CloudNS is a DNS host that supports a few cool security features. I’ve set it up, and it’s working for me on Linux Ubuntu 13.04. I think its security features give it the potential to be the preferred choice for those looking for that higher level of security and privacy.
* DNSCrypt Support We only allow connections to our service using DNSCrypt, this provides confidentially and message integrity to our DNS resolver, and makes it harder for an adversery watching the traffic of our resolver to identify the origin of a DNS query as all the traffic is mixed together. * DNSSEC Validation Our server does complete trust validation of DNSSEC enabled names, protecting you from upstream dns poisoning attacks or other DNS tampering. * Namecoin resolution Namecoin is an alternative, decentralized DNS system, that is able to prevent domain name censorship. Our DNS server does local namecoin resolution of .bit domain names making it an easy way to start exploring namecoin websites. * Hosted in Australia Our DNS Server is hosted in Australia, making it a faster alternative to other open public DNS resolvers for Australian residents. * No domain manipulation or logging We will not tamper with any domain queries, unlike some public providers who hijack domain resolution for domains that fail to resolve. Our servers do not log any data from connecting users including DNS queries and IP addresses that make connections.
I think those are some really interesting features. For one thing, it forces DNSCrypt and validates with DNSSEC, and it appears to be the only resolver to do both of these things. And it’s also hosted outside of the US, which has its own implications for security.
So I went ahead and set up CloudNS using the following command (and setting this in rc.local) after configuring DNSCrypt from this guide. You can check Cloudns.com.au for the updated information, but as of today (Aug 8th, 2013) this command works for me.
--daemonize --resolver-address=22.214.171.124:443 --provider-name=2.dnscrypt-cert.cloudns.com.au --provider-key=1971:7C1A:C550:6C09:F09B:ACB1:1AF7:C349:6425:2676:247F:B738:1C5A:243A:C1CC:89F4
To use the secondary server as well the command is:
dnscrypt-proxy --user=dnscrypt --daemonize --resolver-address=126.96.36.199:443 --provider-name=2.dnscrypt-cert-2.cloudns.com.au --provider-key=67A4:323E:581F:79B9:BC54:825F:54FE:1025:8B4F:37EB:0D07:0BCE:4010:6195:D94F:E330
So the three big improvements for me are DNSSEC, DNSCrypt, and Australia hosting.
DNSSEC is an extension of DNS that aims to provide authentication and integrity of DNS results; it ensures that you know who the result is from and that no one else has tampered with it. DNS responses are authenticated but they are not encrypted, so DNSSEC does not prevent someone between you and the resolver from viewing the request.
DNSCrypt provides encryption of DNS requests, which provides confidentiality of the requests, meaning that an attacker between you and the resolver can not view the traffic between you and your DNS resolver.
Stacking DNSSEC and DNSCrypt works out very well, as you end up covering your bases and achieving confidentiality, integrity, and authentication.
Hosting In Australia
While I’m not particularly familiar with Australia’s laws, hosting outside of the US definitely provides a bit more peace of mind. Just yesterday we learned that Lavabit (the email provider chosen by Edward Snowden) has shut down due to the US government trying to compromise their ability to protect their users. The truth is that hosting in the US just makes a service less trustworthy at this point, and hosting outside is a big plus. This, combined with Namecoin and their pledge to not log, is really somewhat comforting.
So, while I can’t absolutely recommend it at this point (I haven’t been using it long enough) I think there’s a lot of potential here.