{"id":115243,"date":"2020-07-10T08:00:00","date_gmt":"2020-07-10T08:00:00","guid":{"rendered":"https:\/\/fedoramagazine.org\/?p=31361"},"modified":"2020-07-10T08:00:00","modified_gmt":"2020-07-10T08:00:00","slug":"use-dns-over-tls","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2020\/07\/10\/use-dns-over-tls\/","title":{"rendered":"Use DNS over TLS"},"content":{"rendered":"<div class=\"wp-block-group\">\n<div class=\"wp-block-group__inner-container\">\n<p>The <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System\" target=\"_blank\" rel=\"noreferrer noopener\">Domain Name System (DNS)<\/a> that modern computers use to find resources on the internet was designed <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/tools.ietf.org\/html\/rfc1035\" target=\"_blank\" rel=\"noreferrer noopener\">35 years ago<\/a> without consideration for user privacy. It is exposed to security risks and attacks like <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/en.wikipedia.org\/wiki\/DNS_hijacking\" target=\"_blank\" rel=\"noreferrer noopener\">DNS Hijacking<\/a>. It also allows <a aria-label=\"undefined (opens in a new tab)\" href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_service_provider\" target=\"_blank\" rel=\"noreferrer noopener\">ISPs<\/a> to intercept the queries.<\/p>\n<p>Luckily, <a href=\"https:\/\/en.wikipedia.org\/wiki\/DNS_over_TLS\" target=\"_blank\" rel=\"noreferrer noopener\">DNS over TLS<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Domain_Name_System_Security_Extensions\" target=\"_blank\" rel=\"noreferrer noopener\">DNSSEC<\/a> are available. DNS over TLS and DNSSEC allow safe and encrypted end-to-end tunnels to be created from a computer to its configured DNS servers. 
On Fedora, the steps to implement these technologies are easy and all the necessary tools are readily available.<\/p>\n<p> <span id=\"more-31361\"><\/span> <\/p>\n<p>This guide will demonstrate how to configure DNS over TLS on Fedora using systemd-resolved. Refer to the <a href=\"https:\/\/www.freedesktop.org\/wiki\/Software\/systemd\/resolved\/\" target=\"_blank\" rel=\"noreferrer noopener\">documentation<\/a> for further information about the systemd-resolved service.<\/p>\n<\/div>\n<\/div>\n<h2>Step 1 : Set-up systemd-resolved<\/h2>\n<p>Modify <em>\/etc\/systemd\/resolved.conf<\/em> so that it is similar to what is shown below. Be sure to enable DNS over TLS and to configure the IP addresses of the DNS servers you want to use.<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ cat \/etc\/systemd\/resolved.conf<\/strong>\n[Resolve]\nDNS=1.1.1.1 9.9.9.9\nDNSOverTLS=yes\nDNSSEC=yes\nFallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4\n#Domains=~.\n#LLMNR=yes\n#MulticastDNS=yes\n#Cache=yes\n#DNSStubListener=yes\n#ReadEtcHosts=yes<\/pre>\n<p>A quick note about the options:<\/p>\n<ul>\n<li><strong>DNS<\/strong>: A space-separated list of IPv4 and IPv6 addresses to use as system DNS servers.<\/li>\n<li><strong>FallbackDNS<\/strong>: A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers.<\/li>\n<li><strong>Domains<\/strong>: These domains are used as search suffixes when resolving single-label host names; <em>~.<\/em> means that the system DNS servers defined with DNS= are preferred for all domains.<\/li>\n<li><strong>DNSOverTLS:<\/strong> If true, all connections to the server will be encrypted. Note that this mode requires a DNS server that supports DNS-over-TLS and has a valid certificate for its IP.<\/li>\n<\/ul>\n<blockquote class=\"wp-block-quote\">\n<p><em>NOTE: The DNS servers listed in the above example are my personal choices. 
