Fedora - Use DNS over TLS - Printable Version
+- Sick Gaming (https://www.sickgaming.net)
+-- Forum: Computers (https://www.sickgaming.net/forum-86.html)
+--- Forum: Linux, FreeBSD, and Unix types (https://www.sickgaming.net/forum-88.html)
+--- Thread: Fedora - Use DNS over TLS (/thread-96128.html)
Fedora - Use DNS over TLS - xSicKxBot - 07-11-2020

Use DNS over TLS

<div style="margin: 5px 5% 10px 5%;"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/07/use-dns-over-tls.png" width="1024" height="651" title="" alt="" /></div>
<div><div class="wp-block-group"> <div class="wp-block-group__inner-container">
<p>The <a href="https://en.wikipedia.org/wiki/Domain_Name_System" target="_blank" rel="noreferrer noopener">Domain Name System (DNS)</a> that modern computers use to find resources on the internet was designed <a href="https://tools.ietf.org/html/rfc1035" target="_blank" rel="noreferrer noopener">35 years ago</a> without consideration for user privacy. It is exposed to security risks and attacks like <a href="https://en.wikipedia.org/wiki/DNS_hijacking" target="_blank" rel="noreferrer noopener">DNS hijacking</a>. It also allows <a href="https://en.wikipedia.org/wiki/Internet_service_provider" target="_blank" rel="noreferrer noopener">ISPs</a> to intercept the queries.</p>
<p>Luckily, <a href="https://en.wikipedia.org/wiki/DNS_over_TLS" target="_blank" rel="noreferrer noopener">DNS over TLS</a> and <a href="https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions" target="_blank" rel="noreferrer noopener">DNSSEC</a> are available. DNS over TLS and DNSSEC allow safe and encrypted end-to-end tunnels to be created from a computer to its configured DNS servers. On Fedora, the steps to implement these technologies are easy and all the necessary tools are readily available.</p>
<p>This guide will demonstrate how to configure DNS over TLS on Fedora using systemd-resolved.
Refer to the <a href="https://www.freedesktop.org/wiki/Software/systemd/resolved/" target="_blank" rel="noreferrer noopener">documentation</a> for further information about the systemd-resolved service.</p> </div> </div>
<h2>Step 1: Set up systemd-resolved</h2>
<p>Modify <em>/etc/systemd/resolved.conf</em> so that it is similar to what is shown below. Be sure to enable DNS over TLS and to configure the IP addresses of the DNS servers you want to use.</p>
<pre class="wp-block-preformatted"><strong>$ cat /etc/systemd/resolved.conf</strong>
[Resolve]
DNS=1.1.1.1 9.9.9.9
DNSOverTLS=yes
DNSSEC=yes
FallbackDNS=8.8.8.8 1.0.0.1 8.8.4.4
#Domains=~.
#LLMNR=yes
#MulticastDNS=yes
#Cache=yes
#DNSStubListener=yes
#ReadEtcHosts=yes</pre>
<p>A quick note about the options:</p>
<ul>
<li><strong>DNS</strong>: A space-separated list of IPv4 and IPv6 addresses to use as the system DNS servers.</li>
<li><strong>FallbackDNS</strong>: A space-separated list of IPv4 and IPv6 addresses to use as the fallback DNS servers.</li>
<li><strong>Domains</strong>: These domains are used as search suffixes when resolving single-label host names; <em>~.</em> means that the system DNS servers defined with DNS= are preferred for all domains.</li>
<li><strong>DNSOverTLS</strong>: If set to yes, all connections to the servers will be encrypted. Note that this mode requires a DNS server that supports DNS over TLS and has a valid certificate for its IP.</li>
</ul>
<blockquote class="wp-block-quote"> <p><em>NOTE: The DNS servers listed in the above example are my personal choices.
You should decide which DNS servers you want to use, being mindful of whom you are asking for IPs for internet navigation</em>.</p> </blockquote>
<h2>Step 2: Tell NetworkManager to push info to systemd-resolved</h2>
<p>Create a file in <em>/etc/NetworkManager/conf.d</em> named <em>10-dns-systemd-resolved.conf</em>.</p>
<pre class="wp-block-preformatted"><strong>$ cat /etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf</strong>
[main]
dns=systemd-resolved</pre>
<p>The setting shown above (<em>dns=systemd-resolved</em>) will cause NetworkManager to push the DNS information it acquired from DHCP to the systemd-resolved service. This will override the DNS settings configured in <em>Step 1</em>. This is fine on a trusted network, but feel free to set <em>dns=none</em> instead to use only the DNS servers configured in <em>/etc/systemd/resolved.conf</em>.</p>
<h2>Step 3: Start and restart services</h2>
<p>To make the settings configured in the previous steps take effect, start and enable <em>systemd-resolved</em>. Then restart <em>NetworkManager</em>.</p>
<p><strong>CAUTION</strong>: This will lead to a loss of connection for a few seconds while NetworkManager is restarting.</p>
<pre class="wp-block-preformatted">$ sudo systemctl start systemd-resolved
$ sudo systemctl enable systemd-resolved
$ sudo systemctl restart NetworkManager</pre>
<blockquote class="wp-block-quote"> <p><em>NOTE: Currently, the systemd-resolved service is disabled by default and its use is opt-in. <a href="https://fedoraproject.org/wiki/Changes/systemd-resolved" target="_blank" rel="noreferrer noopener">There are plans</a> to enable systemd-resolved by default in Fedora 33.</em></p> </blockquote>
<h2>Step 4: Check that everything is fine</h2>
<p>Now you should be using DNS over TLS.
Confirm this by checking the DNS resolution status with:</p>
<pre class="wp-block-preformatted"><strong>$ resolvectl status</strong>
MulticastDNS setting: yes
DNSOverTLS setting: yes
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 1.1.1.1
DNS Servers: 1.1.1.1
             9.9.9.9
Fallback DNS Servers: 8.8.8.8
                      1.0.0.1
                      8.8.4.4</pre>
<p><em>/etc/resolv.conf</em> should point to 127.0.0.53, the local stub listener of systemd-resolved:</p>
<pre class="wp-block-preformatted"><strong>$ cat /etc/resolv.conf</strong>
# Generated by NetworkManager
search lan
nameserver 127.0.0.53</pre>
<p>To see the address and port on which systemd-resolved is listening for local queries, run:</p>
<pre class="wp-block-preformatted"><strong>$ sudo ss -lntp | grep '\(State\|:53 \)'</strong>
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=10410,fd=18))</pre>
<p>To make a secure query, run:</p>
<pre class="wp-block-preformatted"><strong>$ resolvectl query fedoraproject.org</strong>
fedoraproject.org: 8.43.85.67                  -- link: wlp58s0
                   8.43.85.73                  -- link: wlp58s0
[..]
-- Information acquired via protocol DNS in 36.3ms.
-- Data is authenticated: yes</pre>
<h2>BONUS Step 5: Use Wireshark to verify the configuration</h2>
<p>First, install and run <a href="https://www.wireshark.org/" target="_blank" rel="noreferrer noopener">Wireshark</a>:</p>
<pre class="wp-block-preformatted">$ sudo dnf install wireshark
$ sudo wireshark</pre>
<p>It will ask you which network interface it should capture packets on. In my case, because I use a wireless interface, I will go ahead with <em>wlp58s0</em>. Set up a filter in Wireshark like <em>tcp.port == 853</em> (853 is the DNS over TLS port).
You need to flush the local DNS caches before you can capture a DNS query, otherwise the answer is served from the cache and nothing is sent over the network:</p>
<pre class="wp-block-preformatted">$ sudo resolvectl flush-caches</pre>
<p>Now run:</p>
<pre class="wp-block-preformatted">$ nslookup fedoramagazine.org</pre>
<p>You should see a TLS-encrypted exchange between your computer and your configured DNS server:</p>
<div class="wp-block-image"> <figure class="aligncenter size-large"><img src="https://www.sickgaming.net/blog/wp-content/uploads/2020/07/use-dns-over-tls.png" alt="" class="wp-image-31363" /></figure> </div>
<p class="has-text-align-right has-small-font-size">— <em>Poster in Cover Image Approved for Release by NSA on 04-17-2018, FOIA Case # 83661</em> —</p>
</div>

Source: https://www.sickgaming.net/blog/2020/07/10/use-dns-over-tls/
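As an added example (not part of the article, of Fedora or of systemd), a small POSIX shell audit of the three files the steps above edit: it flags a missing or opportunistic DNSOverTLS setting, a non-validating DNSSEC setting, a NetworkManager mode that bypasses systemd-resolved, and a resolv.conf that does not use the 127.0.0.53 stub. The function names, file paths and sample contents are all constructed here.

```sh
#!/bin/sh
# Added example, not from the original article: audit the files the steps above
# touch and report settings that weaken DNS over TLS. Sample files are constructed.

# Print the last value of KEY in the [Resolve] section of a resolved.conf.
# Lines commented out with '#' are skipped, exactly as systemd-resolved skips them.
resolved_opt() {   # resolved_opt FILE KEY
    sed -n '/^\[Resolve\]/,/^\[/p' "$1" | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | tail -n 1
}

# Print the dns= mode from the [main] section of a NetworkManager conf.d file.
nm_dns_mode() {    # nm_dns_mode FILE
    sed -n '/^\[main\]/,/^\[/p' "$1" | sed -n 's/^[[:space:]]*dns=[[:space:]]*//p' | tail -n 1
}

# Print the first nameserver in a resolv.conf (the one the libc resolver tries first).
first_nameserver() {   # first_nameserver FILE
    awk '/^nameserver/ { print $2; exit }' "$1"
}

# One finding per line; the return value is the number of weak settings (0 = all good).
audit_dot() {   # audit_dot RESOLVED_CONF NM_CONF RESOLV_CONF
    bad=0
    case "$(resolved_opt "$1" DNSOverTLS)" in
        yes)           echo "ok    DNSOverTLS=yes: no plaintext fallback" ;;
        opportunistic) echo "weak  DNSOverTLS=opportunistic: silently falls back to plaintext port 53"; bad=$((bad+1)) ;;
        *)             echo "weak  DNSOverTLS is not enabled"; bad=$((bad+1)) ;;
    esac
    case "$(resolved_opt "$1" DNSSEC)" in
        yes) echo "ok    DNSSEC=yes: answers are validated" ;;
        *)   echo "weak  DNSSEC is not 'yes': validation is off or downgradable"; bad=$((bad+1)) ;;
    esac
    case "$(nm_dns_mode "$2")" in
        none)             echo "ok    NetworkManager dns=none: only the DNS= servers in resolved.conf are used" ;;
        systemd-resolved) echo "note  NetworkManager dns=systemd-resolved: DHCP-supplied servers override DNS=" ;;
        *)                echo "weak  NetworkManager is not handing DNS to systemd-resolved"; bad=$((bad+1)) ;;
    esac
    case "$(first_nameserver "$3")" in
        127.0.0.53) echo "ok    resolv.conf uses the systemd-resolved stub 127.0.0.53" ;;
        *)          echo "weak  resolv.conf bypasses systemd-resolved: queries leave in plaintext"; bad=$((bad+1)) ;;
    esac
    return $bad
}

# Constructed sample files mirroring Step 1, Step 2 (with dns=none) and Step 4 above.
TMP=$(mktemp -d)
printf '[Resolve]\nDNS=1.1.1.1 9.9.9.9\nDNSOverTLS=yes\nDNSSEC=yes\n#DNSOverTLS=opportunistic\n' > "$TMP/resolved.conf"
printf '[main]\ndns=none\n' > "$TMP/nm.conf"
printf '# Generated by NetworkManager\nnameserver 127.0.0.53\n' > "$TMP/resolv.conf"
audit_dot "$TMP/resolved.conf" "$TMP/nm.conf" "$TMP/resolv.conf"
```

To audit a live system, pass /etc/systemd/resolved.conf, /etc/NetworkManager/conf.d/10-dns-systemd-resolved.conf and /etc/resolv.conf instead of the sample files.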