DNS
On asking strangers for directions
October 13, 2017 — October 2, 2023
DNS determines where my devices go asking for directions on their way about the internet. My DNS setup thus impacts my security, safety, and convenience. My default DNS from my ISP is subject to AFAICT the highly criticised policy, within which your local council gets to know where you are browsing.
- I might like a DNS service that does not record where I browse, so that I am less easily tracked and profiled by corporate interest or nascent police states etc. One way to fix this is with a VPN, but if I don’t want that overhead, I can also specifically encrypt my DNS queries to a supported DNS server.
- I might like a DNS server that does not spoof sites. For example, when I work in Indonesia if I try to visit videos from Vimeo, I cannot do so without DNS hacks because otherwise I am redirected to a site which tells me that Vimeo is pornographic (!). In China, I understand this tactic is one way they enforce the great firewall. One way around this is DNSSEC, which guarantees authenticity.
- Contrariwise, I might like a DNS service that is deliberately broken and will simply not work for malevolent sites such as malware distributors and advertisers, because filtering this myself is becoming difficult with some browsers. Some people maintain their own blocklists, but I am sometimes happy to entrust a third-party DNS provider with this power if they seem trustworthy.
Update: see DNS Privacy a site which has more information than you could possibly want about the privacy details, or the IEEE overview.
1 Alternate DNS servers
1.1 Fancy
There are fancy DNS servers operated by e.g. Cloudflare and Adguard which offer value-added features such as censoring advertisers (and optionally “family unfriendly” content) by simply not resolving them and DNS-over-TLS.
Adguard is
or
Cloudflare is American and has enabled Nazi speech. Adguard operates in a Russian jurisdiction. What that says about the risk and benefit profiles of these organisations I leave you to decide for yourself.
Cisco’s opendns will do ad blocking, but not TLS-compatible.
1.2 Vanilla, Australian
Whirlpool’s list of DNS Servers to use in Australia. AFAICT only my ISP is required to log my DNS usage, so presumably I improve privacy somewhat by using any DNS server that is not my ISP’s.
1.3 Vanilla, global
CCC’s recommended DNS servers globally:
- 85.214.20.141 (FoeBud)
- 204.152.184.76 (f.6to4-servers.net, ISC, USA)
- 2001:4f8:0:2::14 (f.6to4-servers.net, IPv6, ISC)
- 194.150.168.168 (dns.as250.net; Berlin/Frankfurt)
- 213.73.91.35 (dnscache.berlin.ccc.de)
The Google Public DNS IP addresses (IPv4) are as follows:
- 8.8.8.8
- 8.8.4.4
The Google Public DNS IPv6 addresses are as follows:
- 2001:4860:4860::8888
- 2001:4860:4860::8844
2 Blocking some DNS records
I could do this myself with dnsmasq plus much love and attention and OCD, but I’m not quite anal retentive enough to get around to it. More comfortable might be to run a single board computer or vm as a net filter via pi-hole, which gives a nice GUI and monitoring system.
3 Encrypting DNS for privacy
3.1 encrypted responses: DNS-over-TLS
Want privacy about which sites you are requesting? This, de facto, means a standard called DNS-over-TLS.
There was also dnscrypt, which was abandoned so I guess you can ignore that.
How do we get our OS to make these encrypted queries? I guess proxying them? That seems to mean using stubby
and/or knot-resolver
, or dnsproxy.
3.2 Authenticated responses: DNSSEC
The authenticated DNS option is DNSSEC
.
Presumably we should all be using this but it still looks painful, at least on macOS and supporting code is everywhere. e.g. macos Apps can use DNSSEC; Can we force the entire OS to use DNSSEC?
That might need extra config. The server app of choice seems to be unbound
.
See Setting up your own DNSSEC-aware resolver using Unbound.
I suspect there is substantial overlap between unbound
, stubby
etc in practice. Geeks usually try to get All The Cryptography at once.
4 DNS reconfiguring
So I’m going to reconfigure my DNS to be more secure. To do this I will update DNS servers to be some DNS-over-TLS servers. and flush out the old poisoned records.
The OS can benefit from a DNS flush; but also the browser can keep stinky stale records around. Clearing browser DNS caches is also advised.
tl;dr you can and should use fancy encrypted DNS servers, but you can make life somewhat better by simply putting a new DNS service in your settings file e.g. Adguard, 176.103.130.130
and 176.103.130.131
or Cloudflare, 1.1.1.1
and 1.0.0.1
.
4.1 Ubuntu
First, I must configure my DNS settings. (I need to do this if I want to use VPN on linux apparently.)
If I want to encrypt, see Linuxbabe on DNS-over-TLS for Ubuntu using some app called stubby
. I presume it is doing something to improve my confidentiality.
