Secure DNS-over-TLS alongside unbound?
With many providers now supporting DNS over TLS (Cloudflare, Google etc), and support being added to Android and iOS soon, the issue of DNS query encryption is becoming more prominent. It's especially relevant for those in oppressive countries, and those users who care strongly about privacy. Even many Western nations have bad data laws now - for example the UK makes it a legal requirement for ISPs (and others) to store records of queries, website visits, interactions and calls/messages etc for a long period of time, so that they are available to intelligence, police and government agencies in the future.
Is there a roadmap or any plan at all to implement DNS over TLS in IPFire? For example, it's possible to compile and run Stubby (an open source DNS over TLS daemon depending on getdns) alongside unbound with DNSSEC.
Something like this would be really nice to see, if it's at all possible. I'd be willing to donate more to help it happen.
Edit: I should have added the alternative of DNS over HTTPS, which is being supported by some vendors over DNS over TLS. They argue HTTPS is faster, but generally the DNS providers (Cloudflare, Google etc) who offer it support both anyway. Alternatively there's always DNSCrypt, but I think that's restricted to OpenDNS and a couple of affiliated servers. Either way, I appreciate your thoughts.

- MichaelTremer
- Core Developer
Re: Secure DNS-over-TLS alongside unbound?
Core Update 120 will bring unbound 1.7.0 which has support for DNS over TLS.
See also the discussion here: https://lists.ipfire.org/pipermail/deve ... 04211.html
DNSCrypt has been declared dead.
Support the project with our Donation Challenge!
Get Commercial Support for IPFire and more from Lightning Wire Labs!

Re: Secure DNS-over-TLS alongside unbound?
Hi all,
I am not sure, but I thought that TLS handshakes below TLSv1.3 are also not that safe (it seems that there are also bigger discussions/negotiations about the new 1.3 standard going on in the background. Also some other info on that topic --> http://blog.fefe.de/?ts=a43ffcb6 --> https://www.kuketz-blog.de/tls-metadate ... n-aufruft/ )?
Greetings,
UE
Re: Secure DNS-over-TLS alongside unbound?
MichaelTremer wrote: ↑April 5th, 2018, 9:47 am
Core Update 120 will bring unbound 1.7.0 which has support for DNS over TLS.
See also the discussion here: https://lists.ipfire.org/pipermail/deve ... 04211.html
DNSCrypt has been declared dead.
That's great Michael. I saw the announcement on Twitter - you guys have been busy! Is DoH supported too? Anyway I'll give it a try. Thanks!

Re: Secure DNS-over-TLS alongside unbound?
PS I can't find a link to download Core 120, neither on Planet nor in the download centre. The blog post says it's available to test, so could you please kindly point me to where I can find the serial console dd image?
Never mind, I RTFM. My apologies.

Re: Secure DNS-over-TLS alongside unbound?
Hi Folks,
My network clients use IPFire as the DNS. In IPFire I use TLS-aware DNS servers, but I don't think SSL is activated/recognized in IPFire.
We would like to use a DNS server with DNS-over-TLS. Any chance to bring this into the web UI? I could imagine an additional column to add the TLS port for each DNS server. The DNSSEC-validating tag could be complemented with a DNS-over-TLS tag alongside it if the server is TLS-aware. That would be great. Any comments or hints on how to do this on the CLI? TIA!
regards,
Roman
Home: VF VDSL 109↓ 33↑, AVM FB: 7590 [07.12], RPi: Pi-Hole [4.3.2], VPN: IPsec
Office: VF Cable 400↓ 25↑, Modem: CBN CH7466CE, IPFire-HW: Jetway NC9C-550-LF, VPN: IPsec
One Life. Live it.

Re: Secure DNS-over-TLS alongside unbound?
extrasolar wrote: ↑July 20th, 2018, 6:45 am
Hi Folks,
My network clients use IPFire as the DNS. In IPFire I use TLS-aware DNS servers, but I don't think SSL is activated/recognized in IPFire.
We would like to use a DNS server with DNS-over-TLS. Any chance to bring this into the web UI? I could imagine an additional column to add the TLS port for each DNS server. The DNSSEC-validating tag could be complemented with a DNS-over-TLS tag alongside it if the server is TLS-aware. That would be great. Any comments or hints on how to do this on the CLI? TIA!
regards,
Roman
I actually got around to trying to enable this on my own (home) IPFire router after seeing your post. I'm more used to administrating OpenBSD/FreeBSD in this context, but according to the man pages the setup is almost the same. Unfortunately though I just can't get it working. If I add the relevant options (and forward-addr) to /etc/unbound/unbound.conf and reboot I end up with no working DNS.
Michael (or anyone else in the know), if you could check my conf and see if there's something obvious I missed it would be much appreciated - and also then answer Roman's question at the same time.
As far as I can see this config would work perfectly on *BSD (and indeed I set one up just a few moments ago to verify). Apparently in this case I missed something? I'm on the latest release of IPFire/unbound btw, so it's not a version issue. TIA.

Code:
#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#
server:
    # Common Server Options
    chroot: ""
    directory: "/etc/unbound"
    username: "nobody"
    port: 53
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes
    so-reuseport: yes
    do-not-query-localhost: yes
    tls-upstream: yes
    tcp-upstream: yes

    # System Tuning
    include: "/etc/unbound/tuning.conf"

    # Logging Options
    verbosity: 1
    use-syslog: yes
    log-time-ascii: yes
    log-queries: no

    # Unbound Statistics
    statistics-interval: 0
    statistics-cumulative: yes
    extended-statistics: yes

    # Prefetching
    prefetch: yes
    prefetch-key: yes

    # Randomise any cached responses
    rrset-roundrobin: yes

    # Privacy Options
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    minimal-responses: yes

    # DNSSEC
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    val-clean-additional: yes
    val-log-level: 1

    # Hardening Options
    harden-glue: yes
    harden-short-bufsize: no
    harden-large-queries: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-algo-downgrade: no
    use-caps-for-id: yes

    # Listen on all interfaces
    interface-automatic: yes
    interface: 0.0.0.0

    # Allow access from everywhere
    access-control: 0.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # Bootstrap root servers
    root-hints: "/etc/unbound/root.hints"

    # Include DHCP leases
    include: "/etc/unbound/dhcp-leases.conf"

    # Include any forward zones
    #include: "/etc/unbound/forward.conf"

remote-control:
    control-enable: yes
    control-use-cert: yes
    control-interface: 127.0.0.1
    server-key-file: "/etc/unbound/unbound_server.key"
    server-cert-file: "/etc/unbound/unbound_server.pem"
    control-key-file: "/etc/unbound/unbound_control.key"
    control-cert-file: "/etc/unbound/unbound_control.pem"

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"

forward-zone:
    name: "."
    forward-addr: 1.0.0.1@853
    forward-addr: 9.9.9.9@853


- MichaelTremer
- Core Developer
Re: Secure DNS-over-TLS alongside unbound?
I guess that configuration looks fine.
We have been talking about this on the dev mailing list, but there was basically no support for DNS-over-TLS:
https://lists.ipfire.org/pipermail/deve ... 04211.html
The people who proposed it were not really up for testing anything, which makes it a little bit of a waste of time to implement it and of course causes us to release an error-prone solution. We talked about it at the dev telephone conference but there was again no real desire to implement it amongst the participants:
https://wiki.ipfire.org/devel/telco/2018-04-09
I enabled it on the Lightning Wire Labs DNS resolver a while ago but nobody has sent me any feedback about it:
https://lightningwirelabs.com/2018/05/0 ... -resolvers

Re: Secure DNS-over-TLS alongside unbound?
The problem I have with the current IPFire DNSSEC is that my ISP munges DNS packets.
Because the unbound startup uses dig to determine if DNSSEC is supported upstream, and dig doesn't support DNS/TLS, I've had to modify the startup (see https://gitlab.com/snippets/1706804).
I'd love to test unbound over DNS/TLS, should anyone provide supporting changes in the unbound startup and configuration files.
Paul
EDIT:
I'm using IPFire 2.19 (x86_64) - Core Update 120
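As an added example (not code from this thread, from IPFire or from unbound), here is the upstream DNSSEC probe that the unbound startup script does with dig, redone over DNS-over-TLS in Python: the query is framed with the 2-byte length prefix used over TCP, sent inside a TLS session on port 853, and the upstream certificate is verified against an authentication name, which the posted configuration (no certificate bundle, no authentication name) cannot do. The resolver address, its certificate name (assumed here to be cloudflare-dns.com) and the sample response bytes are assumptions and constructed data, not taken from the thread.

```python
import socket
import ssl
import struct

DNSKEY, RRSIG, OPT = 48, 46, 41

def build_query(qname, qtype, qid=0x1234):
    # Header: RD set, 1 question, 1 additional (the OPT RR); DO=0x8000 asks for DNSSEC data
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]   # "." -> root (no labels)
    name = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    opt = b"\x00" + struct.pack(">HHBBHH", OPT, 4096, 0, 0, 0x8000, 0)
    return header + name + struct.pack(">HH", qtype, 1) + opt        # class IN

def skip_name(msg, pos):
    # Advance past a wire-format name; a compression pointer (0xC0..) ends it in 2 bytes
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def parse_response(msg):
    # Returns (rcode, ad_bit, has_rrsig): AD = upstream validated, RRSIG = DNSSEC data came through
    _, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    pos, has_rrsig = 12, False
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4                      # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        has_rrsig, pos = has_rrsig or rtype == RRSIG, pos + 10 + rdlen
    return flags & 0x000F, bool(flags & 0x0020), has_rrsig

def query_over_tls(server, auth_name, qname, qtype, port=853):
    # RFC 7858: TCP-style 2-byte length framing inside TLS on port 853; the server
    # certificate is verified against auth_name (assumed name, e.g. cloudflare-dns.com)
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
        q = build_query(qname, qtype)
        tls.sendall(struct.pack(">H", len(q)) + q)
        rd = tls.makefile("rb")
        (length,) = struct.unpack(">H", rd.read(2))
        return parse_response(rd.read(length))

# Constructed sample response (not captured traffic): flags QR|RD|RA|AD, answer = A + RRSIG
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
                   + b"\xc0\x0c" + struct.pack(">HHIH", RRSIG, 1, 300, 18) + b"\x00" * 18)
```

query_over_tls("1.0.0.1", "cloudflare-dns.com", ".", DNSKEY) yields (0, True, True) when the upstream validates and passes signatures through; a missing AD bit or RRSIG is the same "no DNSSEC upstream" signal the dig check looks for, but observed over the encrypted channel that dig cannot open.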
Re: Secure DNS-over-TLS alongside unbound?
If there is interest, I would love to test a DoT integration in IPFire. I don't think this is the time to declare DoT dead or not important enough. I think it is an upcoming issue/task; it is just beginning.
Re: Secure DNS-over-TLS alongside unbound?
RedneckMother wrote: ↑July 21st, 2018, 5:46 pm
Because the unbound startup uses dig to determine if DNSSEC is supported upstream, and dig doesn't support DNS/TLS, I've had to modify the startup (see https://gitlab.com/snippets/1706804).
Is it possible to patch unbound to use kdig instead of dig? AFAIK kdig is TLS-aware.
