DNS-over-TLS with DNSSEC

mollydarknet

DNS-over-TLS with DNSSEC

Post by mollydarknet » Thu Mar 14, 2019 9:44 pm

I'm going to show you how to encrypt DNS traffic. Warning: the 'unbound' DNS package from 'apt' does not support validating certificates; if you need certificate validation you must build 'unbound' from source.

Using encrypted DNS does slow load times but Unbound also caches requests and prefetches; you can use dig to confirm this. You're trading speed for privacy.

More info on DNS privacy https://dnsprivacy.org/wiki/display/DP/ ... he+Problem

If you have manually disabled IPv6 through sysctl, make sure 'net.ipv6.conf.lo.disable_ipv6 = 0'.
You can issue this command to be sure:

cat /proc/sys/net/ipv6/conf/lo/disable_ipv6

It should return 0.

First install the required packages:

sudo apt install unbound openresolv

Then enable unbound:

sudo systemctl enable unbound.service unbound-resolvconf.service

Disable systemd DNS:

sudo systemctl disable systemd-resolved.service

If you're using Network Manager, then issue this command:

printf "[main]\ndns=none" | sudo tee /etc/NetworkManager/conf.d/dns.conf

Then we need to configure openresolv:

sudo sed -i 's/^#name_servers=127.0.0.1/name_servers="127.0.0.1 ::1"/' /etc/resolvconf.conf

Now we will configure unbound:

sudo nano /etc/unbound/unbound.conf.d/dns-over-tls.conf

Copy the code below and paste it into nano with Shift-Ctrl-V. Close and save with Ctrl-X, then hit Y and press the Enter key.

server:
    # Hardening: minimise what leaves the resolver and what it will accept
    qname-minimisation: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-algo-downgrade: no # false positives with improperly configured zones
    use-caps-for-id: no # makes lots of queries fail
    hide-identity: yes
    hide-version: yes
server:
    # Caching and prefetching to offset the extra latency of TLS forwarding
    prefetch: yes
    prefetch-key: yes
    msg-cache-size: 128k
    msg-cache-slabs: 2
    rrset-cache-size: 8m
    rrset-cache-slabs: 2
    key-cache-size: 32m
    key-cache-slabs: 2
    cache-min-ttl: 3600 # keep cached answers at least an hour even if the zone's TTL is shorter
    num-threads: 2
server:
    # Listen on IPv4 loopback only and refuse anything that is not local.
    # The ::1 entry written to resolv.conf above is not served unless you
    # also add "interface: ::1" and "access-control: ::1 allow".
    interface: 127.0.0.1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.1/32 allow

forward-zone:
    name: "."
    # Cloudflare DNS over TLS on port 853 (forward-ssl-upstream is the older
    # name of forward-tls-upstream; both are accepted)
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853

REBOOT

The three big companies that offer encrypted DNS are Cloudflare, Quad9, and Google. I chose Cloudflare because it has been the most reliable, doesn't record IP addresses, and dumps logs every 24 hours. I've had reliability issues using Quad9. I have not used Google because... well, it's Google.

Thanks,
Molly

###############################################################

Don't like the new setup? This is how to go back to using systemd-resolved.

First disable unbound:

sudo systemctl disable unbound.service unbound-resolvconf.service

Enable systemd-resolved:

sudo systemctl enable systemd-resolved.service

Remove the NetworkManager directive that tells it not to manage /etc/resolv.conf:

sudo rm /etc/NetworkManager/conf.d/dns.conf

REBOOT

Also, if you'd like, you can remove/purge unbound:

sudo apt remove --purge unbound openresolv

Thanks, Molly
Last edited by mollydarknet on Fri Mar 15, 2019 9:03 pm, edited 1 time in total.
I'm just a glitch in the matrix...
friends don't let friends use Google
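An added verification script for the setup above (not from the post and not part of unbound's own tooling): classify_dig reads dig output and tells validated, bogus and insecure answers apart, resolvconf_is_local checks that nothing in resolv.conf can bypass unbound over plaintext port 53, and check_live runs both against the local resolver. It assumes dig is installed, and that isc.org stays DNSSEC-signed and dnssec-failed.org stays deliberately broken; the sample dig headers are constructed, not captured.

```shell
#!/bin/sh
# Added verification helpers; not part of the original post or of unbound.
# classify_dig reads dig(1) output on stdin and reports what the validating
# resolver did with the answer:
#   validated -> NOERROR with the AD (authenticated data) flag set
#   bogus     -> SERVFAIL, the validator rejected the signatures
#   insecure  -> NOERROR without AD (unsigned zone, or validation disabled)
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo insecure ;;
            esac ;;
        *) echo "unknown:$status" ;;
    esac
}

# resolvconf_is_local reads resolv.conf on stdin and succeeds only when there
# is at least one nameserver and every one of them is loopback.
resolvconf_is_local() {
    awk '/^nameserver/ { n++; if ($2 != "127.0.0.1" && $2 != "::1") bad++ }
         END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# Constructed dig header excerpts for the three outcomes (not real captures).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# check_live runs the same checks against the resolver set up in the post
# (needs network and dig). isc.org is a signed zone and should come back
# "validated"; dnssec-failed.org is deliberately broken and should be "bogus".
# A signed zone reporting "insecure" means unbound answers but does not validate.
check_live() {
    printf 'isc.org: %s\n' "$(dig @127.0.0.1 +dnssec isc.org A | classify_dig)"
    printf 'dnssec-failed.org: %s\n' "$(dig @127.0.0.1 +dnssec dnssec-failed.org A | classify_dig)"
    if resolvconf_is_local < /etc/resolv.conf; then
        echo 'resolv.conf: loopback only'
    else
        echo 'resolv.conf: WARNING, a non-loopback nameserver can bypass unbound'
    fi
}
```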

catweazel

Re: DNS-over-TLS with DNSSEC

Post by catweazel » Fri Mar 15, 2019 6:22 am

mollydarknet wrote:
Thu Mar 14, 2019 9:44 pm
I'm going to show you how to encrypt DNS traffic.
Nice. The only thing preventing me from doing a backup and trying it is the lack of instructions on how to undo it without having to resort to a backup.

Cheers.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.

mollydarknet

Re: DNS-over-TLS with DNSSEC

Post by mollydarknet » Fri Mar 15, 2019 9:04 pm

catweazel wrote:
Fri Mar 15, 2019 6:22 am
mollydarknet wrote:
Thu Mar 14, 2019 9:44 pm
I'm going to show you how to encrypt DNS traffic.
Nice. The only thing preventing me from doing a backup and trying it is the lack of instructions on how to undo it without having to resort to a backup.

Cheers.
I've included how to remove unbound and go back to systemd-resolved in the original post.

Thanks,
Molly
I'm just a glitch in the matrix...
friends don't let friends use Google

catweazel

Re: DNS-over-TLS with DNSSEC

Post by catweazel » Fri Mar 15, 2019 9:14 pm

mollydarknet wrote:
Fri Mar 15, 2019 9:04 pm
Thanks,
Molly
And thank you. I knew that that's how to reverse it :) I just felt it was best if you stated it.

Cheers.
"There is, ultimately, only one truth -- cogito, ergo sum -- everything else is an assumption." - Me, my swansong.

phd21

Re: DNS-over-TLS with DNSSEC

Post by phd21 » Fri Mar 15, 2019 10:34 pm

Hi mollydarknet,

That's nice to provide help for others. Nice tutorial.

I really like the DNS over TLS option and I think people who are not encrypting their DNS searches should consider using it.

FYI: I did not have to make the editing changes to files you show for DNS over TLS to work. I followed the instructions from the link below. I already had openresolv and unbound installed for using my VPN provider servers.

sudo apt install unbound openresolv

How to Protect Your DNS Privacy on Ubuntu 18.04 with DNS over TLS
https://www.linuxbabe.com/ubuntu/ubuntu ... s-over-tls
Phd21: Mint 19.2 Cinnamon & xKDE (Xfce) & KDE Neon 64-bit Awesome OS's, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram, 256gb SDD, only Intel 4 Graphics. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

majpooper

Re: DNS-over-TLS with DNSSEC

Post by majpooper » Sat Mar 16, 2019 6:04 pm

It seems DoT is the way things are going and is the industry-accepted standard, whereas DoH, DNSCrypt and other DNS encryption methods are not. Even so, for now, I am using DNS over HTTPS (DoH) on my PiHole server with Cloudflare (1.1.1.1) - at the end of the day you are forced to trust somebody. According to people who know way more than me, "DoH has the advantage of being harder to block or detect, because the DNS traffic is encapsulated inside of HTTPS traffic destined for port 443. This is also a slight disadvantage due to the additional traffic overhead of the HTTPS headers, which makes DoH somewhat slower than DoT". Nevertheless, it is possible to configure DoT on PiHole, if you choose to go that route.
https://bartonbytes.com/posts/configure ... -over-tls/
The nice thing about PiHole is . . . it "functions similarly to a network firewall, meaning that adverts and tracking domains are blocked for all devices behind it, whereas traditional advertisement blockers only run in a user's browser, and remove adverts only on the same machine" This can make things a little snappier (is that even a word ?) because the adverts and trackers are blocked before they even hit your browser.

way12go

Re: DNS-over-TLS with DNSSEC

Post by way12go » Tue Sep 03, 2019 9:16 pm

I checked my encrypted DNS status by visiting this website

https://www.cloudflare.com/ssl/encrypted-sni/

and this website says dns is not secured.

Can you please specify what went wrong?

phd21

Re: DNS-over-TLS with DNSSEC

Post by phd21 » Thu Sep 05, 2019 1:10 pm

Hi way12go,

You must be much more specific. What method of using encrypted DNS did you choose and how did you implement that, what instructions?

FYI: I use DNS over TLS. When I am connected to a VPN server and I go to the Cloudflare test web page, it shows that I may not be using encrypted DNS, when I know that I am. If I disconnect from the VPN server and refresh or reload the Cloudflare test web page, it then shows that it is encrypted.

Hope this helps ...
Phd21: Mint 19.2 Cinnamon & xKDE (Xfce) & KDE Neon 64-bit Awesome OS's, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram, 256gb SDD, only Intel 4 Graphics. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde
