DNS is going to be secured/transport encrypted in the coming future.
What does the community think about this way to… reduce the vulnerability footprint?
Hi
I’ve been seen as a DNS Guru for ages - starting with Novell NDS/eDir over MS AD and Bind.
DNS is actually quite simple, forward and reverse. It’s one of the older protocols on TCP/IP, like for example SNMP (Simple Network Management Protocol), also ages old… SNMP, despite its name, isn’t easy to comprehend; the DoD background can be quite confusing to the younger generation who can’t remember the start of the Internet as a DARPA (Defense Advanced Research Project…).
In those days, networks were “trusted”, and so were system admins - they were all, in the end, US state employees…
Nowadays that’s different. North Korea has DNS, so does Russia and China. But the Root Server “A” (I am the Internet!) is in the USA, at a non-disclosed spot. Yet it all works instantly. A database with literally millions of administrators, many not on speaking or communication terms with any others - yet it works better and more reliably than almost any commercial database!
The Information behind DNS is public knowledge, agreed! There are no “secret” records on a public DNS Server. The case for an Internal DNS Server is a different animal…
So why the fuss?
DNS - for redundancy purposes - was one of the first protocols in the TCP stack, besides Mail / SMTP, which had redundancy thoughts / ideas behind them. Primary and secondary DNS servers…
The primary DNS server is the master, defined by the SOA record in DNS. The others are slaves - or, in human terms, something like a parrot: they just have the same knowledge and can repeat what the primary DNS has to say. They get their information from the primary.
In the beginning, this was open communication. Then came closed group communication. Still not enough…
The problem is, if you can feed the slaves enough bullsh*t, they will give out this information. Say for NethServer.org, the slaves would point nethserver.org and www.nethserver.org to my.compromised.server.org. People would put in their data, try to log in and so on. Now, NethServer.org isn’t really a shop, there isn’t much “critical” data there. That isn’t always the case. It could just as well be my-big-bank.com or something else…
Then all you would need to do is “take down” the primary DNS using, say, a DDoS (Distributed Denial of Service); then the slaves will answer any queries. But they will give out compromised information, looking like the real thing!
That’s one of the reasons DNS has to move forward…
I’ve tried to make a complex scenario understandable for non-experts. But this isn’t out of a storybook nowadays, it’s sad reality!
My 2 cents!
Andy
There are no “secrets”, I can agree, but the integrity and the trustworthiness of the information is quite necessary today…
In DNS servers, some policies related to mail delivery, public keys and expiry times are now publicly readable. Now the Internet is the backbone of data for most of the civil world, not a happy party for a few tech-conscious people.
Therefore, DoH and DNSSEC are proposed to avoid data forgery and MITM attacks, among other things.
RFCs about DNSSEC are already public (according to https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) and are running on the public Internet (IPFire relies on DNSSEC and looks for data validation); DoH is still experimental, according to Wikipedia
https://en.wikipedia.org/wiki/DNS_over_HTTPS
but from my perspective there’s a “flaw” in the DoH concept: it is built by organizations that design Internet browsers, and only this kind of application.
I don’t think that Google and the Mozilla Foundation are newbies but… maybe they look only for their own needs, not network-related needs…
I found this page on Wikipedia for public DNS servers, and some “options” for DNS are spelled out for every public DNS service.
Some of these are:
Four of these options are integrity-and-safety related, but still no winning standard seems to be approaching…
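As an added example (not from the thread, and not code of any project mentioned in it): the DoH mechanism discussed above carries an ordinary wire-format DNS message inside an HTTPS POST (RFC 8484), while DNSSEC is requested with the DO bit of the EDNS0 OPT record and the validating resolver reports success in the AD bit of its response. The AD bit is only worth anything when the path to that resolver is itself authenticated, which is exactly why DoH and DNSSEC complement each other. The block builds such a query with the standard library, wraps it as a DoH request, and parses a constructed response; the resolver URL `https://doh.example/dns-query` and the sample response bytes are made up for the example, and nothing is sent on the network.

```python
import struct
import urllib.request


def encode_name(name):
    """Encode a domain name into DNS wire format: each label prefixed by its length, ending with a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, dnssec_ok=True):
    """Build a wire-format DNS query (RFC 1035) with an EDNS0 OPT record (RFC 6891).
    The DO flag asks the resolver to include DNSSEC records (RRSIG, ...) in its answer.
    The message ID is 0, as RFC 8484 recommends for DoH, since HTTPS already separates requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)      # ID 0, RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # qtype, class IN
    opt_flags = 0x8000 if dnssec_ok else 0                       # DO bit lives in the OPT "TTL" field
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, opt_flags, 0)
    return header + question + opt


def read_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset just after the name in the current record)."""
    labels, end, jumps = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 section 4.1.4)
            jumps += 1
            if jumps > 32:                         # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset


def parse_response(msg):
    """Parse a wire-format response into rcode, the AD (authenticated data) bit and a list of records."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                            # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        records.append((name, rtype, ttl, value))
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "records": records}


def doh_request(resolver_url, wire_query):
    """Wrap a wire-format query as an RFC 8484 POST; the caller decides whether to actually send it."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    return urllib.request.Request(resolver_url, data=wire_query, headers=headers, method="POST")


# Constructed sample response (not captured from any resolver): an A record for nethserver.org,
# an RRSIG with dummy rdata, and an OPT record; flags 0x81A0 = QR, RD, RA, AD set.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 2, 0, 1)
    + encode_name("nethserver.org") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    + b"\xC0\x0C" + struct.pack("!HHIH", 46, 1, 300, 4) + b"\x00\x01\x08\x02"
    + b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
)

if __name__ == "__main__":
    query = build_query("nethserver.org")
    req = doh_request("https://doh.example/dns-query", query)   # hypothetical resolver URL
    print("POST", req.full_url, req.get_header("Content-type"), len(query), "bytes")
    print(parse_response(SAMPLE_RESPONSE))
```

The same request can also be sent as `GET /dns-query?dns=<base64url of the wire query>`; either way the transport is plain TLS, so whoever runs the resolver still sees every name you ask for, which is the point made later in the thread about choosing the provider.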
Continuing the discussion, it seems that DoH (DNS over HTTPS) could be used for your network with a Docker container.
This is a Cloudflare client for DoH: https://hub.docker.com/r/visibilityspots/cloudflared/
There is also a good article on using DoH and Pi-hole: https://visibilityspots.org/dockerized-cloudflared-pi-hole.html
Cloudflare is maybe not the company I would trust first, but I think it is something to study.
The problem is with the ISPs. Especially in the (overly money-driven) USA, ISPs sell the browsing history of their clients for big money. You don’t eliminate this with DoH unless you choose a DoH provider that does not store DoH logs. And still, you will need another gateway than your ISP, so a VPN is more or less mandatory in addition to a privacy-friendly DoH provider. This could be done by NethServer if you host NethServer outside the network of your ISP, for instance on a VPS.
Even with DoH… In any case the ISP knows every server and page you look up…
They know the IPs you’re using, but as long as the traffic is via HTTPS (which, really, everything should be any more–the only reason not to be using HTTPS is that you’re using shitty, customer-hostile web hosting that charges extra for HTTPS for no good reason), they don’t know domain names, paths, submitted data, or page content.
Maybe I am telling the biggest nonsense of the community, but HTTPS encrypts data, not the URL…
I’m afraid you’re mistaken here. When using HTTPS, the TLS session is established (with TLS 1.2 and earlier, the certificate is sent in the clear, so a MITM (like your ISP) can tell which domains are part of that cert; with TLS 1.3, even that traffic is encrypted), encrypting all further communications. Everything else that’s sent–including the request URL–is encrypted. See below for a more detailed resource:
Not if you use a VPN outside the ISP network…