'm unaware how it would work as DNS lookup for everything else.

namecoin for DNS

Post by Pattern_Juggled » Mon Nov 04, 2013 5:00 pm

Saw this come through the twitter stream & figured I'd echo it here in case someone has an interest to take a look to see whether we can leverage for our future DNS work in-house. Yes, I know, it's a tweet from 2012 - I'm sure there's lots more news since then! :-)

Re: cryptostorm running DNS resolvers in-house? Discussion..

Post by Lignus » Sun Nov 03, 2013 3:51 pm

Here is a thought of how to reasonably securely get DNS into your network: Steal it from someone else's network. Not quite as crazy as it sounds.

One machine VPNs into another provider's network that runs a heavy ratio of users behind a single IP and pulls DNS through their network. You just tumbled all your users' DNS requests with theirs.

Now, for the machine that caches DNS requests:
  • Set a high stale-refresh timeout (3600 minutes or so) - I know, it sucks in edge cases
  • Constantly flush the DNS cache to encrypted RAMdisk
  • Add random resolve delays of 0-100ms (mitigates timing attacks)

Best part about it? You guys don't even know the DNS of sites being requested by your users, much less by whom.

Not a complete solution, but hopefully a few ideas that will turn some mental wheels.
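The cache rules listed above (a long stale-refresh window, background refresh, random per-query delay) are easy to get subtly wrong, so here is an added example, not code from this thread or from any resolver project, that models them in pure Python. The upstream lookup, clock and random source are injected so the behaviour is reproducible; the default stale window is the post's 3600 minutes. Persisting the cache to an encrypted RAM disk is outside this sketch.

```python
"""Stale-serving DNS cache model with background refresh and jitter (added example)."""
import random
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Entry:
    addrs: List[str]
    expires: float  # clock value at which the upstream TTL runs out


class StaleServingCache:
    def __init__(self,
                 upstream: Callable[[str], Tuple[List[str], int]],
                 stale_window: float = 3600 * 60,      # 3600 minutes, as in the post
                 jitter_ms: Tuple[float, float] = (0, 100),
                 clock: Callable[[], float] = time.monotonic,
                 rng: random.Random = None) -> None:
        self.upstream = upstream          # returns (addresses, ttl_seconds); hypothetical
        self.stale_window = stale_window
        self.jitter_ms = jitter_ms
        self.clock = clock
        self.rng = rng or random.Random()
        self.entries: Dict[str, Entry] = {}
        self.refresh_queue: List[str] = []
        self.upstream_calls = 0

    def _fetch(self, name: str) -> List[str]:
        addrs, ttl = self.upstream(name)
        self.upstream_calls += 1
        self.entries[name] = Entry(addrs, self.clock() + ttl)
        return addrs

    def resolve(self, name: str) -> Tuple[List[str], str, float]:
        """Return (addresses, source, delay_seconds); source is fresh/stale/upstream."""
        delay = self.rng.uniform(*self.jitter_ms) / 1000.0  # caller sleeps this long
        now = self.clock()
        e = self.entries.get(name)
        if e is None:
            return self._fetch(name), "upstream", delay
        if now < e.expires:
            return e.addrs, "fresh", delay
        if now < e.expires + self.stale_window:
            # Expired but inside the stale window: answer now, refresh later.
            if name not in self.refresh_queue:
                self.refresh_queue.append(name)
            return e.addrs, "stale", delay
        return self._fetch(name), "upstream", delay

    def run_refresh(self) -> int:
        """Background step: re-fetch every name that was answered from stale data."""
        names, self.refresh_queue = self.refresh_queue, []
        for n in names:
            self._fetch(n)
        return len(names)


if __name__ == "__main__":
    # Constructed upstream and manual clock so the run is deterministic.
    fake_clock = [1000.0]
    cache = StaleServingCache(lambda n: (["203.0.113.10"], 60), clock=lambda: fake_clock[0])
    print(cache.resolve("example.com"))   # ('...', 'upstream', jitter)
    fake_clock[0] += 120
    print(cache.resolve("example.com"))   # served stale, queued for refresh
    print("refreshed:", cache.run_refresh())
```

Two points the model makes concrete: the jitter is drawn per query rather than per name, so an observer cannot learn whether an answer came from cache by its latency alone, and a stale answer is served without blocking on upstream, which is what makes the long window tolerable until the refresh lands (the edge case the post admits).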

best practices?

Post by cryptostorm_team » Sun Nov 03, 2013 2:01 pm

Guest wrote: in the meantime you could use OpenNIC servers if needed (anon/no log or otherwise)...


Great minds think alike; the first entry in our current pushed DNS resolver settings is...

Code:

push "dhcp-option DNS 198.100.146.51"
# OpenNICproject.org


What we'd like to ask of everyone reading this thread is to think (and comment) on this question:

    ...with a completely blank slate, what is the best-practices approach we can take in the future when it comes to in-house DNS resolution? What is the wishlist for the best way to do this, if there were no constraints on our approach?


Of course, it's not a technical challenge to provide baseline DNS resolution service in-house and do so competently - we've done that before, and we're happy to do it again. But... if we're going to do it, is there a qualitative jump in DNS resolver service that we can implement in doing so? Theoretical discussions that have taken place, but been deemed "impractical" for one reason or another?

Let's cast a very wide net, in terms of possible capabilities, and see if this is an opportunity to genuinely step things up a notch. Rather than simply doing a good job of doing what others already do (which is a starting point), can we use this as a catalyst for doing something substantively better?

It was this sort of discussion, in relation to privacy network authentication systems, that eventually led to the development of our token-based auth system; had we just assumed the way forward was to do a good job of doing what "everyone else" already does, we'd have missed the opportunity to approach the issue as one with unbounded options to improve.

Looking forward to what folks might have to suggest and explore...

    ~ cryptostorm_team

Re: cryptostorm running DNS resolvers in-house? Discussion..

Post by Guest » Sun Nov 03, 2013 4:28 am

seeing we're still in beta, I see DNS servers from cryptostorm and the team in the future.

in the meantime you could use OpenNIC servers if needed (anon/no log or otherwise) or even set up your for instance to accept all DNS requests to DNS lookup through Tor.

But it's always good to keep in mind that DNS will see the request from the VPN IP too.

Re: cryptostorm running DNS resolvers in-house? Discussion..

Post by lelu » Sat Nov 02, 2013 8:29 pm

I agree with DesuStrike and mrwaldo. DNS is an important issue when it comes to privacy and "outsourcing" this important aspect of your network doesn't guarantee the security/anonymity that you are claiming.

Re: cryptostorm running DNS resolvers in-house? Discussion..

Post by DesuStrike » Fri Nov 01, 2013 6:28 pm

Even though I fully trust the CCC, I also understand Waldo's reservations. The milae.net DNS really looks strange and I did not feel comfortable about it when I saw it running DNS leakage tests. AFAIK it's pretty unusual for a DNS IP to also point to some kind of video streaming page.

Also choosing and using a VPN service means placing your trust into the people running the VPN. That can include trusting the DNS-Providers that you choose (because you trust them) but it might as well not. If I had a say I would at least remove the milae.net DNS from the pushed DNS-Servers.

Personally I would be happy if you'd just push the 3 DNS servers the CCC provides, but somebody else might not trust them because they don't know the CCC and its history.

So long story short: I understand your choice from a theoretical stance, but in practice only DNS servers run by yourself will be fully trusted by the community because they trust YOU and nobody else with their online privacy. I guess this was something that could not be considered in your meetings because it is very hard to see these things from the community's perspective.

Re: Your Own DNS?

Post by mrwaldo » Fri Nov 01, 2013 5:21 pm

cryptostorm_team wrote: Here's the current DNS services we push to clients connected to the cryptostorm network:

Code:

push "dhcp-option DNS 198.100.146.51"
# OpenNICproject.org

push "dhcp-option DNS 91.191.136.152"
# Telecomix is.gd/jj4IER

push "dhcp-option DNS 213.73.91.35"
# CCC http://is.gd/eC4apk


These are all very well-regarded projects, with deep roots in the anti-surveillance and anti-censorship worlds. If there is any negative feedback or concerns in these, we'll gladly explore the issues and if they hold up, change the pushed settings.

We've actually run our own DNS services in the past - it's not a technically challenging task, and it doesn't eat resources at the level of infrastructure we're deploying. That said, if we can't do it better than those other projects, then we can't really justify the distraction from our core mission. Conversely, if we can do it better, then we have an obligation to network members to do so...

The selection of DNS servers for cryptostorm has been done in conjunction with Baneki Privacy Labs, and we'll certainly ensure they're involved in these discussions as they keep fairly close connections with many other nonprofit/activist projects in this space.

Overall, this is best seen as not a final outcome or decision - but rather as an ongoing process of improvement, and extension. DNS resolution is an important element of any secure network - it's a centralised chokepoint not only for surveillance attacks but also for censorship campaigns that block sites via DNS deletes. We want to ensure we do it the best it can possibly be done.

    ~ cryptostorm_team


I'm just worried about it, because the one hosted in Canada seems to be hosted by OVH.
Let's be honest and say that OVH doesn't have that great of a reputation when it comes to being secure. They've been hacked multiple times. That IP for the DNS from Canada also points to a website that seems very amateur. If you look here you can see the link to the site and the fact that it is hosted by OVH, if the information provided by that link is correct. http://whatismyipaddress.com/ip/198.100.146.51


I just feel like it would be great for your users to provide your own logless DNS for your network.

Re: Your Own DNS?

Post by cryptostorm_team » Fri Nov 01, 2013 3:37 pm

Here's the current DNS services we push to clients connected to the cryptostorm network:

Code:

push "dhcp-option DNS 198.100.146.51"
# OpenNICproject.org

push "dhcp-option DNS 91.191.136.152"
# Telecomix is.gd/jj4IER

push "dhcp-option DNS 213.73.91.35"
# CCC http://is.gd/eC4apk


These are all very well-regarded projects, with deep roots in the anti-surveillance and anti-censorship worlds. If there is any negative feedback or concerns in these, we'll gladly explore the issues and if they hold up, change the pushed settings.

We've actually run our own DNS services in the past - it's not a technically challenging task, and it doesn't eat resources at the level of infrastructure we're deploying. That said, if we can't do it better than those other projects, then we can't really justify the distraction from our core mission. Conversely, if we can do it better, then we have an obligation to network members to do so...

The selection of DNS servers for cryptostorm has been done in conjunction with Baneki Privacy Labs, and we'll certainly ensure they're involved in these discussions as they keep fairly close connections with many other nonprofit/activist projects in this space.

Overall, this is best seen as not a final outcome or decision - but rather as an ongoing process of improvement, and extension. DNS resolution is an important element of any secure network - it's a centralised chokepoint not only for surveillance attacks but also for censorship campaigns that block sites via DNS deletes. We want to ensure we do it the best it can possibly be done.

    ~ cryptostorm_team

cryptostorm running DNS resolvers in-house? Discussion...

Post by mrwaldo » Fri Nov 01, 2013 11:49 am

{direct link: dns.cryptostorm.org}

I was wondering if you guys have any plans to do your own logless DNS? I know that your OpenVPN config files point to DNS servers, but they aren't yours and who knows if they can be TRULY trusted. I know that one is hosted on an OVH box. It would be great to see you guys roll out your own DNS hosted in Canada/Iceland. I'm not really sure how safe Iceland is since they were in the documents about helping the US hack etc, weren't they?


It would be really nice for you guys to roll out your own DNS servers though in Canada and some other country.


Let me know what you think and if you have any plans to do this.
