DNS Security

Document created by Vladimir Yakovlev on Apr 25, 2018
Version 1Show Document
  • View in full screen mode

Apologies in advance, since this document does not relate to Check Point directly, but I thought it may be useful.

 

 

 

After seeing numerous posts regarding ease of implementing secure DNS, some of them being patently wrong and misleading, I’d like to provide a brief clarification on this subject.

If you’ve read that changing your static DNS entries either on your PC or home router to the one provided by Cloudflare (1.1.1.1) or IBMs Quad9 (9.9.9.9) will provide you with a measure of privacy, these statements are incorrect.

You are simply running unencrypted query to the server(s) CAPABLE of secure communication. Your ISP, hotel, etc. will have no trouble at all collecting, analyzing, and selling your information if all you've done is specified 1.1.1.1 as your preferred DNS. If you are really trying to secure DNS, a bit more work is required.

 

 

Cloudflare does provide secure DNS services. It is misunderstanding of how it should be used that I have problem with.

If you simply define static IP as your DNS server, any upstream DNS Proxy will be able to log, intercept and reroute it.

DNSSEC can guarantee that the responses are valid but does not provide confidentiality.

DNS over HTTPS/TLS will do both but could either be blocked by upstream routers/firewalls because it is addressed to known servers (i.e. 1.1.1.1, 1.0.0.1, 9.9.9.9, etc...), or decrypted by MITM, if user trusts its certificate.

The only known good way to assure DNS security is to use DNSCRYPT with DNSSEC. This method using elliptic curve algorithm to encrypt DNS traffic, providing confidentiality and DNSSEC, assuring authenticity of replies.

This last one could be blocked, because you are still limited to the relatively short list of known servers, but you will know that someone is meddling with your DNS traffic.

If you want as close to complete security for DNS as you can get, use IPSEC VPN to a cloud-hosted DNS proxy that you've deployed yourself, that is in turn configured to use DNSCrypt with DNSSEC.

Additionally, be aware that the Windows 10 has, what is known as “DNS leakage”. Regardless of your VPN settings, it is going to broadcast DNS requests in the open to all DNS servers identified on all of its interfaces. I.e. if you are connected to an unsecured Wi-Fi and VPN and both supply your computer with DNS servers, queries will go out of both interfaces, the physical and the virtual and the fastest answer will be used for resolution.

Additional tinkering with the registry required to disable this behavior: https://www.neowin.net/news/guide-prevent-dns-leakage-while-using-a-vpn-on-windows-10-and-windows-8

 

Your comments, corrections and questions are, as always, welcome.

 

Vladimir Yakovlev

1 person found this helpful

Attachments

    Outcomes