Operating one's own local DNS resolution server

For discussions about security.
labbe5
Posts: 2159
Joined: Wed 13 Nov 2013, 14:26
Location: Canada

Operating one's own local DNS resolution server

#1 Post by labbe5 »

Operating one's own local DNS resolution servers is one of the simplest and lowest-cost things an IT administrator can do to monitor and protect applications, services, and users from potential risks.

Every open source server platform, such as Linux or BSD, offers many free implementations of the DNS resolution service. The oldest of these is called BIND, but newer implementations such as PowerDNS, Unbound, and Knot are also well-trusted, production-ready software packages. Most will offer some kind of template configuration that includes local DNS resolution.
Source : https://www.darkreading.com/vulnerabili ... rss-simple

DNSSEC

To a great extent, protecting DNS today begins with DNSSEC. The DNS Security Extensions handle one set of tasks, but it's an extremely important set in the overall scheme of things. DNSSEC is all about making sure that the server (or service) you want to talk to is the one you're actually talking to.

DNSSEC uses a DNSSEC-validating DNS resolver to check DNS signatures and ensure that the resolution information has not been changed and the responding server is the correct server. It's important to note that the signatures in DNSSEC aren't used for any sort of encryption — they're only responsible for validating the identity of the servers involved.

It's also important to note that DNSSEC can protect more than Web pages. Any service that uses a DNS-based address, from email to instant messaging, can benefit from the server authentication provided by DNSSEC.


Quad9

Quad9 is a joint project of the Global Cyber Alliance (GCA), IBM, and Packet Clearing House. Beyond basic name resolution, Quad9 (named for its address, 9.9.9.9) is intended to block the vast majority of malicious sites, including those hosting and controlling malware, botnet infrastructure, and more. To do so, Quad9 collects reputation and security information from 18 different partners, including F-Secure, abuse.ch, Cisco, Proofpoint, and NetLab.

In addition to the blacklist functions, Quad9 will support both a whitelist of the million top-requested domains and a "gold list" of major sites (such as Google, Amazon Web Services, and Microsoft Azure) that should always be considered "safe." Both types of lists are intended to maintain high performance while providing security from bad actors and their malicious destinations.

Source : https://www.darkreading.com/operations/ ... id/1332252

Further reading :
DuckDuckGo's public DNS list
https://duckduckgo.com/html?q=public%20dns
"DNS [security] is still not top of mind,"
https://www.darkreading.com/perimeter/d ... id/1330048
Intra, the Android App for DNS Encryption
https://www.darkreading.com/mobile/an-i ... id/1332965
Best Public DNS Servers
https://whoer.net/blog/article/best-public-dns-servers/
Public DNS for IPv4 and IPv6
https://sebsauvage.net/wiki/doku.php?id=dns-alternatifs
The official release of AdGuard DNS — a new unique approach to privacy-oriented DNS
https://adguard.com/en/blog/adguard-dns-announcement/
Last edited by labbe5 on Sun 05 Jan 2020, 01:28, edited 4 times in total.
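An added example, not part of the post or of the Dark Reading articles it quotes: a small Python stub that builds a DNSSEC-aware query (an EDNS0 OPT record with the DO bit set) and reads back the header of the reply, so you can see what a non-validating client can and cannot conclude. The AD flag is set by the validating resolver, not carried in the signatures themselves, so it is only worth anything when the resolver is one you control and the path to it cannot be tampered with; that is the practical reason for the local Unbound/Knot/PowerDNS resolver recommended above. `simulate_response` is a constructed stand-in for a resolver reply (empty answer section, the NODATA shape) used to exercise the checks offline; `query_udp` talks to a real resolver, assumed here to be a local one on 127.0.0.1.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2)
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234, dnssec_ok=True):
    """Build a wire-format query; with dnssec_ok an OPT RR carrying the DO bit asks for RRSIGs."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    if dnssec_ok:
        # OPT: root name, type 41, UDP payload 4096, ext-rcode 0, EDNS version 0, flags DO=1, rdlen 0
        msg += b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)
    return msg


def question_len(msg):
    """Length of the first question (name + type + class), which starts at offset 12."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4 - 12


def parse_header(msg):
    """Decode the 12-byte header into the fields that matter for a validation check."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
        "ra": bool(flags & RA), "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query, response):
    """What a stub can conclude from the reply a validating resolver sends to a DO-bit query."""
    q, r = parse_header(query), parse_header(response)
    qlen = question_len(query)
    if not r["qr"] or r["id"] != q["id"] or response[12:12 + qlen] != query[12:12 + qlen]:
        return "mismatch"        # not an answer to our question: drop it (spoofed or stray packet)
    if r["rcode"] == RCODE_SERVFAIL:
        return "servfail"        # a validating resolver refuses to hand out data that fails DNSSEC
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain-validated" if r["ad"] else "nxdomain-unvalidated"
    if r["rcode"] != RCODE_NOERROR:
        return "error"
    return "validated" if r["ad"] else "unvalidated"   # AD set => the resolver validated the chain


def simulate_response(query, rcode=RCODE_NOERROR, ad=False):
    """Constructed stand-in for a resolver reply (empty answer section); for offline checks only."""
    txid, _, qd, _, _, ar = struct.unpack("!HHHHHH", query[:12])
    flags = QR | RD | RA | (AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, ar) + query[12:]


def query_udp(query, resolver="127.0.0.1", port=53, timeout=3.0):
    """Send one query over UDP (assumed: a local validating resolver) and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, port))
        reply, _ = s.recvfrom(4096)
    return reply


if __name__ == "__main__":
    q = build_query("example.com")
    print(classify(q, query_udp(q)))
```

A quick field check with a real resolver: a validating one answers "validated" for a signed zone and "servfail" for a deliberately broken one, while a forwarder that does not validate answers "unvalidated" for everything; if your resolver never sets AD, DNSSEC is not actually protecting anything on that host.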


Google DNS Service (8.8.8.8) Now Supports DNS-over-TLS

#2 Post by labbe5 »

https://thehackernews.com/2019/01/googl ... urity.html

Almost every activity on the Internet starts with a DNS query, a key function of the Internet that works as the Internet's directory, where your device looks up the server IP addresses after you enter a human-readable web address (e.g., thehackernews.com).

Since DNS queries are sent in clear text over UDP or TCP without encryption, the information can reveal not only what websites an individual visits but is also vulnerable to spoofing attacks.


To address these problems, Google announced Wednesday that its Public DNS (Domain Name System) service finally supports DNS-over-TLS security protocol, which means that the DNS queries and responses will be communicated over TLS-encrypted TCP connections.


Knot DNS

#3 Post by labbe5 »



Configure DNS over TLS

#4 Post by labbe5 »

https://www.linuxbabe.com/linux-mint/dn ... tls-stubby

The future is to encrypt DNS.
Here is a tutorial.

It is not to be applied as a step-by-step tutorial for a Puppy- or Dog-based OS.
Just read and think about DNS over TLS, and maybe adapt the tutorial for a Puppy- or Dog-based OS.

Further reading :
DNS Privacy Daemon - Stubby
https://dnsprivacy.org/wiki/display/DP/ ... n+-+Stubby
Google plans to test DNS over HTTPS in Chrome 78
https://www.ghacks.net/2019/09/11/googl ... chrome-78/
Mozilla plans to roll out DNS over HTTPS to US users in late September 2019
https://www.ghacks.net/2019/09/07/mozil ... mber-2019/
Turn off DoH, Firefox. Now.
https://ungleich.ch/en-us/cms/blog/2019 ... h-firefox/
Encrypted DNS Could Help Close the Biggest Privacy Gap on the Internet. Why Are Some Groups Fighting Against It?
https://www.eff.org/deeplinks/2019/09/e ... ome-groups
Self-hosted Dns Over Https service
https://balaskas.gr/blog/2019/10/15/sel ... s-service/
Last edited by labbe5 on Tue 15 Oct 2019, 19:46, edited 1 time in total.


DNSCrypt

#5 Post by labbe5 »

http://www.ubuntubuzz.com/2019/10/tor-a ... -easy.html
This simple tutorial will show you how to install two privacy tools, The Onion Router (TOR) and Dnscrypt-Proxy, on Ubuntu Bionic Beaver. We will make use of the existing Mozilla Firefox browser instead and just configure a system-wide proxy using Ubuntu System Settings. We do not install Tor Browser or any other additional stuff, to keep everything simple for everybody.

It is best to use DNSCrypt if your DNS is provided by your ISP. If you have chosen 9.9.9.9 from Quad9 or 1.1.1.1 from Cloudflare, it is because you care about privacy. If you use a VPN, DNS is taken care of by your VPN provider. To be sure, go to https://ipleak.net/ (DNS Address section), or do a DNS leak test at https://www.dnsleaktest.com/

Further reading :
How to use dnscrypt-proxy to secure DNS queries in Linux
https://www.kmotoko.com/articles/how-to ... -in-linux/
The article is intended for the following software versions:
OS: Linux with systemd
Package: dnscrypt-proxy v2
Tested on: Debian 10
Installation and configuration steps should be mostly applicable to distros using systemd and dnscrypt-proxy v2.

Configure Ubuntu Pi-hole for Cloudflare DNS over HTTPS
https://www.cyberciti.biz/faq/configure ... ver-https/
How To Set Permanent DNS Nameservers
https://www.tecmint.com/set-permanent-d ... tu-debian/
Last edited by labbe5 on Sun 05 Jan 2020, 01:42, edited 3 times in total.

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

What encrypted DNS is already implemented in Easy OS?

#6 Post by purple379 »

I thought Firefox was going to implement a proxy something to resolve encrypted DNS issues like this. Where is that project?

I seem to recall some forum post where a fellow said he was talking to the network engineer at the ISP he used. The network engineer laughed and said, "If you want to enter the DNS number instead of doing the DNS lookup, that is fine; I can change the DNS number you put in the browser box and send you anywhere I choose." Not to be malevolent; that is just the way servers can be changed by the ISP.

In truth, I personally suspect that is the way the internet was always intended to work. A lot of websites have pages cached in all kinds of places to make them load quicker. There was a fellow who was posting about a problem he had downloading content, the unreliability of the downloading and extra dollar costs, only to discover that while he was in the US, he was downloading content from Australia that was available from the same web site in the US, because the US had its own servers to download from.

What about a DNS comparison program? I get the DNS from one provider, compare it to the previous DNS I have for that web page, while also downloading the other DNS servers' version of the same web page. I guess the DNS companies do that all the time, so it is just another resource hog on my computer.

Has anyone done a review of the YubiKey that is supposed to verify our getting to the correct web page? That is, is the result of the YubiKey reliable, or is it just relying on whatever DNS the ISP could be providing?

How much would need to be installed on a computer to slurp the password for a VPN, so that a group like the NSA or the Chinese equivalent could do a sophisticated "man in the middle" intercept and read it?


The ultimate back door would be to have HTTPS keys. How could one trick a browser into letting one -- hmmm.


LibreDNS

#7 Post by labbe5 »

https://libreops.cc/2019/10/14/libredns/

DNS is a very old and essential internet protocol, that we all use daily. But it was built without privacy and secrecy in mind. It lacks encryption, and though it's decentralized in theory, for most people it has a central point of failure (or censorship), their ISP's DNS provider.

LibreDNS

Today we announce our own DNS service, a public encrypted DNS service that people can use to maintain secrecy of their DNS traffic and bypass censorship. This is a DNS service run by LibreOps.

DNS over HTTPS (DoH) is best configured and used in applications, namely browsers.

At the moment the only browser that has sufficient support is Firefox. To configure Firefox do the following steps:

Open Firefox settings and navigate to:
General > Network Settings > Settings
At the bottom of this dialog:
Enable DNS over HTTPS.
Change from the default setting to Custom and fill in:
https://doh.libredns.gr/dns-query


DNS over TLS (DoT) is best configured globally for the entire operating system.
https://libredns.gr/

Further reading :
Opera Software tests Cloudflare DNS over HTTPS in Opera 65
https://www.ghacks.net/2019/10/21/opera ... -opera-65/
LibreDNS has a new AdBlock endpoint
https://balaskas.gr/blog/2019/10/26/lib ... -endpoint/
Google tries to clear up DNS-over-HTTPS confusion
https://betanews.com/2019/10/29/google-chrome-doh/
DNS Encryption Explained
https://blog.cloudflare.com/dns-encryption-explained/
How To Enable DNS-Over-HTTPS On Chrome, Firefox, Edge, Brave
https://fossbytes.com/how-to-enable-dns ... dge-brave/
How To Setup DoH On Firefox, Opera, Chrome
https://pclosmag.com/html/Issues/201912/page08.html


DNS over HTTPS

#8 Post by labbe5 »

https://github.com/curl/curl/wiki/DNS-o ... le-servers

Have your pick of public DNS servers.

Further reading :
How to Enable DNS Over HTTPS in Your Web Browser
https://lifehacker.com/how-to-enable-dn ... 1841909057
Last edited by labbe5 on Fri 28 Feb 2020, 20:00, edited 1 time in total.

gcav
Posts: 104
Joined: Fri 25 May 2012, 04:12
Location: Ontario

Try pi-hole.

#9 Post by gcav »

If you need to control your DNS, try using pi-hole.
https://github.com/pi-hole/pi-hole

It further provides a platform to run some of the packages mentioned above.

g
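Added example, not from Quad9, Pi-hole or either post, for the list-based filtering both describe (Quad9's blacklist, whitelist and gold list in post #1; Pi-hole's local blocklists here): a policy object that matches query names on whole labels, so a parent-domain entry covers its subdomains without a substring check catching look-alikes, applies the precedence the Quad9 description gives (gold list, then whitelist, then blacklist, otherwise allow), and runs over dnsmasq-style query log lines (Pi-hole's resolver is a dnsmasq fork). The lists and the log lines are constructed sample data.

```python
import re

# Constructed sample lists (not Quad9's feeds or Pi-hole's defaults)
BLOCKLIST = ["ads.example.net", "example.org"]
ALLOWLIST = ["update.example.org"]
GOLDLIST = ["example.com"]

# Constructed dnsmasq-style query log lines
SAMPLE_LOG = """\
Jan  5 01:28:01 dnsmasq[412]: query[A] www.example.com from 192.168.1.20
Jan  5 01:28:02 dnsmasq[412]: query[A] cdn.ads.example.net from 192.168.1.20
Jan  5 01:28:03 dnsmasq[412]: query[AAAA] notads.example.net from 192.168.1.31
Jan  5 01:28:04 dnsmasq[412]: query[A] Update.Example.ORG. from 192.168.1.31
Jan  5 01:28:05 dnsmasq[412]: query[A] tracker.example.org from 192.168.1.31
Jan  5 01:28:06 dnsmasq[412]: reply www.example.com is 192.0.2.10
"""
QUERY_LINE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<qname>\S+) from (?P<client>\S+)")


def normalize(name):
    """Lowercase, strip whitespace and the trailing root dot so lookups are canonical."""
    return name.strip().lower().rstrip(".")


def suffixes(name):
    """Yield the name and each parent: a.b.example.com -> a.b.example.com, b.example.com, example.com, com."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class DnsPolicy:
    """Precedence as the Quad9 passage describes it: gold list, then whitelist, then blacklist, then allow."""

    def __init__(self, blocklist=(), allowlist=(), goldlist=()):
        self.blocklist = {normalize(n) for n in blocklist}
        self.allowlist = {normalize(n) for n in allowlist}
        self.goldlist = {normalize(n) for n in goldlist}

    @staticmethod
    def _hit(name, entries):
        # Whole-label matching: evil.example.com matches example.com, notexample.com does not
        # (a substring test would match it and either over-block or, worse, over-allow).
        return next((s for s in suffixes(name) if s in entries), None)

    def decide(self, qname):
        """Return (verdict, matched_entry, list_name); list_name is None when nothing matched."""
        for list_name, entries, verdict in (("gold", self.goldlist, "allow"),
                                            ("allow", self.allowlist, "allow"),
                                            ("block", self.blocklist, "block")):
            hit = self._hit(qname, entries)
            if hit:
                return verdict, hit, list_name
        return "allow", None, None


DEFAULT_POLICY = DnsPolicy(BLOCKLIST, ALLOWLIST, GOLDLIST)


def audit_log(policy, text):
    """Run the policy over query lines and return (client, qname, verdict) per query; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = QUERY_LINE.search(line)
        if m:
            out.append((m["client"], m["qname"], policy.decide(m["qname"])[0]))
    return out


if __name__ == "__main__":
    for client, qname, verdict in audit_log(DEFAULT_POLICY, SAMPLE_LOG):
        print("%-14s %-24s %s" % (client, qname, verdict))
```

One consequence of that precedence is worth knowing before copying it onto a Pi-hole: a block entry more specific than a gold-list domain is never honoured (bad.example.com on the blacklist is shadowed by example.com on the gold list), so the gold list has to be kept short and to domains whose subdomains you really do trust, or the policy changed to most-specific-match.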
