Originally, I posted this as a reply to :
'Android stealthily forcing google dns'
http://forum.kitz.co.uk/index.php/topic,17374.msg317604.html#msg317604But I realised that it was:
a) completely off topic in
Computers & Hardware > Android & other hand held devices
and
b) too much of a thread hijack
So I thought better of that and tried to find a better place to post it.
'General Internet' seemed like a relevant area, but mods feel free to move this if I have overlooked a more appropriate sub-forum.
Anyways a comment from Chrysalis piqued my interest:
I am considering moving my DNS server out of the UK tho, as I wonder how much power the UK authority has in been able to get the transit provider at my UK location to sniff my dns traffic, the DNScrypt will encrypt between my router and the server which stops sky sniffing, but not from the server to other DNS servers. The problem been that DNScrypt is a hack, its not a standard, so there is no encryption protocol for server to server queries.
Similarly I prefer DNScrypt to encrypt client to server queries and similarly I prefer to administer my own DNS server with a free public service (opendns) as a backup.
ATM I run unbound as a server hosted DNS resolver, mostly for the ease of setup and maintenance since I feel that I can probably rely on Debian packagers for security updates.
I also had it in my mind to at some point change the setup to obfuscate the currently plaintext server-to-server queries that Chrysalis mentions.
However, in The Real Word, time is a finite resource, and I have not (yet) spent the time to reimplement an otherwise functional system.
The general idea would be to change from setup
A) (myclient) -> dnscrypt client proxy [1] ->
_encrypted_ (myserver) -> dnscrypt-wrapper [2] -> myDNS_daemon [ unbound | Powerdns | DNSmasq | Bind ] ->
_unencrypted_ root servers
to
B) (myclient) -> dnscrypt client proxy [1] ->
_encrypted_ (myserver) -> dnscrypt-wrapper [2] -> {DNSmasq -> dnscrypt client proxy} ->
_encrypted_ open public servers e.g opendns*
[1]
https://dnscrypt.org/#dnscrypt-proxy[2]
https://dnscrypt.org/#dnscrypt-server*
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csvThe basic idea behind configuring such an overly convoluted query architecture being that dnsmasq allows to control where the servers queries are directed to, and thus could be configured to despatch them via dnscrypt-proxy, which would thus allow them to be serviced by an encrypted server upstream.
Not exactly ideal, but possibly better than the existing undesireable plaintext.
As I happened to mention in another post earlier this morning, UKNOF34 had a couple of interesting presentations on the dnsdist configurable DNS server
http://forum.kitz.co.uk/index.php/topic,17559.msg321838.html#msg321838I see that this interesting line has appeared on the dnscrypt.org site at the end of para [1]
'dnsdist can act as a DNSCrypt server when compiled with --enable-dnscrypt.'
Which suggests that the following (much less complicated) setup is now a possibility
C) (myclient) -> dnscrypt client proxy [1] ->
_encrypted_ (myserver) -> dnsdist [3]
leaving open the question of
(myserver) -> [ root servers | open public servers e.g opendns ]
[3]
http://dnsdist.org/README/#DNSCryptSo it looks like there may now be 2 FOSS server based solutions possible.
I would appreciate any thoughts/comments/suggestions from anyone interested in the provision of encrypted DNS.
Thanks for reading this far!
p.s. Anyone interested in providing encrypted DNS services to their LAN can easily do so via OpenWRT
https://wiki.openwrt.org/inbox/dnscrypt 
p.p.s. Anyone interested in trying the namecoin encrypted DNS service can easily do so via the Gargoyle open source router project where it has been integrated into the GUI for years.
https://www.gargoyle-router.com/phpbb/viewtopic.php?f=3&t=2120
