Privacy Hardening with DNSSEC, TLS 1.3 and Encrypted SNI for your Browser

The amount of private data being collected through networked devices is astounding. Profiles compiled from this information are used to optimize targeted marketing campaigns. There is little an individual can do to backpedal against this current. We should be more protective of our personal data, as in the wrong hands it can be used against us.

Added privacy and security in DNS is very useful should you find yourself operating remotely on unknown or shared connections (think coffee shops and airports). In many countries ISPs are required by law to harvest data on their customers and retain it for a period of time. If users implemented DNSSEC and DoT (DNS over TLS) or DoH (DNS over HTTPS) in combination with encrypted SNI, the amount of usable data collected in these situations would decrease drastically. Below we take a brief look at what the visible data looks like before and after implementing these features.

Plain DNS

When visiting a website, your browser executes a series of requests:

Examining the above captures, we can see a lookup for cloudflare.com. This is performed using plain DNS: both the DNS server used and the hostname being resolved are visible in plain text.

Once the lookup completes, the browser opens an HTTPS connection to the server, entering an encrypted SSL/TLS channel. Anyone monitoring the network would still be able to easily see which sites are being loaded and browsed, since the hostname has already been exposed by the plain DNS lookup and by the unencrypted SNI in the TLS handshake.

DNSSEC prevents your DNS responses from being altered in transit.
DNS over TLS (DoT) prevents anyone from seeing what you are resolving.
The DNS server used to perform lookups will remain visible.

DNSSEC, DNS over TLSv1.3 with Encrypted SNI

With these features enabled, your DNS requests are sent over a TLSv1.3 channel with encrypted SNI, leaving significantly less readable data to any observer.

As you can see, someone monitoring the traffic would only be able to tell that you are using DNSSEC with TLS and querying Cloudflare's DNS server.

Once the lookup is complete, we establish an SSL/TLS channel with the destination web server and safely transmit and receive data. In this case we have established a TLS session.

Keep in mind that the source and destination IP addresses of this traffic remain visible. Since most sites use shared hosting, this makes it difficult to determine exactly which sites were visited; however, that is not always the case.

This can be circumvented in a number of ways, the most common being a VPN, which replaces the visible destination with your VPN server's IP address.

In order to make use of DNSSEC we will install Unbound, a validating, recursive and caching DNS resolver.

Installing unbound

Gentoo
# emerge -va net-dns/unbound
Arch
# pacman -S unbound
Ubuntu
# apt-get install unbound
CentOS
# yum install unbound
OpenBSD
# pkg_add -i unbound
FreeBSD
# pkg install unbound

configure and start unbound

The only configuration that you should have to do for Unbound is to enable the use of the auto-trust-anchor-file. Most distributions provide this file with the install; if it is missing, the contents should be as follows:

 ; autotrust trust anchor file
 ;;id: . 1
 ;;last_queried: 1580199736 ;;Tue Jan 28 03:22:16 2020
 ;;last_success: 1580199736 ;;Tue Jan 28 03:22:16 2020
 ;;next_probe_time: 1580241085 ;;Tue Jan 28 14:51:25 2020
 ;;query_failed: 0
 ;;query_interval: 43200
 ;;retry_time: 8640
 .       86400   IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1579048110 ;;Tue Jan 14 19:28:30 2020

Gentoo
Edit /etc/unbound/unbound.conf and un-comment or add:
auto-trust-anchor-file: "/etc/unbound/var/root-anchors.txt"

Start the service
# rc-service unbound start
Set the service to start automatically
# rc-update add unbound default

Ubuntu
Edit /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf and un-comment or add:
auto-trust-anchor-file: "/var/lib/unbound/root.key"

Start the service
# systemctl start unbound
Set the service to start automatically
# systemctl enable unbound

Set your dns server

Gentoo
# echo -e 'nameserver 127.0.0.1\nnameserver ::1' > /etc/resolv.conf
Ubuntu
# nano /etc/network/interfaces
Add the below entry, or modify an existing one to use your loopback address.
dns-nameservers 127.0.0.1

configuring firefox

Go to the about:config page and set the following options:
network.security.esni.enabled = true
network.trr.mode = 2

If you wish to change your trusted recursive resolver from Cloudflare to one of the other options, modify network.trr.uri to one of the following:

Google: https://dns.google.com/experimental
Quad9: https://dns.quad9.net/dns-query

Testing the setup

Visit the Cloudflare test page and see if you pass the checks.
If you modified the value of network.trr.uri to a trusted recursive resolver other than Cloudflare, their test will report the result of Secure DNS as unknown, as they do not have visibility to test the other resolvers. This is expected; everything else should pass the validation.

Cloudflare's Secure DNS/DNSSEC/TLS 1.3/Encrypted SNI test page.
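A browser-independent way to confirm that the local Unbound instance really validates DNSSEC is to ask it directly and look at the AD (Authenticated Data) flag in its answer. The script below is an added example, not part of the original post: it builds a raw DNS query with the EDNS0 DO bit using only the standard library, sends it to the resolver configured above (127.0.0.1 is assumed), and reports the rcode and AD flag. A validating resolver sets AD for a correctly signed name such as cloudflare.com, answers SERVFAIL when signatures fail, and answers NOERROR without AD for an unsigned name.

```python
# Added example (not from the original post): check the local resolver's
# DNSSEC validation by inspecting the AD flag. The AD flag is only meaningful
# over a trusted path, which is why this talks to the loopback resolver.
import socket
import struct
import sys

AD_FLAG = 0x0020        # AD bit in the DNS header flags word
DO_FLAG = 0x00008000    # DO bit, carried in the TTL field of the EDNS0 OPT record
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(name, txid=0x1234):
    """Build a DNS A/IN query for name with an EDNS0 OPT record (4096 bytes, DO set)."""
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_FLAG, 0)
    return header + question + opt


def parse_header(response):
    """Return the transaction id, rcode name and AD flag of a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    rcode = flags & 0x000F
    return {"txid": txid, "rcode": RCODES.get(rcode, str(rcode)), "ad": bool(flags & AD_FLAG)}


def check_validation(name, resolver="127.0.0.1", port=53, timeout=3.0):
    """Send the query to the resolver (assumed to be the local Unbound) and parse its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, port))
        data, _ = sock.recvfrom(4096)
    result = parse_header(data)
    if result["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch, response ignored")
    return result


if __name__ == "__main__":
    # cloudflare.com is the name seen in the post's captures and is DNSSEC-signed.
    for host in sys.argv[1:] or ["cloudflare.com"]:
        r = check_validation(host)
        print(f"{host}: {r['rcode']} AD={'yes' if r['ad'] else 'no'}")
```

If AD is never set even for cloudflare.com, Unbound is answering but not validating, which usually means the auto-trust-anchor-file line is missing or points at a file Unbound cannot read.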
