DNS over TLS forwarding howto
-
I too have privacy concerns and struggled with trusting OpenDNS vs using the resolver and opted to use resolver and have my DNS requests go thru my VPN only.
I went to Services -> DNS Resolver -> General Settings tab -> Outgoing Network Interfaces -> Selected only my VPN interface (vs WAN and VPN Interface).
Wouldn't this encrypt my DNS traffic? How is using DNScrypt or TLS any better?
Thanks for posting PertFlavus…good discussion!
-
Sending your dns through your vpn would hide it from your ISP, it would prevent your isp trying to do dns interception. But once the query leaves your vpn endpoint it would be in the clear still. Your vpn provider could be logging all the dns if they so desired..
When you use a vpn, your trusting them not be logging or looking at your traffic because..
dnscrypt just encrypts validates that your asking the forwarder your linking to.. Still run into the problem that you are giving them all of your dns queries, and have to trust them that they are giving you good data, etc. All that does just like the tls thing is hide it from your isp.. And again could prevent dns interception that your isp would be doing.
I really do not get all this concern over dns leaks or god forbid my isp sees my that I looked up www.domain.tld
So do you not have a smart phone - because shoot your provider and really anyone else with access using that phone knows exactly where you are 24/7
Do you not use CC? They know exactly what and where and when you bought a box of condoms and what beer you like, etc.
Do you where a mask when you go outside, since the the camera's that are every where could be doing facial recognition on you. Do you not use automatic tolling because the toll company knows exactly when you pass every toll booth.. For that matter they can track you in your car as you drive around the city via your license plate and all the speed camera's
There is the impression of privacy, then their is reality of it all.. I personally don't really give two shits that my ISP knows that I went to forum.pfsense.org etc.. But that is just me.. What I would be more worried about is the place I get sent to for forum.pfsense.org is actually that - per the domain owners signing their records via dnssec and directly asking the listed authoritative NS.. Which brings a valid point pfsense.org be using dnssec which it is not.
Should prob bring that up to them.. Since they provide unbound using dnssec as their default deployment, would be nice if their own domains were dnssec ;) Same goes for netgate.com which I see also that they are missing their AAAA glue as well.
-
Can also add "qname-minimisation | -strict" to reduce what gets sent during the resolving process… Should probably be an option in the pfSense Unbound GUI...
https://www.unbound.net/documentation/unbound.conf.html
https://ripe72.ripe.net/archives/video/219/qname-minimisation: <yes or="" no="">Send minimum amount of information to upstream servers to
enhance privacy. Only sent minimum required labels of the QNAME
and set QTYPE to NS when possible. Best effort approach; full
QNAME and original QTYPE will be sent when upstream replies with
a RCODE other than NOERROR, except when receiving NXDOMAIN from
a DNSSEC signed zone. Default is off.qname-minimisation-strict: <yes or="" no="">QNAME minimisation in strict mode. Do not fall-back to sending
full QNAME to potentially broken nameservers. A lot of domains
will not be resolvable when this option in enabled. Only use if
you know what you are doing. This option only has effect when
qname-minimisation is enabled. Default is off.</yes></yes> -
Sending your dns through your vpn would hide it from your ISP, it would prevent your isp trying to do dns interception. But once the query leaves your vpn endpoint it would be in the clear still. Your vpn provider could be logging all the dns if they so desired..
When you use a vpn, your trusting them not be logging or looking at your traffic because..
dnscrypt just encrypts validates that your asking the forwarder your linking to.. Still run into the problem that you are giving them all of your dns queries, and have to trust them that they are giving you good data, etc. All that does just like the tls thing is hide it from your isp.. And again could prevent dns interception that your isp would be doing.
I really do not get all this concern over dns leaks or god forbid my isp sees my that I looked up www.domain.tld
So do you not have a smart phone - because shoot your provider and really anyone else with access using that phone knows exactly where you are 24/7
Do you not use CC? They know exactly what and where and when you bought a box of condoms and what beer you like, etc.
Do you where a mask when you go outside, since the the camera's that are every where could be doing facial recognition on you. Do you not use automatic tolling because the toll company knows exactly when you pass every toll booth.. For that matter they can track you in your car as you drive around the city via your license plate and all the speed camera's
There is the impression of privacy, then their is reality of it all.. I personally don't really give two shits that my ISP knows that I went to forum.pfsense.org etc.. But that is just me.. What I would be more worried about is the place I get sent to for forum.pfsense.org is actually that - per the domain owners signing their records via dnssec and directly asking the listed authoritative NS.. Which brings a valid point pfsense.org be using dnssec which it is not.
Should prob bring that up to them.. Since they provide unbound using dnssec as their default deployment, would be nice if their own domains were dnssec ;) Same goes for netgate.com which I see also that they are missing their AAAA glue as well.
