Closed tylerpace closed 5 years ago
In short, I haven't fully yet. Like you, I have run those same tests and been puzzled by the results.
I have wondered if the reason some of the tests fail is because this setup doesn't run directly on the computer where the web browser is accessing the sites and because of the Unbound cache. This may make it difficult for the remote test to determine exactly what the traffic leaving your network looks like.
I have looked at dig results to verify DNSSEC is working. I don't recall the exact command, but it was a simple dig flag and a check of the results.
The only good way I know to verify the traffic is truly encrypted in transit is to run a network sniffer like tcpdump. I'd like to do it sometime to verify everything really is working the way it's designed.
If you test this before I do, please post the results here and the methodology. An automated test would be even better.
On Sat, Dec 22, 2018, 5:06 PM Tyler Pace <notifications@github.com> wrote:
I'm playing around with ways to verify that DNS over TLS and DNSSEC are engaged when pumping my DNS traffic through stubby-docker. The easiest way to do this verification that I know of is to use a couple of test pages provided by Cloudflare.
https://1.1.1.1/help https://www.cloudflare.com/ssl/encrypted-sni/
I get some interesting results from those two pages when playing around with different DNS options.
DNS via unbound via stubby (e.g., unmodified stubby-docker) serving up Cloudflare DNS.
- 1.1.1.1/help is unable to detect a connection to 1.1.1.1.
- 1.1.1.1/help is unable to detect DNS over TLS.
- Cloudflare SNI test is unable to detect DNS over TLS.
- Cloudflare SNI test is able to detect DNSSEC.
DNS via stubby (manually exposed port, skipping unbound in stubby-docker) serving up Cloudflare DNS.
- 1.1.1.1/help is able to detect a connection to 1.1.1.1.
- 1.1.1.1/help is able to detect DNS over TLS.
- Cloudflare SNI test is able to detect DNS over TLS.
- Cloudflare SNI test is unable to detect DNSSEC.
DNS via the cloudflared proxy https://github.com/visibilityspots/dockerfile-cloudflared (DNS over HTTPS) serving up Cloudflare DNS.
- 1.1.1.1/help is able to detect a connection to 1.1.1.1.
- 1.1.1.1/help is able to detect DNS over TLS.
- Cloudflare SNI test is able to detect DNS over TLS.
- Cloudflare SNI test is able to detect DNSSEC.
I'm not surprised that a tool that Cloudflare provides (their proxy) passes all of their tests, but I am curious as to what causes unbound+stubby or solo stubby to fail some of the tests. I'm assuming some of the additional features enabled in unbound must interfere with whatever tests Cloudflare has created to check DNS settings.
How are you testing your setup to verify that you have the protection that you think you have?
View it on GitHub: https://github.com/MatthewVance/stubby-docker/issues/5
Found a test for verifying that resolvers support qname minimization and DNSSEC.
https://forum.netgate.com/topic/135477/dns-over-tls-absolute-best-configuration-for-stubby
For qname.
drill txt qnamemintest.internet.nl
For DNSSEC.
dig txt qnamemintest.internet.nl +short
All this really does is confirm that Cloudflare supports qname minimization and DNSSEC. It doesn't help tease out the differences between unbound+stubby or solo stubby as both end up at Cloudflare.
I tried to use the kdig example from the Cloudflare documentation to test the TLS connection, but kdig on my Ubuntu server doesn't seem to support any of the TLS options.
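An added example, not code from this thread or from stubby-docker, that automates the two checks discussed above: the dig check for DNSSEC validation (the AD flag in the answer header) and the tcpdump check that DNS leaves the host only on port 853 over TLS and never on port 53 in cleartext. RESOLVER, IFACE and the function names are assumptions, and the sample dig and tcpdump lines are constructed; the signed name is the one from the thread.

```shell
#!/bin/sh
# Added example, not part of stubby-docker. Two checks for a DoT + DNSSEC resolver:
#  dnssec_status: does the resolver set the AD (Authenticated Data) flag on a signed name?
#  classify_capture: on the upstream-facing interface, did any DNS leave on port 53 in
#  cleartext, or only on port 853 (DNS over TLS)? Capturing on IFACE keeps the LAN-side
#  port-53 queries from clients to the resolver, which are expected, out of the count.
# RESOLVER and IFACE are placeholders to adjust for the stubby-docker host.
RESOLVER="${RESOLVER:-127.0.0.1}"
IFACE="${IFACE:-eth0}"

# Reads dig output on stdin. Only a resolver that validated the answer itself sets ad,
# so its absence on a name from a signed zone means validation is not happening.
dnssec_status() {
    if grep -q '^;; flags:.*[ ,]ad[ ;]'; then echo validated; else echo unvalidated; fi
}

# Reads `tcpdump -nn` text output on stdin and counts outbound packets by destination port.
classify_capture() {
    awk '$2 == "IP" || $2 == "IP6" {
            n = split($5, a, "."); port = a[n]; sub(":", "", port)
            if (port == "53") plain++; else if (port == "853") tls++
         }
         END { printf "plaintext=%d tls=%d\n", plain + 0, tls + 0 }'
}

# Constructed sample lines in the shape dig and tcpdump print (not from a real capture).
SAMPLE_DIG=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CAPTURE='12:00:00.000001 IP 192.168.1.10.41234 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 1.1.1.1.853 > 192.168.1.10.41234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000003 IP 192.168.1.10.41234 > 1.1.1.1.853: Flags [P.], seq 1:300, ack 1, length 299
12:00:00.000004 IP 192.168.1.10.53214 > 1.1.1.1.53: 12345+ A? example.com. (29)'

# Offline run against the samples: prints "validated" and "plaintext=1 tls=2".
demo() {
    printf '%s\n' "$SAMPLE_DIG" | dnssec_status
    printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture
}

# Live run (tcpdump needs root): capture while one signed name is resolved through the
# container, then classify what actually went upstream.
live() {
    capture="$(mktemp)"
    tcpdump -nn -l -i "$IFACE" 'port 53 or port 853' > "$capture" 2>/dev/null &
    pid=$!
    sleep 1
    dig @"$RESOLVER" +dnssec txt qnamemintest.internet.nl | dnssec_status
    sleep 1; kill "$pid"; wait "$pid" 2>/dev/null
    classify_capture < "$capture"; rm -f "$capture"
}
case "${1:-demo}" in live) live ;; *) demo ;; esac
```

Run it as `sh check_dot.sh live` on the stubby-docker host; a solo-stubby setup that really forwards over TLS should report plaintext=0, and any non-zero plaintext count is the leak the Cloudflare pages cannot see from outside.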