snork.ca ... making kittens cry since 2001

The DNS Thing 2018-08-07


The Problem Of DNS Privacy:

A couple of days back I saw someone land on my dnscrypt.ca web site from the dd-wrt forums. Turns out someone mentioned me in this post here, and I thought it might be a good idea for me to whip up a post explaining part of what is going on with DNS. I signed up for an account and started typing, but I started to worry that maybe they'd be irritated that I necromanced and hijacked an eight month old thread. So I saved what I had typed so far and figured I'd put it here in case anyone cared. Here's some of what fizikz had said:

The problem I see with DNSCrypt is that it still requires trust in the one running the resolver or at least their server. There's no guarantee that person isn't keeping logs, or that unknown to them their server might be compromised, etc. So, the value of DNSCrypt is unclear to me, especially given the serious usability impact from potential resolver failures.

This is a good summary of DNS's privacy problem. The bottom line is that anyone who requires name resolution services (which is essentially anyone wishing to use the Internet) has to trust the privacy of their name resolution to somebody. There is no reasonable way to avoid this.

[Image: Jack Elam in Once Upon A Time In The West.]

Here's Why:

There are generally three kinds of DNS servers: recursive resolvers (the ones your machine talks to), root servers, and authoritative servers (the ones that actually hold the records for a domain).

A typical [somewhat simplified] fully recursive lookup goes like this: your machine sends the query to a recursive resolver; the resolver asks a root server, follows the referral to the authoritative server for the name, and hands the answer back to you.

On a typical "high speed" Internet connection this often happens in less than half a second. In most cases, all DNS traffic is clear text and readable by every hop along the way. Even with an encrypted provider, the traffic between recursive servers and the other various servers is clear text. Because of this, if you are doing name resolution (and you almost certainly are), then someone can "see" those DNS queries.

If you use your ISP's servers, then they can see your queries. If you run your own recursive server at home, your ISP can still see the plain text queries going to the root and authoritative servers. If you use a VPS as your recursive server, your ISP can see the traffic to the VPS and the VPS provider can see the outbound traffic to the root and authoritative servers. If you use Google, Cloudflare, DNS.Watch, Hurricane Electric, or another public resolver then they can see your queries (and your ISP can too). If you use a VPN then your VPN provider can see your queries. If you use a DNSCrypt server, then your ISP can't see the queries, but the owner of the DNSCrypt server can. Additionally, network providers between the DNSCrypt server and the root/authoritative servers can also see the traffic (though not associated with you personally). If you use a DNS-over-TLS provider, the server owner can see your queries and the upstream recursive traffic is still plain text, just like DNSCrypt.
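To make "clear text and readable by every hop" concrete, here is an added example (my own illustration for this post, not code from dnscrypt-proxy or any other project) that builds a DNS query exactly as a stub resolver puts it on the wire, then parses it back the way any on-path observer, or a network monitor, can. The transaction id and the name www.example.com are constructed sample values; nothing here touches the network.

```python
"""Encode a DNS query in wire format and decode it again, showing that the
queried name is plainly visible in the packet. Added example, not from the
original post; the name and transaction id below are made-up sample values."""
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Standard query: 12-byte header (id, flags with RD=1, QDCOUNT=1,
    AN/NS/AR counts 0) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(packet: bytes, offset: int) -> tuple:
    """Read a name starting at offset. Also follows compression pointers
    (0xC0xx), so the same routine works on responses. Returns (name, next_offset)."""
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_query(packet: bytes) -> dict:
    """What a passive observer learns from a single cleartext query packet."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "is_query": not (flags & 0x8000), "name": name,
            "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    wire = build_query("www.example.com")
    print(wire.hex())          # the label bytes 'www', 'example', 'com' are right there
    print(parse_query(wire))
```

The same parser is what a passive monitoring tool runs over port 53 traffic; the only thing DNSCrypt or DNS-over-TLS changes is that the bytes between you and the provider are no longer this packet.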

So What Is The Solution?:

Well, you could maybe use Tor, but my understanding is that if you just use Tor Browser then perhaps DNS queries for your browsing would be routed through Tor, but your other applications won't be using it. My further understanding is that there is a way to pump all of your DNS queries through Tor using socat, but it is a complicated mess that doesn't play well with DNSSEC.

If you use an encrypted solution such as DNSCrypt or DNS-over-TLS then only the provider is able to associate a query with the actual source of the query. Any traffic beyond the provider is seen to be "coming from the provider" and is basically mixed in with the queries of everyone else using the same provider. However, as others have pointed out, not all providers of encrypted DNS claim to be log-free, and those who do claim not to be logging could simply be lying.

If anyone has any alternatives I'd like to hear them, but as far as I can tell the fact that the root servers and authoritative servers all communicate in clear text means that pseudo-anonymization via an encrypted provider is the closest we can get to DNS privacy.

Single Point Of Failure:

Relying on one DNS server is a single point of failure whether you use an encrypted provider or not. Most modern operating systems are obviously capable of using multiple normal unencrypted resolvers without too much extra effort. I have been using a separate small Linux machine (not a dd-wrt router) on my network(s) with dnsmasq and multiple dnscrypt-proxy instances, and it has been very solid. As a result I have not looked at using dnscrypt with dd-wrt, but I imagine it might be possible. Ultimately, the issue of being a single point of failure is real, but perhaps not as important [to me] as DNS's privacy/security issues.
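The multiple-upstreams idea above is what dnsmasq does when it is given several server= lines; to show the failover logic itself, here is an added example (mine, not the dnsmasq or dnscrypt-proxy code) of a small forwarder that tries a list of upstream resolvers in order, sidelines a resolver that times out or answers wrongly for a cooldown period, and retries it later. The three 127.0.0.1 listeners are an assumed layout of local dnscrypt-proxy instances; the transport and clock functions are injectable so the logic can be exercised without a network.

```python
"""Forward a DNS query to several upstream resolvers with failover and a
cooldown for resolvers that misbehave. Added example for this post; the
upstream addresses are assumed local dnscrypt-proxy listeners."""
import socket
import struct
import time

# Assumption: three dnscrypt-proxy instances listening on different local ports.
UPSTREAMS = [("127.0.0.1", 5300), ("127.0.0.1", 5301), ("127.0.0.1", 5302)]


class UpstreamFailed(Exception):
    """Raised when no upstream produced a usable reply."""


def udp_send(query: bytes, upstream: tuple, timeout: float) -> bytes:
    """Real transport: one UDP round trip to the given (host, port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        data, _ = s.recvfrom(4096)
    return data


def matches(query: bytes, reply: bytes) -> bool:
    """Accept a reply only if it is a response (QR bit set) carrying our
    transaction id; anything else is treated as a failed upstream."""
    if len(reply) < 12:
        return False
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == qid and bool(flags & 0x8000)


class FailoverResolver:
    def __init__(self, upstreams=UPSTREAMS, send=udp_send, timeout=1.0,
                 cooldown=30.0, clock=time.monotonic):
        self.upstreams = list(upstreams)
        self.send = send
        self.timeout = timeout
        self.cooldown = cooldown
        self.clock = clock
        self.down_until = {}  # upstream -> time after which it is tried first again

    def _order(self):
        """Healthy upstreams first, sidelined ones last (still tried as a last resort)."""
        now = self.clock()
        healthy = [u for u in self.upstreams if self.down_until.get(u, 0) <= now]
        sick = [u for u in self.upstreams if u not in healthy]
        return healthy + sick

    def resolve(self, query: bytes):
        """Return (reply, upstream_used) or raise UpstreamFailed with the errors seen."""
        errors = []
        for up in self._order():
            try:
                reply = self.send(query, up, self.timeout)
            except OSError as e:  # timeout, connection refused, unreachable
                errors.append((up, repr(e)))
                self.down_until[up] = self.clock() + self.cooldown
                continue
            if matches(query, reply):
                self.down_until.pop(up, None)
                return reply, up
            errors.append((up, "reply did not match query"))
            self.down_until[up] = self.clock() + self.cooldown
        raise UpstreamFailed(errors)


if __name__ == "__main__":
    # Constructed query for example.com A, id 0xBEEF, RD set.
    q = b"\xbe\xef\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" \
        b"\x07example\x03com\x00\x00\x01\x00\x01"
    try:
        reply, used = FailoverResolver().resolve(q)
        print("answered by", used, "reply length", len(reply))
    except UpstreamFailed as e:
        print("all upstreams failed:", e)
```

Checking the transaction id and QR bit before accepting a reply matters as much as the retry loop: without it a resolver that returns garbage (or a stray packet) would be counted as healthy, and it is the same check a stub resolver performs before trusting an answer.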

Made using Notepad++ & FastStone. Hosted on Devuan with nginx & php. Powered by North Korean mushrooms.