In practice installing it is easy. On e.g. Ubuntu, this is as simple as
Settings go in a text file /etc/stubby/stubby.yml
; there is no settings GUI. The default settings work, but are slow. Then I am running your own DNS thingy on 127.0.0.1
(IPv4) or 0::1
(IPv6) on port 53 which will in turn forward queries to the DNS-over-TLS servers I configured.
Now! We have an easy-to-remember secure DNS server to put into the ‘dns server’ box of the wifi settings window.
Shortcoming: the GUI config for network settings in Ubuntu seems to want me to configure it anew for every different Wifi network, for both IPv4 and IPv6. Needs a universal workaround. I think this is achievable via manually editing resolve.conf
.
Having done that, I also needed to flush out the bad old records
4.2 macOS
Changing the default DNS is obvious —system settings. Making it specifically do something secure…
Lazy mode: macos config to set the system to use as much encrypted stuff as possible with the 9.9.9.9
resolver, using a .mobileconfig
: Setup: MacOS and DNS over HTTPS or DNS over TLS – Quad9 Internet Security & Privacy
For encrypted DNS, see Dan Pfiffer on DNS-over-TLS for macOS who walks through knot-resolver
. (watch out, there is was a typo in his config file and the identity keys don’t match the ones I got). (alt version.)
DNS flush command keeps changing, eh? I think this is the latest:
AFAICT this flushes more than the DNS cache — the dscacheutil
commands control Directory Services cache, which is a lot of stuff.
4.3 Windows
4.4 Android
🤷♂
4.5 iOS
One simple way seems to be the app dnscloak?
4.6 Fancy stubby config
Pro-tip: if you use stubby and you want faster DNS, don’t rotate through the long default list of slow servers settle on a short list of fast servers and rotate through them, disabling the others. e.g. Adguard and Cloudflare:
upstream_recursive_servers:
# Adguard servers
- address_data: 176.103.130.130
tls_auth_name: "dns.adguard.com"
- address_data: 176.103.130.131
tls_auth_name: "dns.adguard.comcloudflare-dns.com"
#CloudFlare servers
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
You can choose whether to rotate through them constantly or not with the following parameter:
There is a (more) fully secure version of DNS-over-TLS where you verify the server’s keys, presumably over a trusted network, to ensure you are connecting to the correct server. To find the encryptey verify key whatsit for e.g. 1.1.1.1
I am told you do this:
echo | openssl s_client -connect '1.1.1.1:853' 2>/dev/null | \
openssl x509 -pubkey -noout | \
openssl pkey -pubin -outform der |\
openssl dgst -sha256 -binary | \
openssl enc -base64
Surely this step is in itself vulnerable to spoofing, because I need to trust some set of intermediate certificates? Anyway, this should at least detect server identity changes hereafter? Probably?
If we do that, we get the following config. (You can copy this from me, but obviously it would be wiser to verify for yourself because if our identifiers differed it would mean we were being messed with).
upstream_recursive_servers:
# Adguard servers
- address_data: 176.103.130.130
tls_auth_name: "dns.adguard.com"
tls_pubkey_pinset:
- digest: "sha256"
value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
- address_data: 176.103.130.131
tls_auth_name: "dns.adguard.com"
tls_pubkey_pinset:
- digest: "sha256"
value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
# The Cloudflare servers
- address_data: 1.1.1.1
tls_auth_name: "cloudflare-dns.com"
tls_pubkey_pinset:
- digest: "sha256"
value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
- address_data: 1.0.0.1
tls_auth_name: "cloudflare-dns.com"
tls_pubkey_pinset:
- digest: "sha256"
# You probably also want to avoid little accidents by configuring IPv6 also?
# Adguard servers - address_data: 2a00:5a60::ad1:0ff
tls_auth_name: "dns.adguard.com"
tls_pubkey_pinset:
- digest: "sha256"
value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
- address_data: 2a00:5a60::ad2:0ff
tls_auth_name: "dns.adguard.com"
tls_pubkey_pinset:
- digest: "sha256"
value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
5 Flushing {#flush]
5.1 Ubuntu
6 Registering domains
For bog-standard purposes, a cheap registrar is fine. I use GANDI (and that is my affiliate link, use it to give me 5 Euros please).
For privacy-enhanced tinfoil-hat business, one might wish to anonymously own a domain. I am not sure about all the mechanics of this, but here are some recommendations I was given when I was curious about it:
We’re not actually a domain name registration service, we’re a customer to these. We sit in between the domain name registration service and you, acting as a privacy shield.
When you purchase a domain name through Njalla, we own it for you. However, the agreement between us grants you full usage rights to the domain. Whenever you want to, you can transfer the ownership to yourself or some other party.
PRQ is a 1337-lookin’ Swedish domain registrar that hosts weird hacker stuff.
Vindo offers anonymous domain registration as part of its hosting.