Thursday, April 05, 2018

Better DNS Security



This is a practical article to discuss DNS and Security and to show you how to practically upgrade the PiHole DNS Server and advertisement Blocker than I discussed earlier

Why Bother?
(& Can I Bother?)
Via this Blog, Social media and multiple public sources Marcus and Agata selectively share aspects of their lives not just techy information.

The key is selectively.

We are increasingly aware of the arms race between us the users and websites and applications and even Internet of Things devices in our own home trying to extract information from us.  We want to control what is shared and given away for free.

Here are three ways to approach computer security

00
I'm not that technical but don't take any active security measures.  I don't have time to do anything but I have plenty of excuses.  And if I get hacked of compromised I am sure it is somebody else's fault

01
I am wealthy.   I pay somebody a lot of money, they come around and install a terrific security and privacy infrastructure.  (If this is you, you are about to call us right :-)

02
We have a home and we personally setup an increasingly elaborate computer infrastructure to protect our privacy, automate our home and defend it physically and digital from nasty people

Marcus and Agata self identify as category 02

We now discuss a way to enhance the security of your DNS name resolution so that all data passed to the Internet outside from your Home and Home Router is done using Encryption and not as is the current standard in plain text.

And of course that those DNS name resolutions be done not via a DNS server of your local Internet Service Provider who could and may be under a duty to record all such transactions to provide a log to governments upon request of all websites that you have visited.


Simple Setup
You have one or more client computers e.g. desktops, laptops, smarphones

They talk to a custom Pi-Hole DNS Server which is a small 10 GBP Raspberry Pi Computer running inside your home

That Pi-Hole server is now modified to incorporate DNSCrypt 2.0

As such, any names that need to be resolved on the Internet are sent using a secure protocol not in plaintext

The DNS server makes the secure request via the Router then returns the DNS lookup IP address back to the requesting client

The Client then uses the IP address to browse the web, talk to the destination etc.


Complex Setup

Having a secure DNS setup is just one part of a secure Computer Infrastructure.  Above is a more accurate representation of Marcus and Agata's home network.

First we suggest multiple networks NET1, NET2, NET3 ... which serve different purposes.  They are isolated from each other by a Hardware Firewall.

The Hardware Firewall is programmed to allow access from more secure e.g. NET2 to NET1, but disallow from less secure to more e.g  NET1 to NET2

Every Client such as a Laptop also runs its own Firewall and Anti Malware and Anti Virus software wherever possible

Clients can choose to use a TOR anonymiser.  Actually this is still in testing, but this can further hide your identity from those who could snoop on your network packets et al

As before, any client using a DNS name e.g. majzel.blogspot.com needs name resolution and this occurs in the manner I already detailed in the Simple Setup section.

With the Modified PiHole we will build below you can be confident that all outbound DNS requests to the Internet are made securely because the PiHole is configured with DNSCrypt 2.0 to always do so

The client application having got its DNS goes out its Client Firewall, out the Hardware Firewall and then to the MikroTik Router.    This also contains a further firewall!  MikroTik also contains rules to pass the request out to one of many Internet connections (3 are shown).

This finally gets to our 4G router and then out to the Internet and back.  Oh, and each 4G router also contains a firewall.




PiHole Setup
I covered this very recently 

https://majzel.blogspot.co.uk/2018/03/down-pi-hole.html

DNSCrypt Modifications to PiHole

I followed the instructions given in article  
https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0 to implement DNSCrypt, but there are things to know

- Level set.   The PiHole for us is running on a Raspberry Pi Zero W computer.

- The instructions talked about downloading dnscrypt-proxy files.  I thought rubbish and tried using apt-get install dnscrypt-proxy.   This does not work :-( as the installed proxy level is too low!  Don't go there, I also had to cleanup and eat humble pie.

