drmike
100% Tier-1 Gogent
Securing DNS Lookups via Encrypted DNS - DNSCrypt
Normal computer traffic route involving DNS works like this:
1. Request for DNS lookup (from browser, FTP, etc.)
2. Your system asks a list of remote DNS servers for the domain's records - often these are auto-configured by your internet provider (which is often bad and results in use of a monitored DNS provider that could be doing anything with your lookup data).
3. IP information is returned to your browser, FTP, etc.
That process is simple, and it is all done in plaintext, meaning your requests are seen by the end server fulfilling the request as well as by the upstream internet provider and every network the packets travel through. That is bad. The NSA is watching, the FBI is watching, foreign intelligence might be watching, your wife may be watching and hackers could be watching. DNS lookups tell a good amount about your life (where you are eating, products you are researching, your porn habits, etc.).
What Can we Do to Secure DNS Lookups?
Simply, encrypt the DNS requests. Doing so, however, is severely limited: there is no SSL-like standard, and hardly anyone is on board with a recent effort by free DNS company OpenDNS.
The solution, for now, is OpenDNS and their DNSCrypt.
Recap of the DNS Lookup Workflow:
browser ---> remote DNS server
---- plaintext unencrypted = BAD!!!!! -----
Revised DNS Lookup Workflow:
browser ---> DNSCrypt ---> remote server
---- encrypted = GOOD!!!! ----
What you will need:
1. A computer running Debian or a derivative (Ubuntu should work). A desktop will work fine; a remote VPS or dedicated server should be fine too.
2. Port 53 available - no existing DNS server running
3. gcc (and g++) for compiling
4. make and automake
Howto Debian Installation of DNSCrypt
1. Become root:
su
(enter root password)
Make a new unprivileged user for the proxy to run as (the chown below fails if the user doesn't exist yet):
2. useradd -r -d /home/dnscrypt -s /usr/sbin/nologin dnscrypt; mkdir -p /home/dnscrypt; chown -R dnscrypt:dnscrypt /home/dnscrypt
Still as root, make a working directory for the build:
3. cd ~ ; mkdir dnscrypt; cd dnscrypt
Let's get the DNSCrypt source
4. wget http://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.3.2.tar.gz
5. tar xzvf dnscrypt-proxy-1.3.2.tar.gz
6. cd dnscrypt-proxy-1.3.2
We need libsodium for this to work, let's get it and compile/install
7. mkdir libsodium
8. cd libsodium
9. wget http://download.libsodium.org/libsodium/releases/libsodium-0.4.2.tar.gz
10. tar xzvf libsodium-0.4.2.tar.gz; cd libsodium-0.4.2
11. ./configure
12. make && make check && make install
Now back to DNSCrypt compile/install
13. cd ../..
14. ./configure && make -j2
(Get an error here like this?
"configure: error: cannot run C compiled programs. If you meant to cross compile, use `--host'."
Maybe libc isn't installed; do the following and retry:
apt-get install --reinstall libc6-dev
ldconfig
./configure && make -j2
Work now?)
15. make install
You should be installed now.
16. ls -l /usr/local/sbin/dnscrypt-proxy (see the file?)
Let's run dnscrypt-proxy:
17. dnscrypt-proxy --daemonize --user=dnscrypt (did that work? I hope so)
ps aux | grep dnscrypt
(if you don't see it, something else is probably already bound to port 53 ---> tail /var/log/syslog for error messages)
If you have this running add this so it runs at startup:
18. crontab -e
Add:
@reboot dnscrypt-proxy --daemonize --user=dnscrypt
We need to activate this for it to work by adding new info to /etc/resolv.conf:
19. nano /etc/resolv.conf
REMOVE or comment out any nameserver that exists:
#nameserver 4.2.2.2
ADD:
nameserver 127.0.0.1
Save and exit.
Try a lookup:
20. nslookup vpsboard.com
You *SHOULD* be getting an IP, something like this:
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: vpsboard.com
Address: 209.141.39.223
If so, it works and you are DONE! Congrats, your DNS requests now are fed to OpenDNS over an encrypted channel. Do I trust OpenDNS? Only a bit more than all the big companies that were outed for spying on web users recently. DNS is pretty much all OpenDNS does, so if they botch it or do wrong by users, they will lose their company in spectacular fashion.
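As an added example (not part of the original post), a small POSIX sh script that re-checks the three things this setup depends on: /etc/resolv.conf points only at loopback, the proxy runs as the unprivileged dnscrypt user, and 127.0.0.1:53 actually answers. It assumes the user name and listen address from the steps above; the two checks take their input as arguments so they can be exercised against constructed samples.

```shell
#!/bin/sh
# check-dnscrypt.sh: post-install sanity checks for the dnscrypt-proxy setup above.
# Added example, not from the original post. Assumes dnscrypt-proxy was started with
# --user=dnscrypt and listens on 127.0.0.1:53, as in the steps above. Re-run after a
# reboot: DHCP clients can rewrite /etc/resolv.conf and silently restore a plaintext resolver.

# 1. Every active "nameserver" line must be loopback (127.x or ::1); any other address
#    lets the stub resolver fall through to a plaintext upstream, which defeats the point.
#    Comments (#, ;) are stripped first; an empty nameserver list is also a failure.
resolv_only_loopback() {
    sed -e 's/[#;].*//' "$1" | awk '
        BEGIN { n = 0; bad = 0 }
        $1 == "nameserver" {
            n++
            if ($2 !~ /^127\./ && $2 != "::1") {
                print "plaintext resolver still active: " $2
                bad = 1
            }
        }
        END {
            if (n == 0) { print "no nameserver entries at all"; bad = 1 }
            exit bad
        }'
}

# 2. The proxy must not run as root. Takes the owner column as an argument so it can be
#    checked offline; live usage is: proxy_user_ok "$(ps -o user= -C dnscrypt-proxy)"
proxy_user_ok() {
    [ -n "$1" ] || { echo "dnscrypt-proxy is not running"; return 1; }
    for u in $1; do
        [ "$u" = "dnscrypt" ] || { echo "dnscrypt-proxy running as $u, expected dnscrypt"; return 1; }
    done
}

# 3. Live checks (run as: sh check-dnscrypt.sh --live). The lookup asks 127.0.0.1 directly
#    rather than whatever resolv.conf currently says, so it tests the proxy itself.
run_live_checks() {
    rc=0
    resolv_only_loopback /etc/resolv.conf || rc=1
    proxy_user_ok "$(ps -o user= -C dnscrypt-proxy)" || rc=1
    nslookup vpsboard.com 127.0.0.1 >/dev/null 2>&1 || { echo "no answer from 127.0.0.1:53"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```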
This is a start to a solution, not the entire solution. In the future hopefully more DNS providers support DNSCrypt.
Enhancements to this would be local caching (perhaps DNSMASQ), addition of other remote servers (currently the only other compatible server is in Australia, meaning high latency for many), and coming up with a DNS pass-through chain so requests can be processed and filtered as needed (i.e. DNSMasq ---> DNSCrypt) --- currently not easily doable since /etc/resolv.conf doesn't support entries with ports.
More Info:
http://www.opendns.com/technology/dnscrypt/
Introducing DNSCrypt (Preview Release)
Background: The need for a better DNS security
http://dnscrypt.org/
DNSCrypt
A tool for securing communications between a client and a DNS resolver