[Dnsmasq-discuss] Suggestion: DNSCrypt
Petr Menšík
pemensik at redhat.com
Thu Jan 14 13:13:23 UTC 2021
Hi Riley,

First part is, dnscrypt seems obsoleted by DNS over TLS and DNS over
HTTPS. I think there is no advantage in using dnscrypt instead. Could you
name any advantage of dnscrypt over one of the standardized protocols?

Rewriting BSD licensed files under GPL is not okay, but using BSD in a GPL
project is possible. I am not sure dnsmasq has well prepared TCP-only
forwarding code prepared for additional encapsulation, but I might be wrong.

I am not sure it is worthwhile to implement encryption in dnsmasq itself.
It would bloat dnsmasq with a not small library dependency and
non-trivial code. Is there any reason why a configuration bundled with
another dnscrypt-proxy instance, for example, is not desired instead?

On 1/7/21 8:44 AM, Riley Paxton wrote:
> Awesome!
>
> The problem is, I'm not a developer. Well, I know some C, but not *that* well.
>
> I was looking around, and I stumbled on a Git repo called "dnscrypt-wrapper". It has been 2 years since the last update, but I think the code itself is still good enough.
>
> Link here: https://github.com/Cofyc/dnscrypt-wrapper
>
> Specifically, I was skimming over "dnscrypt.c" and "dnscrypt.h" files.
>
> It is BSD licensed, and the code is simple enough that it could be rewritten as GPL, I think.
>
> It is also written in C, so I suppose the semantics of the code can be looked over by others. I wonder if this will work?
>
> If anyone out there wants to take a crack at it, I hope it will help.
>
> It also appears to depend on libsodium, so that will also add another dependency to dnsmasq (I do not think libevent is needed).
>
> So that dependency is something to consider, especially if the dnsmasq author/developers are not comfortable making their own encryption library. Haha.
> -------- Original Message --------
> On Jan 6, 2021, 22:48, Patches Welcome wrote:
>
>> On Thu, Jan 07, 2021 at 01:05:27AM +0000, Riley Paxton wrote:
>>> Hey,
>>>
>>> dnsmasq does a lot, but it doesn't do DNSCrypt. :)
>>>
>>> I was wondering if there were any plans to get this baked in anytime?
>>>
>>> It is pretty bothersome to have to run `dnscrypt-proxy` with Debian,
>>> cumbersomely edit the freaking systemd socket file with `systemctl
>>> edit dnscrypt-proxy.socket` and make it run on a different port, since
>>> I really want dnsmasq to be the authoritative (only) DNS on standard
>>> port 53.
>>>
>>> Granted, I was able to completely replace `radvd` with the minimal
>>> IPv6 RD technology I needed in dnsmasq, so thank you all for that one!
>>>
>>> But now it's 2021. So where is DNSCrypt?
>>>
>>> I feel like this is needed to keep dnsmasq modern and relevant. What
>>> do you all think?
>>
>> P W
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB