DNS-over-TLS with DNSSEC

[mollydarknet]

I'm going to show you know to encrypt DNS traffic. Warning the 'unbound' DNS package from 'apt' does not support validating certificates, if you need certificate validation you must build 'unbound' from source.

Using encrypted DNS does slow load times but Unbound also caches requests and prefetches; you can use dig to confirm this. You're trading speed for privacy.

More info on DNS privacy https://dnsprivacy.org/wiki/display/DP/ ... he+Problem

If you have manually disabled ipv6 through sysctl make sure 'net.ipv6.conf.lo.disable_ipv6 = 0'
you can issue this command to be sure

Code: Select all

cat /proc/sys/net/ipv6/conf/lo/disable_ipv6

Should Return 0

First install the required packages

Code: Select all

sudo apt install unbound openresolv

Then enable unbound

Code: Select all

sudo systemctl enable unbound.service unbound-resolvconf.service

Disable systemd DNS

Code: Select all

sudo systemctl disable systemd-resolved.service

If you're using Network Manager then issue this command

Code: Select all

printf "[main]\ndns=none" | sudo tee /etc/NetworkManager/conf.d/dns.conf

Then we need to configure openresolv

Code: Select all

sudo sed -i 's/^#name_servers=127.0.0.1/name_servers="127.0.0.1 ::1"/' /etc/resolvconf.conf

Now we will configure unbound

Code: Select all

sudo nano /etc/unbound/unbound.conf.d/dns-over-tls.conf

Copy the code below and paste into nano Shift-Ctrl-V. Close and save Crtrl-X then hit Y and press Enter key.

Code: Select all

server:
    qname-minimisation: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-algo-downgrade: no # false positives with improperly configured zones
    use-caps-for-id: no # makes lots of queries fail
    hide-identity: yes
    hide-version: yes
server:
    prefetch: yes
    prefetch-key: yes
    msg-cache-size: 128k
    msg-cache-slabs: 2
    rrset-cache-size: 8m
    rrset-cache-slabs: 2
    key-cache-size: 32m
    key-cache-slabs: 2
    cache-min-ttl: 3600
    num-threads: 2
server:
    interface: 127.0.0.1
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.1/32 allow

forward-zone:
    name: "."
    # Cloudflare DNS
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853

REBOOT

The three big companies that use encrypted DNS are cloudflare, quad9, and Google. I chose cloudflare because it has been the most reliable, doesn't record ip adresses, and dumps logs ever 24hours. I've had reliability issues using quad9. I have not used Google because... well it's Google.

Thanks,
Molly

###############################################################

Don't like the new setup? This is how to go back to using systemd-resolved.

First disable unbound

Code: Select all

sudo systemctl disable unbound.service unbound-resolvconf.service

Enable systemd-resolved

Code: Select all

sudo systemctl enable systemd-resolved.service

Remove NetworkManger directive to not manage /etc/resolv.conf

Code: Select all

sudo rm /etc/NetworkManager/conf.d/dns.conf

REBOOT

Also if you'd like you can remove/purge unbound

Code: Select all

sudo apt remove --purge unbound openresolv

Thanks Molly

[catweazel]

I'm going to show you know to encrypt DNS traffic.

Nice. The only thing preventing me from doing a backup and trying it is the lack of instructions on how to undo it without having to resort to a backup.

Cheers.

[mollydarknet]

I'm going to show you know to encrypt DNS traffic.

Nice. The only thing preventing me from doing a backup and trying it is the lack of instructions on how to undo it without having to resort to a backup.

Cheers.

I've Included how to remove unbound and go back to systemd-resolved in the original post.

Thanks,
Molly

[catweazel]

Thanks,
Molly

And thank you. I knew that that's how to reverse it I just felt it was best if you stated it.

Cheers.

[phd21]

Hi mollydarknet,

That's nice to provide help for others. Nice tutorial.

I really like the DNS over TLS option and I think people who are not encrypting their DNS searches should consider using it.

FYI: I did not have to make the editing changes to files you show for DNS over TLS to work. I followed the instructions from the link below. I already had openresolv and unbound installed for using my VPN provider servers.

Code: Select all

sudo apt install unbound openresolv

How to Protect Your DNS Privacy on Ubuntu 18.04 with DNS over TLS
https://www.linuxbabe.com/ubuntu/ubuntu ... s-over-tls
.

[majpooper]

It seems DoT is the way things are going and is the industry accepted standard where as DoH and DNScrypt, other DNS encryption are not. Even so, for now, I am using DNS over HTTPS (DoH) on my PiHole server with Cloudflare (1.1.1.1) - at the end of the day you are forced to trust somebody. According to people who know way more than me, "DoH has the advantage of being harder to block or detect, because the DNS traffic is encapsulated inside of HTTPS traffic destined for port 443. This is also a slight disadvantage due to the additional traffic overhead of the HTTPS headers, which makes DoH somewhat slower than DoT". Never the less it is possible to configure DoT on PiHole, if you choose to go that route.
https://bartonbytes.com/posts/configure ... -over-tls/
The nice thing about PiHole is . . . it "functions similarly to a network firewall, meaning that adverts and tracking domains are blocked for all devices behind it, whereas traditional advertisement blockers only run in a user's browser, and remove adverts only on the same machine" This can make things a little snappier (is that even a word ?) because the adverts and trackers are blocked before they even hit your browser.

[way12go]

I checked encrypted dns status visiting this website

https://www.cloudflare.com/ssl/encrypted-sni/

and this website says dns is not secured.

Can you please specify what went wrong?

[phd21]

Hi way12go,

You must be much more specific. What method of using encrypted DNS did you choose and how did you implement that, what instructions?

FYI: I use DNS over TLS. When I am connected to a VPN server and I go to the Cloudlfare test web page it shows that I may not be using encrypted DNS, when I know that I am. If I disconnect from the VPN server, refresh or reload the Cloudflare test web page, it then shows that it is encrypted.


Hope this helps ...