
DNS security


Thread replies: 43
Thread images: 6

This is a general DNS security thread for anyone willing to discuss, help newbies or learn more about DNS security in general.

Who among you are using DNSSEC[1][2] already? Why do you use it? What do you use it for? Have you considered TLSA (DANE[3]), SSHFP[4], OPENPGPKEY[5] resource records (RRs) yet?

Perhaps you don't like DNSSEC and instead use DNSCrypt[6] or DNSCurve[7] for encryption of your queries?

Share your thoughts!

Newbies section:
Here are some very basic, newbie friendly, introductory DNSSEC videos:
https://www.youtube.com/watch?v=lTABuMxO2AM
https://www.youtube.com/watch?v=qlto6GfZEvA

DNSSEC uses asymmetric cryptography[8] to securely sign all resource record sets (RRsets) on all authoritative name servers that support DNSSEC. Your local DNSSEC enabled resolver then validates the authenticity of your DNS queries to make sure your query has not been tampered with. This thwarts attacks trying to, for example, redirect you to malicious and compromised servers instead.

If you're thinking about registering your own domain, check if your registrar offers DNSSEC. Some registrars automatically sign your zone, which means you most likely can already add your TLSA RRs and such. Other registrars offer to upload your Delegation Signer (DS) RR, or your public zone signing key (ZSK) / public key signing key (KSK) instead. That's also nice if you wish to just host your own authoritative name server.

[1] https://tools.ietf.org/html/rfc4033
[2] http://www.dnssec.net/
[3] https://tools.ietf.org/html/rfc6698
[4] https://tools.ietf.org/html/rfc4255
[5] https://tools.ietf.org/html/rfc7929
[6] https://www.dnscrypt.org/
[7] https://dnscurve.org/
[8] https://en.wikipedia.org/wiki/Public-key_cryptography
[9] https://tools.ietf.org/html/draft-ietf-uta-mta-sts-05
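Before handing a DS record to a registrar (or checking one the registrar generated for you), it helps to verify that its key tag and digest really correspond to your KSK. The following added example (not from the thread; the DNSKEY in it is constructed, not a real key) computes both from a DNSKEY using the RFC 4034 rules and checks a DS tuple against the key.

```python
import hashlib
import struct

# Added example: key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4)
# computed from a DNSKEY. The DNSKEY below is constructed for illustration only.

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, terminating root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags (16 bit), protocol (8 bit), algorithm (8 bit), key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag: 16-bit sum over the RDATA, even-offset bytes shifted into the high byte."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), uppercase hex as in zone files."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner: str, rdata: bytes, tag: int, algorithm: int,
               digest_type: int, digest_hex: str) -> bool:
    """Check a published DS record (tag, algorithm, digest type, digest) against a DNSKEY."""
    return (key_tag(rdata) == tag
            and rdata[3] == algorithm
            and ds_digest(owner, rdata, digest_type) == digest_hex.upper())

# Constructed KSK: flags 257 (SEP bit set), protocol 3, algorithm 13 (ECDSAP256SHA256).
EXAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    print("key tag:", key_tag(EXAMPLE_KEY))
    print("DS:", key_tag(EXAMPLE_KEY), 13, 2, ds_digest("example.com", EXAMPLE_KEY))
```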
>>
>>60601489
thanks for this OP
>>
>posting an actual technology thread on /g/
what the fuck are you doing
>>
>>60601489
DNSSEC and DNSCurve are DNS validators, DNSCrypt is for DNS encryption.

I think even if you use DNSSEC you would still have to use DNSCrypt.
>>
>>60601489
Bump for relevance.
>>
>>60601897
I correct myself, just read this

"DNSSEC allows a resolver to verify the records received from authoritative servers. It ensures that these records are identical to what whoever controls the zone actually configured.

DNSCrypt allows a client to verify the records received from a resolver. It ensures that these records are identical to what the resolver sent.

If you are running a DNSSEC-validating resolver locally, and only sending queries to DNSSEC-signed domains, DNSCrypt is useless.

Problem is that DNSSEC is not widely deployed yet".

I would go for DNSCrypt all the way.
>>
>>60601489

I use DNSCrypt. I also disable UDP for DNS, and I have a list of servers I randomize and manually rotate from time to time.

What about browser DNS caching? I usually increase it (firefox about:config).

Another interesting tangentially related issue are automatic connections. They imply DNS calls the user might not be aware of. See:
https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

No idea how to manage both browser issues above at other browsers.
>>
>>60601897
>>>60601489 (OP) (You)
>DNSSEC and DNSCurve are DNS validators, DNSCrypt is for DNS encryption.
DNSSEC is not a validator in itself. Authoritative name servers can make use of DNSSEC to host DNSSEC-secured zones, from which a name resolver can verify its answers.
>I think even if you use DNSSEC you would still have to use DNSCrypt.
You're not reliant on DNSCrypt for DNSSEC. You can readily start using it.
>>
I usually lurk because I don't really know what's going on, but I will bump for a promising thread. Checking out the OP's links now.
>>
>>60601963
>>>60601897
>I correct myself, just read this
>"DNSSEC allows a resolver to verify the records received from authoritative servers. It ensures that these records are identical to what whoever controls the zone actually configured.
Yes!
>DNSCrypt allows a client to verify the records received from a resolver. It ensures that these records are identical to what the resolver sent.
It only adds confidentiality at this point (which is a good start), but without a trusted root anchor it's meaningless unless you fully trust your resolver.
>If you are running a DNSSEC-validating resolver locally, and only sending queries to DNSSEC-signed domains, DNSCrypt is useless.
It's not, DNSCrypt itself would add confidentiality.
>Problem is that DNSSEC is not widely deployed yet".
The very real problem with DNSSEC is that it did not add confidentiality as part of its core design in consideration. It's a big misconception that DNS traffic is supposed to be public data to begin with.
>I would go for DNSCrypt all the way.
DNSCrypt isn't any more popular than DNSSEC, and both aren't mutually exclusive. Most often you're just blindly trusting a(n untrusted) third party for all of your DNS queries.
>>
How realistic is the risk of DNS hijacking? As far as I know, the attacker would have to be extremely close to intercept, forge fraudulent answers and return the answer ahead of the actual request using UDP for it to work. Are there other methods?
>>
>>60602170
That's one scenario, yes, where the attacker has not compromised your DNS resolver, but tries to lead you to malicious servers anyway. Another scenario would be that your DNS resolver is actively blocking websites (censorship; a lot of ISPs do this), or worse, your DNS resolver is indeed compromised and redirecting you to a malicious website directly.
>>
>>60602272
If the ISP itself is trying to censor or block the address, what good will it do to be able to resolve the address from an external source? The ISP would block the direct connection either way.
>>
>>60602348
Sure, they could block the address as well, but at other times the ISP itself would not even care about enforcing the block. We had a case here where an ISP would only comply with a government policy (a specific website block) by just blocking the name resolving (works for most normies anyway). You could still get there via direct IP, a proxy, or a different name resolver.
>>
>>60601489
Made use of DNSSEC for my workplace a few months ago, making use of DANE, SSHFP, and OPENPGPKEY as well.

Also set up our Postfix to make use of DANE.

Went pretty smoothly, however we needed to change our domain registrar as our previous one didn't support DNSSEC.
>>
>>60602468
You, we desperately need more people like you.
>>
>>60601977
Default DNS cache time for Firefox is 60 seconds which seems really low to me... It's not like websites change their IP that often. If anyone's interested then
network.dnsCacheExpiration

is the time in seconds a record should be cached while
network.dnsCacheEntries
controls how many entries should be stored in cache. Set these to whatever you feel is appropriate.
>>
>>60602514
Thanks. I just wish more registrars (at least in my country) would make use of DNSSEC. The ones that do, you have to pay a bit extra for.

I feel that the average business wouldn't justify the extra $5 per year for "something that works fine already".
>>
File: 1444603478972.jpg (72KB, 648x590px)
You've already covered everything there is to know. What else are you expecting to get out of this thread? DNS is very simple.
>>
What about OCSP servers?
>>
I want to use DNSCrypt, since I like the idea of hiding DNS queries from my ISP, but apparently that's not an out-of-the-box sort of thing on pfSense. So I just picked some DNSSEC-supporting servers, ticked the box to enable validation, and called it good enough.

>>60602401
as far as I know most website blocks are done this way. Changing the DNS records is much simpler and much less dangerous than fucking with actual routing, for the ISP. I remember seeing a news report showing graffiti in Turkey saying "DNS 8.8.8.8" after Erdogan ordered some social-media crackdown.
>>
So is this security on our side or The DNS servers side
>>
>>60602891
If you only need it client side, just set up dnscrypt-proxy, redirect your DNS queries to localhost and done. If on Windows, I would also recommend disabling the system-wide DNS Client service.
>>
>>60602698
You are very simple
>>
File: !!!.jpg (25KB, 500x376px)
>use VPN
>Test for DNS leaks
>shows ISP and VPN
>rerun test
>does not show real ISP until I restart VPN
What's going on?
>>
Who OpenNIC here?
>>
File: 1471027576115.png (708KB, 670x424px)
>>60603017
This is true
>>
>>60602897
Depends on what you call our side. A lower tier server could also benefit, particularly local institutional servers.
>>
File: a shit (shithole).jpg (25KB, 499x499px)
>>60603099
>trusting some random anon to reliably handle all your DNS queries on babby's first server and handle your privacy with reasonable discretion
>>
>>60603196
You're retarded if you think I'm forwarding all my queries to OpenNIC. It's only used for their top level domains.
>>
>>60603494
Sadly, many /g/entooman nowadays are stupid enough to do this. I've seen it.
>>
>>60601489
Just what we needed, another general.
>>
I use DNSCrypt, am I good to go?
>>
>>60603581
DNSCrypt is more for security, not so much privacy. If that's your ultimate goal, then yes, you done good, anon.
>>
>>60603616

If he uses d0wn's dns servers, then he should be good to go in both instances. d0wn also hosts opennic servers as well, but I use his romanian dnscrypt server, which is plenty fast.
>>
File: JPEG_20170526_230055.jpg (320KB, 1632x1224px)
Guys, what is this connector called? It is for ethernet?

>inb4 clean that shit
Not mine
>>
>>60604736
Yes. The port folds down, allowing a cable to be plugged in.
>>
I'm hosting my own BIND server for my domain, with DNSSEC & DANE all working.

Can anyone recommend some script or tool I can use to automatically resign once the RRSIG records expire?
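Whatever tool does the re-signing, the check you want alongside it is one that reads the signed zone and warns before any RRSIG expires, since an expired signature makes validating resolvers SERVFAIL that RRset. The following added example (not from the thread; the zone lines and signature blobs in it are constructed) parses RRSIG expiration timestamps from a zone file in standard presentation format and lists signatures that are expired or close to it.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone lines (not from the thread); the signature fields are placeholders.
SIGNED_ZONE = """\
example.com. 3600 IN RRSIG SOA 13 2 3600 20170620120000 20170606120000 2068 example.com. c2lnMQ==
example.com. 3600 IN RRSIG A 13 2 3600 20170701000000 20170601000000 2068 example.com. c2lnMg==
_443._tcp.example.com. 3600 IN RRSIG TLSA 13 4 3600 20170615000000 20170601000000 2068 example.com. c2lnMw==
example.com. 3600 IN A 192.0.2.10
"""

RRSIG_TIME = "%Y%m%d%H%M%S"  # RRSIG expiration/inception presentation format (RFC 4034 3.2)

def utc_time(text: str) -> datetime:
    """Parse a YYYYMMDDHHMMSS timestamp as UTC, the way RRSIG times are written."""
    return datetime.strptime(text, RRSIG_TIME).replace(tzinfo=timezone.utc)

def parse_rrsig(line: str):
    """Return the fields of one RRSIG zone-file line, or None if the line is not an RRSIG.
    Assumes the fully qualified form: owner TTL class RRSIG type alg labels origTTL exp inc tag signer sig."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        return None
    return {
        "owner": f[0],
        "covered": f[4],          # RR type this signature covers
        "algorithm": int(f[5]),
        "expiration": utc_time(f[8]),
        "inception": utc_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }

def expiring_rrsigs(zone_text: str, now: datetime, warn_days: int = 7):
    """List (owner, covered type, whole days left) for signatures expired or expiring within warn_days.
    Negative days mean the signature has already expired and the zone must be re-signed."""
    found = []
    for line in zone_text.splitlines():
        sig = parse_rrsig(line)
        if sig is None:
            continue
        remaining = sig["expiration"] - now
        if remaining <= timedelta(days=warn_days):
            found.append((sig["owner"], sig["covered"], remaining.days))
    return found

if __name__ == "__main__":
    for owner, rtype, days in expiring_rrsigs(SIGNED_ZONE, datetime.now(timezone.utc)):
        print(f"{owner} {rtype}: {days} day(s) left, re-sign now")
```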
>>
>>60601489
DNSSEC is a joke. Don't even bother.
You can run your own DNS server you know, it's very simple to set up with any BSD and just run a VPN to your VPS hosting the DNS, dnscrypt not needed.

dnscrypt is however a great alternative to dnssec but most of the implementations are shit, djb has said this himself.
>>
>>60604943
Which is the cable name?
>>
>>60605174
Ethernet / RJ45. I don't believe that the drop-down causes it to be named differently.

>>60605094
>DNSSEC is a joke. Don't even bother.
You want to expand on this, as it seems to me that you have no idea what DNSSEC is about.
>>
>>60605209
It's about UDP race condition attacks. D. J. Bernstein has dozens of IETF crypto working group posts slamming it, and so does phk from FreeBSD, who's done numerous talks on what a bag of shit DNSSEC is, and DANE junk.
>>
>>60605266
Without DNSSEC & DANE, there is absolutely no way for me to send you an e-mail (or vice versa) without the possibility of it being intercepted.

Sure, this is an SMTP problem (and it sucks) but it ain't going anywhere.

See this article too which tackles a number of criticisms about it; https://www.easydns.com/blog/2015/08/06/for-dnssec/