DNS over TLS – Thoughts and Implementation (opens in new tab)

(sagi.io)

65 pointskedmi7y ago86 comments

86 comments

Pretty much there are 3 competing implementations for DNS resolution encryption (won't call it security):

  * DNSCrypt
  * DNS over TLS
  * DNS over HTTPS

If you are looking for something well tested and well supported, check out DNSCrypt (and the awesome DNSCrypt-proxy):

https://github.com/jedisct1/dnscrypt-proxy

It doesn't get a much love as it should, but it is probably the best way to secure encrypt your DNS requests right now. The protocol was initially developed by OpenDNS, but many resolvers support it right now (cisco, cleanbrowsing, etc). The list of supporting services is impressive:

https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-...

On the other hand, DNS over [HTTPS|TLS] are pretty new and don't have as much support, except for a few players. A good list if here as well:

https://www.reddit.com/r/sysadmin/comments/976aj2/updated_li...

dagenix7y ago

Prediction: DNS-over-TLS won't win. I don't think it's going to be able to get around the non-standard port issue.

Instead, I think DNS-over-HTTP is gonna be the champ. The overhead of HTTP is a minor issue, but, I think using a standard port more than makes up for it. I think the real inflection point is going to be once QUIC is more widely deployed. Combined with TLS's 0-RTT connection setup, we'll be able to get back to answering a DNS query in a single round trip (like today), but with assurances that the data wasn't monitored or tampered with between the client and the recursive resolver.

nykolasz7y ago

I hope you are wrong. We don't need one more protocol tunneled through HTTP.

djsumdog7y ago

I kinda agree on this. It's like pumping everything into an electron app. Not everything needs to be pumped through 80/443.

1 more reply

dagenix7y ago

Why? What's the specific harm? AIUI, as long as the request still fits into a single frame, its not anymore inneficient.

2 more replies

kromem7y ago

Yeah, DNS over HTTP/2, (or the inevitable DNS over upcoming connection protocols) will definitely succeed.

I think the big paradigm shift is "let's decouple DNS interactions from a specific transport" - and once you open up to that concept, the option of having multiple transports for different use-cases as things move forward seems practical.

fanf27y ago

I deployed DNS-over-TLS on Cambridge University’s central recursive DNS servers last week, and they immediately started receiving traffic from Android P users - not very much traffic, a few queries per second, but not negligible. I did some followup investigation of how Android behaves in the wild and posted them to the IETF DoH list (and the dprive list but for some reason those copies did not go through) - see https://mailarchive.ietf.org/arch/msg/doh/I-ytiO6ykbt9krrC9F... and the corrections and further information in the replies.

I still need to verify that TCP fast open is working, to minimize the DoT latency.

amaccuish7y ago

Is there a new dhcp option to indicate availability, or is it opportunistic, when the device notices port 853 is open?

fanf27y ago

Android 9 Pie is opportunistic: it tries to connect to port 853 and sends a probe query to make sure the server behaves plausibly well. Other clients need explicit configuration.

tssva7y ago

Article starts by stating that DNS doesn't provide a means to guarantee integrity of the returned DNS data.

Then mentions DNSSEC as a protocol which exists to provide such guarantee and promptly dismisses it along with DNSCURVE and DNSCRYPT as protocols which have been so infrequently deployed as to be non-existent.

Further on states that DNS over TLS and DNS over HTTPS don't solve the integrity problem but that is ok because DNSSEC will provide that.

My head is spinning.

tptacek7y ago

There's two ways to ensure the authenticity of data delivered over the Internet. You can authenticate the content or you can authenticate the channel.

Overwhelmingly, practical security schemes on the Internet rely on channel security. We rely on TLS to ensure the integrity of the DOM on websites; we don't cryptographically sign the pages themselves.

All things being equal, you'd like to be doing both things. You'd like to have cryptographically signed web page DOMs, for instance (among other things, it would make web crypto a lot more useful).

But all things aren't equal: content authentication is difficult to manage in practice, and every security protocol we adopt has a cost.

