[kwlug-disc] CCC talk about DNS(ystem)
Chris Irwin
chris at chrisirwin.ca
Thu Apr 9 10:20:57 EDT 2020
On Thu, Apr 09, 2020 at 06:57:54AM -0400, Doug Moen wrote:
>The question is: what if I don't rely on somebody else's DNS server,
>but instead run my own. Let's say I don't rely on my ISP's server, or
>on Google's 8.8.8.8 server, or on 1.1.1.1, or on CIRA's server, but
>instead run my own. Let's assume I am sophisticated enough to use the
>non consumer grade routers advocated by other KWLUG members, and that I
>am capable of running my own instance of BIND as a recursive DNS
>server.
Even if you're hitting roots and authoritative nameservers yourself,
that's still DNS to somewhere, just multiple somewheres instead of a
single forwarding DNS.
If that's still using plain-old-dns, you're still doing that in the
clear, with all the same caveats included (Potential MITM, leaking data,
theoretical bad ISP capturing all port-53 queries themselves)
Even if your BIND fully supports TLS lookups, chances are a significant
number of authoritative nameservers don't. Now you rely on everybody
else being up to date, configured, with certificates, to avoid falling
back to clear-text DNS for queries, on a per-domain basis.
I'll admit, I couldn't find any statistics on DoT takeup for
authoritative nameservers, but I didn't look very hard. I did notice the
first few "Domain DNS testers" didn't even list TLS as a line item to
be checked. Coupled with the fact that LetsEncrypt won't provide
certificates for an IP address, it's probably safe to assume any remote
domains that are not using large DNS hosting services don't have
authoritative DoT configured.
If you want all of your local outbound DNS to be encrypted, you need to
use forwarding DNS to a resolver that does DoT. Granted, those remote
DNS servers (cloudflare, cira, whoever) still have the problems related
to clear text lookup, but that's their problem to worry about now, and
doesn't get tied back to you.
The issue comes back to whether you trust that DNS resolver to provide
accurate and private results.
(my DNS terminology may be slightly incorrect. It's been over a decade
since I last looked at bind or configuring DNS in depth)
--
Chris Irwin
email: chris at chrisirwin.ca
xmpp: chris at chrisirwin.ca
web: https://chrisirwin.ca
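As an added illustration of the forwarding setup discussed in the post (not configuration from the original message or from any KWLUG member), here is what the weak and the intended variants look like in Unbound. It assumes Unbound rather than BIND as the local resolver, uses 1.1.1.1/1.0.0.1 with the certificate name cloudflare-dns.com as the DoT upstream, and uses a Debian-style CA bundle path; all three are assumptions to adjust for your own setup.

```conf
# Added example, not from the original post. Unbound forwarding config
# contrasting plain port-53 forwarding with DNS-over-TLS forwarding.
# Assumed: Unbound as resolver, Cloudflare as the DoT upstream, and a
# Debian/Ubuntu CA bundle path.

server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    # CA bundle used to verify the upstream certificate against the name
    # given after '#' in forward-addr below. Without it Unbound still
    # encrypts, but does not authenticate the upstream, so an on-path
    # attacker could still impersonate the resolver.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# WEAK: the "plain-old-dns" case from the post. Every query leaves the
# host on port 53 in clear text, readable and alterable on the path.
# forward-zone:
#     name: "."
#     forward-addr: 1.1.1.1
#     forward-addr: 1.0.0.1

# INTENDED: forward everything to a DoT resolver on port 853 and require
# TLS for that upstream. '@853' is the port, '#name' is the hostname the
# presented certificate must match.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Keep the default: if the forwarders are unreachable, do NOT fall
    # back to doing our own (clear-text) recursion against the roots.
    forward-first: no
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

After editing, `unbound-checkconf` validates the file before a reload. The useful check afterwards is on the wire rather than in the logs: with the DoT zone active, outbound traffic from the resolver host should appear only on 853/tcp; any 53/udp or 53/tcp leaving the box means some query is still going out in the clear, which is exactly the fallback the post warns about.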