Saturday, September 28, 2019

Analyzing DNS-over-HTTPS And DNS-over-TLS Privacy and Security Claims

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are two new protocol options available for secure DNS transport. Of which DoH has been pretty controversial with strong opposition from notable people in the DNS community. There have been questions raised for even the existence of IETF DoH standard when DoT standard was already an option.

Firefox has builtin DoH support with Cloudflare DNS configured that is being rolled out as a default for all users in the USA. This has consequences of subverting local network policies of organizations or private networks. Firefox has announced a canary domain name that can be blocked locally to prevent Firefox to use DoH by default making the entire effort vulnerable to downgrade attacks.

There have been serious concerns raised about DoH as a means for centralization of the DNS infrastructure. There are only a few public DoH and DoT service providers and thus it attempts to centralize the DNS infrastructure. Sending a handful of DNS providers all your DNS traffic does not really improve your overall privacy. It is a trade-off that each user needs to decide on his/her own.

DNS is one important control planes in a network. It essentially allows network administrators to block content based on domain names making it quite useful tool in the arsenal. It is being widely used to provide content filtering services, parental controls, and to block known malware command and control. Its so popular that a lot of people install a locally running DNS server on their home networks to block Internet Ads using block lists.

Applications or devices using DoH by default will bypass all the local control measures configured by the network administrator. The argument for applications to use DoH is that it allows users to bypass censorship, and provide security and privacy. However, this might not be what the user expects without a consent.

But, are users of DoT or DoH really being protected? Lets first understand the default DNS-over-UDP/TCP (Do53), DoH and DoT protocols in technical terms.

Do53 is the core protocol that is used by the entire DNS infrastructure. By default all DNS queries use UDP protocol since it is more efficient for simple request/response queries. TCP is usually used only when the response is expected to be large enough to not be suitable for UDP. Do53 does not provide any security or privacy as anyone on network path can see all DNS requests and even manipulate responses essentially doing a man-in-the-middle attack. This has been exploited in many malware attacks that compromise routers and change DNS settings to use attacker's DNS server to spread further or to compromise users further. Many ISPs have also tried to hijack DNS to show advertisements when user enters a non-existent domain name in the web browser.

DoT protocol is really just DNS-over-TCP tunneled inside TLS. Thus it provides all the features from the core protocol with addition of on path security and privacy. DoT uses default TCP 853 port and thus is easy to block with any network firewall.

DoH uses HTTPS protocol to send and receive DNS data in wire format. This means that DoH server is really a standard web server with a back end web application reading the DNS requests and proxying them to a configured DNS server. DoH can also be directly supported by a DNS server using a built in web server. DoH, just like DoT, also provides on path security and privacy. Since DoH uses the same TCP 443 port that HTTPS uses, it becomes almost impossible to block it with a network firewall since firewall cannot distinguish between normal HTTPS traffic and DoH.

Since both DoT and DoH use TLS for security, they essentially look similar over network. In fact, if DoT is configured on port 443 instead of its default port 853, it too would become difficult to block with a network firewall. Thus the only benefit of DoH seems to be that it allows the service to be hosted using a standard web server where the same IP address and port is shared with multiple other HTTPS websites.

Even though both DoT and DoH claim to provide security and privacy there are multiple catches. Both DoT and DoH provide security only from client to the recursive DNS server thus they do not provide any end-to-end security. Client is essentially trusting a configured recursive DNS server.

Even when DNS requests are encrypted, you are still leaking domain names of website you visit due to TLS Server Name Indication (SNI) extension. SNI essentially allows a web server running on a single IP address to host multiple HTTPS websites. SNI extension includes the domain name of the website you visit so that the web server can use correct SSL/TLS certificate that is configured for that domain name. SNI thus can reliably be used as an option to block websites combined with DNS based filtering.

SNI extension is being upgraded to Encrypted SNI (ESNI) that will encrypt the entire SNI extension in the TLS request. But practically speaking, even when ESNI becomes generally available on all web servers and web browsers, it will take many many years before significant amount of HTTPS websites configure ESNI for their domain name. Its been more than 3 year now that free SSL/TLS certificates are available to be used by any website but still there are a lot of websites that do not have HTTPS deployed (link requires login).

Even when DNS request are encrypted and TLS ESNI extension is used, most websites can still be identified by the IP address they are hosted on. Thus privacy provided by all these measures is still inadequate.