Long story short: if you can protect the channels used by DNS lookups, you can get by without protecting the content. That's roughly the idea behind DoH and DoTLS.

The reality though is that all you really need is "DNS over TCP" (which, of course, we've had since basically the beginning). Practical forgery attacks against TCP DNS are difficult enough as to not be worth the trouble.

seabee7y ago

Practical forgery attacks against an arbitrary client are hard, but configuring a public WiFi AP to intercept your favourite repeating-digit DNS server is trivial. Lots of people use public WiFi!

In such a scenario a VPN is a more secure answer than DNS-over-TLS, but this isn’t a realistic answer for the average user. It has to be something that is free and easy to enable.

bluejekyll7y ago

You're correct DNSSEC and DNS-over-TLS/DoH (DNS-over-HTTPS) both provide different, and necessary, aspects of securing records in DNS.

DNSSEC == authentication of records. DNS-over-TLS/DoH == privacy, and authenticity of the server/client.

Both are independently useful and enforce different things for us. The biggest issue with DNSSEC is that since it's not been widely adopted, what should you do with records that either are not signed, or are incorrectly signed? Most software doesn't really have a great way of raising DNS issues to the application in a way that users or something else could provide a security exception.

auslander7y ago

I recently configured my OPNsense router, for DNS over TLS with Quad9, with certificate domain validation. It uses included Unbound resolver. Not sure what I achieved, but it does feel good :)

https://forum.opnsense.org/index.php?topic=9197.msg41265#msg...

Fnoord7y ago

I've done the very same thing, on an EdgeRouter Lite [1].

Quad9 also supports DNSSEC.

[1] https://www.chameth.com/2017/12/17/dns-over-tls-on-edgeroute...

js27y ago

Switching to unbound seems like extra work. I kept dnsmasq on my EdgeRouter and just pointed it at doh-client from [0] which is trivial to cross-compile. I’m using Google’s dns servers as upstream.

[0] https://github.com/m13253/dns-over-https/tree/master/doh-cli...

2 more replies

auslander7y ago

Well done !

How secure is this EdgeRouter lite? Is it open source? For what it's worth, I found one blog with VPNFilter botnet and Ubiquiti on the same page :)

1 more reply

auslander7y ago

Project dnsprivacy-monitoring, auto updated table of supported security features by DNS provider:

https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

bogomipz7y ago

I used Stubby and Quad9 for a few months last year but I found the latency pretty terrible unfortunately. I would be curious to hear what other people are using and what their experience has been.

ggm7y ago

I used SSH SOCKS tunnels with stubby to keep myself online inside China's state firewall two recent trips. commercial VPN are routinely slowed down or blocked, if you have the luxury of an SSH enabled host "outside" you can use, Stubby and this are good, to get around DNS rewriting tricks and port/ip filters.

Yes, you have have slower paths, trombone paths. But in the circumstances I was in, Stubby was a godsend.

Also check out the dns security option in Android Pie.

computerfriend7y ago

This is surprising, as I've had my SSH connection throttled from within China.

bogomipz7y ago

Interesting. Can I ask what you used for your SSH host so that latency was bearable?

1 more reply

bwoodcock7y ago

Did you open a ticket? What AS and city are you originating from, and which Quad9 location were your queries going to?

bubblethink7y ago

Try cloudflare ? I found it beats quad9 in latency by a margin.

nykolasz7y ago

Really? They both have anycast pops all over the world - and in my tests, very close performance (couple of ms of difference - if that) to be felt by anyone.

ex: https://medium.com/@nykolas.z/dns-resolvers-performance-comp...