So lets see what I actually did that worked

Install and Configure DNSCrypt 2.0

# All the action takes place on the PiHole Raspberry Pi Zero W computer
# install the latest code and dont use apt-get
# remember Raspberry Pi runs a 32bit not a 64 bit Operating System
# You will be installing into /opt/dnscrypt-proxy
# Like all good techies I am root for this proceude

# ksh is installed via apt-get install ksh so
sudo ksh


# get the code
mkdir /opt

cd /opt
wget https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.8/dnscrypt-proxy-linux_arm-2.0.8.tar.gz
tar -xvpf dnscrypt-proxy-linux_arm-2.0.8.tar.gz
mv linux-arm dnscrypt-proxy
cd /opt/dnscrypt-proxy

# now configure
cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
vi /opt/dnscrypt-proxy/dnscrypt-proxy.toml

# Some of the lines that I changed are below (in bold)

# this command lists all the possible based on your config
# ./dnscrypt-proxy --list-all
# server_names = ['scaleway-fr', 'google', 'yandex']

server_names = ['cloudflare' ]

# 20180404 mwb was: listen_addresses = ['127.0.0.1:53', '[::1]:53']
listen_addresses = ['127.0.0.1:53210', '[::1]:53210']

# Server must support DNS security extensions (DNSSEC)
# 20180404 mwb was: require_dnssec = false

require_dnssec = true

## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
# lb_strategy = 'p2'

lb_strategy = 'fastest'

## log file for the application

log_file = '/opt/dnscrypt-proxy/dnscrypt-proxy.log'

fallback_resolver = '1.1.1.1:53'

ignore_system_dns = true


# end of my changes to config file

# Install the Proxy service
/opt/dnscrypt-proxy/dnscrypt-proxy -service install


# finally start the service
/opt/dnscrypt-proxy/dnscrypt-proxy -service start


Tell PiHole to use only DNSCrypt

# Remove existing servers from PiHole configuration
vi /etc/dnsmasq.d/01-pihole.conf

# comment out with # hash character all lines
# of the form    server = 
# so lines are now like  # server = ...


# Tell PiHole to use DNSCrypt20
vi /etc/dnsmasq.d/02-dnscrypt.conf


# The file contains the single line (bold)

server=127.0.0.1#53210




Check it

# Commands entered as root on pihole/dnscrypt system

# Restart dnscrypt
/opt/dnscrypt-proxy/dnscrypt-proxy -service restart

#In another shell window tail logfile
tail -f /opt/dnscrypt-proxy/dnscrypt-proxy.log
[2018-04-04 20:59:43] [NOTICE] Stopped.
[2018-04-04 20:59:43] [NOTICE] Service restarted
[2018-04-04 20:59:43] [NOTICE] Source [public-resolvers.md] loaded
[2018-04-04 20:59:43] [NOTICE] dnscrypt-proxy 2.0.8
[2018-04-04 20:59:43] [NOTICE] Now listening to 127.0.0.1:53210 [UDP]
[2018-04-04 20:59:43] [NOTICE] Now listening to 127.0.0.1:53210 [TCP]
[2018-04-04 20:59:43] [NOTICE] Now listening to [::1]:53210 [UDP]
[2018-04-04 20:59:43] [NOTICE] Now listening to [::1]:53210 [TCP]
[2018-04-04 20:59:46] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
[2018-04-04 20:59:57] [NOTICE] [cloudflare] OK (DoH) - rtt: 59ms

[2018-04-04 20:59:57] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 59ms)


# check resolution
# /opt/dnscrypt-proxy/dnscrypt-proxy -resolve majzel.blogspot.com
Resolving [majzel.blogspot.com]

Domain exists:  probably not, or blocked by the proxy
Canonical name: blogspot.l.googleusercontent.com.

IP addresses:   216.58.201.33, 2a00:1450:4009:812::2001


Summary
I now run a PiHole DNS server on a Raspberry Pi Zero W

It is modified to talk to the Internet DNS servers only via dnscrypt

All clients in my home network point to this humble 10 GBP computer to resolve any and all DNS queries

We also employ other security features including a lot of firewalls, TOR anonymisers, and isolated networks.

The combination makes for a more secure system :-)






Links
1.1.1.1 meets 8.8.8.8 and 9.9.9.9

DNS Privacy Project
What is DNS over TLS