Friday, July 13, 2018

Enabling DNSSEC on Cloudflare and Godaddy

In my previous post, I talked about how you can set up a local DNS resolver using a Raspberry Pi and how that device can use DNSSEC to validate the integrity of domain records as they pass across the internet.  In this post, I would like to share my experience configuring randomhack.com's DNS provider and registrar to support the feature.

As you can see from the short video, the process is relatively straightforward.  Cloudflare.com does a pretty good job of making the setup easy.  If I have time over the weekend, I'll run through the same process on my Google Cloud DNS to compare.

Thursday, July 5, 2018

Secure your DNS with DNS over HTTPS and CloudFlare

So I recently set up a spare Raspberry Pi at my house to act as a local DNS server that blocks requests based on ad lists and rules.  The software that does this is called, appropriately, Pi-Hole, and it is fully open source.  This has been great because it works across all devices on the network without having to install ad-blockers on each device.

After running this setup for a while with the standard Google Public DNS servers at 8.8.8.8, I found an article about a new public DNS service hosted by CloudFlare on 1.1.1.1, which is a much faster server.  Instead of responses in the 30-50ms range, the CloudFlare DNS server typically resolves hosts in around 11-20ms, or almost twice as fast!

In addition to changing the Pi-Hole software to use this DNS resolver, I read that the CloudFlare DNS server also offers DNS over HTTPS.  (Google also offers this service.)  This is great because normal DNS queries are sent unencrypted, meaning anyone on the network between you and the resolver can eavesdrop on your requests and log which sites and services you are visiting with minimal effort.  In addition, some Internet Service Providers have even gone so far as to modify the DNS responses for some sites in order to inject ads into your browsing experience! (pure evil, IMHO)

In order to protect against this type of hijacking and eavesdropping, you can encrypt your DNS requests and send them over HTTPS, the same protocol that protects secure web sites like your bank's from being intercepted and read while the traffic travels over the internet.

The guide that I used for configuring the DNS over HTTPS proxy can be found here:

https://bendews.com/posts/implement-dns-over-https/

Another benefit of using Pi-Hole is that it supports DNSSEC, which everyone should be using.  DNSSEC adds cryptographic signatures to DNS records so that a validating resolver can detect, and refuse to pass on, records that were tampered with in transit.  It's an extra layer of protection on top of DNS over HTTPS, and Pi-Hole supports it.  (Just make sure to turn it on, as it's off by default!)
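To make the two mechanisms above concrete, here is an added example (not code from this post or from Pi-Hole) that builds a DNS-over-HTTPS GET request in the RFC 8484 wire format for Cloudflare's public endpoint, and then reads the header of a resolver's reply to tell whether the DNSSEC validation described above actually succeeded.  Nothing is sent over the network; the three sample responses are constructed inline, and the answer address 203.0.113.10 is an RFC 5737 documentation value.

```python
import base64
import struct

# Cloudflare's RFC 8484 DNS-over-HTTPS endpoint (the 1.1.1.1 service).
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"
FLAG_RD = 0x0100  # Recursion Desired (set by the client)
FLAG_AD = 0x0020  # Authenticated Data: the resolver validated the DNSSEC chain
EDNS_DO = 0x8000  # DNSSEC OK bit in the EDNS0 OPT record (RFC 4035)
RCODE_SERVFAIL = 2

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query for `name` (default type A) with EDNS0 DO set.
    Transaction ID is 0, as RFC 8484 recommends so GET responses are cacheable."""
    header = struct.pack("!HHHHHH", 0, FLAG_RD, 1, 0, 0, 1)  # QDCOUNT=1, ARCOUNT=1 (OPT)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    # OPT pseudo-RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt

def doh_get_url(query: bytes) -> str:
    """GET form of RFC 8484: unpadded base64url in the `dns` parameter."""
    payload = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{DOH_ENDPOINT}?dns={payload}"

def parse_header(response: bytes) -> dict:
    """Decode the 12-byte header of a DNS message (a DoH response body starts with it)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {"id": txn_id, "rcode": flags & 0x000F,
            "authenticated": bool(flags & FLAG_AD), "answers": an}

def dnssec_status(response: bytes) -> str:
    """Classify a validating resolver's verdict from the header alone."""
    h = parse_header(response)
    if h["rcode"] == RCODE_SERVFAIL:
        return "failed"  # bogus signatures make a validating resolver answer SERVFAIL
    return "secure" if h["authenticated"] else "insecure"  # no AD: unsigned zone or no validation

# Constructed sample responses (not captured traffic), answering randomhack.com with the
# RFC 5737 documentation address 203.0.113.10; only the header flags differ between them.
_QUESTION = build_query("randomhack.com")[12:32]
_ANSWER = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
SECURE_RESPONSE = struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0) + _QUESTION + _ANSWER    # QR RD RA AD
INSECURE_RESPONSE = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + _QUESTION + _ANSWER  # QR RD RA
BOGUS_RESPONSE = struct.pack("!HHHHHH", 0, 0x8182, 1, 0, 0, 0) + _QUESTION               # SERVFAIL
```

The AD bit is only trustworthy when the path to the resolver is itself protected, which is exactly what DoH adds: over plain UDP anyone in the path could set that bit, so the two features complement each other rather than overlap.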