1 more reply

bwoodcock7y ago

Again, if that's the case, you should open a trouble ticket, so the problem can be fixed. It won't get fixed if there isn't a work ticket and nobody knows where your traffic is coming from or going to.

gsich7y ago

You need to keep the connection open.

bogomipz7y ago

Can't that only be done for a max of 10 seconds though? So beyond 10 seconds, you have the connection overhead all over again no?

https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby

2 more replies

alecbenzer7y ago

What's the point of confidentiality for DNS? Can't an attacker pretty easily get IP-to-DNS mappings to discover who you're talking to? I guess not in the case of VPNs/TOR?

nykolasz7y ago

DNS hijacking is real and very annoying. The main benefit of these protocols is in the integrity of the DNS resolution data. It allows you to use any DNS server you want, without having your ISP modifying their responses.

Here is my story why I tried dnscrypt: https://medium.com/@nykolas.z/ending-dns-hijacking-with-dnsc...

kromem7y ago

Not in the case of Tor, but also not in the case of almost all/most cloud hosted services.

For example, consider that Cloudflare proxies about 10% of the Internet. Well, if you request a site they proxy, and DNS is in the clear, it's obvious who you are connecting to.

But if you request a site and the DNS is encrypted, you could be visiting any one of 10% of the sites out there.

Similarly, if hosting on AWS or Google Cloud platform, there's a LOT of other services hosted in those IP blocks, and IPs change frequently, so there's a significant degree of ambiguity.

This is all in addition to fixing the threat of DNS leakage for VPN/Tor connections.

auslander7y ago

> Cloudflare proxies about 10% of the Internet

... and strips SSL off on their side, so 10% of internet is, in fact, MITMed.

2 more replies

dagenix7y ago

... except that SNI isn't encrypted.

3 more replies

j / k navigate · click thread line to collapse

86 comments

nykolasz7y ago

Pretty much there are 3 competing implementations for DNS resolution encryption (won't call it security):

  * DNSCrypt
  * DNS over TLS
  * DNS over HTTPS

If you are looking for something well tested and well supported, check out DNSCrypt (and the awesome DNSCrypt-proxy):

https://github.com/jedisct1/dnscrypt-proxy

https://download.dnscrypt.info/dnscrypt-resolvers/v2/public-...

On the other hand, DNS over [HTTPS|TLS] are pretty new and don't have as much support, except for a few players. A good list if here as well:

https://www.reddit.com/r/sysadmin/comments/976aj2/updated_li...

dagenix7y ago

Prediction: DNS-over-TLS won't win. I don't think it's going to be able to get around the non-standard port issue.

nykolasz7y ago

I hope you are wrong. We don't need one more protocol tunneled through HTTP.

djsumdog7y ago

I kinda agree on this. It's like pumping everything into an electron app. Not everything needs to be pumped through 80/443.

1 more reply

dagenix7y ago

Why? What's the specific harm? AIUI, as long as the request still fits into a single frame, its not anymore inneficient.

2 more replies

kromem7y ago

Yeah, DNS over HTTP/2, (or the inevitable DNS over upcoming connection protocols) will definitely succeed.

fanf27y ago

I still need to verify that TCP fast open is working, to minimize the DoT latency.

amaccuish7y ago

Is there a new dhcp option to indicate availability, or is it opportunistic, when the device notices port 853 is open?

fanf27y ago

Android 9 Pie is opportunistic: it tries to connect to port 853 and sends a probe query to make sure the server behaves plausibly well. Other clients need explicit configuration.

tssva7y ago

Article starts by stating that DNS doesn't provide a means to guarantee integrity of the returned DNS data.

Further on states that DNS over TLS and DNS over HTTPS don't solve the integrity problem but that is ok because DNSSEC will provide that.

My head is spinning.

tptacek7y ago

There's two ways to ensure the authenticity of data delivered over the Internet. You can authenticate the content or you can authenticate the channel.

All things being equal, you'd like to be doing both things. You'd like to have cryptographically signed web page DOMs, for instance (among other things, it would make web crypto a lot more useful).

But all things aren't equal: content authentication is difficult to manage in practice, and every security protocol we adopt has a cost.

Long story short: if you can protect the channels used by DNS lookups, you can get by without protecting the content. That's roughly the idea behind DoH and DoTLS.

seabee7y ago

Practical forgery attacks against an arbitrary client are hard, but configuring a public WiFi AP to intercept your favourite repeating-digit DNS server is trivial. Lots of people use public WiFi!

