Let me ask you something. When was the last time you wanted to access another computer on your ISP’s metropolitan network you’re connected to? Let’s go one step further. When was the last time you accessed an intranet server by an intranet domain name? For most of you, I bet the answer is never, and a long time ago (in a galaxy far, far away). If you work at a multinational giant or a university, and so are still using intranet services, let me expand that question — when was the last time you did that from your own portable computer, tablet or smartphone? I bet there aren’t too many hands left up in the room.
Most corporate assets are now on remote cloud servers, accessed through the open Internet. Network printers and local shares tend to be discovered and resolved through SMB and Bonjour. DNS is no longer for resolving local names. It’s for resolving remote names. So why are we still configuring DNS on our machines as if local resolution was a use case?
I certainly know why we shouldn’t be. I remember a Firefox TLS error when I was trying to access an infosec-themed site from an office guest wifi. The certificate was invalid, published by an unknown root level CA belonging to an antivirus company. The intrusion detection system was trying to MitM me through spoofed DNS records! Or when my mobile provider accidentally turned on parental content filtering on their default DNS servers, blocking access to social networks deemed unsafe for children, like… reddit.
And then we haven’t even talked about privacy yet. If you’ve set your browser up correctly, most of your traffic will go through https. This means everything — the content, the urls, even the domain name you’re accessing the remote site through — , is encrypted. However, if you go through your local DNS server, all your requests are known and likely logged, and can be matched to your https traffic. Of course, not going through your ISP’s DNS won’t hide your traces. While many IP addresses cannot be reverse resolved, many still can… and most DNS traffic is still plaintext. But there’s a difference between just going to an opposition rally, or asking your hotel receptionist how you can get there. They can still track you in the first case — in the second case, they don’t have to.
DNS resolution for non-hackers is stuck in the 1990s. DNSSEC, a DNS extension to validate responses and eliminate many DNS spoofing attack vectors has been out for twenty years… And yet, on most devices, including desktop Linux distros, it’s disabled by default. Encrypted DNS has been available for years, and still, most people haven’t heard of it. Taking control of name resolution requires going out of one’s way — on iOS, you need to download an app. Of course, that means you need to know that you have a problem to begin with. Even on a modern Linux machine, taking control is hard work. It’s not a simple flick of a switch. You need to tell NetworkManager not to manage name resolution — not through a GUI, through a config file… And then, reconfigure or uninstall systemd-resolved.
I personally went with the latter. Systemd-resolved is a nice, feature-rich piece of software, allowing for dynamically setting local search domains and nameservers, as well as acting as a proxy and DNSSEC validator, and supporting DNS over TLS… but after not such a long reading, I realized it’s too complicated and absolute overkill. As discussed before, 99 out of 100 computers shouldn’t ever need dynamic local search domains or nameservers.
I personally chose to install dnscrypt-proxy as the replacement of systemd-resolved. This is a caching DNS server that allows you to filter providers by security, spread your DNS queries over a number of providers, make use of DNSSEC validation and encrypted queries. Because why not? How is it that most DNS resolution is still plaintext, with DNSSEC turned off? Is it about latency? Do I really want to save 10 milliseconds, but expose myself to MitM attacks, and broadcast that I’m reading moderntranshormones.com? I mean, in many US states that could still (or once again?) potentially get me fired.
If you think about privacy and security online, you need to think about DNS. In the US, ISPs are free to sell your online behavior to ad agencies, and are required by law to share it with authorities. Using your ISP’s DNS server has no benefits, and carries enermous liabilities. Using your VPN provider’s DNS server is just as much a bad idea. Thankfully, there are more than enough public DNS servers, operated by Internet giants, NGOs, universities, security companies, etc. It’s like how 20 years ago, everyone used their ISP’s mail servers. Now, most of us don’t. It’s time to make the leap with DNS, too.
Tips accepted with gratitude at: