The Living Thing / Notebooks :

DNS

On asking strangers for directions

Usefulness: 🔧
Novelty: 💡
Uncertainty: 🤪 🤪 🤪
Incompleteness: 🚧 🚧 🚧
Knowyourmeme.com

DNS determines where my devices go asking for directions on their way about the internet. My DNS setup thus has many impacts upon my security, safety and convenience. My default DNS from my ISP is subject to AFAICT the highly criticised within which your local council gets to know where you are browsing.

  1. I would like a DNS services that does not record where I browse, so that I am less easily tracked and profiled by corporate interests or nascent police states. One way to fix this is with a VPN, but if I don’t want that overhead, I can also encrypt my DNS queries with the right DNS server.
  2. I would like a DNS server that does not spoof sites. For example, when I work in Indonesia if I try to visit videos from vimeo, I cannot without DNS hacks because otherwise I am redirected to a site which tells me that vimeo is pornographic (!). In China I understand this is one way they enforce the great firewall. One way around this is DNSSEC, which is a verified DNS standard which is somewhat painful to set up.
  3. I would like a DNS service that is deliberately broken and will simply not work for malevolent sites such as malware distributors and advertisers, because filtering this myself is becoming difficult with some browsers. Some people maintain their own blocklists, but I am happy to entrust a third party DNS provider with this power if they seem trustworthy.

Update: see DNS Privacy a site which has more information than you could possibly want about the privacy details.

Alternate DNS servers

Fancy

There are fancy DNS servers operated by e.g. Cloudflare and Adguard which offer value added features such as censoring advertisers (and optionally “family unfriendly” content) by simply not resolving them and DNS-over-TLS.

Adguard is

176.103.130.130
176.103.130.131

or

2a00:5a60::ad1:0ff
2a00:5a60::ad2:0ff

Cloudflare is American and has enabled Nazi speech. Adguard operate in a Russian jurisdiction. What the risk and benefit profiles of these organisations I will leave you to decide for yourself.

Cisco’s opendns will do ad blocking, but not TLS-comaptible.

Vanilla, Australian

Public DNS list.

Whirlpool’s list of DNS Servers to use in Australia. AFAICT only your ISP is require to log your DNS usage, so presumably you improve privacy somewhat by using any DNS server that is not you ISP’s.

Vanilla, global

CCC’s recommended DNS servers globally:

Google DNS:

The Google Public DNS IP addresses (IPv4) are as follows:

The Google Public DNS IPv6 addresses are as follows:

Blocking some DNS records

You can do this yourself with dnsmaq plus much love and attention and OCD, but I’m not quite anal retentive enough to handle this myself. More comfortable might be to run a single board computer or vm as a net filter via pi-hole, which givs a nice GUI and monotoring system

Encrypting DNS for perivacy

This, de facto, means a standard called DNS-over-TLS.

There was also dnscrypt, which was abandoned so I guess you can ignore it.

The encrypted and verified DNS option is DNSSEC. Presumably we should all be using this, but it still looks painful, at least on macOS. The server app of choice seems to be unbound. However, this doesn’t seem convenient for any platform I’m using, so DNS-over-TLS is a good stopgap I guess, which means using stubby and/or knot-resolver, or dnsproxy.

DNS reconfiguring

So I’m going to reconfigure my DNS to be more secure. To do this I will update DNS servers to be some DNS-over-TLS servers. and flush out the old poisoned records.

Your OS can benefit from a DNS flush; but also the browser can keep stinky stale records around. Clearing browser DNS caches is also advised.

tldr you can and should use fancy encrypted DNS servers, but you can make life better by simply putting a new DNS service in your settings file e.g. Adguard, 176.103.130.130 and 176.103.130.131 or cloudflare, 1.1.1.1 and 1.0.0.1.

Ubuntu

First, configure your DNS settings. (You really need to do this is you want to use VPN on linux.)

At the basic level you can simply use one of the alternative

If you want to encrypt, see Linuxbabe on DNS-over-TLS for Ubuntu using some app called stubby.

In practice installing it is fairly easy. I presume it is doing something to improve my confidentiality..

On e.g. Ubuntu, this is as simple as

sudo apt install stubby

You put your settings in a text file /etc/stubby/stubby.yml; there is no settings GUI. The default settings work, but are not very fast. Then you will be running your own DNS thingy on 127.0.0.1 (IPvv) or 0::1 (IPv6) on port 53 which will in turn forward queries to the DNS-over-TLS servers you configured.

Now you have an easy-to-remember secure DNS server to put into the ‘dns server’ box of your wifi settings window.

Shortcoming: the GUI config for network settings in Ubuntu seems to want me to configure it anew for every different Wifi network, for both IPv4 and IPv6. Needs a universal workaround. I think this is achievable via manually editing resolve.conf.

Having done that, I also needed to flush out the bad old records. stackoverflow

sudo systemd-resolve --flush-cache
sudo systemd-resolve --statistics

macOS

Changing the default DNS is plain obvious (system settings).

For encrypted DNS, see Dan Pfiffer on DNS-over-TLS for macOS (watch out, there is a typo in his config file and the identity keys don’t match the ones I got.). (alt version.)

DNS flush command keeps changing, eh? I think this is the latest:

sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

Windows

unihost:

ipconfig /flushdns

Android

:shrug:

iOS

One simple way seems to be the app dnscloak?

Fancy stubby config

Pro-tip if you use stubby and you want faster DNS, don’t rotate through the default long list of slow servers settle on a short list of fast servers and rotate through them, disabling the others. e.g. Adguard and cloudflare:

upstream_recursive_servers:
# Adguard servers
  - address_data: 176.103.130.130
    tls_auth_name: "dns.adguard.com"
  - address_data: 176.103.130.131
    tls_auth_name: "dns.adguard.comcloudflare-dns.com"
#CloudFlare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"

You can choose whether to rotate though them constantly or not with the following parameter:

round_robin_upstreams: 0

There is a (more) fully secure version of DNS-over-TLS where you verify the server’s keys, presumably over a trusted network, to ensure you are connecting to the correct server. To find the encryptey verify key whatsit for e.g. 1.1.1.1 I am told you do this:

echo | openssl s_client -connect '1.1.1.1:853' 2>/dev/null | \
  openssl x509 -pubkey -noout | \
  openssl pkey -pubin -outform der |\
  openssl dgst -sha256 -binary | \
  openssl enc -base64

Surely this step is in itself vulnerable to spoofing, because I need to trust some set of intermediate certificates? Anyway, this should at least detect server identity changes hereafter? Probably?

If we do that, we get the following config. (You can copy this from me, but obviously it would be wiser to verify for yourself because if our identifiers differed it would mean we were being messed with).

upstream_recursive_servers:
# Adguard servers
  - address_data: 176.103.130.130
    tls_auth_name: "dns.adguard.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
  - address_data: 176.103.130.131
    tls_auth_name: "dns.adguard.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
# The Cloudflare servers
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
#You probably also want to avoid little accidents by configuring IPv6 also?
# Adguard servers
  - address_data: 2a00:5a60::ad1:0ff
    tls_auth_name: "dns.adguard.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc=
  - address_data: 2a00:5a60::ad2:0ff
    tls_auth_name: "dns.adguard.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=