petition: support for dns-over-tls

General questions.
parker_lewis
Posts: 9
Joined: July 23rd, 2018, 7:24 am

petition: support for dns-over-tls

Post by parker_lewis » October 3rd, 2018, 8:32 pm

Hey there everybody,

after some of us got lost in configuration trying to get DNS-over-TLS working, I would like to propose a petition. Why that? Well, the developers once had the feeling that there was no need for the feature. I would like to convince them that there are not only 1 or 2 freaks who are willing to use something like that.

So if you'd like to join and support me in asking the developers to add DNS-over-TLS support to IPFIRE, please reply with the following sentence(s):
-------------------
Dear developers,
please consider your decision that there's no need for DOT in IPFIRE. I'd like to use DOT too and I'm willing to test such a feature.

Thanks in advance,

Your Community
-------------------

RedneckMother
Posts: 90
Joined: June 21st, 2014, 1:34 am
Location: USA

Re: petition: support for dns-over-tls

Post by RedneckMother » October 3rd, 2018, 8:36 pm

+1 from me... trying to bypass my ISP's DNS obfuscation, maybe TLS is the answer.

Deepcuts
Posts: 459
Joined: March 1st, 2016, 3:18 pm
Location: Romania

Re: petition: support for dns-over-tls

Post by Deepcuts » October 4th, 2018, 12:04 am

I did not read too much on dns over tls, but my take on this, if you just want your ISP to not track you without a VPN, is that you cannot.
Even if you use a secured DNS and the website you are visiting is https, your ISP can still see that you visited that website.
You visit https://www.somenastysite.com, your ISP sees that you visited https://www.somenastysite.com.
You visit https://www.somenastysite.com/video/xxx.html, your ISP sees that you visited https://www.somenastysite.com but not the full URL.

Again, I am not too literate on dns over tls but if you want to hide your tracks from your ISP, this is not your answer.

MichaelTremer
Core Developer
Posts: 5775
Joined: August 11th, 2005, 9:02 am

Re: petition: support for dns-over-tls

Post by MichaelTremer » October 4th, 2018, 12:22 pm

Err this petition is all nice and such things, but I am quite sure that nobody here needs to be convinced that there is a need for DNS-over-TLS.

The issue is rather that there is absolutely no development time left and people are busy working on various things around the project, and there is absolutely no desire to put more things on the TODO list than we can handle. If you want to see DNS-over-TLS in IPFire, there are other ways to support this than putting more pressure on people.
Support the project with our Donation Challenge!

Get Commercial Support for IPFire and more from Lightning Wire Labs!


firewell
Posts: 14
Joined: May 31st, 2018, 12:36 pm

Re: petition: support for dns-over-tls

Post by firewell » October 24th, 2018, 2:13 am

MichaelTremer wrote:
October 4th, 2018, 12:22 pm
If you want to see DNS-over-TLS in IPFire, there are other ways to support this than putting more pressure on people.
Are there any details on these other ways that we can use DoT on IPFire? We have another thread here where we tried to get DoT working and we cannot seem to get a functional configuration.

I would love to get this feature working. I'm not confusing DoT as a fix-all for security however, being able to use a DNS resolution that is not in plain text for the ISP to snoop on is always worthwhile. Unfortunately I've been forced to use another firewall solution because I cannot get IPFire to work on DoT. I would be very interested in testing this.

MichaelTremer
Core Developer
Posts: 5775
Joined: August 11th, 2005, 9:02 am

Re: petition: support for dns-over-tls

Post by MichaelTremer » October 25th, 2018, 9:48 am


schnappi
Posts: 34
Joined: January 23rd, 2018, 11:15 pm

Re: petition: support for dns-over-tls

Post by schnappi » October 28th, 2018, 6:22 pm

Even if DNS is sent over TLS, HTTPS still shows the hostname of sites visited (which has already been stated). For this reason, I do not really see any benefit to DNS over TLS short of preventing DNS poisoning.

Time has to be triaged. I agree it is not best spent on DNS over TLS.

MichaelTremer
Core Developer
Posts: 5775
Joined: August 11th, 2005, 9:02 am

Re: petition: support for dns-over-tls

Post by MichaelTremer » October 29th, 2018, 1:27 pm

schnappi wrote:
October 28th, 2018, 6:22 pm
For this reason, do not really see any benefit to DNS over TLS short of preventing DNS poisoning.
DNS over TLS does not prevent DNS (cache) poisoning.

schnappi
Posts: 34
Joined: January 23rd, 2018, 11:15 pm

Re: petition: support for dns-over-tls

Post by schnappi » November 1st, 2018, 8:25 pm

If a network operator is intercepting port 53 traffic and "poisoning" DNS queries to redirect to "wrong" URLs, then DNS over TLS would prevent DNS "poisoning". The initial query would be encrypted (barring an SSL man-in-the-middle attack) to the local network.
Last edited by schnappi on November 1st, 2018, 10:41 pm, edited 1 time in total.

IpDeputy
Posts: 4
Joined: November 1st, 2018, 6:36 am

Re: petition: support for dns-over-tls

Post by IpDeputy » November 1st, 2018, 8:38 pm

+1 Love this idea.

schnappi
Posts: 34
Joined: January 23rd, 2018, 11:15 pm

Re: petition: support for dns-over-tls

Post by schnappi » November 1st, 2018, 10:44 pm

I actually do not. What is to stop the public DNS server from logging the queries once they reach the server intact/encrypted? Anyone running an IPFire device already has control of the local network. Hence, I vote for time to be triaged and spent on other things (like integrating Pi-hole, since Squid basically cannot block HTTPS domains).

MichaelTremer
Core Developer
Posts: 5775
Joined: August 11th, 2005, 9:02 am

Re: petition: support for dns-over-tls

Post by MichaelTremer » November 2nd, 2018, 9:15 am

schnappi wrote:
November 1st, 2018, 8:25 pm
If a network operator is intercepting port 53 traffic and "poisoning" DNS queries to redirect to "wrong" URLs, then DNS over TLS would prevent DNS "poisoning". The initial query would be encrypted (barring an SSL man-in-the-middle attack) to the local network.
I get what you mean, but that is not called poisoning. However, DNS-over-TLS would prevent that.
schnappi wrote:
November 1st, 2018, 10:44 pm
I actually do not. What is to stop the public DNS server from logging the queries once they reach the server intact/encrypted? Anyone running an IPFire device already has control of the local network. Hence, I vote for time to be triaged and spent on other things (like integrating Pi-hole, since Squid basically cannot block HTTPS domains).
Squid can block HTTPS very well. And as far as I know, nobody is working on integrating Pi-Hole.

schnappi
Posts: 34
Joined: January 23rd, 2018, 11:15 pm

Re: petition: support for dns-over-tls

Post by schnappi » November 8th, 2018, 3:42 am

Even if Squid can block HTTPS, only machines set up to use a proxy can utilize Squid.
