enigmagroup / enigmabox-openwrt

OpenWrt package feed for the Enigmabox software suite
https://en.enigmabox.net/
GNU General Public License v3.0

DNS: Do not use Google - consider OpenNIC; Use Encryption/Authentication (DNSCrypt, DNSSEC, ...) #7

Open ghost opened 8 years ago

ghost commented 8 years ago

Because of this commit I saw you also operate DNS servers. However, you can still improve this: Do not use Google Public DNS or US DNS servers like 4.2.2.1 (also not as a fallback, like you seem to do currently). I think you know that they are not very keen on privacy, and additionally they may be located quite far away from Switzerland, so the latency may be high, too.

So you already added your own DNS servers. This is good, but you should improve it:

  1. Maybe you have already heard of OpenNIC. OpenNIC is a project of some private DNS servers, who are an alternative DNS provider. What is also special about them is that they have special TLDs, which are not registered by ICANN, but can be used with an OpenNIC name server. So you may:
     1.1. Also make your DNS servers part of OpenNIC and resolve their special (alternative) domains too.
     1.2. Add some OpenNIC servers as a fallback (instead of the bad ones I mentioned above). When doing so please pay attention to what the servers say about anonymizing/not keeping logs (see the tooltip when you hover your mouse over "log anon"). Also pay attention to the uptime, location and so on...
  2. As you also see on the OpenNIC site, some servers offer "DNSCrypt". This is a system which greatly improves the security and integrity of DNS queries. Currently you can use any DNS server you like, but as the DNS queries themselves are neither encrypted nor authenticated (an exception is DNSSEC - more below), anyone who can intercept your traffic can modify them, hijack them and e.g. send you to a different site or cause connection errors (aka DNS resolve errors) or similar things. Here is where DNSCrypt helps: DNSCrypt is a new protocol. Originally developed by OpenDNS* it is now an open-source community project. The special thing about DNSCrypt is that it encrypts all traffic to the DNS server in an end-to-end way. Additionally it uses the same basic encryption parts cjdns also uses: the protocol is based on NaCl - a well-known cryptographic library - whose elliptic curve Curve25519 is also used in cjdns (BTW you're also mentioned there :smiley:). Look at their homepage for more information and client and server software for downloading. Basically it would be nice if your own DNS servers and the Enigmabox would support DNSCrypt.
  3. Additionally you may support DNSSEC. It is a quite hierarchical system, but it still improves security as it adds validation information to the DNS system. Mostly this is only important to support on the (DNS) server side, so that the server validates DNSSEC and the path to the client (Enigmabox) is already secured by DNSCrypt. However, obviously it would also be good if the client supports DNSSEC and validates it anyway, so you are secured if you e.g. fall back to other DNS servers (which support DNSSEC, but not DNSCrypt), or if the DNS servers are compromised they would still be unable to deliver bad replies.
  4. Just for completeness I also mention DNSCurve, which is another Curve25519-encrypted protocol. But unlike DNSCurve it does not secure the channel from user -> DNS server, but from DNS server to authoritative servers. However, as you would depend on the authoritative servers for supporting this - and AFAIK there are not many which do this yet - I think you cannot use it yet.

BTW one last suggestion: You may also make the DNS server config available to the user via the web interface. It would be nice if the user could at least select a server out of a pre-defined list.


Note: You can reply to me in German if you want, but I wrote this in English so everyone can understand it.

* Attention: The name OpenDNS is misleading. It is neither open nor non-logging of DNS queries or so, and it did bad things in the past. Nowadays it is also owned by Cisco, FYI. The only advantage of their service is that it is quite reliable and offers DNSCrypt, so as the last (really the last!) fallback it may be adequate.
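To make point 3 above concrete (the client should be able to tell whether a fallback resolver actually validated an answer), here is an added example that is not part of this thread or of the enigmabox-openwrt code: it builds a wire-format A query with the EDNS0 DO bit set and checks a response header for the AD ("Authenticated Data") flag, using constructed sample responses rather than live traffic. The hostname and transaction id are arbitrary assumptions.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 / RFC 4035).
FLAG_QR = 0x8000     # message is a response
FLAG_AD = 0x0020     # Authenticated Data: resolver says it validated via DNSSEC
FLAG_CD = 0x0010     # Checking Disabled
RCODE_MASK = 0x000F

def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels, root terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int = 0x1234, dnssec_ok: bool = True) -> bytes:
    """Recursive A query; with dnssec_ok an EDNS0 OPT pseudo-RR carrying the DO bit is appended."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN
    if not dnssec_ok:
        return header + question
    # OPT RR: root name, TYPE=41, UDP payload size 4096, ext-RCODE/version 0, DO bit, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields relevant to a validation check."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "response": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & RCODE_MASK, "answers": an}

def validated(response: bytes, expected_id: int) -> bool:
    """True only for a matching, successful response that carries the AD bit.
    AD is merely the resolver's claim: it is only meaningful over an authenticated
    channel such as DNSCrypt, or when RRSIGs are validated locally as well."""
    h = parse_header(response)
    return h["id"] == expected_id and h["response"] and h["rcode"] == 0 and h["ad"]

# Constructed sample responses (header only; enough for this check): same txid,
# QR+RD+RA set; the first also sets AD, the second does not.
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
```

Sending `build_query(...)` to a candidate fallback resolver over UDP port 53 and feeding the reply to `validated` tells you whether that resolver reports DNSSEC validation for a signed zone.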

enigmagroup commented 8 years ago

Wow, thank you for that very detailed description! Wonderful.

Yea, that thing with the DNS seems to be an everlasting line of worry. We started out with DNS servers from the Swiss Privacy Foundation. Suddenly, they shut them down without any warning or notice. It almost killed our network, because we had not used any [Google] fallback servers that are always online.

("The DNS servers of the Swiss Privacy Foundation (77.109.138.45 and 77.109.139.29) were shut down in mid-June 2015.")

http://www.privacyfoundation.ch/de/service/server.html

I don't want to base my DNS infrastructure on a kindergarten like the Swiss Prifucky Foundation anymore.

After using the not so open OpenDNS, cjd recommended the Level 3 (4.2.2.*) servers to me. However, they redirect to a search site when a name is not resolved. This is also crap.

So, there is OpenNIC, which I didn't know about yet. Thank you for the hint! Well, but... Most servers in tier 2 were recently added. Some are down already. Seems like a messy, unstable kindergarten too. I'll only use Tier 1, should I decide to go for OpenNIC servers.

Regarding DNSSEC: I've heard djb ranting about it, so this is lower on my list. And there are the other DNS crypto things that I first have to take a closer look into. At the moment, I have other important things to do.

But anyway, thanks again for the comprehensive overview! I'll keep it in my mind.

ghost commented 8 years ago

We started out with DNS servers from the Swiss Privacy Foundation. Suddenly, they shut them down without any warning or notice.

Okay, at least they suggested alternative servers in the site you linked to: https://xiala.net/services/dns.html Based on their facts they also may be quite stable and reliable.

After using the not so open OpenDNS, cjd recommended the Level 3 (4.2.2.*) servers to me. However, they redirect to a search site when a name is not resolved. This is also crap.

Indeed. :smile:

So, there is OpenNIC, which I didn't know about yet. Thank you for the hint! Well, but... Most servers in tier 2 were recently added. Some are down already. Seems like a messy, unstable kindergarten too. I'll only use Tier 1, should I decide to go for OpenNIC servers.

Well... you'll have to test them and watch them over a longer period of time. Possibly some servers may be likable. As they are operated by volunteers, every single server can be different. You might also have a look at the DNSCrypt clients. They also have a list of DNS servers.

The thing about DNSSEC is okay; I would also prioritize DNSCrypt, as you may deploy it more easily on your own servers and on the Enigmabox. I don't know of other "DNS crypto things" you may do except the ones I mentioned.

ghost commented 8 years ago

Another DNSCrypt server in Iceland: https://dnscrypt.is/

IzzySoft commented 7 years ago

If you're still in need of additional privacy-friendly candidates (no logging, no censorship) also take a look at:

DNSSEC is supported by all of them AFAIK (I'm sure about the first 2 at least).

gidTT commented 5 years ago

xiala.net announces on their home page, they'll pull the plug end of Nov. 2018.

alexhiggins732 commented 5 years ago

FYI, Firefox gives the following warning when attempting to visit xiala.net:

Firefox detected a potential security threat and did not continue to xiala.net. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

IzzySoft commented 5 years ago

@alexhiggins732 looks like they've misconfigured their certificate. Try www.xiala.net instead (that's covered by the cert, and nothing else – so calling just https://xiala.net/ results in a cert error SSL_ERROR_BAD_CERT_DOMAIN). With the www. prefix I get no error in Waterfox (while without it I do).

Apart from that: See the comment just before yours.