cDome Shield - Support for DNSCrypt or DNS-over-TLS for encryption of DNS requests

Hello fellow Comodo Geeks,

I’ve not been able to find anything about cDome Shield having DNSCrypt or DNS-over-TLS capabilities. DNSCrypt encrypts DNS requests from the client to the DNS server using elliptical curve encryption so that DNS requests can’t be intercepted/modified. This is something that OpenDNS/Cisco Umbrella has supported for a number of years. The truth is not many firewall products have support for it. I currently use it with a Shibby Tomato-based router which does. I’d like to see either DNSCrypt or DNS-over-TLS or both integrated into Shield and for the Comodo Dome firewall to have the client(s).

See the following for more info:
DNSCrypt: https://dnscrypt.org/ - There may be an opportunity to promote Comodo by sponsoring/assisting with its development, as the primary author has been maintaining it for 6 years and is ready to move on to other things.
https://github.com/jedisct1/dnscrypt-proxy/issues/769

DNS-over-TLS: https://dnsprivacy.org/wiki/display/…oject+Homepage

C1 Partners please chime in on the topic. I’m curious to know how many are familiar with DNS encryption and if so, how they’ve implemented it.

Edit: I’ll also add that encrypting DNS requests keeps them private in transit and largely prevents ISPs and others from easily snooping the DNS requests themselves which is helpful in reducing intrusive data collection. However, it doesn’t prevent them from seeing where your packets are going once you are connected to the service looked up in DNS. Every little bit of privacy counts though.

Regards,
-felipe

Hi @vitalsupport
We have forwarded your inquiry to the Comodo Dome team. We will update this post as soon as we get word from them. We appreciate your patience on the matter.

@Rick_C Thank you for your attention to the request!

Dome Shield supports DNSCrypt. Shield agents come with that functionality by default. So all DNS requests are encrypted and you don’t have to worry about privacy.

@ozermetin I appreciate your reply, and that is great to know, especially for roaming laptops/mobile devices, but not all of the computers or devices may have Shield agents installed on them. For general network protection the on-premise router or Windows AD DNS server would forward client requests to Shield DNS servers. Some routers support one of the two encryption methods and more likely will over time. I’d like to see this implemented in Shield in such a way that any DNSCrypt and DNS-over-TLS capable device can communicate with the Shield DNS service directly.

Regards,
-felipe

I believe there are cDome Shield VMs that work with the onsite internal and external services.