Saturday, June 23, 2018

Configuring DNS Server For Privacy & Security

Technitium DNS Server is an open source tool that can be used for self hosting a local DNS server for privacy & security or, used for experimentation/testing by software developers on their computer. It works out-of-the-box with no or minimal configuration and provides a user friendly web console accessible using any web browser.

With the release of Technitium DNS Server version 1.3 which adds support for DNS-over-TLS & DNS-over-HTTPS forwarders, it is now a good solution to be used by anyone concerned with privacy & security for domain name resolution on their Internet connection for Windows 10, Linux or macOS.

If you are not clear about what DNS is, read on. The Domain Name System (DNS) is a decentralized system that allows you to find out the Internet Protocol (IP) address of any website (like www.technitium.com). So, when you enter a website domain name into your web browser, the web browser uses DNS to find out the IP address of that website. Once the IP address is known, the web browser can connect to the web server at that IP address using TCP/IP protocols and download web pages and other embedded resources to display on your screen. DNS servers don't just store IP address records; they also store other record types, like mail exchange (MX) records, which tell email servers where to deliver email for users of a given domain.

DNS servers and clients use the UDP or TCP protocol to exchange requests and responses, and these are not encrypted. This allows anyone on the network to see those requests and even hijack them by sending back spoofed responses. There have been many instances reported in the media of DNS hijacking done by malware, by hacked home WiFi routers, or even by Internet Service Providers (ISPs). ISPs in certain places have been found to redirect users to "custom" search pages instead of Google Search, or even to blatantly inject ads into websites that are not using HTTPS security. In some countries, ISPs often use their DNS servers to block websites to enforce government censorship orders.

To mitigate these issues, the DNS-over-TLS and DNS-over-HTTPS protocols have been developed and are currently offered by a few DNS providers, notably Cloudflare, Google and IBM (Quad9). But, currently, no operating system, application or web browser has built-in support for these protocols.

With Technitium DNS Server installed on your computer (or on your network), you can make all your applications indirectly use these DNS providers over the new secure protocols. Let's see how to configure the DNS Server to use these services, so that you take control of and secure domain name resolution on your computer or private network.

Technitium DNS Server is not configured out-of-the-box with these settings, since you have to choose the DNS provider yourself. Below is a list of DNS providers grouped by the protocol they support. You can configure one or more DNS providers as forwarders, but they must all use the same protocol. If you have IPv6 Internet access, use the given IPv6 service addresses and make sure that you keep the square brackets as-is while configuring.

DNS-over-TLS protocol providers:
  • Cloudflare IPv4 (1.1.1.1:853, 1.0.0.1:853) 
  • Cloudflare IPv6 ([2606:4700:4700::1111]:853, [2606:4700:4700::1001]:853)
  • Quad9 Secure IPv4 (9.9.9.9:853)
  • Quad9 Secure IPv6 ([2620:fe::fe]:853)

DNS-over-HTTPS protocol providers:
  • Cloudflare (https://cloudflare-dns.com/dns-query)

DNS-over-HTTPS (JSON) protocol providers:
  • Cloudflare (https://cloudflare-dns.com/dns-query)
  • Google (https://dns.google.com/resolve)

Select a protocol and DNS provider, and use the address given in brackets to configure it as a forwarder in your DNS Server Settings tab. You can use a single provider or multiple providers for a given protocol. See the examples below for how this looks:

DNS-over-TLS Using Cloudflare & Quad9

DNS-over-TLS Using Cloudflare For IPv6 Internet

DNS-over-HTTPS Using Cloudflare

DNS-over-HTTPS (JSON) Using Cloudflare & Google

As you may have noticed, Cloudflare provides support for all three protocols. Not only that, it is possible to use Cloudflare DNS over Tor hidden service too!

Technitium DNS Server v1.3 adds support for configuring a proxy server, which can of course be made to use Tor running on your computer and reach the Cloudflare DNS hidden service, because WHY NOT?! You just need to configure the dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion hidden service address as a forwarder, and since all hidden service requests over the Tor network are inherently encrypted and secure, you can use the DNS-over-TCP protocol with it. But seriously, if you are really that paranoid, just use Tor Browser for all your web browsing.

DNS Server Proxy Config For Tor With Cloudflare Hidden Service Forwarder

Once you have configured forwarders, use the DNS Client on the web console to test the setup by making a test query to "this-server". If everything is configured correctly, you will see the IP address of the test domain you entered inside the "Answers" section of the JSON formatted output.
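The DNS-over-HTTPS (JSON) exchange behind the Cloudflare and Google forwarders listed above, as an added example in Python (not code from the original post or from Technitium DNS Server): it builds the lookup URL for either endpoint and extracts answer records from a reply in their JSON format, including the AD flag that shows whether the upstream resolver validated the answer with DNSSEC. The SAMPLE_REPLY and the 192.0.2.x addresses are constructed for the offline check; resolve() does a live lookup and is the only part that needs network access.

```python
import json
import urllib.parse
import urllib.request

# DNS-over-HTTPS (JSON) endpoints from the provider list above.
CLOUDFLARE_JSON = "https://cloudflare-dns.com/dns-query"
GOOGLE_JSON = "https://dns.google.com/resolve"

# DNS RR type numbers for the records a resolver test usually checks.
RR_TYPES = {"A": 1, "AAAA": 28, "MX": 15}


def build_request(endpoint, name, qtype="A"):
    """Return (url, headers) for a DoH JSON lookup of `name`."""
    query = urllib.parse.urlencode({"name": name, "type": qtype})
    # Cloudflare only answers in JSON when this Accept header is present;
    # Google's /resolve endpoint ignores it, so it is harmless there.
    return f"{endpoint}?{query}", {"Accept": "application/dns-json"}


def parse_answers(body, qtype="A"):
    """Extract (name, ttl, data) for answer records of type `qtype`.
    Raises ValueError if the resolver reported a non-zero RCODE."""
    reply = json.loads(body)
    if reply.get("Status", -1) != 0:
        raise ValueError(f"resolver returned RCODE {reply.get('Status')}")
    wanted = RR_TYPES[qtype]
    return [(rr["name"], rr["TTL"], rr["data"])
            for rr in reply.get("Answer", []) if rr["type"] == wanted]


def dnssec_validated(body):
    """AD flag: the upstream resolver validated this answer with DNSSEC."""
    return bool(json.loads(body).get("AD", False))


def resolve(endpoint, name, qtype="A"):
    """Live lookup over HTTPS (needs network); not used by the offline check."""
    url, headers = build_request(endpoint, name, qtype)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return parse_answers(resp.read().decode(), qtype)


# Constructed sample reply in the Cloudflare/Google JSON schema (not a real capture).
SAMPLE_REPLY = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "www.example.com.", "type": 1}],
    "Answer": [{"name": "www.example.com.", "type": 1, "TTL": 300, "data": "192.0.2.10"},
               {"name": "www.example.com.", "type": 1, "TTL": 300, "data": "192.0.2.11"}],
})

if __name__ == "__main__":
    print(build_request(CLOUDFLARE_JSON, "www.example.com"))
    print(parse_answers(SAMPLE_REPLY), dnssec_validated(SAMPLE_REPLY))
```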

Finally, to make all the applications on your computer use Technitium DNS Server, you need to configure it on your Ethernet or WiFi network adapter. You just need to set the loopback IP address (127.0.0.1 for IPv4 and ::1 for IPv6) as the DNS server in your network adapter settings, as shown below:

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

For more queries, write comments below or send an email to support@technitium.com.