In such a scenario a VPN is a more secure answer than DNS-over-TLS, but this isn’t a realistic answer for the average user. It has to be something that is free and easy to enable.

bluejekyll7y ago

You're correct DNSSEC and DNS-over-TLS/DoH (DNS-over-HTTPS) both provide different, and necessary, aspects of securing records in DNS.

DNSSEC == authentication of records. DNS-over-TLS/DoH == privacy, and authenticity of the server/client.

auslander7y ago

I recently configured my OPNsense router, for DNS over TLS with Quad9, with certificate domain validation. It uses included Unbound resolver. Not sure what I achieved, but it does feel good :)

https://forum.opnsense.org/index.php?topic=9197.msg41265#msg...

Fnoord7y ago

I've done the very same thing, on an EdgeRouter Lite [1].

Quad9 also supports DNSSEC.

[1] https://www.chameth.com/2017/12/17/dns-over-tls-on-edgeroute...

js27y ago

[0] https://github.com/m13253/dns-over-https/tree/master/doh-cli...

2 more replies

auslander7y ago

Well done !

How secure is this EdgeRouter lite? Is it open source? For what it's worth, I found one blog with VPNFilter botnet and Ubiquiti on the same page :)

1 more reply

auslander7y ago

Project dnsprivacy-monitoring, auto updated table of supported security features by DNS provider:

https://dnsprivacy.org/jenkins/job/dnsprivacy-monitoring/

bogomipz7y ago

I used Stubby and Quad9 for a few months last year but I found the latency pretty terrible unfortunately. I would be curious to hear what other people are using and what their experience has been.

ggm7y ago

Yes, you have have slower paths, trombone paths. But in the circumstances I was in, Stubby was a godsend.

Also check out the dns security option in Android Pie.

computerfriend7y ago

This is surprising, as I've had my SSH connection throttled from within China.

bogomipz7y ago

Interesting. Can I ask what you used for your SSH host so that latency was bearable?

1 more reply

bwoodcock7y ago

Did you open a ticket? What AS and city are you originating from, and which Quad9 location were your queries going to?

bubblethink7y ago

Try cloudflare ? I found it beats quad9 in latency by a margin.

nykolasz7y ago

Really? They both have anycast pops all over the world - and in my tests, very close performance (couple of ms of difference - if that) to be felt by anyone.

ex: https://medium.com/@nykolas.z/dns-resolvers-performance-comp...

1 more reply

bwoodcock7y ago

gsich7y ago

You need to keep the connection open.

bogomipz7y ago

Can't that only be done for a max of 10 seconds though? So beyond 10 seconds, you have the connection overhead all over again no?

https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby

2 more replies

alecbenzer7y ago

What's the point of confidentiality for DNS? Can't an attacker pretty easily get IP-to-DNS mappings to discover who you're talking to? I guess not in the case of VPNs/TOR?

nykolasz7y ago

Here is my story why I tried dnscrypt: https://medium.com/@nykolas.z/ending-dns-hijacking-with-dnsc...

kromem7y ago

Not in the case of Tor, but also not in the case of almost all/most cloud hosted services.

For example, consider that Cloudflare proxies about 10% of the Internet. Well, if you request a site they proxy, and DNS is in the clear, it's obvious who you are connecting to.

But if you request a site and the DNS is encrypted, you could be visiting any one of 10% of the sites out there.

Similarly, if hosting on AWS or Google Cloud platform, there's a LOT of other services hosted in those IP blocks, and IPs change frequently, so there's a significant degree of ambiguity.

This is all in addition to fixing the threat of DNS leakage for VPN/Tor connections.

auslander7y ago

> Cloudflare proxies about 10% of the Internet

... and strips SSL off on their side, so 10% of internet is, in fact, MITMed.

2 more replies

dagenix7y ago

... except that SNI isn't encrypted.

3 more replies

j / k navigate · click thread line to collapse