This is a general DNS security thread for anyone willing to discuss, help newbies or learn more about DNS security in general.
Who among you is using DNSSEC [1, 2] already? Why do you use it? What do you use it for? Have you considered TLSA (DANE [3]), SSHFP [4], OPENPGPKEY [5] resource records (RRs) yet?
Perhaps you don't like DNSSEC and instead use DNSCrypt [6] or DNSCurve [7] for encryption of your queries?
Share your thoughts!
Newbies section:
Here are some very basic, newbie friendly, introductory DNSSEC videos:
https://www.youtube.com/watch?v=lTABuMxO2AM
https://www.youtube.com/watch?v=qlto6GfZEvA
DNSSEC uses asymmetric cryptography [8] to securely sign all resource record sets (RRsets) on all authoritative name servers that support DNSSEC. Your local DNSSEC enabled resolver then validates the authenticity of your DNS queries to make sure your query has not been tampered with. This thwarts attacks trying to, for example, redirect you to malicious and compromised servers instead.
If you're thinking about registering your own domain, check if your registrar offers DNSSEC. Some registrars automatically sign your zone, which means you most likely can already add your TLSA RRs and such. Other registrars offer to upload your Delegation Signer (DS) RR, or your public zone signing key (ZSK) / public key signing key (KSK) instead. That's also nice if you wish to just host your own authoritative name server.
[1] https://tools.ietf.org/html/rfc4033
[2] http://www.dnssec.net/
[3] https://tools.ietf.org/html/rfc6698
[4] https://tools.ietf.org/html/rfc4255
[5] https://tools.ietf.org/html/rfc7929
[6] https://www.dnscrypt.org/
[7] https://dnscurve.org/
[8] https://en.wikipedia.org/wiki/Public-key_cryptography
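The OP mentions handing your registrar a DS record and publishing SSHFP records. Both are deterministic transforms of a public key that you can compute offline before touching a zone. The following is an added example written for this thread, not code from any of the linked projects: it derives the DS RR (RFC 4034 key tag, RFC 4509 SHA-256 digest) from DNSKEY fields and SSHFP RRs (RFC 4255 / RFC 6594 / RFC 7479) from an authorized_keys-style line. The DNSKEY and Ed25519 key bytes it uses are constructed placeholders, not real keys.

```python
"""Added example (not from the thread): build DS and SSHFP records offline.

DS    - RFC 4034 key tag + RFC 4509 SHA-256 digest over owner name + DNSKEY RDATA
SSHFP - RFC 4255 / RFC 6594 / RFC 7479: hash of the raw OpenSSH public key blob
All sample keys below are constructed for illustration, not real keys.
"""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, key material."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> str:
    """Presentation-format DS RR (digest type 2 = SHA-256) for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


# SSH key type -> SSHFP algorithm number (RFC 4255, RFC 6594, RFC 7479)
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}


def sshfp_records(hostname: str, pubkey_line: str) -> list:
    """SSHFP RRs (SHA-1 and SHA-256 fingerprints) from one authorized_keys-style line."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob embeds its own type string; refuse a line whose label and blob disagree.
    tlen = int.from_bytes(blob[:4], "big")
    if blob[4:4 + tlen] != keytype.encode("ascii"):
        raise ValueError("key type label does not match key blob")
    algo = SSHFP_ALGORITHMS[keytype]
    return [
        f"{hostname} IN SSHFP {algo} {fptype} {hasher(blob).hexdigest()}"
        for fptype, hasher in ((1, hashlib.sha1), (2, hashlib.sha256))
    ]


# Constructed sample inputs (not real keys): a 64-byte ECDSA P-256 sized DNSKEY
# (algorithm 13) and an Ed25519 host key blob with a 32-byte zero-filled key.
SAMPLE_DNSKEY_B64 = base64.b64encode(bytes(range(64))).decode("ascii")
_ed25519_blob = b"\x00\x00\x00\x0b" + b"ssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(_ed25519_blob).decode("ascii") + " sample@example"

if __name__ == "__main__":
    print(ds_record("example.com.", 257, 3, 13, SAMPLE_DNSKEY_B64))
    for rr in sshfp_records("host.example.com.", SAMPLE_ED25519_LINE):
        print(rr)
```

Compare the DS output against what `dnssec-dsfromkey` or your signer prints before uploading it; a mismatched key tag or digest is the usual sign that the owner name or flags field was wrong. For SSHFP, publish both fingerprint types so clients with `VerifyHostKeyDNS` can match either.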
>>60678027
apt-get install dnscrypt-proxy
do I need more?
>>60678115
Really depends on what your goal is here. For DNSCrypt, you completely rely on the server of your choosing.
>>60678304
You can choose to use multiple servers
I have set up my router to use DNSCrypt + Unbound for caching, bretty comfy
>>60678115
>dnscrypt-proxy
I tried using this once, but it lagged my online games to hell. Don't know why.
Went back to google's dns immediately.
>>60678422
lol wut? how can dns-lookups slow down games?
>>60678027
>DNSCrypt
this is actually very useful.
>>60678422
how long did your dns queries take? also, what game were you playing that relied on so many dns queries that it actually slowed down?
>>60678438
I don't know. I tried using different servers that it offered but none helped.
Usually I got around 30ms, but with dnscrypt it was 150~200ms.
>>60678461
Left 4 Dead 2, though this was +3 years ago
>>60678400
Do you also use Unbound to validate DNSSEC queries through your DNSCrypt tunnel?
>>60678469
https://wiki.archlinux.org/index.php/DNSCrypt#Redundant_DNSCrypt_providers
helps if you find a server close to you, i get 9ms
>>60678480
ofc, i would guess it's kinda redundant
>>60678501
Not necessarily redundant, but it does show that for many people confidentiality is missing in DNSSEC's design. However, if your goal is to stop your ISP or anyone else from snooping, a VPN would make more sense instead of only protecting your DNS queries with DNSCrypt.
>>60678469
my dnscrypt responses have basically the same response time as non dnscrypt.
maybe you just chose a server with horrible latency, try a different dns server
>>60678546
i have a VPN, but rarely use it except on my seedbox. The ISPs are required to block torrent sites, so they do it by DNS (kinda stupid, but ok)
>>60678580
>we dont like this business so we arent going to publish its telephone number in our phonebook
How can I host my own DNSCrypt server? I don't want to rely on anything third-party. Can Unbound do it?
>>60678669
What's your goal? Yes, you can install DNSCrypt on a VPS and install the client on your local system(s). Unbound has nothing to do with DNSCrypt, though, but you can run it through the DNSCrypt tunnel. Still, I'm not sure what you want to accomplish here.
>>60679916
My goal is to deploy a DNSCrypt server on a CentOS VPS so I don't have to use any of the provided ones, and forward my DNS queries to that using Unbound.
>>60680589
For what purpose? To obfuscate your traffic? You'll still connect directly to the IP address once resolved, which anyone in between can see.
>>60680649
It's more just to prove to myself that it can be done
>>60680710
You can, and it's fun to play around with it, that's for sure. :)
We have our own recursors for network use (with a custom "cache warmer" because ~30 users don't keep the cache filled)
We run DNSSEC on our authoritative servers for customer domains
We put IPsec keys and SSH fingerprints in DNS
We have configured SPF for mail
>>60678422
that makes no sense unless your game is looking up new DNS queries constantly..
did it have 1000s of ads?
>>60678400
>>60678304
It's good to use a separate server as your own DNS and hook up your friends with the IP and then use one of the main dnscrypt servers for that server for confidentiality
>>60681004
How would one go about implementing a cache warmer? Like a cronjob that sends queries at intervals less than cache-min-ttl?
Is it possible to set up unbound so that it logs the most requested domains or do I need to script that too?
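Unbound does not keep per-name hit counters itself, but with `log-queries: yes` (a real Unbound option) it writes one `info: <client> <qname> <qtype> <qclass>` line per query, which is enough to script both halves of the question above. The following is an added example, not code from Unbound or anyone in this thread: it ranks names from such a log and builds the raw wire-format A/AAAA queries a cron-driven warmer would send to the local resolver more often than `cache-min-ttl`. The log lines are constructed samples; the resolver address 127.0.0.1:53 is an assumption.

```python
"""Added example (not from the thread): rank names from an Unbound query log and
build the wire-format queries a cache warmer would send to the local resolver.

Assumes Unbound runs with `log-queries: yes`, which logs each query as
"info: <client> <qname> <qtype> <qclass>". The sample lines are constructed.
"""
import os
import re
import socket
from collections import Counter

QUERY_LINE = re.compile(r"info: (?P<client>\S+) (?P<qname>\S+\.) (?P<qtype>[A-Z0-9]+) IN$")

# Constructed sample log lines in Unbound's default bracketed-epoch timestamp format.
SAMPLE_LOG = """\
[1496087533] unbound[1234:0] info: start of service (unbound 1.6.0).
[1496087540] unbound[1234:0] info: 192.168.1.20 example.com. A IN
[1496087541] unbound[1234:0] info: 192.168.1.21 example.com. AAAA IN
[1496087542] unbound[1234:0] info: 192.168.1.20 example.org. A IN
[1496087543] unbound[1234:0] info: 192.168.1.22 example.com. A IN
[1496087544] unbound[1234:0] info: 192.168.1.20 example.org. A IN
[1496087545] unbound[1234:0] info: 192.168.1.23 example.net. A IN
"""


def top_names(log_text: str, n: int) -> list:
    """Return the n most queried (qname, count) pairs, most popular first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_LINE.search(line)
        if m:  # non-query info lines (startup, errors) simply do not match
            counts[m.group("qname").lower()] += 1
    return counts.most_common(n)


QTYPES = {"A": 1, "AAAA": 28}


def build_query(qname: str, qtype: str, txid: int) -> bytes:
    """Minimal RFC 1035 query packet: 12-byte header (RD set), one question, no EDNS."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01\x00\x00\x00\x00\x00\x00"
    labels = [label for label in qname.rstrip(".").split(".") if label]
    question = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + question + QTYPES[qtype].to_bytes(2, "big") + b"\x00\x01"


def warm_cache(names, resolver=("127.0.0.1", 53), timeout=2.0) -> int:
    """Send A and AAAA queries for each name so the resolver refreshes them.

    Returns the number of replies whose transaction id matched a query we sent.
    The resolver address is an assumption; point it at your own Unbound.
    """
    answered = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for name in names:
            for qtype in QTYPES:
                txid = int.from_bytes(os.urandom(2), "big")
                sock.sendto(build_query(name, qtype, txid), resolver)
                try:
                    reply, _ = sock.recvfrom(4096)
                except socket.timeout:
                    continue
                if reply[:2] == txid.to_bytes(2, "big"):
                    answered += 1
    return answered


if __name__ == "__main__":
    popular = [name for name, _ in top_names(SAMPLE_LOG, 10)]
    print("would warm:", popular)
    # Uncomment to query a local Unbound; schedule from cron more often than cache-min-ttl.
    # print("answers:", warm_cache(popular))
```

In practice you would feed `top_names` the rotated log from the previous day rather than the live file, keep the resulting list in a file, and have the cron job read that list so the warmer does not depend on log parsing succeeding at run time.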