I've been struggling to solve this privacy problem.
DNS/SNI leakage
The issue is that every site I request, whether through a proxy, a VPN, SSL/TLS or plaintext, is being transmitted to my ISP/outside my network, obviously telling any MITM what I'm up to on the internet.
I thought about a few solutions.
GNUnet - it's great on paper and maybe someday will see more daylight, but it's pretty complicated and doesn't solve my immediate problem.
encrypting - using a service like DNSCrypt, which I can't seem to understand enough to give an opinion.
obfuscating - using other computers in the network and requesting random queries through a single DNS server running dnsmasq (tried)
caching - I had the idea of caching all the TLDs and routinely (every 48 hours maybe) updating them.
The issue I'm facing with caching the entire list of domains (about 333M domains) is how to obtain an updated list of domains from the root nameservers.
Even before I start to prioritize more indexed or more common domains and reduce computation, I need to obtain every host name/domain pair.
I'm trying to reach people who put some thought into how fucked up the internet and DNS service is and want to contribute and discuss some more.
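As an added illustration of the leakage described in this post (this is example code written for this page, not code from the thread), the script below builds a constructed plaintext DNS query and a constructed TLS ClientHello for a hostname, then parses each the way a passive observer on the path would: the name is read straight out of the DNS QNAME and out of the TLS server_name (SNI) extension, without any key material. The hostname and the packet builders are constructed sample data; the parsers follow RFC 1035 and the TLS ClientHello layout.

```python
import struct


def build_dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Constructed plaintext DNS query for an A record (RFC 1035 wire format)."""
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in hostname.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_qname(packet: bytes) -> str:
    """What an on-path observer reads from a plaintext DNS query: the QNAME."""
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels)


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello record carrying a server_name extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                      # client_version TLS 1.2
        + b"\x00" * 32                   # random (zeroed: sample data)
        + b"\x00"                        # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                    # compression: one method, null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes):
    """What an on-path observer reads from a TLS ClientHello: the SNI host name."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9                              # record header (5) + handshake type (1) + length (3)
    pos += 2 + 32                        # client_version + random
    pos += 1 + record[pos]               # session_id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + cs_len                    # cipher_suites
    pos += 1 + record[pos]               # compression_methods
    if pos + 2 > len(record):
        return None                      # no extensions block at all
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        if etype == 0:                   # server_name extension
            lpos, lend = pos + 2, pos + elen   # skip server_name_list length
            while lpos + 3 <= lend:
                ntype = record[lpos]
                nlen = struct.unpack_from("!H", record, lpos + 1)[0]
                lpos += 3
                if ntype == 0:
                    return record[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
        pos += elen
    return None


def observed_hostnames(hostname: str) -> dict:
    """Simulate one HTTPS visit and report what a passive observer sees in each layer."""
    return {
        "dns_query": dns_qname(build_dns_query(hostname)),
        "tls_sni": tls_sni(build_client_hello(hostname)),
    }


if __name__ == "__main__":
    # Constructed sample hostname; neither layer hides it from the path.
    for layer, seen in observed_hostnames("example.org").items():
        print(f"{layer}: {seen}")
```

Encrypting the DNS leg (for instance with the DNSCrypt setup discussed later in the thread) removes only the first of the two readings; the SNI name in the TLS handshake is still sent in the clear, which is why the post talks about DNS and SNI leakage together.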
I'm using DNSCrypt on all my devices (disabled on my phone for now because (((school))) blocks the port DNSCrypt uses and turning it on and off is a pain in the ass). It works pretty well, it's reliable and it's quite easy to set up on (GNU/)Linux. Install dnscrypt-proxy, start the service and add it to your default runlevel, set your DNS server to 127.0.0.1.
Bumping for interest. Here's a free win XP pro key
How do I install dnscrypt from source?
>>62370919
Why not VPN?
>>62371345
depends on the vpn
>>62371025
can you explain how dnscrypt works exactly?
I use a setup to connect to my own DNS server running dnsmasq. Can I set up the server to use the encryption? How do I exchange keys? Is there a CA? Can I use it on Android without root (assuming I can change the DNS IP only)?
DNS just makes me so angry
Does anyone know any channels on freenode where I can discuss this?
>>62370919
The answer as you've sort of said is Gnunet.
These problems can't be fixed in any nice/acceptable way by tacking more shit on with layers of abstraction.
With what we know now retrospectively, you have to start over from the very beginning and rework everything all the way down.
Gnunet is the future.
I think that once they finally get this next major version out, you'll see an explosion of interest and new work being done around it. I know for a fact that a number of people don't want to start working on anything involving it right now as it will mostly be made incompatible with the next version - But once it's out they'll be all in.
Keep hyping it - This may be our only chance at salvation.
>>62372839
What is the difference between gnunet and other p2p solutions?
Instead of rewriting the entire internet system and protocols, I was thinking about an extension to the current state of things, exactly like SSL/TLS did for securing the internet.
I indulged in the idea of a blockchain-like domain ledger so the entire system is more secure and decentralized, making it easier to maintain a local cache of domains and securely verify ownership of a domain.
DNScrypt over a VPN, shuffling through different VPN providers and DNS providers on desynchronized random timers. Tons of OpenNIC servers claim not to keep logs, and there are others like dnscrypt.eu
dnssec on top of that because why not, muh verification
name of the game is thwarting passive commercial surveillance
i2p is a more practical privacy layer than gnunet and tons of cool stuff (as in not pizza) is shared over it constantly.
>>62372980
Gnunet aims to be a full IP/TCP replacement, prioritizing anonymity and decentralization as the core starting point and building up from there.
Tacking things on later is sometimes a necessary stopgap measure when it's discovered that something critical was overlooked - They shouldn't be seen as satisfactory solutions.
Other existing options don't take the whole of the problem into account.
From a privacy and security standpoint DNS seems like a malfunctioning solution to domain resolving. At the moment it's either very hard to implement a secure solution (DNSCrypt) or impossible to implement a privacy solution (caching and re-checking 333 million domains). I just want to use the internet in a friendly, secure way with privacy, and not go through the hassle of setting up DNSCrypt over a VPN while shuffling VPN providers and DNS providers on desynchronized random timers and using DNSSEC on top of everything, just to keep out passive commercial surveillance... Other overhaul solutions like i2p/gnunet/p2p are more of a fix to another problem and not actually viable in the current state of things for normal use. So what can I do to obtain minimal freedom over my DNS necessities?
>>62373187
Get a different computer to do caching and rsync it with your main one.
Mission accomplished.
>>62373092
Is this diagram accurate? I was excited for ipfs. Could you link me to some sources discussing the differences between the different current solutions?