From: Maciej Soltysiak
To: Aristar
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Tue, 22 Oct 2013 13:43:31 +0200
Subject: Re: [Cerowrt-devel] cerowrt security
> https://forum.openwrt.org/viewtopic.php?id=36380&p=3 ) on cero 3.7.5, it requires setting dnsmasq to use 127.0.0.1 for dns requests. Perhaps if this makes it into trunk we'd be able to consider it in the future? The full source is available here: https://github.com/opendns/dnscrypt-proxy - notably, it requires libsodium to function.

I can confirm it works as I'm running it on cero 3.8.something.

One comment. You are suggesting to use OpenDNS. Depending on level of paranoia (which *IS* a virtue) the question whether they keep logs or not might be an issue. They probably do and would give the data to NSA gladly.

There are 3 other DNSCrypt resolvers which claim not to keep the logs. They are in Holland, Japan, Australia. The last one is endorsed by prism-break.org, but I have 500ms latency. Therefore I have bought a VM at a cloud provider in my city and deployed the same thing they are but 7ms away. DNSCrypt-wrapper with a default config of unbound to provide recursive, DNSSEC validated NS.

So my humble setup is:

[home.lan] <-> [dnsmasq] <-> [dnscrypt-proxy] <-> [dnscrypt-wrapper] <-> [recursive unbound]

dnsmasq and dnscrypt-proxy are on Cero; dnscrypt-wrapper and unbound are controlled by me, sitting on a Debian VM.

Note this leaves home.lan clients still sending regular UDP to Cero. Last mile not protected. There are other ways to configure this, like do it on the client, and put the wrapper on cero.

In any case we should be able to have both: dnscrypt-proxy and dnscrypt-wrapper. Both need libsodium, which in turn needs libevent-dev.

If anyone wants to check out my dnscrypt provider, it's at 178.216.201.222:2053. Connect using:

dnscrypt-proxy -a 127.0.0.1:2053 --provider-name=2.dnscrypt-cert.soltysiak.com -r 178.216.201.222:2053 \
  --provider-key=25C4:E188:2915:4697:8F9C:2BBD:B6A7:AFA4:01ED:A051:0508:5D53:03E7:1928:C066:8F21

Test by:

dig -p 2053 @127.0.0.1 google.com

Best regards,
Maciej
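The "dig -p 2053" test above only shows that the local dnscrypt-proxy answers. Because the far end of this chain is a DNSSEC-validating unbound, the response header can also tell you whether the answer was actually validated: a validating resolver sets the AD (authenticated data) flag. The script below is an added example, not code from Maciej's post or from the dnscrypt-proxy project; it builds a raw A query, sends it to the stub resolver (the 127.0.0.1:2053 default mirrors the post but is an assumption to adjust for your setup), and parses the reply, reporting RCODE, AD and any A records. The embedded SAMPLE_RESPONSE is constructed by hand, not captured from a real server, so the parser can be exercised offline.

```python
"""Query a local DNSCrypt stub resolver and report whether the reply
carries the AD flag (DNSSEC validated upstream). Added example; the
resolver address/port are assumptions matching the post's setup."""
import os
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_RD = 0x0100   # recursion desired
FLAG_AD = 0x0020   # authenticated data
FLAG_TC = 0x0200   # truncated


def build_query(name, txid=0x1234):
    """Build a standard A/IN query. AD is set in the query to signal that
    we understand and want the AD bit back (RFC 6840, section 5.7)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    end = offset
    jumped = False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:             # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(data):
    """Parse header flags and A answers out of a raw UDP DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    result = {"id": txid, "rcode": flags & 0x000F,
              "ad": bool(flags & FLAG_AD), "tc": bool(flags & FLAG_TC),
              "answers": []}
    offset = 12
    for _ in range(qd):                       # skip question section
        _, offset = _read_name(data, offset)
        offset += 4                           # QTYPE + QCLASS
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:         # A record
            result["answers"].append((name, ttl, socket.inet_ntoa(rdata)))
    return result


def check_resolver(name="google.com", server="127.0.0.1", port=2053, timeout=3.0):
    """Send one query over UDP and return the parsed reply.
    Raises on timeout or on a transaction-ID mismatch (stale/spoofed reply)."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, port))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != txid:
        raise ValueError("transaction ID mismatch")
    return resp


# Constructed sample reply (not captured from a real server): ID 0x1234,
# flags 0x81a0 = QR|RD|RA|AD, one question for example.com, one A answer
# 192.0.2.1 (TEST-NET) whose name is a compression pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\xa0\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    import sys
    try:
        r = check_resolver()
    except (OSError, ValueError) as exc:
        sys.exit("query failed: %s" % exc)
    print("rcode=%d AD=%s answers=%s" % (r["rcode"], r["ad"], r["answers"]))
    if not r["ad"]:
        print("warning: AD not set, answer was not DNSSEC-validated upstream")
```

Run it on the router (or wherever dnscrypt-proxy listens) after starting the proxy as in the post. Note that the AD bit is only a claim made by the resolver you talk to; it is meaningful here because the query never leaves the loopback interface between this script and dnscrypt-proxy, which is exactly the "last mile" caveat in the setup diagram: a LAN client asking dnsmasq over plain UDP has no such guarantee.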