Saturday, June 23, 2018

Configuring DNS Server For Privacy & Security

Technitium DNS Server is an open source tool that can be used for blocking Internet ads using a DNS sinkhole, for self-hosting a local DNS server for privacy and security, or for experimentation and testing by software developers on their own computer. It works out-of-the-box with no or minimal configuration and provides a user-friendly web console accessible from any web browser.

With the release of Technitium DNS Server version 1.3, which adds support for DNS-over-TLS and DNS-over-HTTPS forwarders, it is now a good solution for anyone concerned with privacy and security of domain name resolution on their Internet connection, on Windows 10, Linux or macOS.

If you are not clear about what DNS is, read on. The Domain Name System (DNS) is a decentralized system that allows you to find out the Internet Protocol (IP) address of any website (like www.technitium.com). So, when you enter a website's domain name into your web browser, the browser uses DNS to find out the IP address of that website. Once the IP address is known, the browser can connect to the web server at that IP address using TCP/IP and download web pages and other embedded resources to display on your screen. DNS servers don't just store IP address records; they also store other record types, such as mail exchange (MX) records, which tell email servers where to deliver email for users of a given domain.

DNS servers and clients exchange requests and responses over UDP or TCP, and these messages are not encrypted. This allows anyone on the network path to see those requests and even hijack them by sending back spoofed responses. There have been many instances reported in the media of DNS hijacking done by malware, by hacked home Wi-Fi routers, or even by Internet Service Providers (ISPs). ISPs in certain places have been found to redirect users to "custom" search pages instead of Google Search, or even to blatantly inject ads into websites that are not using HTTPS. In some countries, ISPs often use their DNS servers to block websites to enforce government censorship orders.
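To make concrete what "not encrypted" means, here is an added example (not part of the original post and not Technitium's code): a minimal decoder for the RFC 1035 wire format, run over a constructed plaintext query and reply for www.technitium.com. Everything an on-path observer needs in order to read the query, or to answer it before the real resolver does, is in the packet as-is: the transaction ID, the queried name and the answer address (the 192.168.1.100 address in the sample reply is made up). The same decoder is what a network monitor uses to log which names clients are asking for.

```python
"""
Added example, not from the original post or the Technitium project: a
minimal decoder for the RFC 1035 DNS wire format, used to show what an
on-path observer can read from a plaintext DNS query and its reply.
"""
import struct

# Constructed sample: a plain UDP query for www.technitium.com, type A.
SAMPLE_QUERY = (
    b"\x12\x34"                          # transaction ID
    b"\x01\x00"                          # flags: standard query, RD=1
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # QDCOUNT=1, AN/NS/AR=0
    b"\x03www\x0atechnitium\x03com\x00"  # QNAME as length-prefixed labels
    b"\x00\x01"                          # QTYPE A
    b"\x00\x01"                          # QCLASS IN
)

# Constructed sample reply: same ID, one A record (192.168.1.100 is made up).
SAMPLE_RESPONSE = (
    b"\x12\x34"
    b"\x81\x80"                          # flags: response, RD, RA, NOERROR
    b"\x00\x01\x00\x01\x00\x00\x00\x00"  # QDCOUNT=1, ANCOUNT=1
    b"\x03www\x0atechnitium\x03com\x00\x00\x01\x00\x01"  # question echoed
    b"\xc0\x0c"                          # name: pointer to the QNAME at offset 12
    b"\x00\x01\x00\x01"                  # type A, class IN
    b"\x00\x00\x0e\x10"                  # TTL 3600
    b"\x00\x04"                          # RDLENGTH
    b"\xc0\xa8\x01\x64"                  # RDATA 192.168.1.100
)


def parse_name(data: bytes, offset: int):
    """Decode a DNS name at `offset`, following compression pointers.

    Returns (dotted name, offset just past the name in the original stream).
    """
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_message(packet: bytes) -> dict:
    """Decode the header, question and answer sections of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    msg = {"id": ident, "is_response": bool(flags & 0x8000),
           "rcode": flags & 0x000F, "questions": [], "answers": []}
    offset = 12
    for _ in range(qd):
        name, offset = parse_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        msg["questions"].append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an):
        name, offset = parse_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        # Only A records are rendered as addresses; everything else stays hex.
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        msg["answers"].append({"name": name, "type": rtype, "ttl": ttl, "data": value})
    return msg


def queried_names(packet: bytes) -> list:
    """Names asked for in a packet: what a passive observer learns from it."""
    return [q["name"] for q in parse_message(packet)["questions"]]


if __name__ == "__main__":
    for pkt in (SAMPLE_QUERY, SAMPLE_RESPONSE):
        print(parse_message(pkt))
```

Nothing in either packet authenticates the reply: a response is accepted if its ID and question match the outstanding query, which is exactly what the spoofing described above exploits. DNS-over-TLS and DNS-over-HTTPS wrap this whole message in TLS, so only the chosen resolver sees the name and the answer.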

To mitigate these issues, the DNS-over-TLS and DNS-over-HTTPS protocols have been developed and are currently offered by a few DNS providers, notably Cloudflare, Google and Quad9. But, currently, no operating system, application or web browser has built-in support for these protocols.

With Technitium DNS Server installed on your computer (or on your network), you can make all your applications indirectly use these DNS providers over the new secure protocols, hiding all your DNS traffic from your ISP. Let's see how to configure the DNS Server to use these services and take control of domain name resolution on your computer or private network.

Technitium DNS Server is not configured out-of-the-box with these settings, since you have to choose for yourself which DNS provider to use. Every public DNS provider has its own privacy policy, which you should understand before choosing one.

Cloudflare's privacy policy promises that DNS query logs are kept for only 24 hours and contain no personally identifiable data. They also promise not to sell the data to third parties.

Google's privacy policy states that a temporary log containing the user's full IP address is kept for 24 to 48 hours, and that a permanent log is kept with the personally identifiable data redacted. No details are given on how this data is used or with whom it is shared.

Quad9's privacy policy promises that they do not keep any logs, only anonymized statistical data about specific domain names, such as the domain name, timestamp, geolocation and total hits.

Below is a list of DNS providers grouped by the protocol they support. You can configure one or more DNS providers as forwarders, but they must all use the same protocol.

DNS-over-TLS protocol providers:
  • Cloudflare IPv4 {cloudflare-dns.com (1.1.1.1:853), cloudflare-dns.com (1.0.0.1:853)}
  • Cloudflare IPv6 {cloudflare-dns.com ([2606:4700:4700::1111]:853), cloudflare-dns.com ([2606:4700:4700::1001]:853)}
  • Google IPv4 {dns.google (8.8.8.8:853), dns.google (8.8.4.4:853)}
  • Google IPv6 {dns.google ([2001:4860:4860::8888]:853), dns.google ([2001:4860:4860::8844]:853)}
  • Quad9 Secure IPv4 {dns.quad9.net (9.9.9.9:853)}
  • Quad9 Secure IPv6 {dns.quad9.net ([2620:fe::fe]:853)}

DNS-over-HTTPS protocol providers:
  • Cloudflare (https://cloudflare-dns.com/dns-query)
  • Google (https://dns.google/dns-query)
  • Quad9 Secure (https://dns.quad9.net/dns-query)

DNS-over-HTTPS (JSON) protocol providers:
  • Cloudflare (https://cloudflare-dns.com/dns-query)
  • Google (https://dns.google/resolve)
  • Quad9 Secure (https://dns.quad9.net/dns-query)

To make the configuration quick, easy and error free, there is a Quick Select drop-down list that offers all of the above options. Selecting the desired option in the Quick Select list populates the settings automatically.

See the examples below for what the configuration looks like:

DNS-over-TLS Using Cloudflare

DNS-over-TLS Using Quad9 For IPv6 Internet

DNS-over-HTTPS Using Cloudflare

DNS-over-HTTPS (JSON) Using Google

As you may have noticed, Cloudflare supports all three protocols. Not only that, it is possible to use Cloudflare DNS over a Tor hidden service too! Technitium DNS Server v1.3 adds support for configuring a proxy server, which can of course be pointed at Tor running on your computer so that queries reach Cloudflare's DNS hidden service, because WHY NOT?!

You just need to configure the dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion hidden service address as a forwarder, and since all hidden service connections over the Tor network are inherently end-to-end encrypted, you can use the DNS-over-TCP protocol with it. Tor is not included with the software, so you will need to install Tor separately and configure it as a SOCKS5 proxy.

This option hides your queries from your ISP and also hides your identity from Cloudflare. But seriously, if you are really that paranoid, just use Tor Browser for all your web browsing.

DNS-over-Tor Config For Cloudflare DNS Hidden Service

Once you have configured forwarders, use the DNS Client on the web console to test the setup by making a test query to "this-server". If everything is configured correctly, you will see the IP address of the test domain you entered in the "Answers" section of the JSON-formatted output.
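The JSON "Answers" check just described, generalised a little as an added example (not part of the original post and not Technitium's code): it builds DNS-over-HTTPS (JSON) query URLs for the three providers listed earlier, then reads a constructed reply in the JSON shape those APIs return, verifying that the echoed Question matches the name that was asked before trusting the Answer section. The Accept header value is the one Cloudflare documents for its JSON format; sending it to all three providers is an assumption. No network access is made.

```python
"""
Added example, not from the original post or the Technitium project: build
DNS-over-HTTPS (JSON) query URLs for the providers listed in the post and
read the "Answer" section of the JSON reply. Replies here are constructed.
"""
import json
from urllib.parse import urlencode

# JSON endpoints exactly as listed in the post.
JSON_ENDPOINTS = {
    "cloudflare": "https://cloudflare-dns.com/dns-query",
    "google": "https://dns.google/resolve",
    "quad9": "https://dns.quad9.net/dns-query",
}

# Cloudflare documents this header for selecting the JSON format; it is
# assumed here (not verified) to be acceptable to the other providers too.
REQUEST_HEADERS = {"accept": "application/dns-json"}

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RTYPE_NAMES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def build_query_url(provider: str, name: str, rtype: str = "A") -> str:
    """Return the GET URL for a JSON DoH lookup of `name` at `provider`."""
    return JSON_ENDPOINTS[provider] + "?" + urlencode({"name": name, "type": rtype})


def parse_reply(asked_name: str, body: str) -> dict:
    """Decode a JSON DoH reply into a summary of status and answers.

    The reply's Question section is checked against the name we asked for:
    an answer for a different name is discarded rather than trusted.
    """
    reply = json.loads(body)
    questions = reply.get("Question", [])
    asked = asked_name.rstrip(".").lower()
    if not questions or questions[0]["name"].rstrip(".").lower() != asked:
        raise ValueError("reply Question does not match the name queried")
    status = reply.get("Status", -1)
    answers = [
        {
            "name": rr["name"].rstrip("."),
            "type": RTYPE_NAMES.get(rr["type"], str(rr["type"])),
            "ttl": rr["TTL"],
            "data": rr["data"],
        }
        for rr in reply.get("Answer", [])
    ]
    return {
        "status": RCODE_NAMES.get(status, "RCODE%d" % status),
        "dnssec_validated": bool(reply.get("AD", False)),  # AD bit from the resolver
        "answers": answers,
        "addresses": [a["data"] for a in answers if a["type"] in ("A", "AAAA")],
    }


# Constructed sample replies in the field layout Google and Cloudflare use.
SAMPLE_OK = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "www.technitium.com.", "type": 1}],
    "Answer": [
        {"name": "www.technitium.com.", "type": 5, "TTL": 300, "data": "technitium.com."},
        {"name": "technitium.com.", "type": 1, "TTL": 300, "data": "192.0.2.10"},
    ],
})
SAMPLE_NXDOMAIN = json.dumps({
    "Status": 3, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "nosuchname.example.", "type": 1}],
})

if __name__ == "__main__":
    for provider in JSON_ENDPOINTS:
        print(build_query_url(provider, "www.technitium.com"))
    print(parse_reply("www.technitium.com", SAMPLE_OK))
    print(parse_reply("nosuchname.example", SAMPLE_NXDOMAIN))
```

The address in the sample (192.0.2.10) is from the documentation range and is not technitium.com's real address. The CNAME chain in the sample is why `addresses` is collected only from A and AAAA records: the first Answer entry is an alias, not an address.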

Finally, to make all your computers and applications use Technitium DNS Server, you need to configure it on your Ethernet or Wi-Fi network adapter. Just set the loopback IP address (127.0.0.1 for IPv4 and ::1 for IPv6) as the DNS server in your network adapter settings, as shown below:

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

For more queries, write comments below or send an email to support@technitium.com.

21 comments:

  1. can i create my tld on dns server?

    Replies
    1. Yes, you can create any domain or TLD on the DNS Server. You can delegate a zone too to specific name servers by creating NS records that point to those servers.

  2. How do I create NS records that point to those servers?

    Replies
    1. You don't need to create NS records. You just need to configure them as forwarders from the Settings tab.

    2. There is a Settings tab at the right end. In there you will need to scroll down a bit and you will find the Forwarders textbox. There, you can use the Quick Select dropdown to select one of the popular public DNS services.

  3. How can I point any request to a specific IP? Example, google.com or facebook.com -> 192.168.1.100 (captive portal)

    Replies
    1. You just need to switch to the Zones tab in the DNS Server web console and add a new zone "google.com". In that zone, add a Type A record, with the name blank or '@', and enter the IP address as the value. You will need to add another CNAME type record with name 'www' and value 'google.com'. The CNAME record will make 'www.google.com' point to 'google.com', and the IP address assigned to 'google.com' will be used automatically.

      Do these steps for any domain you want to redirect to a local web server.

    2. Use the DNS Client tab in the web console to query the zone to confirm that it's working correctly.

    3. Thank you for the explanation, it was very helpful, I appreciate it. But I mean, is it possible to point ANY domain request to a specific IP? Whatever the user types should redirect to my captive portal. Thanks in advance.

  4. DNS catchall or something like that, pointing every single domain to a specific ip.

    Replies
    1. You could achieve it using a wildcard subdomain entry. For this, you will need to create a zone for each top level domain (TLD) like com, net, org, uk, us, in, etc. Let's say you create a 'com' zone; you can then add a Type A record with name '*' and value your local server IP address. This will catch all subdomains for 'com'. Likewise you will need to create a zone for all top level domains. A root level wildcard zone is not supported.

  5. Please explain PROTOCOLS options from SETTINGS page with example. Also tell what should be the path for TLS certificate file. Can I use self-signed cert for this? What will be the local address for DNSoverTLS and DNSoverHTTPS?

    Replies
    1. These protocols are optional and only to be enabled if you have specific applications that can use these protocols. Like if you wish to host the DNS Server on a VPS and then use its DNS-over-TLS or DNS-over-HTTPS protocol services with your web browser like Firefox or on your Android Mobile. For usual home network usage, there is no need to enable these protocols.

      If you wish to use the protocols with public DNS providers like Cloudflare, Google or Quad9 then you need to configure their addresses as forwarder in the settings (at the bottom). You can use the Quick Select dropdown to select popular public DNS providers.

      If you want to host your own DNS Server with these protocols then read below:

      The TLS certificate used cannot be self-signed if you want the applications to be able to use the service. You can get a free certificate for your domain name using Let's Encrypt and then use the cert with the DNS Server.

      The TLS Certificate path in settings is the path where the cert .pfx file is stored on the server. It can be any path on the server where you have the cert files saved. The TLS Certificate password is the .pfx file password. You can create a .pfx file from a .crt file using the openssl command (just google for the syntax).

      The address for DNS-over-TLS will be the TLS certificate domain name combined with port 853: domain-name:853

      The address for DNS-over-HTTPS will be TLS certificate domain name as a url: https://domain-name/dns-query

  6. Hi there,

    I have a question. I just need to resolve a server name on the wireless devices.
    They access an intranet webpage like:

    https://server01/page.apsx

    What do I need to do to resolve server01?
    Thanks in advance.

    Replies
    1. Windows does not use DNS to resolve computer names. Instead it will use NBNS, mDNS and LLMNR protocols. If you wish to use DNS names then you can create something like server01.local zone and then configure the webserver with the domain name and then try to use it. Better way is to use the actual production domain name of the website to create zone on the DNS server and then use the enable/disable options on the zone to switch between staging and production.

    2. The devices are Android, but the server is Windows!
      I installed DNS Server on Windows with:
      Zone: server01
      - A @ 192.168.xxx.xxx and TTL 10
      Settings:
      DNS Server domain: server01
      address: 127.0.0.1
      ::1

      with everything default!

      The Android devices' DNS points to the server IP... but nothing!!
      The devices do not know where server01 is!!
      Can you help?

    3. You need to make sure that the Android device is able to resolve the IP address. If it's not getting the right IP address then you will see DNS_PROBE_FINISHED_NXDOMAIN.

      If it's able to find the address and you still get some other error from the web server, then make sure your website is using the same domain name or is running as the default website. Also, you need to make sure that the Windows Firewall is configured correctly.

      If you are still unable to find the issue then do send screenshot of the error message and details of config to support@technitium.com.

  7. Hey when adding a txt dkim record the following message appears: "Error! Value was either too large or too small for an unsigned byte." Would be great to find a way around it! Otherwise great and easy to use.

    Replies
    1. This is due to the size limitation of TXT records. A TXT record can contain at most a 255-character string. So, for a long DKIM record, you will need to split it into multiple records and manually add the TXT records.

      Check out these links for more details:
      https://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns
      http://hack.limbicmedia.ca/how-to-split-dns-dkim-records-properly/

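The 255-character limit discussed in this thread, as an added example (not part of the post and not Technitium's code): on the wire, every string inside a TXT record is prefixed with a single length byte, which is why no string can exceed 255 bytes and why a long DKIM key has to be carried as several strings. The helper below splits a constructed (not real) DKIM value accordingly, formats it the way a zone file presents it, and checks that the pieces concatenate back to the original.

```python
"""
Added example, not from the original post or the Technitium project: split
a long TXT value (such as a DKIM public key) into RFC 1035 character-strings
of at most 255 bytes, and present the result in zone-file form.
"""

MAX_CHARACTER_STRING = 255  # one length byte precedes each string on the wire


def split_txt_value(value: str, limit: int = MAX_CHARACTER_STRING) -> list:
    """Return `value` as a list of strings, each at most `limit` bytes.

    The limit is in bytes; DKIM values are ASCII so bytes and characters
    coincide, but the split is done on the encoded form to be safe.
    """
    if not 1 <= limit <= MAX_CHARACTER_STRING:
        raise ValueError("limit must be between 1 and 255")
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def txt_wire_length(strings: list) -> int:
    """Bytes the RDATA occupies: one length byte plus the data of each string."""
    for s in strings:
        if len(s.encode("ascii")) > MAX_CHARACTER_STRING:
            raise ValueError("character-string longer than 255 bytes")
    return sum(1 + len(s.encode("ascii")) for s in strings)


def format_txt_rdata(strings: list) -> str:
    """Zone-file presentation: each string quoted, separated by spaces."""
    escaped = [s.replace("\\", "\\\\").replace('"', '\\"') for s in strings]
    return " ".join('"%s"' % s for s in escaped)


def join_txt_strings(strings: list) -> str:
    """What a DKIM verifier does: concatenate the strings back together."""
    return "".join(strings)


# Constructed sample: a DKIM-shaped value with a made-up 416-character p= field.
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=" + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" * 13

if __name__ == "__main__":
    parts = split_txt_value(SAMPLE_DKIM)
    print(len(parts), "strings,", txt_wire_length(parts), "bytes of RDATA")
    print(format_txt_rdata(parts))
```

The split can fall anywhere in the base64 text; verifiers concatenate the strings before decoding, so no string boundary needs to line up with a tag or a base64 group.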
  8. https://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns
    answered Mar 22 at 19:30 Johannes Winter <- This!
