Encrypted DNS and DNS over HTTP (DOH)

in #security5 years ago

DNS - aka how we locate the server addresses on internet is one of the weakest links of privacy and security. This is often used by the ISPs and others for DPI (Deep Packet Inspection), censorship and various types of traffic shaping.

The DNS system is generally a UDP traffic send to port 53 of various DNS servers. Named seems to the the major DNS server used everywhere. Recently much attention is provided on how to encrypt the DNS traffic. Perhaps the first such effort was from OpenDNS with DNSCrypt. There are numerous servers which provides DNScrypt now.

Encrypting DNS traffic

client -----> DNS server

The traffic can be easily encrypted preventing someone like an ISP to track and log the DNS queries and use the same for say ad-targeting.

For a fairly advanced user on both MacOS and Linux, its quite easy to setup the DNS encryption using DNSCrypt-Proxy.

DOH aka DNS over HTTPS

In the recent times, ie in 2019 Mozilla Firefox entered news for activating DOH. This itself shows much the DNS is exploited right now. Its a fairly simple mechanism where DNS traffic is sent encapsulated as encrypted HTTPS traffic making it difficult to trace. Well, the SNI aka Server Name Indication (https://en.wikipedia.org/wiki/Server_Name_Indication_ ) could be a deal breaker - and honestly I am not well aware of how SNI impacts DoH.

How to ensure secure DNS ?

While this is in no way a 100% secure mechanism, enabling DoH in Firefox and other browsers that supports it a good starting point.

Zdnet has a detailed article on enabling DoH : http://web.archive.org/web/20190927221427/https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/

A better mechanism

A safer, more efficient mechanism is to setup a local DNSCrypt-Proxy to both speed up the DNS & secure it even further.

An excellent how-to on the topic is below.

http://web.archive.org/web/20191006133407/https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/

A sneak-peak:

First DNS query of the day / TTL period:

;; ANSWER SECTION:
slashdot.org.       599 IN  A   216.105.38.15

;; Query time: 53 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 06 19:14:03 IST 2019
;; MSG SIZE  rcvd: 140

Second Query, yay! zero milliseconds

; ANSWER SECTION:
slashdot.org.       473 IN  A   216.105.38.15

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Oct 06 19:16:10 IST 2019
;; MSG SIZE  rcvd: 128
Sort:  

This post has been rewarded with 100% upvote from @indiaunited-bot community account. We are happy to have you as one of the valuable member of the community.

If you would like to delegate to @IndiaUnited you can do so by clicking on the following links: 5SP, 10SP, 15SP, 20SP 25SP, 50SP, 100SP, 250SP. Be sure to leave at least 50SP undelegated on your account.

Please contribute to the community by upvoting this comment and posts made by @indiaunited.

MacOS instructions are here https://news.ycombinator.com/item?id=16729705

[2019-10-09 17:26:26] [CRITICAL] Unable to retrieve source [public-resolvers]: [No IP found for [download.dnscrypt.info]]
[2019-10-09 17:26:26] [FATAL] No IP found for [download.dnscrypt.info]

https://github.com/DNSCrypt/dnscrypt-proxy/issues/866

Congratulations @bobinson! You have completed the following achievement on the Steem blockchain and have been rewarded with new badge(s) :

You distributed more than 23000 upvotes. Your next target is to reach 24000 upvotes.

You can view your badges on your Steem Board and compare to others on the Steem Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

Do not miss the last post from @steemitboard:

SteemFest⁴ commemorative badge refactored
Vote for @Steemitboard as a witness to get one more award and increased upvotes!

Coin Marketplace

STEEM 0.15
TRX 0.16
JST 0.028
BTC 67340.80
ETH 2419.68
USDT 1.00
SBD 2.35