To be clear, I did it because I could. It was fun. I also was able to host my own dns server, which wouldn't normally be possible, as it uses a different port/tcp. My VPS provider isn't as incentivised to scrape my traffic for ad revenue like google or my ISP are. Encrypting DNS by itself does nothing to keep your internet use private by itself though because https sends the hostname in a SNI request over plain text. That might change with TLS 1.3.
Baby steps John, baby steps. Google's going to get their info one way or another anyhow. (And probably through DNS over TLS! https://www.xda-developers.com/android-dns-over-tls-website-privacy/ ) glares at Android phone
I've considered just sending my internet connection through my VPS using OpenVPN but I don't think it's performance is up to snuff. I also turned off dns over tls for now because of the above points. I just figured I'd share how to do it to show it's possible, and without an FR for support.
-
I see this use case scenario as prob not all that bad..
I run a vps somewhere. On this vps out in the cloud I run a resolver.. I use dns over tls to talk to this resolver via forwarding from my location..
This hides your dns traffic from your isp.. This also hides your IP from from roots, and the authoritative servers even.
This allows you to use a resolver that you trust - your freaking running it ;) Hides your dns traffic from your isp.. And prevents any so called dns leaks…
-
It's not bad, so far but you'll need more than one. Linode has $5 nodes, so if you get two in different data centers you're good to go.
Latency on lookup is noticeable. Quarter secondish. My servers don't support tcp fast open and they're uncached queries, so I couldn't tell you which is causing the delay.
I can post my unbound server configs if you want to give it a try.
@BBcan177
qname-minimization appears to work fine, so I've updated the config. Thank you. =) -
"I can post my unbound server configs if you want to give it a try."
Thanks.. But have no real desire to try this at all.. Like I said I don't really care that my isp or roots can see that I go to forum.pfsense.org ;)
Its nice of you to share you info with the shinyhats out there.. But to me this is just waste of time.. You mean it slows down my dns.. Well sure sign me up! ;) lets give that a run hehehehehe
But why do you need two vps nodes? As long as the node is up, you sure don't need 2 of them.
Now what bcan posted about qname-minimisation, this is good way to help out the shinyhat wearers and not add complexity and layers and latency to your dns I would think.. I might play with that a bit to see if have any issues resolving stuff I go to..
-
Why do you need two vps nodes? As long as the node is up, you sure don't need 2 of them.
Because, at some point, it won't be, and there's not a damned thing you can do about that. It's another con to the waste of time.
In the above config your internet will totally stop working if the dns server you forward to is inaccessible because, say, your vps provider gets ddos'd ;)
-
My internet could also go down, I could loose power.. There could be a zombie Apocalypse as well ;)
As to the damn thing I could do about sure, if that vps goes down I just resolve normally… No reason to pay for extra vps because I would be worried that my vps provider gets hit with a ddos ;) hehehe
I use 3 different hosts for vpses - none of them have gone down because of ddos ;) tat I can recall They have had maint, sure.. But to be honest pretty freaking impressed with the uptime.. Especially the the main one I use where I have 4 different vps int 3 different data centers, etc.
But sure yes failover planning and redundancy is part of any system that needs to be taken into account sure.
-
John personally I run my own dnscrypt endpoint, and I would do the same if I switched to unbound TLS.
In some parts of the world (UK especially) isp's actually intercept and filter DNS queries (yes this would also catch queries using pfsense as the resolver as its outbound port 53 to query authoritative servers) so there is net value to carrying out DNS privacy. So I think in that case even using a 3rd party server would be worthwhile.
-
If your isp is doing dns interception and doing any sort of injection or filtering to stop you from looking up something then by all means this makes sense.. Be it dnscrypt/tls tunnel - vpn, etc. To get your data past such network.
My guess is they are attempting to block p2p sites, etc. But doesn't matter what they are blocking - blocking whatever it is to me in violation to what they are suppose to be doing which is just providing you a net connection. If you want to lookup up p0rn, p2p, whatever - and its out there.. They shouldn't be messing with your ability to look up the IP that is for sure.
But if all they are doing is logging it.. Then I don't give 2 shits.. If they want to sell it to someone that I seem to like xyz I really don't care. But they better not mess with what is to be returned from the authoritative server.. If they were doing such a thing I would be on a different isp..
-
John personally I run my own dnscrypt endpoint, and I would do the same if I switched to unbound TLS.
In some parts of the world (UK especially) isp's actually intercept and filter DNS queries (yes this would also catch queries using pfsense as the resolver as its outbound port 53 to query authoritative servers) so there is net value to carrying out DNS privacy. So I think in that case even using a 3rd party server would be worthwhile.
