Opera Now Resolves the .Crypto Top-Level Domain

Opera recently announced that its browser would start resolving .crypto addresses. What makes this interesting is that .crypto is not an officially recognized ICANN top-level domain.

Rather, it is the work of Unstoppable Domains, which is an attempt to “replace cryptocurrency addresses with a human readable name.”

In an announcement of new updates to its browser, Opera wrote,

True crypto-geeks will appreciate the fact that Opera has also partnered with Unstoppable Domains, a blockchain naming system built on Ethereum.

Blockchain domain names are similar to .com or .org domains, the main difference being that they are stored on a decentralized public ledger (Ethereum). Registering .com or .org domains allows people to easily reach web addresses instead of having to type in a long IP address. A .crypto domain or wallet address works in much the same way, providing this experience on a blockchain. What this means in practice is that by owning a .crypto domain name, you can simplify your wallet address. Instead of sending someone a long set of numbers, you can use a short address like operafan.crypto, which makes it easier to send and receive cryptocurrencies in your wallet.

For those who don’t use Opera, there is a Chrome extension that will resolve the .crypto domain name space correctly within that browser as well.

Firefox Enables DNS over HTTPS

Mozilla created a bit of controversy today by enabling DNS over HTTPS by default in the United States.

DoH will encrypt DNS traffic from clients (browsers) to resolvers through HTTPS so that users’ web browsing can’t be intercepted or tampered with by someone spying on the network. The resolvers we’ve chosen to work with so far – Cloudflare and NextDNS – have agreed to be part of our Trusted Recursive Resolver program. The program places strong policy requirements on the resolvers and how they handle data. This includes placing strict limits on data retention so providers – including internet service providers – can no longer tap into an unprotected stream of a user’s browsing history to build a profile that can be sold, or otherwise used in ways that people have not meaningfully consented to. We hope to bring more partners into the TRR program.

I agree with Bruce Schneier that this “is a great idea, and long overdue.”

A lot of the criticism of DNS over HTTPS is reminiscent of the criticism over TLS 1.3. Enterprises took advantage of poor security in DNS and TLS 1.2 to manage their networks, which is understandable. But we shouldn’t kneecap the security of the 3.2 billion people worldwide who use the Internet in favor of special interests.

A lot of that criticism also involves “experts” talking out of both sides of their mouths. For example, Catalin Cimpanu offers contradictory complaints in ZDNet that, on the one hand, DoH doesn’t prevent ISPs or other network providers from tracking users.

But, in the same article, Cimpanu argues that DoH bypasses enterprise policies because it makes it impossible for those enterprises to track users.
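The DoH description above in wire terms, as an added example (not code from Mozilla or from the original post): it builds the DNS query that would otherwise cross the network in cleartext on port 53 and packs it into the RFC 8484 GET form that travels inside HTTPS. The resolver URL `https://doh.example/dns-query` and all function names are assumptions made for illustration.

```python
import base64
import struct

RESOLVER = "https://doh.example/dns-query"  # hypothetical resolver endpoint


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a DNS query in RFC 1035 wire format (qtype 1 = A record)."""
    # ID 0 (RFC 8484 suggests 0 so HTTP caches can match queries),
    # flags 0x0100 = recursion desired, one question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class 1 = IN


def visible_in_cleartext(query: bytes, name: str) -> bool:
    """Over plain UDP/53 these bytes are the payload; every label is readable."""
    return all(label.encode("ascii") in query for label in name.split("."))


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: base64url of the wire message, padding removed."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def name_from_doh_url(url: str) -> str:
    """What the resolver recovers after TLS termination: the original QNAME."""
    b64 = url.split("?dns=", 1)[1]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    labels, pos = [], 12  # the question section follows the 12-byte header
    while raw[pos] != 0:
        length = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


if __name__ == "__main__":
    q = build_query("www.example.com")  # constructed sample name
    print("cleartext labels visible:", visible_in_cleartext(q, "www.example.com"))
    print("DoH request target:", doh_get_url(RESOLVER, q))
```

The generated URL is the HTTP request target, so it is carried inside the TLS session; an on-path observer sees a connection to the resolver rather than the queried name.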

Microsoft Announces Plans to Add DNS Over HTTPS to Windows

Nice to see Microsoft join the DNS Over HTTPS crowd.

Here in Windows Core Networking, we’re interested in keeping your traffic as private as possible, as well as fast and reliable. While there are many ways we can and do approach user privacy on the wire, today we’d like to talk about encrypted DNS. Why? Basically, because supporting encrypted DNS queries in Windows will close one of the last remaining plain-text domain name transmissions in common web traffic.

Providing encrypted DNS support without breaking existing Windows device admin configuration won’t be easy. However, at Microsoft we believe that “we have to treat privacy as a human right. We have to have end-to-end cybersecurity built into technology.”

We also believe Windows adoption of encrypted DNS will help make the overall Internet ecosystem healthier. There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal. To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.

Handshake – A Decentralized Naming and Certificate Authority

Handshake is an attempt to create a decentralized naming and certificate authority.

Handshake is a decentralized, permissionless naming protocol where every peer is validating and in charge of managing the root DNS naming zone with the goal of creating an alternative to existing Certificate Authorities and naming systems. Names on the internet (top level domains, social networking handles, etc.) ultimately rely upon centralized actors with full control over a system which are relied upon to be honest, as they are vulnerable to hacking, censorship, and corruption. Handshake aims to experiment with new ways the internet can be more secure, resilient, and socially useful with a peer-to-peer system validated by the network’s participants.

Handshake is an experiment which seeks to explore those new ways in which the necessary tools to build a more decentralized internet. Services on the internet have become more centralized beginning in the 1990s, but do not fulfill the original decentralized vision of the internet. Email became Gmail, usenet became reddit, blog replies became facebook and Medium, pingbacks became twitter, squid became Cloudflare, even gnutella became The Pirate Bay. Centralization exists because there is a need to manage spam, griefing, and sockpuppet/sybil attacks. Previous decentralized systems largely stopped working due to spam. If it were more costly to grief on the internet using decentralized systems, the need for trusted centralized corporations to manage these risks decreases. Internet services and platforms may benefit from building on top of a decentralized system which is specifically designed for resilience against sybil attacks.

As we may redecentralize.

Cloudflare’s Encrypted DNS App for Android and iOS

Cloudflare recently released an app for Android and iOS that makes it easy for users to encrypt their DNS queries using Cloudflare’s 1.1.1.1 DNS resolver.

For once, I’m really not sure what the point is of a security tool like this. One of the criteria for using the 1.1.1.1 app is that you need to turn off any VPN you have activated. But I’m not really certain what the use case would be for wanting encrypted DNS but not a VPN.

Personally, I use ProtonMail’s VPN on my phone when I want privacy from the local network operator. There are issues with Proton, but its security is more than good enough for anyone not concerned about state actors in their threat model.