cryptostorm running DNS resolvers in-house? Discussion...

A core mission of cryptostorm is ensuring consistent, reliable network security with minimal fuss & drama. From DNS-based services like our DeepDNS in-browser native .onion/.i2p site access, through groundbreaking research on IPv6 leakblocking, to firewall-based structures that enable "fail-closed" security, this is where we discuss & develop cryptostorm-style leakblock tech.

Topic Author
mrwaldo
Posts: 16
Joined: Sun Oct 20, 2013 4:58 am

cryptostorm running DNS resolvers in-house? Discussion...

Postby mrwaldo » Fri Nov 01, 2013 11:49 am

{direct link: dns.cryptostorm.org}

I was wondering if you guys have any plans to do your own logless DNS? I know that your OpenVPN config files point to DNS servers, but they aren't yours and who knows if they can be TRULY trusted. I know that one is hosted on an OVH box. It would be great to see you guys roll out your own DNS hosted in Canada/Iceland. I'm not really sure how safe Iceland is since they were in the documents about helping the US hack etc., weren't they?


It would be really nice for you guys to roll out your own DNS servers though in Canada and some other country.


Let me know what you think and if you have any plans to do this.


cryptostorm_team
ForumHelper
Posts: 159
Joined: Sat Mar 02, 2013 12:12 am

Re: Your Own DNS?

Postby cryptostorm_team » Fri Nov 01, 2013 3:37 pm

Here are the current DNS services we push to clients connected to the cryptostorm network:


push "dhcp-option DNS 198.100.146.51"
# OpenNICproject.org

push "dhcp-option DNS 91.191.136.152"
# Telecomix is.gd/jj4IER

push "dhcp-option DNS 213.73.91.35"
# CCC http://is.gd/eC4apk


These are all very well-regarded projects, with deep roots in the anti-surveillance and anti-censorship worlds. If there is any negative feedback or there are concerns about these, we'll gladly explore the issues and, if they hold up, change the pushed settings.

We've actually run our own DNS services in the past - it's not a technically challenging task, and it doesn't eat resources at the level of infrastructure we're deploying. That said, if we can't do it better than those other projects, then we can't really justify the distraction from our core mission. Conversely, if we can do it better, then we have an obligation to network members to do so...

The selection of DNS servers for cryptostorm has been done in conjunction with Baneki Privacy Labs, and we'll certainly ensure they're involved in these discussions as they keep fairly close connections with many other nonprofit/activist projects in this space.

Overall, this is best seen as not a final outcome or decision - but rather as an ongoing process of improvement, and extension. DNS resolution is an important element of any secure network - it's a centralised chokepoint not only for surveillance attacks but also for censorship campaigns that block sites via DNS deletes. We want to ensure we do it the best it can possibly be done.

    ~ cryptostorm_team
cryptostorm_team - a shared, team-wide forum account (not a person)
PLEASE DON'T SEND PRIVATE MESSAGES to this account, as we can't guarantee quick replies!
--> feel free to use any of our other contact channels, or post in the support forum
cryptostorm: structurally anonymous, token-based, unlimited ☂ bandwidth, opensource, darknet data security for everyone!
keybase.io validators | onename.io validators | PGP key @ MIT | network status | cryptostorm github
support team bitmessage address: BM-2cTMH8K5JnjbfSALjZtSkRWCLfc3Tr8GBV
support team email: support@cryptostorm.is
live chat support: #cryptostorm
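The post above lists the resolvers pushed through `push "dhcp-option DNS ..."` directives, and the replies that follow turn on which resolvers those should be. One routine check an operator can run against the server config is to extract every pushed resolver, verify it is a well-formed IPv4 address, and flag anything not on a vetted list. The script below is an added example, not cryptostorm's own tooling: the allowlist is constructed for illustration (its three entries are the addresses quoted in the post), and the sample config is constructed too, with one unvetted address and one malformed one so the report has something to flag.

```python
"""Audit the DNS resolvers an OpenVPN server config pushes to clients.

Added example (not cryptostorm's code).  Reads push "dhcp-option DNS <ip>"
lines, checks each is a valid IPv4 address, and reports resolvers that are
not on an operator-maintained allowlist.
"""
import ipaddress
import re

# Directive form quoted in the thread.  The inner quotes belong to OpenVPN's
# push syntax; surrounding whitespace is flexible.
PUSH_DNS_RE = re.compile(r'^\s*push\s+"dhcp-option\s+DNS\s+(\S+)"\s*$')

# Constructed allowlist: resolvers the operator has vetted, keyed by address
# so the report can name who runs each one.
VETTED_RESOLVERS = {
    "198.100.146.51": "OpenNICproject.org",
    "91.191.136.152": "Telecomix",
    "213.73.91.35": "CCC",
}

# Constructed sample server config.  The 203.0.113.53 entry is a documentation
# address standing in for an unvetted resolver; 10.0.0.999 is malformed.
SAMPLE_CONFIG = """\
port 1194
proto udp
push "dhcp-option DNS 198.100.146.51"
# OpenNICproject.org
push "dhcp-option DNS 91.191.136.152"
# Telecomix
push "dhcp-option DNS 213.73.91.35"
# CCC
push "dhcp-option DNS 203.0.113.53"
push "dhcp-option DNS 10.0.0.999"
push "redirect-gateway def1"
"""


def pushed_dns_servers(config_text):
    """Return the DNS addresses pushed by the config, as strings, in file order."""
    servers = []
    for line in config_text.splitlines():
        match = PUSH_DNS_RE.match(line)
        if match:
            servers.append(match.group(1))
    return servers


def audit_pushed_dns(config_text, vetted=VETTED_RESOLVERS):
    """Classify each pushed resolver.

    Returns a dict with three lists: "vetted" (address, operator) pairs,
    "unvetted" addresses that parse but are not on the allowlist, and
    "malformed" values that are not IPv4 addresses at all.
    """
    report = {"vetted": [], "unvetted": [], "malformed": []}
    for addr in pushed_dns_servers(config_text):
        try:
            ip = str(ipaddress.IPv4Address(addr))
        except ipaddress.AddressValueError:
            report["malformed"].append(addr)
            continue
        if ip in vetted:
            report["vetted"].append((ip, vetted[ip]))
        else:
            report["unvetted"].append(ip)
    return report


if __name__ == "__main__":
    for kind, entries in audit_pushed_dns(SAMPLE_CONFIG).items():
        print(f"{kind}: {entries}")
```

Run against a real server config, the "unvetted" list is the one to review whenever the pushed set changes; the allowlist is the place to record the due diligence the post describes.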


Topic Author
mrwaldo
Posts: 16
Joined: Sun Oct 20, 2013 4:58 am

Re: Your Own DNS?

Postby mrwaldo » Fri Nov 01, 2013 5:21 pm

cryptostorm_team wrote: Here are the current DNS services we push to clients connected to the cryptostorm network:


push "dhcp-option DNS 198.100.146.51"
# OpenNICproject.org

push "dhcp-option DNS 91.191.136.152"
# Telecomix is.gd/jj4IER

push "dhcp-option DNS 213.73.91.35"
# CCC http://is.gd/eC4apk


I'm just worried about it, because the one hosted in Canada seems to be hosted by OVH.
Let's be honest and say that OVH doesn't have that great a reputation when it comes to being secure. They've been hacked multiple times. That IP for the DNS from Canada also points to a website that seems very amateur. If you look here you can see the link to the site and the fact that it is hosted by OVH, if the information provided by that link is correct: http://whatismyipaddress.com/ip/198.100.146.51


I just feel like it would be great for your users to provide your own logless DNS for your network.


DesuStrike
ForumHelper
Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: cryptostorm running DNS resolvers in-house? Discussion..

Postby DesuStrike » Fri Nov 01, 2013 6:28 pm

Even though I fully trust the CCC, I also understand Waldo's reservations. The milae.net DNS really looks strange and I did not feel comfortable about it when I saw it running DNS leakage tests. Afaik it's pretty unusual for a DNS IP to also point to some kind of video streaming page.

Also, choosing and using a VPN service means placing your trust in the people running the VPN. That can include trusting the DNS providers that you choose (because you trust them), but it might also not. If I had a say I would at least remove the milae.net DNS from the pushed DNS servers.

Personally I would be happy if you'd just push the 3 DNS servers the CCC provides, but somebody else might not trust them because they don't know the CCC and its history.

So, long story short: I understand your choice from a theoretical stance, but in practice only DNS servers run by yourself will be fully trusted by the community, because they trust YOU and nobody else with their online privacy. I guess this was something that could not be considered in your meetings because it is very hard to see these things from the community's perspective.
home is where the artillery hits


lelu

Re: cryptostorm running DNS resolvers in-house? Discussion..

Postby lelu » Sat Nov 02, 2013 8:29 pm

I agree with DesuStrike and mrwaldo. DNS is an important issue when it comes to privacy and "outsourcing" this important aspect of your network doesn't guarantee the security/anonymity that you are claiming.


Guest

Re: cryptostorm running DNS resolvers in-house? Discussion..

Postby Guest » Sun Nov 03, 2013 4:28 am

Seeing we're still in beta, I see DNS servers from cryptostorm and the team in the future.

In the meantime you could use OpenNIC servers if needed (anon/no log or otherwise), or even set up your own, for instance to accept all DNS requests and do the lookups through Tor.

But it's always good to keep in mind that DNS will see the request from the VPN IP too.


cryptostorm_team
ForumHelper
Posts: 159
Joined: Sat Mar 02, 2013 12:12 am

best practices?

Postby cryptostorm_team » Sun Nov 03, 2013 2:01 pm

Guest wrote: In the meantime you could use OpenNIC servers if needed (anon/no log or otherwise)...


Great minds think alike; the first entry in our current pushed DNS resolver settings is...


push "dhcp-option DNS 198.100.146.51"
# OpenNICproject.org


What we'd like to ask of everyone reading this thread is to think (and comment) on this question:

    ...with a completely blank slate, what is the best-practices approach we can take in the future when it comes to in-house DNS resolution? What is the wishlist for the best way to do this, if there were no constraints on our approach?


Of course, it's not a technical challenge to provide baseline DNS resolution service in-house and do so competently - we've done that before, and we're happy to do it again. But... if we're going to do it, is there a qualitative jump in DNS resolver service that we can implement in doing so? Theoretical discussions that have taken place, but been deemed "impractical" for one reason or another?

Let's cast a very wide net, in terms of possible capabilities, and see if this is an opportunity to genuinely step things up a notch. Rather than simply doing a good job of doing what others already do (which is a starting point), can we use this as a catalyst for doing something substantively better?

It was this sort of discussion, in relation to privacy network authentication systems, that eventually led to the development of our token-based auth system; had we just assumed the way forward was to do a good job of doing what "everyone else" already does, we'd have missed the opportunity to approach the issue as one with unbounded options to improve.

Looking forward to what folks might have to suggest and explore...

    ~ cryptostorm_team


Lignus
Posts: 33
Joined: Sat Nov 02, 2013 1:26 am

Re: cryptostorm running DNS resolvers in-house? Discussion..

Postby Lignus » Sun Nov 03, 2013 3:51 pm

Here is a thought on how to reasonably securely get DNS into your network: steal it from someone else's network. Not quite as crazy as it sounds.

One machine VPNs into another provider's network that runs a heavy ratio of users behind a single IP and pulls DNS through their network. You just tumbled all your users' DNS requests with theirs.

Now, for the machine that caches DNS requests:
  • Set a high stale-refresh timeout (3600 minutes or so) - I know, it sucks in edge cases
  • Constantly flush the DNS cache to encrypted RAMdisk
  • Add random resolve delays of 0-100ms (mitigates timing attacks)

Best part about it? You guys don't even know the DNS of sites being requested by your users, much less by whom.

Not a complete solution, but hopefully a few ideas that will turn some mental wheels.
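The three bullets above describe a caching layer with specific behaviour: keep answering from cache for a long window after the TTL has run out, refresh on expiry, and add a random 0-100 ms delay to every answer so that response timing does not cleanly separate cached names from uncached ones. The class below is an added example that models that behaviour; it is not Lignus's code or cryptostorm's. The upstream resolver, clock and random source are injected (and constructed in the demo), and snapshot() stands in for the flush-to-RAM-disk step: it produces the bytes that would be written, with the encryption and mounting of that disk outside the example.

```python
"""Stale-serving DNS cache with per-answer jitter.  Added example, not
cryptostorm's code.  upstream(name) must return (rdata_list, ttl_seconds) or
raise on failure; clock, rng and sleep are injectable for offline testing.
"""
import json
import random
import time


class StaleServingCache:
    def __init__(self, upstream, stale_window=3600 * 60, max_jitter=0.100,
                 clock=time.monotonic, rng=random.random, sleep=time.sleep):
        self.upstream = upstream
        self.stale_window = stale_window   # seconds past TTL expiry we keep answering from cache
        self.max_jitter = max_jitter       # seconds; 0.100 gives the 0-100 ms range from the post
        self.clock, self.rng, self.sleep = clock, rng, sleep
        self._cache = {}                   # name -> {"rdata": [...], "expires": float}
        self.upstream_queries = 0          # successful upstream fetches, for inspection

    def _jitter(self):
        # Drawn on every answer, hit or miss, so the two latency distributions
        # overlap instead of revealing whether a name was already cached.
        self.sleep(self.rng() * self.max_jitter)

    def _fetch(self, name):
        rdata, ttl = self.upstream(name)
        self._cache[name] = {"rdata": list(rdata), "expires": self.clock() + ttl}
        self.upstream_queries += 1
        return list(rdata)

    def resolve(self, name):
        """Return (rdata, status); status is one of miss, hit, stale, expired."""
        now = self.clock()
        entry = self._cache.get(name)
        self._jitter()
        if entry is None:
            return self._fetch(name), "miss"
        if now < entry["expires"]:
            return list(entry["rdata"]), "hit"
        if now < entry["expires"] + self.stale_window:
            # TTL has passed but we are inside the stale window: answer from
            # cache, then refresh for later queries.  A production resolver
            # would run the refresh asynchronously rather than inline.
            rdata = list(entry["rdata"])
            try:
                self._fetch(name)
            except Exception:
                pass  # upstream unreachable: keep serving stale until the window closes
            return rdata, "stale"
        # Past the stale window: drop the entry and resolve afresh.
        del self._cache[name]
        return self._fetch(name), "expired"

    def snapshot(self):
        """Serialise the cache: the bytes the post would flush to a RAM disk.
        Encrypting and mounting that disk is outside this example."""
        return json.dumps(self._cache, sort_keys=True).encode()


if __name__ == "__main__":
    # Constructed upstream returning a documentation address with a 300 s TTL.
    def fake_upstream(name):
        return ["203.0.113.10"], 300

    cache = StaleServingCache(fake_upstream, sleep=lambda seconds: None)
    print(cache.resolve("example.test"))   # first query: miss
    print(cache.resolve("example.test"))   # second query: hit
```

The edge case Lignus flags ("it sucks in edge cases") is visible in the stale branch: a record that changed upstream is still answered with the old data once after its TTL passes, and only the next query sees the refreshed value.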


Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am

namecoin for DNS

Postby Pattern_Juggled » Mon Nov 04, 2013 5:00 pm

Saw this come through the twitter stream & figured I'd echo it here in case someone has an interest to take a look and see whether we can leverage it for our future DNS work in-house. Yes, I know, it's a tweet from 2012 - I'm sure there's lots more news since then! :-)
...just a scatterbrained network topologist & crypto systems architect...
pj@ðëëþ.be | keybase pgp | mit pgp | ðørkßöt-on-console | git 'er github
bitmessage: BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f


Guest

Re: cryptostorm running DNS resolvers in-house? Discussion..

Postby Guest » Mon Nov 04, 2013 10:54 pm

There's the dot-bit project for .bit domains: http://dot-bit.org/

But I'm unaware how it would work as DNS lookup for everything else.


parityboy
Site Admin
Posts: 1105
Joined: Wed Feb 05, 2014 3:47 am

Re: cryptostorm running DNS resolvers in-house? Discussion..

Postby parityboy » Fri May 02, 2014 7:35 am

@cryptostorm_team

But... if we're going to do it, is there a qualitative jump in DNS resolver service that we can implement in doing so?


Yep, there is.

1) We (the community) would have an on-network high performance DNS resolver that is 100% trusted.
2) It would (or could) provide another leg of the "dark net" platform - internal DNS resolving of ".cs" or ".storm" internal domains. Assuming such a thing is in your plans...

:D


Guest

Re: cryptostorm running DNS resolvers in-house? Discussion..

Postby Guest » Sat May 03, 2014 8:40 pm

Very interesting ideas you've got there.
As far as I know the NSA has a special attack program that waits for DNS queries of certain individuals or even groups of people. Those queries are then answered by the NSA before the real DNS server can respond, thus redirecting the target to a false address that shows a fake version of the site that he requested. This way they can grab confidential information, make the target download malicious software or use exploits against his browser.
Especially with situations like the Heartbleed bug, those kinds of attacks become very interesting for man-in-the-middle operations on a big scale.

All of the above described attacks could be made useless by simply providing an in-darknet DNS that by nature is always faster than any outside agency toys.


The internal domain system is just an extra but could be used for reliably shipping automatic updates for both configuration files and iptables whitelists or whatever leakblock implementation will be used in future.

Watcha' think cryptostorm?
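The attack described above relies on a forged answer reaching the client before the legitimate one; the stub resolver takes the first response matching the transaction ID and question and discards the later one. A resolver the network runs itself, as the post argues for, is also in a position to see both responses, and two answers for the same (txid, qname) carrying different A records is the signal to alert on. The detector below is an added example, not code from the post or from cryptostorm: it parses DNS responses from wire format and groups them by transaction ID and question. The sample capture is constructed with build_response(), using documentation addresses and made-up transaction IDs.

```python
"""Flag DNS response races: two answers for one (txid, qname) that disagree.
Added example, not cryptostorm's code.  Parses the wire format directly so it
runs offline on constructed packets.
"""
import struct
from collections import defaultdict


def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, addresses, ttl=60):
    """Construct a minimal DNS response: QR=1, one A question, one A record per address."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # Owner name is a compression pointer (0xC00C) to the question name at offset 12.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return header + question + answers


def _decode_name(pkt, off):
    """Decode a name at off, following compression pointers; return (name, next_offset)."""
    labels, next_off, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:           # compression pointer
            if next_off is None:
                next_off = off + 2          # caller resumes after the 2-byte pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if next_off is None else next_off)


def parse_response(pkt):
    """Return (txid, qname, sorted A-record addresses) from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off, qname = 12, None
    for _ in range(qdcount):
        name, off = _decode_name(pkt, off)
        off += 4                            # skip QTYPE and QCLASS
        qname = qname or name
    addrs = []
    for _ in range(ancount):
        _, off = _decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:       # A record
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return txid, qname, sorted(addrs)


def find_conflicting_answers(packets):
    """Group responses by (txid, qname) and return those whose A records disagree.

    The value is the list of distinct answer sets in arrival order, so the
    first entry is what a stub resolver would have accepted.
    """
    seen = defaultdict(list)
    for pkt in packets:
        txid, qname, addrs = parse_response(pkt)
        if addrs not in seen[(txid, qname)]:
            seen[(txid, qname)].append(addrs)
    return {key: answers for key, answers in seen.items() if len(answers) > 1}


# Constructed capture: for txid 0x1A2B the first packet is the 'fast' injected
# answer and the second the legitimate one; txid 0x3C4D is an ordinary lookup.
CAPTURE = [
    build_response(0x1A2B, "login.example.test", ["198.51.100.7"]),
    build_response(0x1A2B, "login.example.test", ["203.0.113.20", "203.0.113.21"]),
    build_response(0x3C4D, "static.example.test", ["192.0.2.9"]),
]

if __name__ == "__main__":
    for (txid, qname), answer_sets in find_conflicting_answers(CAPTURE).items():
        print(f"txid {txid:#06x} {qname}: conflicting answers {answer_sets}")
```

Legitimate duplicates (a retransmitted identical answer) are not reported, because the answer set is compared, not the packet count; round-robin records that differ between two authoritative responses would be reported, so in practice this is an alert to triage rather than a verdict.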


Operandi
Posts: 88
Joined: Fri Nov 22, 2013 4:23 pm

Re: cryptostorm running DNS resolvers in-house? Discussion..

Postby Operandi » Sat May 03, 2014 11:14 pm

I know that cryptostorm have taken the Privacy Seppuku Pledge. But what about those DNS providers?


cryptostorm_admin
ForumHelper
Posts: 74
Joined: Tue Jan 01, 2013 5:43 pm

thread bump & move

Postby cryptostorm_admin » Mon Nov 24, 2014 1:56 pm

As there's now tangible movement on this question, and news to report, we've moved this thread over to the community discussion subforum and will post updates here as we move forward.

Thank you,

cryptostorm_admin

