secure DNS lookup howto
On the subject of secure DNS lookups.
DNSCrypt is one solution. However, I did ask about this some time ago and it was suggested that I use unbound (which was not in base at the time). I'm actually at the point where I need to do this now, so my question is: given unbound and an ssh SOCKS5 proxy running on the same machine, how would I configure unbound to forward DNS requests to use the SOCKS5 proxy?
This is the excerpt from my unbound.conf file:
Code:
# If you want to perform DNSSEC validation, run unbound-anchor before
# you start unbound (i.e. in the system boot scripts). And enable:
# Please note usage of unbound-anchor root anchor is at your own risk
# and under the terms of our LICENSE (see that file in the source).
auto-trust-anchor-file: "/var/unbound/etc/root.key"

# File with DLV trusted keys. Same format as trust-anchor-file.
# There can be only one DLV configured, it is trusted from root down.
# Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
dlv-anchor-file: "/var/unbound/etc/dlv.isc.org.key"
For a laptop I'm looking for a turnkey solution rather than server configuration.
L2TP and OpenVPN I have found unreliable (the connection usually drops at some point shortly after setting up, and seems compromised when brought back up, though bringing the connection back up with a different VPN server appears to be a workaround; I haven't had the time to look into this further at this point). 'Confidentiality' (i.e., encryption) is the main need I am experiencing; authentication I don't think is a major issue, at least at the moment:
Code:
# TCP only
ssh -L localhost:53:8.8.8.8:53 user@1.2.3.4
host -T www.somewebsite.org 127.0.0.1
Code:
timeout 60;
retry 60;
reboot 10;
select-timeout 5;
initial-interval 2;
reject 192.33.137.209;

interface "em0" {
    send host-name "oko";
    send dhcp-lease-time 7776000;
    supersede host-name "oko";
    supersede domain-name "bagdala2.net";
    prepend domain-name-servers 127.0.0.1;
    request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, host-name, ntp-servers;
    require subnet-mask, domain-name-servers, routers;
}
If 1.2.3.4 is a remote machine that I control, I would establish a VPN between my local machine(s) and the remote one. There, I would run a caching resolver such as unbound to provide DNS back via the VPN. Privacy is then established for DNS between local and remote. Outbound DNS resolution from the remote platform is of course a separate issue. If I used Google's 8.8.8.8 as in your example, Google would have all DNS resolution requests coming from that remote machine.
My choice on OpenBSD machines is IPSec for VPNs; I have not used OpenVPN in decades and have no opinion of it. L2TP is a tunnelling protocol that provides no encryption. It can be deployed in combination with IPSec in transport mode to provide similar privacy to IPSec ESP tunnelling, and one of the IPSec deployments I've done is L2TP/IPSec between OpenBSD and Android. That works fine for me.
DNSCrypt, unbound, dnssec
Well, I found instructions for dnscrypt-proxy on bsdnow.tv
http://www.bsdnow.tv/tutorials/dnscrypt
I wasn't happy with running chflags on resolv.conf, so I fixed up my dhclient.conf. My dhclient.conf file is very simple:
Code:
supersede domain-name-servers 127.0.0.1;
# prepend domain-name-servers 127.0.0.1;   # uncomment to fall back on insecure DNS
dnscrypt-proxy is not a DNS cache ... clients shouldn't directly send requests to dnscrypt-proxy. With help from Oko's example I turned on unbound in rc.conf.local and turned on DNSSEC by uncommenting the anchor line in unbound.conf (5.6):
Code:
# Uncomment to enable DNSSEC validation.
# auto-trust-anchor-file: "/var/unbound/db/root.key"
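Pulling the thread together as an added example (this is not code from any of the posts above, nor OpenBSD's shipped unbound.conf): the piece none of the posts shows is the unbound.conf that makes the 127.0.0.1 resolver named in the dhclient.conf supersede line hand every query to the encrypted hop, whether that hop is dnscrypt-proxy as in this post or the ssh -L forward from the earlier post. Unbound has no SOCKS client, so the SOCKS5 proxy from the opening question cannot be used directly; a plain TCP port forward is the substitute, and with it unbound must be told to speak TCP upstream. The listener address 127.0.0.1 port 5353 is an assumption (the earlier post's "ssh -L localhost:53:..." binds port 53, which unbound itself needs, so the forward would become "ssh -L 127.0.0.1:5353:8.8.8.8:53 user@1.2.3.4"), as is the OpenBSD 5.6 chroot layout with the root key at /var/unbound/db/root.key. The dlv-anchor-file line from the excerpt earlier in the thread is deliberately absent: ISC retired the DLV registry in 2017, so it validates nothing today.

```conf
# /var/unbound/etc/unbound.conf  (added example; assumed local layout, see lead-in)
server:
        interface: 127.0.0.1
        access-control: 127.0.0.0/8 allow
        access-control: 0.0.0.0/0 refuse
        hide-identity: yes
        hide-version: yes

        # Unbound refuses to send queries to 127.0.0.0/8 by default, so a
        # forward-zone pointing at localhost is silently dead without this.
        do-not-query-localhost: no

        # DNSSEC validation. The key file must exist and be writable by the
        # _unbound user before start-up: create it once with
        #   unbound-anchor -a /var/unbound/db/root.key
        # (path as in the OpenBSD 5.6 config quoted above).
        auto-trust-anchor-file: "/var/unbound/db/root.key"
        # No dlv-anchor-file: ISC's DLV registry was retired in 2017.

        # Only for the ssh -L variant: a port forward carries TCP only, so
        # upstream queries must be TCP. Leave it commented for dnscrypt-proxy.
        # tcp-upstream: yes

forward-zone:
        name: "."
        # Assumed listener of dnscrypt-proxy or of the ssh forward.
        forward-addr: 127.0.0.1@5353
        # Never fall back to direct recursion: that would send queries in
        # the clear, outside the tunnel, whenever the forwarder fails.
        forward-first: no
```

Check the file with unbound-checkconf before starting the daemon (enabled in rc.conf.local as the post does, started with /etc/rc.d/unbound start on 5.6). Then query a signed zone through the stack, for example "dig @127.0.0.1 +dnssec openbsd.org", and look for the ad flag in the header: validation only succeeds if the upstream resolver behind the tunnel returns RRSIG records. If it strips them, a validating unbound answers SERVFAIL for signed zones rather than quietly returning unsigned data, so test this before relying on the setup from a laptop on a hostile network.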