/tech/ - Technology★

Launched by OpenDNS

Most shilled DNSCrypt servers are OpenDNS, owned by Cisco

They mention a fucking Yandex browser on their page

Unless a server you connect to uses encrypted SNI, the domain name you connect to is still transferred in plaintext

You still trust one server to resolve your queries

DNSCrypt is often advised to be used with half-assed OpenVPN providers that don't push DNS options form their own servers, leaking your DNS queries to your ISP and ISP (DNS resolver) location to websites, when using DNSCrypt you still leak your location to DNSCrypt resolver run by g-d knows who, not good.

You can send your DNS requests to tor daemon with better anonymity and privacy.

>>810442

> You can send your DNS requests to tor daemon with better anonymity and privacy.

Can you tell more about that?

I use this guy. Is he bad?

http://dns.d0wn.biz

>>810449

Tor encrypts the query which then gets sent out at the exit node. It's still plaintext but instead of intercepting it upline where you are it's intercepted at the tor node. DNScrypt is a step in the right direction, but the protocol is weak because it's not end to end encrypted. Which means until you establish the server connection with a encrypted SNI dns server it can be MITM'd with laughable ease. But after the initial handshake in plaintext everything is encrypted if using a SNI server. If nothing else dnscrypt is useful for changing your dns server so it's harder to sort or locate your dns queries.

Most of the recomended DNS servers by them for defaults are honeypots, specifically the ones by D0wn, anti-adblock ones, cisco, yandex, and any located in the USA. Choose your servers carefully, or set one up yourself.

>>810454

Yes stop using nsa/d0wn right now. It's a fucking botnet.

Oh another one not to use is the babylon network. This needs no explanation, it's in the name itself.

>>810449

If you're using Android...

- install and run Orbot

- install OverRideDNS and change your DNS servers to 127.0.0.1:5400

If you're using Debian 9...

sudo apt-get install tor dnsutils dnsmasq

## append to /etc/tor/torrc:

DNSPort 9053

AutomapHostsOnResolve 1

AutomapHostsSuffixes .exit,.onion

## test tor dns:

service tor restart

dig @localhost -p 9053 www.google.com

## append to /etc/dnsmasq.conf:

no-resolv

server=127.0.0.1#9053

listen-address=127.0.0.1

>>810524

Oh, and of course set your DNS servers in Linux...

## append to /etc/dhcp/dhclient.conf:

supersede domain-name-servers 127.0.0.1, 127.0.0.1;

Not only I use it to hide from my ISP, I also use it too to block most of andress and IPs from Microsoft that does telemetry. I only worry over my ISP if it's spying me or not, even when I'm not a pedophile/like loli or shota stuff/a drug dealer.

>>810544

build your own router then. use opnsense or pfsense

>>810442

tor is controlled by SJWs. I'd consider it compromised.

>>810647

retard

>>810461

P-prove it

>>810670

Are you sure you want the truth?

>>810544

I hope you don't block Microsoft IPs on Microsoft's operating system, cuz that's kinda counterproductive.

>>810437 (OP)

Fair thing, there is DNSSEC. Similar project, but not same. Rather than encrypting queries which is dumb, it authenticates (signs) full chain down to website's domain holder/hoster using PKI similar to current X509 iirc. So let's say you query for example.com if it has DNSSEC enabled, you get a signed answer from it's recursive DNS servers that it is indeed example.com with that particular IP address.

Too bad, not many sites bother to use DNSSEC, so it's like using ONLY https sites in 2008 and refusing to go to plain http because so. Very painful. Tho, you can manually check or DNSSEC availability with browser plugin by CZ NIC.

https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/

I used DNSCrypt to get around blocks in turkey before (they are filtering port 53 and timing out blocked domains), it helps in bypassing censorship and keeping your domain requests secure too (along with HTTPS).

they ended up resetting connection on the destination IPs for the domains too, so I use sshuttle to access shit like imgur now. Fuck Erdogan.

>>810675

>>cezech

>>national inteligence command

What do I have to smoke to be this high?

>>810680

Tell me what NIC stands for and I will answer.

>>810647

I see, they must use their social justice wizardry to magically change a protocol after compilation from source.

>>810524

the problem with tordns is you should probably trust the tor exit node even less than your isp.

it's fine if your shitposting but the exitnode could easily fuck with the dns. they may not know who theyr'e fucking with, and that's supposed to be one of the reasons for ssl certs.

presumably if you know enough to do this you know enough to raise an eyebrow if the browser warns you that the ssl cert is fucked up before you login into your bank.

>>810673

>>810675

>>810680

>>810681

>CZ NIC

Gee, everybody knows it stands for CIA Zombies Network Interface Card.

Network Information Center, lurk your shit dumb niggers

>>810691

What about rule of three? Query multiple exit nodes for DNS, may even combine with DNSCrypt for extra placebo.

>>810689

Central Directory collects data from all nodes by default, how anonymous would it be if a system publicly announces how many connections each node gets every second? There was a Brazilian node that queried hidden services and scraped their front pages, somehow Tor project officials found this node and banned it from Tor swarm. How did they find it and why does the central authority has power to ban nodes?

https://www.mail-archive.com/tor-relays@lists.torproject.org/msg11946.html

>I was running a Tor Relay for the past month at my university and it seems that it got banned somehow.

https://www.mail-archive.com/tor-relays@lists.torproject.org/msg11947.html

>You relay has been found to be harvesting .onion addresses which is strictly prohibited on the network.

>>810696

I'm sure there are other ways that could be figured out pretty quickly.

Regardless, if Tor did have a backdoor of some sort, why would the feds allow it to keep highly illegal content completely untouched? I won't go into detail, but I'm confident you know exactly what I'm talking about.

There has yet to be a takedown that was through an insecurity in Tor. All have been user error in some form (Admins using shit passwords, terrible code, DDoS attacks, using personal email addresses, etc.). Why would the feds allow Tor ruin a perfect backdoor which they have yet to use?

>>810573

Thanks, but I use Windows 7, so I already have a firewall.

>>810673

>cuz that's kinda counterproductive.

What do you mean? Why are you suggesting that blocking telemetry is kind of "counterproductive"?

>>810672

yes please

The authentication between the client and the DNS server is good because it will prevent MITM attacks. However to me, the encryption seems a little useless given that anyone listening on the wire will already see what IP addresses you are connecting to so they can just resolve those themselves.

>>810689

Almost every tor node is using software from the tor group. Even a small percentage compromised compromises that whole system, and they can compromise almost all of it.

>>810712

The NSA/CIA aren't going to ruin their honeypot, they want to identify enemies of the Jews not go after some no-name druggies/diddlers. The FBI might care about things like CP but the FBI are mall cops with more authority and can at best do basic shit like put trojan javascript on sites.