DNS Encryption
Background
Unlike most DNS services, ENUM requests contain the sort of information at the centre of the NSA and telco revelations of the past couple of years. Since we recently implemented our own name server software, we felt compelled to extend it to encrypt DNS requests and replies. We can only assume that the NSA is the only government spy agency to have made the news because it was the only one to get caught, not because it is the only one doing this; and if others aren't doing it now, they most likely will be within the next decade or so.
Besides the obvious government spying efforts, even if you have nothing to hide from any government, at least at this point in time, that doesn't mean you don't want to conceal your personal information from your neighbours, employers, employees, business competitors, or whoever else; the list can go on, and it is unique to each of our situations and to whatever it is we're doing that we don't want others to know about. No matter what you are doing, there is bound to be someone you don't want sticking their nose into your business. After all, if we weren't worried about everyone knowing everything that occurs in our lives, we wouldn't put curtains up in our houses.
We are currently writing an internet draft on this subject; as far as we are aware, there are no other internet drafts or RFCs that implement DNS query and response encryption.
We'll probably get yelled at by the DNS purists because we hacked it together and cheated a little in the process, but our intent was never to do anything more than a proof of concept showing that it could be done.
We haven't designed the system to be ENUM-specific, and it should be usable for any DNS, although it is possibly not the best way to do things and we would welcome further discussion on this topic.
What about DNSSec?
DNSSec and DNS encryption have much in common; however, DNSSec was only ever designed to authenticate that the DNS information you received hadn't been tampered with, and it doesn't handle encryption at all. Given how much the two technologies share, there was no reason DNSSec couldn't have included an encryption component as well.
Internet Draft
All the code running on our name servers has been updated to match the current internet draft, which can be viewed here: http://wiki.taug.ca/wiki/Draft-groth-dns-encryption
Proof of Concept
This code is currently not working; it will be updated shortly to match the internet draft being written. In the meantime, version 0.0.4 of the Asterisk FastAGI script has been updated to support the changes, so if you would like to view some concept code, scroll to the bottom of this page.
More information
[http://www.e164.org/enum2.phps Asterisk encrypted AGI ENUM lookup script]
[http://www.freepbx.org/trac/ticket/2797 FreePBX enumlookup.agi patch]
The FastAGI scripts are a work in progress; there are a number of issues, and we'd welcome help with the spit and polish.
[http://www.e164.org/enumlookup-0.0.4.fagi Asterisk FastAGI Encrypted ENUM Lookup 0.0.4]