Anonymized DNS

Anonymized DNS

Intro

DNSCrypt is the protocol that we use to help protect a client's DNS traffic before they connect to our VPN servers.
Once they're connected to the VPN, DNS would go through the VPN tunnel. But before they can connect to the VPN, they'll need to use DNS to resolve the VPN server's hostname (unless they're using IPs in their configs, which we recommend against because our IPs change sometimes, but the hostnames rarely do).
DNSCrypt encrypts those DNS queries so that 3rd parties can't monitor or manipulate the traffic.
We don't know that a client is a client until after they login to the VPN, so all of our DNSCrypt (and regular DNS) servers are accessible to everyone.

Privacy

As with any other service, it's impossible to verify that a DNSCrypt server isn't logging IPs or other data.
The list at https://dnscrypt.info/public-servers has plenty of servers that claim not to log, but there's no way to prove that claim.
To ensure that a logging server won't get any useful data, most people would use Tor or HTTP/SOCKS proxies to connect to a DNSCrypt server, but those methods can be slow and unreliable since they weren't really made to relay DNS traffic.

Anonymized DNS

A new feature called "Anonymized DNS" was recently added to the
DNSCrypt v2 protocol specification.
In short, it allows you to send your DNSCrypt traffic to a relaying server that will forward it to the DNSCrypt server.
The relay doesn't have the keys to decrypt the traffic, it just forwards it.
That means the relay can see your IP, but it can't see the DNS traffic.
The DNSCrypt server that receives the traffic from the relay can see your DNS traffic, but not your IP.
So even if a DNSCrypt server is logging, they won't be able to see your real IP.
If a relay is logging, they won't be able to see your DNS traffic.

Some DNSCrypt servers (like ours) are also running relays, so obviously those setups could log both the client IP and the DNS traffic.

To prevent that from happening, the best option would be to use relays and DNSCrypt servers that are owned by different entities.

This is basically the same concept that our multihop page describes where two or more OpenVPN hops are used between different VPN providers so that you don't have to trust any single provider's "no-logging" claim, except instead of OpenVPN this is for DNSCrypt.

How to use

The fourth section of
https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS 
has detailed instructions for using these Anonymized DNS relays.
Here's a very minimal example dnscrypt-proxy.toml config:

listen_addresses = ['127.0.0.1:53']
[static]
[static.'scaleway-fr']
stamp = 'sdns://AQcAAAAAAAAADjIxMi40Ny4yMjguMTM2IOgBuE6mBr-wusDOQ0RbsV66ZLAvo8SqMa4QY2oHkDJNHzIuZG5zY3J5cHQtY2VydC5mci5kbnNjcnlwdC5vcmc'
[anonymized_dns]
routes = [
 { server_name='scaleway-fr', via=['sdns://gRE2NC40Mi4xODEuMjI3OjQ0Mw'] },
]

That would define scaleway-fr as a static entry (instead of downloading from the remote sources list), with dnscrypt-proxy listening on port 53 of 127.0.0.1
The sdns:// format, called "DNS Stamps" is described at
https://dnscrypt.info/stamps-specifications/
scaleway-fr is listed on https://dnscrypt.info/public-servers/ as:

DNSSEC/Non-logged/Uncensored - ARM server donated by Scaleway.com Maintained by Frank Denis - https://fr.dnscrypt.info

The second sdns:// entry in the config is our Atlanta, GA relay in the US.

Anonymized DNS was added in dnscrypt-proxy v2.0.29, so install that or any version after it, then start up dnscrypt from the directory containing the above dnscrypt-proxy.toml and you should see:

[2019-11-01 21:07:48] [NOTICE] dnscrypt-proxy 2.0.29
[2019-11-01 21:07:48] [NOTICE] Network connectivity detected
[2019-11-01 21:07:48] [NOTICE] Anonymized DNS: routing [scaleway-fr] via [sdns://gRE2NC40Mi4xODEuMjI3OjQ0Mw]
[2019-11-01 21:07:48] [NOTICE] Firefox workaround initialized
[2019-11-01 21:07:48] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
[2019-11-01 21:07:48] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
[2019-11-01 21:07:49] [NOTICE] [scaleway-fr] OK (DNSCrypt) - rtt: 122ms
[2019-11-01 21:07:49] [NOTICE] Server with the lowest initial latency: scaleway-fr (rtt: 122ms)
[2019-11-01 21:07:49] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Finally, just tell your system to use the DNS server at 127.0.0.1

Your DNS traffic will be encrypted by the local dnscrypt-proxy, then sent to our Atlanta relay, which will forward it to scaleway-fr DNSCrypt server.

The full list of available relays is at
https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/relays.md
(ours are the ones that start with "anon-cs")

Posted on