DNSCrypt Proxy v1 replaced by v2 #384
@beerisgood Yes, I saw that when I was writing the issue, but at that time, the repository had just been created—it didn't even have a README yet. Now, it appears that work is proceeding quickly. So, dnscrypt-proxy v2 will likely be the replacement for v1. However, there is still the issue of what to put on the website for the time being. Sometime between this issue being posted and this comment now, the domain dnscrypt.org was snapped up by a domain parker. Now, it points to nothing—the http version of the site returns a 403, and the https version can't even be loaded because the certificate is configured incorrectly. I see two options if DNSCrypt is kept on the list of recommendations. Either we change the URL to point to Dyne's fork of v1, or we point it to Denis's v2 alpha. Which choice is best? Keep in mind that the documentation for both versions is spotty as of now, which may make it difficult for newcomers to use them. The only v1 documentation I know of is through the Wayback Archive of the website (the GitHub wiki was not archived), and the Arch wiki. For v2, there are some comments in its configuration file that explain how it works. v2 seems to be pretty similar to v1, though, so most of the documentation for v1 probably applies to v2 too.
Clearly, DNSCrypt should be removed forthwith until the situation described above settles. This site should be listing reliable options --- not the up-in-the-air, transitory or unpredictable!
Yes, I agree with that. Here is some more information I've dug up on the situation: This issue from snorkasaurus's fork of DNSCrypt was created around the time the original repo was archived. It provides an explanation for the other fork of the original DNSCrypt, which is housed under the new DNSCrypt organization, along with what seems to be the rest of the original DNSCrypt repos. Apparently, this organization was created by Denis himself. The only public member of the organization, though, is Fusl, who is a member of the OpenNIC (if that has anything to do with it). Unlike Dyne's fork, which they promise to keep maintained (and feature-frozen), this fork is only a clone of snorkasaurus's fork, which was updated on the day the original repo was set to read only. So, the situation is as follows:
For all these reasons, DNSCrypt should be removed from the list of recommendations. When or if an official statement comes out about the status and future of the project (including the resolvers), or v2 is stable, then it might be added back. For now, it's best to explore alternatives like DNS-over-TLS or DNS-over-HTTPS. Any suggestions would be much appreciated (they should be filed in a separate issue, though).
The problem with DNS over TLS is that it leaks the hostname in plain text by the Server Name Indication (SNI) extension for TLS. DNSCrypt V2 may be better.
I think you're mixing HTTPS (HTTP over TLS) with DNS-over-TLS. The purpose of DNS-over-TLS is to encrypt which hostname you are looking up, and as such it would make no sense to leak the hostname through SNI. DNS-over-TLS is the recommended way to secure your DNS requests, and is used by companies like Google. Both DNS-over-TLS and DNSCrypt provide confidentiality (encrypting your requests) and authenticity (preventing tampering).
Thanks @NPN, I haven't had the chance to look properly at the new DNSCrypt project, thanks for the detailed write-up. I've currently removed the links and added a warning not to refrain from using DNSCrypt for now.
Further discussion about replacements should be held in a separate issue though.
Alright, it's been a while, and I think it's safe to add DNSCrypt back. Changes since January:
It's clear now, what with the steady releases, that DNSCrypt is back. The domain and forks issues have also been resolved, so I think there is nothing standing in the way of adding DNSCrypt back to the website.
Let’s show a courtesy by notifying @jedisct1, the maintainer of DNSCrypt, that his brainchild is on trial.
DNSCrypt has been abandoned by its creator, Frank Denis. On November 10, 2017, Denis tweeted that the project was looking for new maintainers. Some time later, the project repository was moved to Dyne, the new maintainers (edit: here is a tweet from them).
The README on Dyne's repository explains that DNSCrypt will continue to be maintained until "a viable and mature alternative arises," because Dyne relies on it for their project Dowse.eu. However, no new features will be added. Similarly, the first commit after the transfer states that:
The domain dnscrypt.org is still registered under Denis, but now redirects to https://dnsprivacy.org/wiki/, the site for the "DNS Privacy Project." As the Dyne README explains:
Denis has created a new repository under the same name as before, and is writing "a new implementation [of DNSCrypt] that sucks less."
I am uncertain of the status of the DNSCrypt resolvers. DNSCrypt is still working for me right now, so they probably haven't all shut down. The resolver list page is no longer available because the website is gone, but the CSV resolver list is still in Dyne's repository.
I don't have an answer for what to do here. This issue is more of a report to explain what has been going on. DNSCrypt could be kept on the website, as it will be maintained for a while. Denis's rewrite is still very young (as of writing this issue, the first commit was just a few hours ago), so it likely won't be an option for the foreseeable future.
If DNSCrypt is kept, the link to dnscrypt.org should be removed or changed to point to the most recent Wayback Machine version, since the new site has nothing to do with DNSCrypt. Regarding the old website and GitHub wiki, Dyne says that they are willing to host them, but only if Denis gives them the archives.
Feel free to leave suggestions for what should be done, or for replacements for DNSCrypt. Perhaps DNS-over-TLS might be worth exploring?