Damn.. that's terrible.. but why do they stop at dns when they could also filter http/https? I don't suppose you know a good source that describes this? I'd be interested in learning about it. I'm really hoping tls 1.3 includes a way to encrypt sni.
-
John yes UK isps commonly block p2p and other undesirable sites, there may be other motives for them to do so also. But it is common practice in the UK sadly on the major isps.
Just wanted to point out in some parts of the world on some isps there is a definite good reason to mask out DNS traffic. :)
-
So why don't you just run through a vpn and be done with it?
Here is a question for you.. Are they actually doing interception, or is their isp dns is just not returning the stuff they want you not to go to? Its a whole different ball game to just block specific dns in your dns that your running vs intercepting users dns, or blocking outbound on 53..
-
Can also add "qname-minimisation | -strict" to reduce what gets sent during the resolving process… Should probably be an option in the pfSense Unbound GUI...
https://www.unbound.net/documentation/unbound.conf.html
https://ripe72.ripe.net/archives/video/219/qname-minimisation: <yes or="" no="">Send minimum amount of information to upstream servers to
enhance privacy. Only sent minimum required labels of the QNAME
and set QTYPE to NS when possible. Best effort approach; full
QNAME and original QTYPE will be sent when upstream replies with
a RCODE other than NOERROR, except when receiving NXDOMAIN from
a DNSSEC signed zone. Default is off.qname-minimisation-strict: <yes or="" no="">QNAME minimisation in strict mode. Do not fall-back to sending
full QNAME to potentially broken nameservers. A lot of domains
will not be resolvable when this option in enabled. Only use if
you know what you are doing. This option only has effect when
qname-minimisation is enabled. Default is off.</yes></yes>This looks incredibly easy to implement in the unbound package. I'll see if I can get a pull request for this soon. I will most likely not include a -strict option though as I don't see a reason to have it.
edit: Maybe not so easy. I saw the files to edit in https://github.com/pfsense/pfsense-packages to edit, but I can't find the xml files or the inc files in the new repo, https://github.com/pfsense/FreeBSD-ports =/
-
For me, unbound solved most of my DNS issues since I get to be my own dns server and the info comes directly from the root servers.
The only way it could get better is if I typed in all the names and IPs by hand… My hands hurt just thinking about it.
-
Hi all,
I have been following this thread and reading up a bit more on qname-minimisation. Also found some info about the topic at this source:
https://tools.ietf.org/html/rfc7816
In order to enable this feature in pfSense DNS resolver, it is as simple as adding the appropriate line(s) to unbound.conf and then restarting Unbound? If so, where is unbound.conf located in pfSense?
One thing I'm not quite sure on: Does this still offer protection when the DNS Resolver in pfSense is enabled with forwarding (to e.g. OpenDNS or Google instead of going to the root DNS servers)? Or does it not offer any privacy enhancement in that case?
Thanks in advance for your help, I really appreciate it.
-
"forwarding (to e.g. OpenDNS or Google instead of going to the root DNS servers)?"
Thought you said you read the RFC?? When you use the forwarder you do not talk to roots, you would have to send the forwarder the FULL thing your looking for, not just the pieces of the fqdn you need to find the authoritative server. So you could ask it for the record..
So in this scenario instead of asking roots hey whats the NS for .com in www.domain.com - its just asks hey whats the NS for .com
Then asks hey NS for .com whats the NS for domain.com, vs asking for NS of www.domain.comHow would that work with a forwarder?
You do not need to edit the conf file directly.. Just add it to the custom options box.
here… This simple.. see attached.
I ask the resolver hey www.testthisdomain.com and it just ask the NS for .com for testthisdomain.com vs the www.testthisdomain.com see attached sniff pic.
dig -x 192.31.80.30 +short
d.gtld-servers.net.;; QUESTION SECTION:
;com. IN NS;; ANSWER SECTION:
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
-
The spec was a good read. I removed it from the config above since forwarding to a DNS over TLS server would defeat the point, and I don't know if qname-minimisation is ignored automatically or not in this config. For now, DNS over TLS has to be explicitly enabled and does not work at all if the server's queried do not support it.
I also created an FR to add this as an option within the Advanced UI, so if anyone has anything to add… That's where I'd recommend doing it.
https://redmine.pfsense.org/issues/8028
edit: I wish i could edit these FR's for typos lol. How embarassing...
-
I added note to your FR, that I am now using the strict option as well.
If you or anyone else running the
server:
qname-minimisation: yes
qname-minimisation-strict: yesOptions in the custom option box find any domains your having a problem resolving - please post them so we can look resolving issue related to the settings or something, etc. I will post back after say a week or so if run into any problems.
