Fedora - Use DNS over TLS

Use DNS over TLS

<div style="margin: 5px 5% 10px 5%;"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/07/use-dns-over-tls.png" width="1024" height="651" title="" alt="" /></div><div><div class="wp-block-group">
<div class="wp-block-group__inner-container">
<p>The <a aria-label="undefined (opens in a new tab)" href="https://en.wikipedia.org/wiki/Domain_Name_System" target="_blank" rel="noreferrer noopener">Domain Name System (DNS)</a> that modern computers use to find resources on the internet was designed <a aria-label="undefined (opens in a new tab)" href="https://tools.ietf.org/html/rfc1035" target="_blank" rel="noreferrer noopener">35 years ago</a> without consideration for user privacy. It is exposed to security risks and attacks like <a aria-label="undefined (opens in a new tab)" href="https://en.wikipedia.org/wiki/DNS_hijacking" target="_blank" rel="noreferrer noopener">DNS Hijacking</a>. It also allows <a aria-label="undefined (opens in a new tab)" href="https://en.wikipedia.org/wiki/Internet_service_provider" target="_blank" rel="noreferrer noopener">ISPs</a> to intercept the queries.</p>
<p>Luckily, <a href="https://en.wikipedia.org/wiki/DNS_over_TLS" target="_blank" rel="noreferrer noopener">DNS over TLS</a> and <a href="https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" target="_blank" rel="noreferrer noopener">DNSSEC</a> are available. DNS over TLS and DNSSEC allow safe and encrypted end-to-end tunnels to be created from a computer to its configured DNS servers. On Fedora, the steps to implement these technologies are easy and all the necessary tools are readily available.</p>
<p>This guide will demonstrate how to configure DNS over TLS on Fedora using systemd-resolved. Refer to the <a href="https://www.freedesktop.org/wiki/Software/systemd/resolved/" target="_blank" rel="noreferrer noopener">documentation</a> for further information about the systemd-resolved service.</p>
</div>
</div>
<h2>Step 1: Set up systemd-resolved</h2>
<p>Modify <em>/etc/systemd/resolved.conf</em> so that it is similar to what is shown below. Be sure to enable DNS over TLS and to configure the IP addresses of the DNS servers you want to use.</p>
<pre class="wp-block-preformatted"><strong>$ cat /etc/systemd/resolved.conf</strong>
[Resolve]
DNS=1.1.1.1 9.9.9.9
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
#Domains=~.
#LLMNR=yes
#MulticastDNS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes</pre>
<p>A quick note about the options:</p>
<ul>
<li><strong>DNS</strong>: A space-separated list of IPv4 and IPv6 addresses to use as the system DNS servers.</li>
<li><strong>FallbackDNS</strong>: A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers.</li>
<li><strong>Domains</strong>: These domains are used as search suffixes when resolving single-label host names; <em>~.</em> means that the system DNS servers defined with DNS= are to be used, preferably, for all domains.</li>
<li><strong>DNSOverTLS:</strong> If true, all connections to the server will be encrypted. Note that this mode requires a DNS server that supports DNS-over-TLS and has a valid certificate for its IP.</li>
</ul>
<blockquote class="wp-block-quote">
<p><em>NOTE: The DNS servers listed in the above example are my personal choices. You should decide which DNS servers you want to use, being mindful of whom you are asking IPs for internet navigation</em>.</p>
</blockquote>
<h2>Step 2: Tell NetworkManager to push info to systemd-resolved</h2>
<p>Create a file in <em>/etc/NetworkManager/conf.d</em> named <em>10-dns-systemd-resolved.conf</em>.</p>
<pre class="wp-block-preformatted"><strong>$ cat /etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf</strong>
[main]
dns=systemd-resolved</pre>
<p>The setting shown above (<em>dns=systemd-resolved</em>) will cause NetworkManager to push DNS information acquired from DHCP to the systemd-resolved service. This will override the DNS settings configured in <em>Step 1</em>. This is fine on a trusted network, but feel free to set <em>dns=none</em> instead to use the DNS servers configured in <em>/etc/systemd/resolved.conf</em>.</p>
<h2>Step 3: Start &amp; restart services</h2>
<p>To make the settings configured in the previous steps take effect, start and enable <em>systemd-resolved</em>. Then restart <em>NetworkManager</em>.</p>
<p><strong>CAUTION</strong>: This will lead to a loss of connection for a few seconds while NetworkManager is restarting.</p>
<pre class="wp-block-preformatted">$ sudo systemctl start systemd-resolved
$ sudo systemctl enable systemd-resolved
$ sudo systemctl restart NetworkManager</pre>
<blockquote class="wp-block-quote">
<p><em>NOTE: Currently, the systemd-resolved service is disabled by default and its use is opt-in. <a href="https://fedoraproject.org/wiki/Changes/systemd-resolved" target="_blank" rel="noreferrer noopener">There are plans</a> to enable systemd-resolved by default in Fedora 33.</em></p>
</blockquote>
<h2>Step 4: Check that everything is fine</h2>
<p>Now you should be using DNS over TLS. Confirm this by checking DNS resolution status with:</p>
<pre class="wp-block-preformatted"><strong>$ resolvectl status</strong>
MulticastDNS setting: yes
  DNSOverTLS setting: yes
      DNSSEC setting: yes
    DNSSEC supported: yes
  Current DNS Server: 1.1.1.1
         DNS Servers: 1.1.1.1
                      9.9.9.9
Fallback DNS Servers: 8.8.8.8
                      1.0.0.1
                      8.8.4.4</pre>
<p><em>/etc/resolv.conf</em> should point to 127.0.0.53:</p>
<pre class="wp-block-preformatted"><strong>$ cat /etc/resolv.conf</strong>
# Generated by NetworkManager
search lan
nameserver 127.0.0.53
</pre>
<p>To see the address and port that systemd-resolved is sending and receiving secure queries on, run:</p>
<pre class="wp-block-preformatted"><strong>$ sudo ss -lntp | grep '\(State\|:53 \)'</strong>
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=10410,fd=18))</pre>
<p>To make a secure query, run:</p>
<pre class="wp-block-preformatted"><strong>$ resolvectl query fedoraproject.org</strong>
fedoraproject.org: 8.43.85.67                  -- link: wlp58s0
                   8.43.85.73                  -- link: wlp58s0
[..]
-- Information acquired via protocol DNS in 36.3ms.
-- Data is authenticated: yes
</pre>
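<p>The four checks above can be scripted so that the state of a host is re-verified after every update. The script below is an added example, not part of the original article: it audits the files and output from Steps 1 to 4 (strict <em>DNSOverTLS=yes</em>, a non-empty <em>DNS=</em> list, <em>DNSSEC=yes</em>, the NetworkManager <em>dns=</em> mode, a <em>/etc/resolv.conf</em> that points only at the 127.0.0.53 stub, and a saved <em>resolvectl status</em> reporting both features active). Every check takes a file path, so the script can run against the live files with <em>--system</em> or, with no arguments, against constructed sample files that mirror the article's values. The function and file names are this example's own.</p>

```shell
#!/bin/sh
# Added example (not from the Fedora article): audit the DNS-over-TLS setup of Steps 1-4.
# Every check takes a file path, so it can run against the live files (--system) or
# against copies; without arguments it runs over constructed sample files.

# Effective value of KEY in an INI-style file: commented-out lines are ignored,
# surrounding whitespace is stripped, and the last assignment wins.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Step 1: resolved.conf must ask for strict DNS over TLS (DNSOverTLS=yes; the
# "opportunistic" value silently falls back to plaintext), list at least one server
# and enable DNSSEC validation.
check_resolved_conf() {
    bad=0
    dot=$(conf_value "$1" DNSOverTLS)
    [ "$dot" = "yes" ] || { echo "FAIL $1: DNSOverTLS='$dot' (want yes)"; bad=1; }
    [ -n "$(conf_value "$1" DNS)" ] || { echo "FAIL $1: DNS= lists no server"; bad=1; }
    sec=$(conf_value "$1" DNSSEC)
    [ "$sec" = "yes" ] || { echo "WARN $1: DNSSEC='$sec' (the article uses yes)"; }
    return $bad
}

# Step 2: report how NetworkManager feeds systemd-resolved. With dns=systemd-resolved
# the DHCP-supplied servers take precedence over Step 1; dns=none keeps resolved.conf.
check_nm_conf() {
    mode=$(conf_value "$1" dns)
    case "$mode" in
        systemd-resolved) echo "INFO $1: dns=systemd-resolved, DHCP servers override resolved.conf" ;;
        none)             echo "INFO $1: dns=none, only the resolved.conf servers are used" ;;
        *)                echo "FAIL $1: dns='$mode' (want systemd-resolved or none)"; return 1 ;;
    esac
}

# Step 4: every nameserver in resolv.conf must be the 127.0.0.53 stub; any other
# address lets applications query that resolver directly, bypassing TLS.
check_resolv_conf() {
    bad=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
        [ "$ns" = "127.0.0.53" ] || { echo "FAIL $1: nameserver $ns bypasses the stub"; bad=1; }
    done
    [ "$(awk '$1 == "nameserver"' "$1" | wc -l)" -gt 0 ] || { echo "FAIL $1: no nameserver line"; bad=1; }
    return $bad
}

# Step 4: the saved output of "resolvectl status" must show both features active.
check_status() {
    grep -q '^[[:space:]]*DNSOverTLS setting: yes' "$1" || { echo "FAIL status: DNSOverTLS not active"; return 1; }
    grep -q '^[[:space:]]*DNSSEC setting: yes' "$1"     || { echo "FAIL status: DNSSEC not active"; return 1; }
}

run_checks() {   # arguments: resolved.conf  nm.conf  resolv.conf  status-text
    total=0
    check_resolved_conf "$1" || total=1
    check_nm_conf "$2"       || total=1
    check_resolv_conf "$3"   || total=1
    check_status "$4"        || total=1
    return $total
}

# Constructed sample files mirroring the article's values (not captured from a real host).
write_samples() {
    printf '[Resolve]\nDNS=1.1.1.1 9.9.9.9\nDNSOverTLS=yes\nDNSSEC=yes\nFallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4\n#DNSStubListener=yes\n' > "$1/resolved.conf"
    printf '[main]\ndns=systemd-resolved\n' > "$1/nm.conf"
    printf '# Generated by NetworkManager\nsearch lan\nnameserver 127.0.0.53\n' > "$1/resolv.conf"
    printf 'MulticastDNS setting: yes\n  DNSOverTLS setting: yes\n      DNSSEC setting: yes\n    DNSSEC supported: yes\n' > "$1/status.txt"
}

if [ "$1" = "--system" ]; then
    status="${TMPDIR:-/tmp}/resolvectl-status.$$"
    resolvectl status > "$status"
    run_checks /etc/systemd/resolved.conf /etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf /etc/resolv.conf "$status"
else
    dir=$(mktemp -d) && write_samples "$dir"
    run_checks "$dir/resolved.conf" "$dir/nm.conf" "$dir/resolv.conf" "$dir/status.txt" && echo "sample configuration passes"
    rm -rf "$dir"
fi
```

<p>Run it as <em>sh audit-dot.sh --system</em> on the configured host; a non-zero exit status means at least one FAIL line was printed. The <em>check_resolv_conf</em> test is the one most often overlooked: a second <em>nameserver</em> line pointing at a DHCP-supplied resolver means applications can still send plaintext queries no matter what <em>resolved.conf</em> says.</p>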
<h2>BONUS Step 5: Use Wireshark to verify the configuration</h2>
<p>First, install and run <a href="https://www.wireshark.org/" target="_blank" aria-label="undefined (opens in a new tab)" rel="noreferrer noopener">Wireshark</a>:</p>
<pre class="wp-block-preformatted">$ sudo dnf install wireshark
$ sudo wireshark</pre>
<p>It will ask which interface it should begin capturing packets on. In my case, because I use a wireless interface, I will go ahead with <em>wlp58s0</em>. Set up a filter in Wireshark such as <em>tcp.port == 853</em> (853 is the port used by DNS over TLS). You need to flush the local DNS caches first, otherwise a cached answer is returned and no query is sent for you to capture:</p>
<pre class="wp-block-preformatted">$ sudo resolvectl flush-caches</pre>
<p>Now run:</p>
<pre class="wp-block-preformatted">$ nslookup fedoramagazine.org</pre>
<p>You should see a TLS-encrypted exchange between your computer and your configured DNS server:</p>
<div class="wp-block-image">
<figure class="aligncenter size-large"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/07/use-dns-over-tls.png" alt="" class="wp-image-31363" /></figure>
</div>
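<p>The Wireshark filter shows that encrypted traffic on port 853 exists, but it does not show the absence of what matters most: plaintext DNS on port 53 leaving the host. The script below is an added example (not the article's, and not a real capture): it reads the text form of the same capture as produced by <em>tcpdump -n</em>, counts packets to port 853 as encrypted and flags any packet to port 53 whose destination is not the 127.0.0.53 stub. The sample lines, the function names and the capture filter are this example's own.</p>

```shell
#!/bin/sh
# Added example: classify DNS traffic from "tcpdump -n" lines (the text form of the
# Wireshark capture in Step 5) and flag plaintext port-53 queries that leave the host.

# Reads "tcpdump -n" lines on stdin, prints "encrypted=<n> plaintext_leaks=<n>" and
# returns 1 if any packet went to port 53 at an address other than the 127.0.0.53 stub.
classify_dns_capture() {
    awk '
        # Fields: time, "IP", src.port, ">", dst.port:, rest of the packet summary
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, p, "."); port = p[n]
            host = substr(dst, 1, length(dst) - length(port) - 1)
            if (port == "853") enc++
            else if (port == "53" && host != "127.0.0.53") { leak++; print "LEAK: " $0 }
        }
        END { printf "encrypted=%d plaintext_leaks=%d\n", enc, leak; exit (leak > 0) }
    '
}

# Constructed sample lines (not a real capture): a DoT handshake and query to 1.1.1.1,
# plus a local application asking the stub on 127.0.0.53, which is expected.
sample_capture() {
    printf '%s\n' \
      '10:00:00.000001 IP 192.168.1.10.40321 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0' \
      '10:00:00.000002 IP 1.1.1.1.853 > 192.168.1.10.40321: Flags [S.], seq 2, ack 2, win 65535, length 0' \
      '10:00:00.000003 IP 192.168.1.10.40321 > 1.1.1.1.853: Flags [P.], seq 1:518, ack 1, length 517' \
      '10:00:00.000004 IP 127.0.0.1.51000 > 127.0.0.53.53: 12345+ A? fedoramagazine.org. (36)'
}

# Constructed line showing the failure mode: a plaintext query straight to the router.
leak_capture() {
    printf '%s\n' '10:00:01.000000 IP 192.168.1.10.51001 > 192.168.1.1.53: 2+ A? example.net. (29)'
}

# Live use (root required; -c limits the packet count so awk reaches END):
#   sudo tcpdump -n -l -i wlp58s0 -c 200 'port 53 or port 853' | classify_dns_capture
sample_capture | classify_dns_capture
```

<p>Run the live form while repeating the <em>resolvectl flush-caches</em> and <em>nslookup</em> steps above; the summary should show a growing <em>encrypted</em> count and <em>plaintext_leaks=0</em>. A non-zero leak count points at an application or container that carries its own resolver configuration and does not use the stub.</p>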
<p class="has-text-align-right has-small-font-size">— <em>Poster in Cover Image Approved for Release by NSA on 04-17-2018, FOIA Case # 83661</em> —</p>
</div>


https://www.sickgaming.net/blog/2020/07/...-over-tls/