Secure default DNS server - no censoring, no logging, encryption

[breznak]

The PR #240 suggests to be able to switch DNS resolver (from current google's 8.8.8.8).

I think we should improve privacy and security by having a privacy-minded default DNS. Here's a list with suggestions: https://www.doileak.com/blog-DNS%20Server%20for%20privacy.html

The features to look for:

• no logging (promised)
• encryption (DNSSEC/DNSCrypt)
• no censorship

A possible further improvement would be spinning our local recursive DNS, such as unbound for example: https://www.unbound.net/

TODO:

• [ ] add CI unit-test for DNS resolution
• [ ] replace google's 8.8.8.8 with some of the "privacy oriented" DNS resolvers
• [ ] test local DNS cache (unbound, pdnsd,...) Document docker/unbound image and how to connect to it
  • [ ] document -n option to change DNS
  • [ ] add hardened docker-compose setup that chains openvpn + unbound,...

[buchdag]

I ran a local DNS cache with DNSSEC / DNSCrypt and open / uncensored / privacy oriented resolvers for a while because my ISP DNS resolver was censoring. Bottom line : absolute pain to setup, recurrent request timeouts no matter the setup or servers I picked.

Maybe I wasn't up to the task, but I ended up dumping the DNSSEC / DNSCrypt part because it was creating way too much issues.

I'm still using a local pdnsd cache with OpenNIC resolvers (six of them queried in parallel, IPv4 and IPv6) and I still end up getting request timeouts once in a while and having to replace some resolvers in the pdnsd configuration because they're down for an extended period (days) despite having supposedly three 9s uptime.

I'd like to be proven wrong by someone more comfortable with those technologies than I managed to be, but I personally think they aren't reliable / straightforward enough (yet) to serve as a default here.

[breznak]

I ran a local DNS cache ... absolute pain to setup, recurrent request timeouts no matter ...

The thing is if we get it right once here, it'd be usable for anyone. I hope we can "steal" the configuration from some security-minded distro, such as Tails?

I'm still using a local pdnsd cache with OpenNIC resolvers ... and I still end up getting request timeouts once in a while

I don't have experience with OpenNIC, but I'm using some of the privacy-focused resolvers successfully. I also have/had the local unbound running.

I'm adding some TODO to the issue.

[buchdag]

I think people wanting a super private and secure DNS for their openvpn container should be running it in another container (with secns/unbound for instance).

IMO this is a whole separate project by itself and feels quite out of the scope of this one.

[bebehei]

The PR #240 suggests to be able to switch DNS resolver (from current google's 8.8.8.8).

You're always able to switch DNS resolvers. When you're running ovpn_genconfig, you just have to add the -n, which will overwrite the default dns. If you've got concerns about the google DNS server, it's ok, but you have the choice to change it.

So, the DNS is not hardcoded, it's just the default, which is. That's all #240 had been about.

I have to admit, the -n-option is undocumented and the standard user won't find it easily. You may want to add a new PR!

A possible further improvement would be spinning our local recursive DNS, such as unbound for example: https://www.unbound.net/

It's very easy: Run an unbound container on your host and point the dns-resolvers via ovpn_genconfig -n [...] your hosts' IP. Chain the things together via docker-compose and the work is done. There is no need to run it additionally inside the image.

I think we should improve privacy and security by having a privacy-minded default DNS.

The projects' goals are not about privacy. This project wants to deliver a working OpenVPN container. I'd rather use a DNS server, which is stable and not so private than something I don't even know. The google's DNS servers well established and can be taken safely as default. As long it's changeable, it's ok.

You may want to improve the docs how to run this container in paranoid mode.

[breznak]

Thanks for the clarifications, @bebehei ! I've changed the issue to reflect that.

You may want to improve the docs how to run this container in paranoid mode.

I'll try it and then document. If that's in scope for this project, I'd like to create some hardened config for docker-compose that would automate the process in the docs/paranoid.md

[kylemanna]

Thanks @bebehei for summing up a number of important details of this project:

the DNS is not hardcoded, it's just the default

The projects' goals are not about privacy. This project wants to deliver a working OpenVPN container. I'd rather use a DNS server, which is stable and not so private than something I don't even know. The google's DNS servers well established and can be taken safely as default. As long it's changeable, it's ok.

You may want to improve the docs how to run this container in paranoid mode.

[MatthewVance]

Be sure to check DNSCrypt container if you haven't already. It'll likely be the easiest and most reliable method of running a secure DNS container.