What about DNSSEC? DNSSEC is designed to provide security such that a recursive DNS server can validate responses before responding to client requests. It does not provide end-to-end security as clients never really perform validations and rely totally on the configured recursive DNS server. Another issue with DNSSEC is that its not widely deployed with only a small percentage of domain names have it configured. Most popular websites on the internet still do not have DNSSEC deployed making DNSSEC not really useful for most end users.

With all these technical issues in mind, its clear that both DoT and DoH are not really safe to be used by people to bypass censorship. Anyone with serious concerns with privacy is better off using Tor Browser or use a decent VPN service.

DoT and DoH are still useful as they protect users from man-in-the-middle attacks by on path network attackers. DoH however is really designed with an aim to bypass local network policies. Both are capable from hiding your DNS traffic on private network or from ISP.

A better way for many people is to run their own local DNS server that does recursive resolution. Locally running recursive DNS server will cache most common name servers records which usually have long TTL values configured in days and only query them when records are required or expired. This prevents DNS queries from going to centralized networks and avoid getting logged on ISP DNS server. Having authoritative DNS servers support DoT by default will add much value to running recursive DNS servers as it will dramatically improve security and privacy over the network.

All major ISPs deploying DoT and major Operating Systems (OS) supporting DoT will significantly help improve privacy and security as well as maintain the decentralization. Newer Android mobile devices have already started supporting DoT. Once the entire ecosystem supports and deploys DoT, it will improve the current state that DNS is in.


Tuesday, January 1, 2019

Turn Raspberry Pi Into Network Wide DNS Server

Turn your Raspberry Pi into a network wide DNS server for security, privacy and blocking Internet Ads on your private network!

Raspberry Pi 3 Model B+

With Technitium DNS Server version 2.2 release, it is now possible to run it on Raspberry Pi (Raspbian Stretch) using .NET Core and we have a single line automatic installer ready to make it easy to get it running.

Install DNS Server

Just connect to your Raspberry Pi using SSH and run the command below to install the DNS server:

curl -sSL https://download.technitium.com/dns/install-raspi.sh | sudo bash

You can install the software manually too if you do not wish to directly run the install script. You will need to first manually install .NET Core on your Raspberry Pi and then use these steps to install the DNS Server.

Once the installation is complete, open the DNS Server web console to view the dashboard and customize the settings.

Technitium DNS Server web console on Raspberry Pi 3 Model B+

Configure Your Router

To use it as a network wide DNS server, you need to configure your network router's DHCP settings and add your Raspberry Pi's IP address as a custom DNS server. You may also need to configure the WAN settings to override the default ISP provided DNS servers with your Raspberry Pi one. Check your router's manual for the configuration details.

Do make sure that your Raspberry Pi has a static IP address so that it does not change later causing issues with failed domain resolutions on the entire network. Also make sure to install heat sinks for your Raspberry Pi to prevent overheating issues since you will be running it round the clock.

If you have any queries or feedback, do comment below to let me know. You can also email your queries to support@technitium.com.

Quick And Easy Guide To Install .NET Core On Raspberry Pi

.NET Core is a cross-platform runtime available for x64 and ARM processors that can be used to run ASP.NET Core web applications and standalone .NET Core console applications on Windows, Linux and macOS.

Installing .NET Core is straight forward for most Desktop platforms with clear instructions available on the download website. However, many would find it trickier to install it on something like Raspberry Pi which uses ARM based processor. So, here is a quick and easy guide to install .NET Core 2.2 on Raspberry Pi 3 Model B+ with the latest Raspbian that is based on Debian 9 (Stretch).

Connect to your Raspberry Pi using SSH and get started!

Raspberry Pi 3 Model B+

Installing Dependencies

First you need to install a few dependencies required by the .NET Core runtime:

sudo apt-get -y update
sudo apt-get -y install curl libunwind8 gettext apt-transport-https

Installing .NET Core

Go to the .NET Core download page and download the Linux ARM32 runtime. Or you could just copy the download URL from there to use with wget like I did and follow these steps:

wget https://download.visualstudio.microsoft.com/download/pr/860e937d-aa99-4047-b957-63b4cba047de/da5ed8a5e7c1ac3b4f3d59469789adac/aspnetcore-runtime-2.2.0-linux-arm.tar.gz
sudo mkdir -p /opt/dotnet
sudo tar -zxf aspnetcore-runtime-2.2.0-linux-arm.tar.gz -C /opt/dotnet
sudo ln -s /opt/dotnet/dotnet /usr/bin

Now just enter dotnet on the command line to confirm.

Its Done!

Now you are ready to run ASP.NET Core or .NET Core console apps on your Raspberry Pi!