[Dnsmasq-discuss] Improve privacy by randomly selecting DNS server from a whitelist
Sam Kuper
2016-10-10 13:52:20 UTC
Dear Dnsmasq folk,

This is my first foray onto the mailing list, and I am not very
experienced with Dnsmasq or indeed DNS, so please be gentle.

I was setting up an OpenWRT router recently, and wanted to be able to
improve the privacy of DNS requests made from that router and from the
PCs on the LAN.

By handing off all the requests to *one* DNS provider, whether that
provider is the ISP, or Google, or someone else, privacy is obviously
compromised: that provider can very easily record *all* the DNS
requests sent via that router (except, perhaps, in cases where the
client is configured not to seek a DNS forwarder on the LAN).

Unfortunately, there are no public DNS providers who I trust not to
record this sort of information for longer than necessary, nor any
whom I trust never to abuse that sort of information. (Perhaps you
think my feelings about this are wrong, but please bear with me.)

Fortunately, there are numerous public DNS servers that I trust, more
or less, to return accurate results to DNS queries. I'll call this the
"semi-trusted set".

Therefore, it occurred to me that a better option than simply relying
on *one* provider, would be to supply the router with a list of IP
addresses for the servers in the semi-trusted set, and then, for each
DNS query the router cannot answer from its own DNS cache, have the
router send the query to a randomly selected DNS server from that
list. That way, the clients would (I hope) receive trustworthy
replies, and none of the providers would be able to record more than a
random subset of the requests. This might come at the cost of slightly
slower average response times for DNS queries, but for my use case,
this would be perfectly acceptable.

While searching for a way to do this, I learned that Dnsmasq is
included by default in OpenWRT. Learning, in turn, about Dnsmasq, made
me optimistic that it might be possible to configure or extend Dnsmasq
to achieve the desired functionality described above.

I would be grateful to know:

whether, and if so, why, the desiderata I described are a Bad Idea. (I
hope not, but it's always good to have a sanity check.)
whether anyone on this list knows of a way to achieve the desired
functionality by configuring existing software available within
OpenWRT, and if so, how. (Maybe there's a package, or a setting, that
does exactly what I'm after, and I've just never heard of it.) Please
reply to me off-list if the answer is not relevant to Dnsmasq.
whether, if the desired functionality is not currently readily
available within OpenWRT, but could be made available by extending
Dnsmasq, any of you on the list would be keen to implement that
functionality (Simon Kelley, maybe?), or to donate funds towards such
an effort.

Many thanks.
Sam Kuper
2016-10-10 13:53:44 UTC
Dear Dnsmasq folk [...]
Apologies, some of the formatting went awry in my previous message.
Let me try that again.


Dear Dnsmasq folk,

This is my first foray onto the mailing list, and I am not very
experienced with Dnsmasq or indeed DNS, so please be gentle.

I was setting up an OpenWRT router recently, and wanted to be able to
improve the privacy of DNS requests made from that router and from the
PCs on the LAN.

By handing off all the requests to *one* DNS provider, whether that
provider is the ISP, or Google, or someone else, privacy is obviously
compromised: that provider can very easily record *all* the DNS
requests sent via that router (except, perhaps, in cases where the
client is configured not to seek a DNS forwarder on the LAN).

Unfortunately, there are no public DNS providers who I trust not to
record this sort of information for longer than necessary, nor any
whom I trust never to abuse that sort of information. (Perhaps you
think my feelings about this are wrong, but please bear with me.)

Fortunately, there are numerous public DNS servers that I trust, more
or less, to return accurate results to DNS queries. I'll call this the
"semi-trusted set".

Therefore, it occurred to me that a better option than simply relying
on *one* provider, would be to supply the router with a list of IP
addresses for the servers in the semi-trusted set, and then, for each
DNS query the router cannot answer from its own DNS cache, have the
router send the query to a randomly selected DNS server from that
list. That way, the clients would (I hope) receive trustworthy
replies, and none of the providers would be able to record more than a
random subset of the requests. This might come at the cost of slightly
slower average response times for DNS queries, but for my use case,
this would be perfectly acceptable.

While searching for a way to do this, I learned that Dnsmasq is
included by default in OpenWRT. Learning, in turn, about Dnsmasq, made
me optimistic that it might be possible to configure or extend Dnsmasq
to achieve the desired functionality described above.

I would be grateful to know:

- whether, and if so, why, the desiderata I described are a Bad Idea.
(I hope not, but it's always good to have a sanity check.)

- whether anyone on this list knows of a way to achieve the desired
functionality by configuring existing software available within
OpenWRT, and if so, how. (Maybe there's a package, or a setting, that
does exactly what I'm after, and I've just never heard of it.) Please
reply to me off-list if the answer is not relevant to Dnsmasq.

- whether, if the desired functionality is not currently readily
available within OpenWRT, but could be made available by extending
Dnsmasq, any of you on the list would be keen to implement that
functionality (Simon Kelley, maybe?), or to donate funds towards such
an effort.

Many thanks.
/dev/rob0
2016-10-10 16:55:47 UTC
Post by Sam Kuper
I was setting up an OpenWRT router recently, and wanted to be able
to improve the privacy of DNS requests made from that router and
from the PCs on the LAN.
By handing off all the requests to *one* DNS provider, whether
that provider is the ISP, or Google, or someone else, privacy is
obviously compromised: that provider can very easily record *all*
the DNS requests sent via that router
The ISP could, and they could do it regardless of the DNS forwarder
chosen. The ISP could even redirect all outbound queries to their
own resolver, and through the magic of NAT, reply as the destination
resolver.

Furthermore the ISP has access to the personal information of the
account holder. They have the ability to make an association of IP
address to customer.

I doubt it's so easy for Google to get personally identifying
information from Google Public DNS. I suspect that data is of
interest to them in determining site rankings, mostly. A side
benefit is to see the DNS attacks which are underway. I suspect
Google has multiple full-time analysts looking at those attacks.
(Perhaps I should say, I *hope* they do.)
Post by Sam Kuper
(except, perhaps, in cases where the client is configured not
to seek a DNS forwarder on the LAN).
Redirection covers this. Just as with many hotels and hotspots,
enter ANY IP address as your resolver, and it will "work", through
the ISP's resolver.

There are ways to "defeat" such an attack (where "defeat" means to
detect it and to break your own ability to resolve names, so it's
certainly not a clear victory.) More on that below.
Post by Sam Kuper
Unfortunately, there are no public DNS providers who I trust not to
record this sort of information for longer than necessary, nor any
whom I trust never to abuse that sort of information. (Perhaps you
think my feelings about this are wrong, but please bear with me.)
Again I'd definitely be more concerned about the ISP than about el
Goog. I'm not speaking as a Google fanboy (I'm not one!), just
considering the technical issues. (For one thing, note that a DNS
query cannot identify why you were querying; perhaps it wasn't even
for HTTP.)

But, that's how it is for most of us: we have to deal with an ISP if
we want to get online.
Post by Sam Kuper
Fortunately, there are numerous public DNS servers that I trust,
more or less, to return accurate results to DNS queries. I'll call
this the "semi-trusted set".
Therefore, it occurred to me that a better option than simply
relying on *one* provider, would be to supply the router with a
list of IP addresses for the servers in the semi-trusted set, and
then, for each DNS query the router cannot answer from its own DNS
cache, have the router send the query to a randomly selected DNS
server from that list.
This functionality does not exist in dnsmasq at this time. But a
Linux-specific way to do it would be to DNAT some of the queries
using the "statistic" match. See "iptables -m statistic -h" and the
iptables-extensions(8) manual.
Post by Sam Kuper
That way, the clients would (I hope) receive trustworthy replies,
and none of the providers would be able to record more than a
random subset of the requests. This might come at the cost of
slightly slower average response times for DNS queries, but for my
use case, this would be perfectly acceptable.
While searching for a way to do this, I learned that Dnsmasq is
included by default in OpenWRT. Learning, in turn, about Dnsmasq,
made me optimistic that it might be possible to configure or extend
Dnsmasq to achieve the desired functionality described above.
- whether, and if so, why, the desiderata I described are a Bad
Idea. (I hope not, but it's always good to have a sanity check.)
It doesn't seem important to me, but I am a "full control" control
freak who runs his own recursive resolver. And that's how I defeat
the redirection attacks.

See, a recursive resolver makes queries directly to the various
authoritative NS hosts. Those queries do not have the "RD" bit
(recursion desired) set, and the resolver will only accept replies
which have the "AA" bit (authoritative) set.

Replies from a recursive resolver do not have AA, so when my ISP gets
that hare-brained idea again, to redirect queries to their broken
resolver, immediately, I know. (Because nothing resolves.)

DNSSEC validation also helps here. The root and most top-level zones
are signed, and if those signatures are missing or broken, again, I
will see that nothing resolves.
Post by Sam Kuper
- whether anyone on this list knows of a way to achieve the desired
functionality by configuring existing software available within
OpenWRT, and if so, how. (Maybe there's a package, or a setting,
that does exactly what I'm after, and I've just never heard of it.)
Please reply to me off-list if the answer is not relevant to
Dnsmasq.
The iptables statistic match is probably not in stock openwrt, so
that must be installed.

What I do, and have posted before on this list about, is to run
dnsmasq for DHCP and local names, using a local resolver (on an
alternate port, because dnsmasq gets port 53) as its one upstream
server.

I use BIND named(8) for this, with a simple configuration. If you
are interested in this and can't find it in the list archives, post
again. You won't have named in stock openwrt, so you would need to
install it.

Any other recursive resolver could do it also; the only catch is that
it must be able to bind on an alternate port. I like BIND, but on an
embedded platform it's probably much bigger than others. Look at
pdns-recursor and unbound.
Post by Sam Kuper
- whether, if the desired functionality is not currently readily
available within OpenWRT, but could be made available by extending
Dnsmasq, any of you on the list would be keen to implement that
functionality (Simon Kelley, maybe?), or to donate funds towards
such an effort.
--
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
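An added example of the iptables DNAT approach rob0 describes (it is not code from the thread, from dnsmasq or from iptables): a Python script that works out the per-rule probabilities the "statistic" match needs so that N rules evaluated top to bottom give every upstream an equal share, checks that the cascade really is uniform, and prints the rules. The resolver addresses, the placeholder upstream (the address dnsmasq's server= line would point at) and the chain name are constructed assumptions.

```python
from fractions import Fraction

# Constructed values: RFC 5737 documentation addresses, not real resolvers.
PLACEHOLDER = "192.0.2.1"          # what dnsmasq's server= line points at
UPSTREAMS = ["198.51.100.10", "198.51.100.20", "203.0.113.30"]


def cascade_probabilities(n):
    """Match probability for each of n rules tried top to bottom.

    Rule i (0-based) only sees packets that rules 0..i-1 let through, so it
    must fire with probability 1/(n-i) for every target to end up with 1/n.
    """
    return [Fraction(1, n - i) for i in range(n)]


def effective_shares(probs):
    """Share of traffic each rule actually diverts, given the cascade."""
    shares, remaining = [], Fraction(1)
    for p in probs:
        shares.append(remaining * p)
        remaining *= 1 - p
    return shares


def dnat_rules(upstreams, placeholder=PLACEHOLDER, chain="OUTPUT"):
    """iptables nat-table commands that rewrite the placeholder destination.

    OUTPUT catches queries the router itself (dnsmasq) sends; LAN clients that
    bypass dnsmasq would need the same rules in PREROUTING. Conntrack undoes
    the DNAT on the reply, so dnsmasq sees the answer come from PLACEHOLDER.
    """
    probs = cascade_probabilities(len(upstreams))
    rules = []
    for proto in ("udp", "tcp"):            # DNS retries over TCP when truncated
        for ip, p in zip(upstreams, probs):
            # The last rule must always match, so it carries no statistic match.
            match = "" if p == 1 else (
                f"-m statistic --mode random --probability {float(p):.6f} ")
            rules.append(
                f"iptables -t nat -A {chain} -p {proto} --dport 53 -d {placeholder} "
                f"{match}-j DNAT --to-destination {ip}:53")
    return rules


if __name__ == "__main__":
    for rule in dnat_rules(UPSTREAMS):
        print(rule)
```

Run it on a workstation and paste the printed commands onto the router; the statistic match itself must be installed there first, as rob0 notes.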
Sam Kuper
2016-10-11 18:08:24 UTC
Post by /dev/rob0
Post by Sam Kuper
I was setting up an OpenWRT router recently, and wanted to be able
to improve the privacy of DNS requests made from that router and
from the PCs on the LAN.
By handing off all the requests to *one* DNS provider, whether
that provider is the ISP, or Google, or someone else, privacy is
obviously compromised: that provider can very easily record *all*
the DNS requests sent via that router
The ISP could, and they could do it regardless of the DNS forwarder
chosen. The ISP could even redirect all outbound queries to their
own resolver, and through the magic of NAT, reply as the destination
resolver.
Thanks for pointing this out!

Would DNSCrypt and/or DNSSEC protect against this? (I intend to learn
more about both in due course, but haven't got far enough with this
yet to be entirely confident in my estimation of the answer to that
question, sorry...)
Post by /dev/rob0
Post by Sam Kuper
(except, perhaps, in cases where the client is configured not
to seek a DNS forwarder on the LAN).
Redirection covers this. Just as with many hotels and hotspots,
enter ANY IP address as your resolver, and it will "work", through
the ISP's resolver.
Ditto.
Post by /dev/rob0
There are ways to "defeat" such an attack (where "defeat" means to
detect it and to break your own ability to resolve names, so it's
certainly not a clear victory.) More on that below. [...]
Post by Sam Kuper
Fortunately, there are numerous public DNS servers that I trust,
more or less, to return accurate results to DNS queries. I'll call
this the "semi-trusted set".
Therefore, it occurred to me that a better option than simply
relying on *one* provider, would be to supply the router with a
list of IP addresses for the servers in the semi-trusted set, and
then, for each DNS query the router cannot answer from its own DNS
cache, have the router send the query to a randomly selected DNS
server from that list.
This functionality does not exist in dnsmasq at this time. But a
Linux-specific way to do it would be to DNAT some of the queries
using the "statistic" match. See "iptables -m statistic -h" and the
iptables-extensions(8) manual.
Cool suggestion. I wasn't aware of the "statistic" match options in
iptables. Will look into this more. On the face of it, it looks a bit
more fragile, and more prone to my making an error in setting it up,
than having a suitable capability present in Dnsmasq would be; but as
the latter doesn't presently exist, iptables may well be my best bet
:)
Post by /dev/rob0
Post by Sam Kuper
That way, the clients would (I hope) receive trustworthy replies,
and none of the providers would be able to record more than a
random subset of the requests. This might come at the cost of
slightly slower average response times for DNS queries, but for my
use case, this would be perfectly acceptable.
While searching for a way to do this, I learned that Dnsmasq is
included by default in OpenWRT. Learning, in turn, about Dnsmasq,
made me optimistic that it might be possible to configure or extend
Dnsmasq to achieve the desired functionality described above.
- whether, and if so, why, the desiderata I described are a Bad
Idea. (I hope not, but it's always good to have a sanity check.)
It doesn't seem important to me, but I am a "full control" control
freak who runs his own recursive resolver. And that's how I defeat
the redirection attacks.
See, a recursive resolver makes queries directly to the various
authoritative NS hosts. Those queries do not have the "RD" bit
(recursion desired) set, and the resolver will only accept replies
which have the "AA" bit (authoritative) set.
Replies from a recursive resolver do not have AA, so when my ISP gets
that hare-brained idea again, to redirect queries to their broken
resolver, immediately, I know. (Because nothing resolves.)
Thanks for this, too. I was hoping for a solution that was more
lightweight than running my own recursive resolver, but it's an option
I will definitely consider.
Post by /dev/rob0
DNSSEC validation also helps here. The root and most top-level zones
are signed, and if those signatures are missing or broken, again, I
will see that nothing resolves.
Understood.
Post by /dev/rob0
Post by Sam Kuper
- whether anyone on this list knows of a way to achieve the desired
functionality by configuring existing software available within
OpenWRT, and if so, how. (Maybe there's a package, or a setting,
that does exactly what I'm after, and I've just never heard of it.)
Please reply to me off-list if the answer is not relevant to
Dnsmasq.
The iptables statistic match is probably not in stock openwrt, so
that must be installed.
I think you are correct. On a stock OpenWRT CLI:

# iptables -h | grep -i statistic | wc -l
0
Post by /dev/rob0
What I do, and have posted before on this list about, is to run
dnsmasq for DHCP and local names, using a local resolver (on an
alternate port, because dnsmasq gets port 53) as its one upstream
server.
I use BIND named(8) for this, with a simple configuration. If you
are interested in this and can't find it in the list archives, post
again. You won't have named in stock openwrt, so you would need to
install it.
Thanks again. I guess this is the relevant thread:

http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q2/007320.html
Post by /dev/rob0
Any other recursive resolver could do it also; the only catch is that
it must be able to bind on an alternate port. I like BIND, but on an
embedded platform it's probably much bigger than others. Look at
pdns-recursor and unbound.
Will do. Cheers!
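To make the RD/AA rule rob0 describes (and Sam quotes above) concrete, here is an added Python example that is not from the thread or from any resolver's code base: it builds the header of an RD=0 query as a recursive resolver would send it to an authoritative server, and classifies a reply by its AA bit the way rob0's resolver does. The sample reply headers are constructed, not captured traffic.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def build_query_header(txid, rd=False):
    """12-byte header of a one-question query. A recursive resolver asking an
    authoritative server sends RD=0: it does the recursion itself."""
    flags = RD if rd else 0
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


def parse_header(data):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "ancount": an}


def classify_reply(query_header, reply):
    """Apply rob0's acceptance rule to a reply to an RD=0 query.

    'authoritative'     AA set: the host we asked really is authoritative.
    'non-authoritative' AA clear: something else answered (a forwarder, or a
                        resolver the ISP redirected the query to); a recursive
                        resolver discards this, which is why nothing resolves.
    'mismatch'          not a response to our query at all.
    """
    q, r = parse_header(query_header), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "mismatch"
    return "authoritative" if r["aa"] else "non-authoritative"


# Constructed sample headers: what an authoritative server and a recursive
# resolver would send back to the RD=0 query with id 0x1234.
QUERY = build_query_header(0x1234)
AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, QR | AA, 1, 1, 0, 0)
REDIRECTED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RA, 1, 1, 0, 0)
```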
