I run DNS servers behind CurveDNS forwarders at home and it works fine. Of course that's not enough to convince anyone except me that it works. There are some nameservers that offer DNSCurve on the internet. This proves that it works.

For example,

   dq a ianix.com 192.5.6.30

   1 ianix.com - regular DNS:
   197 bytes, 1+0+2+2 records, response, noerror
   query: 1 ianix.com
   authority: ianix.com 172800 NS uz5dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6.ianix.com
   authority: ianix.com 172800 NS uz5dns1bx64zu3pgn9nm4zfvmh2vy4hpjy7nkjz6qjcu325bg9hzcx.ianix.com
   additional: uz5dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6.ianix.com 172800 A 104.207.143.9
   additional: uz5dns1bx64zu3pgn9nm4zfvmh2vy4hpjy7nkjz6qjcu325bg9hzcx.ianix.com 172800 A 104.248.15.206

   dq -s -k dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6 ianix.com 104.207.143.9

   1 ianix.com - streamlined DNSCurve:
   229 bytes, 1+2+2+2 records, response, authoritative, noerror
   query: 1 ianix.com
   answer: ianix.com 3600 A 104.248.15.206
   answer: ianix.com 3600 A 104.207.143.9
   authority: ianix.com 259200 NS uz5dns1bx64zu3pgn9nm4zfvmh2vy4hpjy7nkjz6qjcu325bg9hzcx.ianix.com
   authority: ianix.com 259200 NS uz5dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6.ianix.com
   additional: uz5dns1bx64zu3pgn9nm4zfvmh2vy4hpjy7nkjz6qjcu325bg9hzcx.ianix.com 259200 A 104.248.15.206
   additional: uz5dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6.ianix.com 259200 A 104.207.143.9

The query to 192.5.6.30 is not encrypted because the .com nameservers do not provide a DNSCurve public key prefixed by "uz5" in the subdomain.

The query to 104.248.15.206 is encrypted using DNSCurve. Each packet is encrypted separately. Packets are exchanged via UDP just like regular DNS. DNSCurve predates QUIC.

There is also a free secondary DNS service that will let anyone offer DNSCurve without having to set up CurveDNS forwarders. Assuming they are still in business. I have not tested it. This should put to rest any doubts that DNSCurve actually works. But I know it won't.

https://www.bunnyns.com
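As an added illustration (not code from the commenter above), the following Python parses dq "authority:" lines like those shown, recognises nameserver labels that carry a DNSCurve public key ("uz5" followed by 51 digits of DNSCurve's little-endian base-32 alphabet) and decodes them to the 32-byte Curve25519 key, so a resolver operator can check which of a zone's nameservers actually advertise DNSCurve. The second sample line, ns1.example.net, is a constructed placeholder for a nameserver with no key.

```python
# DNSCurve base-32 alphabet (no a/e/i/o); digits are case-insensitive
ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"
PREFIX, DIGITS = "uz5", 51  # 51 * 5 = 255 bits; bit 255 of a Curve25519 key is 0

def decode_key_label(label):
    """Return the 32-byte public key encoded in a 'uz5...' DNS label, or None."""
    label = label.lower()
    if not label.startswith(PREFIX) or len(label) != len(PREFIX) + DIGITS:
        return None
    acc, bits, out = 0, 0, bytearray()
    for ch in label[len(PREFIX):]:
        digit = ALPHABET.find(ch)
        if digit < 0:
            return None
        acc |= digit << bits  # little-endian: the first digit holds the lowest bits
        bits += 5
        if bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    out.append(acc)  # flush the final 7 bits into byte 31 (its top bit is zero)
    return bytes(out)

def encode_key_label(key):
    """Inverse of decode_key_label; used to round-trip check a decoded key."""
    acc, bits, digits = 0, 0, []
    for byte in key:
        acc |= byte << bits
        bits += 8
        while bits >= 5:  # 32 bytes yield 51 digits; the leftover bit is bit 255 (zero)
            digits.append(ALPHABET[acc & 31])
            acc >>= 5
            bits -= 5
    return PREFIX + "".join(digits)

def dnscurve_nameservers(dq_output):
    """Map each NS name in dq 'authority:' lines to its hex key, or None if it has none."""
    found = {}
    for line in dq_output.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "authority:" and fields[3] == "NS":
            ns = fields[4].rstrip(".")
            key = decode_key_label(ns.split(".")[0])
            found[ns] = key.hex() if key else None
    return found

# Constructed sample: one NS line copied from the dq output above, one plain NS
SAMPLE = """authority: ianix.com 172800 NS uz5dns2sdrnxskf5lqt46v34cdlfqb9q2lvvmpr95g3l1qh0148sf6.ianix.com
authority: example.net 172800 NS ns1.example.net"""
```

Calling dnscurve_nameservers(SAMPLE) yields a 64-hex-character key for the ianix.com nameserver and None for the placeholder.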

The whole point of CurveDNS (and now DoH) is that it works right away, and doesn't depend on the rest of the Internet cooperating with you. It's a bottom-up design, contrasted to DNSSEC's (failed) top-down model. The only problem with DNSCurve is that it's been effectively superseded by DoH. It's the Betamax of secure DNS protocols. Doesn't matter if it's better.


DNSCurve is used to encrypt queries to authoritative DNS servers. DoH is only used to encrypt DNS queries to third-party DNS caches. Using third-party caches can open the door to cache poisoning. Cache poisoning can be and has been used as a "justification" for deploying DNSSEC.


Right, but (1) most of the value of secure transport for DNSSEC is in the "last mile" between the resolver and the stub resolver on the laptop or whatever, and (2) the same model that secures that hop can secure authoritative lookups for resolvers --- neither protocol is widely deployed for authority queries for recursors, but DoH already has huge deployment numbers for the other use, and seems the more likely bet for how this will play out going forward.
