Encrypted DNS Request and Replies

evilbunny · 04-19-2008, 08:22 AM

Unlike most DNS services ENUM requests contain the sort of information that the NSA and telcos were caught up in the previous couple of years. Of late we have implemented our own name server software so we felt compelled to extend this to encrypt DNS requests and replies. We can only assume the only reason that the NSA is the only government spy agency that has made the news is because they were the only ones to get caught, not because they are the only ones doing it, or if others aren't doing it now they most likely will be within the next decade or so.

Besides the obvious government spy efforts, even if you have nothing to hide from any government, at least at this point in time, that doesn't mean you don't want to hide or conceal your personal information from your neighbours, employers, employees, your business competitiors or whoever the list can really go on and is unique to our own situations and what it is we're doing that we don't want others to know we're doing. No matter what you are doing there is bound to be someone you don't want sticking their nose into your business. After all, if we weren't worried about everyone knowing everything occurring in our lives we wouldn't put curtains up in our houses.

Currently there is no internet draft nor RFC covering this subject as far as I/we are aware, but that will be the next step for us from here.

The actual code doesn't decode the DNS response, I have compared the responses to a normal response and they matched but my intention wasn't to re-invent the wheel only prove that encrypted and unencrypted DNS lookups could utilise the same name servers without too much trouble.

DNS Encryption - e164.org Wiki

If you really did want to do a dig replacement using this code it wouldn't be that difficult since most of the code is written, all you have to do is parse the information returned, then again I'm pondering about finishing the code simply so it can be easily integrated into things like FreePBX.

I'll probably get yelled at by the DNS purists because I hacked it together and cheated a little in the process, but again my intent wasn't
to do anything more than a simple proof of concept to prove that it could be done.

I haven't designed the system to be ENUM specific and should be usable for any DNS although it's possibly not the best way to do things and I'd be open to further discussions on this topic.

.

04-19-2008, 08:22 AM	#1
evilbunny Senior Member Join Date: Feb 2006 Posts: 176 Thanks: 0 Thanked 14 Times in 10 Posts	Encrypted DNS Request and Replies Unlike most DNS services ENUM requests contain the sort of information that the NSA and telcos were caught up in the previous couple of years. Of late we have implemented our own name server software so we felt compelled to extend this to encrypt DNS requests and replies. We can only assume the only reason that the NSA is the only government spy agency that has made the news is because they were the only ones to get caught, not because they are the only ones doing it, or if others aren't doing it now they most likely will be within the next decade or so. Besides the obvious government spy efforts, even if you have nothing to hide from any government, at least at this point in time, that doesn't mean you don't want to hide or conceal your personal information from your neighbours, employers, employees, your business competitiors or whoever the list can really go on and is unique to our own situations and what it is we're doing that we don't want others to know we're doing. No matter what you are doing there is bound to be someone you don't want sticking their nose into your business. After all, if we weren't worried about everyone knowing everything occurring in our lives we wouldn't put curtains up in our houses. Currently there is no internet draft nor RFC covering this subject as far as I/we are aware, but that will be the next step for us from here. The actual code doesn't decode the DNS response, I have compared the responses to a normal response and they matched but my intention wasn't to re-invent the wheel only prove that encrypted and unencrypted DNS lookups could utilise the same name servers without too much trouble. DNS Encryption - e164.org Wiki If you really did want to do a dig replacement using this code it wouldn't be that difficult since most of the code is written, all you have to do is parse the information returned, then again I'm pondering about finishing the code simply so it can be easily integrated into things like FreePBX. I'll probably get yelled at by the DNS purists because I hacked it together and cheated a little in the process, but again my intent wasn't to do anything more than a simple proof of concept to prove that it could be done. I haven't designed the system to be ENUM specific and should be usable for any DNS although it's possibly not the best way to do things and I'd be open to further discussions on this topic. .