📝 Correction | Encrypted DNS can be anonymous with DNSCrypt v2 protocol #1822

Closed
opened 2020-04-09 12:28:36 +00:00 by lrq3000 · 4 comments
lrq3000 commented 2020-04-09 12:28:36 +00:00 (Migrated from github.com)

Description

While writing #1821, I have just discovered that the DNSCrypt v2 protocol supports anonymized DNS queries. Here is the [documentation](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/ANONYMIZED-DNSCRYPT.txt).

It seems to only be implemented in one software at the moment, in [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy).

Maybe other software such as [Simple DNSCrypt](https://simplednscrypt.org/), which is based on dnscrypt-proxy, may implement (or will in the future) anonymized DNS queries, but at the moment it seems from [this listing](https://dnscrypt.info/implementations/) that it's not the case.

Why I am making the suggestion

In https://www.privacytools.io/providers/dns/ , it's written:

> Note: Using an encrypted DNS resolver will not make you anonymous

DNSCrypt v2 seems to fix this issue, and there is a concrete application.

My connection with the software

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
beerisgood commented 2020-04-09 20:54:47 +00:00 (Migrated from github.com)

Well, that's not fully true. There exists the eSNI problem.
lrq3000 commented 2020-04-15 18:12:06 +00:00 (Migrated from github.com)

Very interesting, I admit I have no expertise in DNS and such, I am more of a savvy end-user (I can adopt a new protocol/framework but I could certainly not tweak it nor make one).

I found this article about [eSNI](https://www.sentinelone.com/blog/privacy-2019-fixing-16-year-old-problem-tls-esni/), is this what you were referring to? From the doc, I understand that SNI had an issue with privacy, but eSNI should solve this. However, I did not find any mention about eSNI on the DNSCrypt v2 doc.

Maybe asking them directly may help clarify this issue :-)

beerisgood commented 2020-04-15 18:19:47 +00:00 (Migrated from github.com)

The problem with eSNI is that every visited server needs to support it, and I sadly guess most don't care.
Mikaela commented 2020-04-17 15:07:52 +00:00 (Migrated from github.com)

It's also still a draft and many may be opting to wait for it to stabilize first.

* https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
This repo is archived. You cannot comment on issues.
Reference: privacyguides/privacytools.io#1822