OpenDNS and DNSCrypt

[dead-not-sleeping]

Open for discussion.. Is OpenDNS with the DNSCrypt software a viable solution for prism-break?

http://www.opendns.com/technology/dnscrypt/

All opinions solicited!

[Zegnat]

(Trying to merge all previous comments into one.)

In #47, @chuyskywalker commented:

I feel like this needs a foot note that OpenDNS is not a FOSS system and they are based in the U.S., thus making them highly susceptible to FISA orders.

In #72, @caffeinewriter and @owenversteeg reiterated the fact that ‘OpenDNS is not free’, the former adding:

Plus, the irony is that OpenDNS provided the DNS filtering for my school […]

In #184, @ikurua22 linked 2 blogs detailing logging and intercepting by OpenDNS:

1. Parsing Privacy Policies: Is OpenDNS logging data forever? (2007-06-26)
2. Five reasons to switch from OpenDNS to Google DNS. (2009-12-05)

From the DNSCrypt page:

[…] DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.

This sounds good but does not limit the amount of traffic that can be recorded, stored, and censored by OpenDNS themselves.

[dead-not-sleeping]

Thanks Zegnat- I had tried searching for threads on OpenDNS before posting and didn't find any.

[jedisct1]

Use it with CloudNS, which focuses on security and privacy, and is not in the US: https://cloudns.com.au/
DNSCrypt, DNSSEC, no hijacking, no logging.

[Zegnat]

CloudNS does look good, any experience with them?

[jedisct1]

No issues so far.

Another option is dnssec-trigger: http://www.nlnetlabs.nl/projects/dnssec-trigger/

NLNet are also providing a free, non-hijacking, encrypted/authenticated service accessible through dnssec-trigger, and anybody can run such a server as well (DNS over SSL is supported by default in Unbound).

[owenversteeg]

Yup, OpenDNS may be the "good guys" in that they are against SOPA but again they are, contradictory to their name, not FOSS.

[Zegnat]

@owenversteeg, note that non-FOSS is allowed on PRISM Break if their ease of use or availability outranks any other alternative. See web search. I think this would also apply to DNS.

If there is some guide that can be linked to describing how people can easily switch to CloudNS or an other system I believe these should be added ASAP. I just don’t know any.

[caffeinewriter]

@Zegnat @owenversteeg Regardless of the fact that they are a "Good Guy", they are still subject to FISA requests and the like, and therefore, are not a good fit for PRISM Break. Albeit, I am biased, since, as I stated before, they provided DNS Site Filtering (read censorship) for my school. Sure this was to help keep kids focused, but the fact that the provide this technology as one of their core services is another reason I do not recommend them.