Dnscrypt-proxy: DNScrypts new automatic De-anonamization feature

Created on 26 Mar 2020  路  5Comments  路  Source: DNSCrypt/dnscrypt-proxy

@jedisct1 You claim "And yes, if packets are dropped during the fragment test, anonymization will be disabled" its an automated test.

Dnscrypt is still querying cisco, and all the other relayed servers while at the same time claiming they "do not support anonamization"... so what the hell is going on with these servers? Are telling you us you have automatically de-anonamized these queries?

thats like de-balling tor. self defeating. more like kamakazee.

Please elaborate, if you are capable.

All 5 comments

If a 1450 bytes query is sent to these servers, it will go through.
If a 1500 bytes query is sent to these servers, they currently ignore it and will not sent a response.

For Cisco, this is a regression that was introduced a couple months ago.

For cleanbrowsing, quad9, qualityology.com, sth-dnscrypt-se, ams-dnscrypt-nl and freetsa.org, it may have been around forever. What they all have in common is a large certificate TTL, so I guess they don't run the same software as others. I know quad9 is using dnsdist, so this is likely where the issue has to be fixed.

Correctly handling any query size is required for anonymization to work reliably.

Instead of removing these servers, I'm currently trying to do my best to implement workarounds so that, at least without anonymization, they can be used reliably.

Initial investigations showed that dnsdist made that change:

Ignore Path MTU discovery on UDP server socket

that went into dnsdist 1.4.0, released on November 2019.

It may be what inadvertently broke the protocol.

@jedisct1 So when you say "Correctly handling any query size is required for anonymization to work reliably." Do you mean our anonymity is perfectly fine, only that the anonymous protocol occasionally has reliability issues receiving 1500 byte queries? because it was working fine 99.9% of the time with the servers I prefer, now 0% with your fix.

Please elaborate and please explain if your "fix" automatically disables anonymity as you previously suggested. I don't know if you broke my anonymity or not.

"And yes, if packets are dropped during the fragment test, anonymization will be disabled"

Please elaborate and please explain

Sorry, I don't have time to complete your assignment, whose description was already edited 9 times in 30 seconds. I'd rather try to help these servers fix the root cause.

So you wont explain to your users if you broke our anonymity and will be happy to leave us clueless. If you do not answer that it is pretty clear to me you are not a reliable or trust worthy programmer.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

dongjuanyong picture dongjuanyong  路  3Comments

Decopi picture Decopi  路  6Comments

EstherMoellman picture EstherMoellman  路  5Comments

dduransseau picture dduransseau  路  5Comments

Ambitious-Dreamer picture Ambitious-Dreamer  路  4Comments