You should decide which DNS servers you want to use; being mindful of whom you are asking IPs for internet navigation<\/em>.<\/p>\n<\/blockquote>\n<h2>Step 2 : Tell NetworkManager to push info to systemd-resolved<\/h2>\n<p>Create a file in <em>\/etc\/NetworkManager\/conf.d<\/em> named <em>10-dns-systemd-resolved.conf<\/em>.<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ cat \/etc\/NetworkManager\/conf.d\/10-dns-systemd-resolved.conf<\/strong>\n[main]\ndns=systemd-resolved<\/pre>\n<p>The setting shown above (<em>dns=systemd-resolved<\/em>) will cause NetworkManager to push DNS information acquired from DHCP to the systemd-resolved service. This will override the DNS settings configured in <em>Step 1<\/em>. This is fine on a trusted network, but feel free to set <em>dns=none<\/em> instead to use the DNS servers configured in <em>\/etc\/systemd\/resolved.conf<\/em>.<\/p>\n<h2>Step 3 : start &amp; restart services<\/h2>\n<p>To make the settings configured in the previous steps take effect, start and enable <em>systemd-resolved<\/em>. Then restart <em>NetworkManager<\/em>.<\/p>\n<p><strong>CAUTION<\/strong>: This will lead to a loss of connection for a few seconds while NetworkManager is restarting.<\/p>\n<pre class=\"wp-block-preformatted\">$ sudo systemctl start systemd-resolved\n$ sudo systemctl enable systemd-resolved\n$ sudo systemctl restart NetworkManager<\/pre>\n<blockquote class=\"wp-block-quote\">\n<p><em>NOTE: Currently, the systemd-resolved service is disabled by default and its use is opt-in. <a href=\"https:\/\/fedoraproject.org\/wiki\/Changes\/systemd-resolved\" target=\"_blank\" rel=\"noreferrer noopener\">There are plans<\/a> to enable systemd-resolved by default in Fedora 33.<\/em><\/p>\n<\/blockquote>\n<h2>Step 4 : Check if everything is fine<\/h2>\n<p>Now you should be using DNS over TLS. 
Confirm this by checking DNS resolution status with:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ resolvectl status<\/strong>\nMulticastDNS setting: yes\nDNSOverTLS setting: yes\nDNSSEC setting: yes\nDNSSEC supported: yes\nCurrent DNS Server: 1.1.1.1\nDNS Servers: 1.1.1.1 9.9.9.9\nFallback DNS Servers: 8.8.8.8 1.0.0.1 8.8.4.4<\/pre>\n<p><em>\/etc\/resolv.conf<\/em> should point to 127.0.0.53:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ cat \/etc\/resolv.conf<\/strong>\n# Generated by NetworkManager\nsearch lan\nnameserver 127.0.0.53\n<\/pre>\n<p>To see the address and port that systemd-resolved is sending and receiving secure queries on, run:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ sudo ss -lntp | grep '\\(State\\|:53 \\)'<\/strong>\nState   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process\nLISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*          users:((\"systemd-resolve\",pid=10410,fd=18))<\/pre>\n<p>To make a secure query, run:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ resolvectl query fedoraproject.org<\/strong>\nfedoraproject.org: 8.43.85.67  -- link: wlp58s0\n                   8.43.85.73  -- link: wlp58s0\n[..]\n-- Information acquired via protocol DNS in 36.3ms.\n-- Data is authenticated: yes\n<\/pre>\n<h2>BONUS Step 5 : Use Wireshark to verify the configuration<\/h2>\n<p>First, install and run <a href=\"https:\/\/www.wireshark.org\/\" target=\"_blank\" aria-label=\"undefined (opens in a new tab)\" rel=\"noreferrer noopener\">Wireshark<\/a>:<\/p>\n<pre class=\"wp-block-preformatted\">$ sudo dnf install wireshark\n$ sudo wireshark<\/pre>\n<p>It will ask you which network interface it should capture packets on. In my case, because I use a wireless interface, I will go ahead with <em>wlp58s0<\/em>. Set up a filter in Wireshark like <em>tcp.port == 853<\/em> (853 is the DNS over TLS protocol port). 
You need to flush the local DNS caches before you can capture a DNS query:<\/p>\n<pre class=\"wp-block-preformatted\">$ sudo resolvectl flush-caches<\/pre>\n<p>Now run:<\/p>\n<pre class=\"wp-block-preformatted\">$ nslookup fedoramagazine.org<\/pre>\n<p>You should see a TLS-encrypted exchange between your computer and your configured DNS server:<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2020\/07\/use-dns-over-tls.png\" alt=\"\" class=\"wp-image-31363\" \/><\/figure>\n<\/div>\n<p class=\"has-text-align-right has-small-font-size\">\u2014 <em>Poster in Cover Image Approved for Release by NSA on 04-17-2018, FOIA Case # 83661<\/em> \u2014<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Domain Name System (DNS) that modern computers use to find resources on the internet was designed 35 years ago without consideration for user privacy. It is exposed to security risks and attacks like DNS Hijacking. It also allows ISPs to intercept the queries. Luckily, DNS over TLS and DNSSEC are available. 
DNS over TLS [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":115244,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[239,1085,1086,606,45,46,47,303,52],"class_list":["post-115243","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-fedora-os","tag-dns","tag-dns-over-tls","tag-dnssec","tag-faqs-and-guides","tag-fedora","tag-magazine","tag-news","tag-privacy","tag-security"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/115243","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=115243"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/115243\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/115244"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=115243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=115243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=115243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}