DaemonForums > OpenBSD > OpenBSD Security
#1
26th November 2014
gso
secure DNS lookup howto

On the subject of secure DNS lookups.

DNSCrypt is one solution. However, I did ask about this some time ago and it was suggested that I use unbound (which was not in base at the time).

I'm actually at the point where I need to do this now, so my question is: given unbound, and an ssh SOCKS5 proxy running on the same machine, how would I configure unbound to forward DNS requests through the SOCKS5 proxy?
#2
26th November 2014
jggimi

I'm not sure what you mean by "secure DNS".
  • If your intent is to privatize (through encryption) the domain name resolution enquiries which occur between client and nameserver, a SOCKS proxy is probably not the right tool, since applications must be written to use the SOCKS API, and resolution is an OS function. I would look to IPSec or other VPN technologies -- which might include SSH tunnels. I look to IPSec first due to its efficiency and depth of integration with this OS.
  • If your intent is to authenticate DNS resolutions, the world seems to be moving (slowly but surely) towards full DNSSEC implementations.
More information about what you intend would help us point you in the right direction. Or directions. There may be multiple solutions to your problem, once it is more clear what your problem actually is.
#3
27th November 2014
Oko

This is an excerpt from my unbound.conf file:

Code:
        # If you want to perform DNSSEC validation, run unbound-anchor before
        # you start unbound (i.e. in the system boot scripts).  And enable:
        # Please note usage of unbound-anchor root anchor is at your own risk
        # and under the terms of our LICENSE (see that file in the source).
        auto-trust-anchor-file: "/var/unbound/etc/root.key"

        # File with DLV trusted keys. Same format as trust-anchor-file.
        # There can be only one DLV configured, it is trusted from root down.
        # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
        dlv-anchor-file: "/var/unbound/etc/dlv.isc.org.key"
#4
27th November 2014
gso

For a laptop I'm looking for a turnkey solution rather than server configuration.

L2TP and OpenVPN I have found unreliable (the connection usually drops at some point shortly after setting up, and seems compromised when brought back up, though bringing the connection back up with a different VPN server appears to be a workaround - I haven't the time to look into this further at this point).

'Confidentiality' (i.e., encryption) is the main need I am experiencing; authentication I don't think is a major issue, at least at the moment:

Code:
# TCP only

ssh -L localhost:53:8.8.8.8:53 user@1.2.3.4

host -T www.somewebsite.org 127.0.0.1
If I remember correctly, unbound can be configured to forward TCP DNS requests?
#5
27th November 2014
Oko
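An added example (not from any poster in this thread) of the unbound forwarding setup post #4 asks about: unbound owns 127.0.0.1:53 and forwards everything over the ssh tunnel, which is assumed to be moved to local port 5353 so the two do not collide; 8.8.8.8, 1.2.3.4 and the port number are taken from the post or are assumptions.

```conf
# Added example: /var/unbound/etc/unbound.conf fragment (OpenBSD 5.6 layout).
# Assumes the tunnel is started first, on a port other than 53:
#   ssh -N -L 127.0.0.1:5353:8.8.8.8:53 user@1.2.3.4
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # ssh -L only forwards TCP, so every upstream query must use TCP.
    tcp-upstream: yes

    # The forwarder lives on loopback; unbound refuses to query
    # localhost unless told otherwise.
    do-not-query-localhost: no

    # The tunnel gives confidentiality on the laptop-to-1.2.3.4 leg only;
    # keep DNSSEC validation on for integrity of the answers themselves.
    auto-trust-anchor-file: "/var/unbound/db/root.key"

    hide-identity: yes
    hide-version: yes

# Send all queries to the local end of the ssh tunnel.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
```

Queries still leave 1.2.3.4 in the clear towards 8.8.8.8, as jggimi points out later in the thread; with this layout /etc/resolv.conf must name only 127.0.0.1, which is what the dhclient.conf examples in this thread arrange.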

Quote:
Originally Posted by gso
For a laptop I'm looking for a turnkey solution rather than server configuration.
If you look at 5.6 under the hood you will notice that Unbound is already configured to listen on 127.0.0.1 and you just need to start the daemon. The real work is configuring dhclient not to put the DNS servers of your hotspots into /etc/resolv.conf. This is how /etc/dhclient.conf looks on my laptop.


Code:
timeout 60;
retry 60;
reboot 10;
select-timeout 5;
initial-interval 2;
reject 192.33.137.209;

interface "em0" {
        send host-name "oko";
        send dhcp-lease-time 7776000;
        supersede host-name "oko";
        supersede domain-name "bagdala2.net";
        prepend domain-name-servers 127.0.0.1;
        request subnet-mask, broadcast-address, time-offset, routers,
                domain-name, domain-name-servers, host-name, ntp-servers;
        require subnet-mask, domain-name-servers, routers;
        }
Quote:
Originally Posted by gso
L2TP and OpenVPN I have found unreliable (the connection usually drops at some point shortly after setting up, and seems compromised when brought back up, though bringing the connection back up with a different VPN server appears to be a workaround - I haven't the time to look into this further at this point).
I can't say anything about L2TP, but I have OpenVPN running on one of my OpenBSD firewalls and about two dozen of our remote Red Hat desktops connected to it. The desktops use my DNS server, of course, and their entire traffic goes through the VPN. I even have NFS shares mounted through OpenVPN. I just checked uptime and it is 256 days so far. That seems like a pretty reliable connection to me. You must be doing something wrong with OpenVPN.
#6
27th November 2014
jggimi

If 1.2.3.4 is a remote machine that I control, I would establish a VPN between my local machine(s) and the remote one. There, I would run a caching resolver such as unbound to provide DNS back via the VPN. Privacy is then established for DNS between local and remote. Outbound DNS resolution from the remote platform is of course a separate issue. If I used Google's 8.8.8.8 as in your example, Google would have all DNS resolution requests coming from that remote machine.

My choice on OpenBSD machines is IPSec for VPNs; I have not used OpenVPN in decades and have no opinion of it.

L2TP is a tunnelling protocol that provides no encryption. It can be deployed in combination with IPSec in transport mode to provide privacy similar to IPSec ESP tunnelling, and one of the IPSec implementations I've deployed is L2TP/IPSec between OpenBSD and Android. That works fine, for me.
#7
28th November 2014
vanGrimoire
DNSCrypt, unbound, dnssec

Well, I found instructions for dnscrypt-proxy on bsdnow.tv

http://www.bsdnow.tv/tutorials/dnscrypt

I wasn't happy with running chflags on resolv.conf, so I fixed up my dhclient.conf.

My dhclient.conf file is very simple:
Code:
supersede domain-name-servers 127.0.0.1;
# prepend domain-name-servers 127.0.0.1; #uncomment to fallback on insecure dns
The manpage for dnscrypt-proxy warns:

dnscrypt-proxy is not a DNS cache ... clients shouldn't directly send requests to dnscrypt-proxy.

With help from Oko's example I turned on unbound in rc.conf.local and turned on DNSSEC by uncommenting the anchor line in unbound.conf (5.6):

Code:
	# Uncomment to enable DNSSEC validation.
	#
	auto-trust-anchor-file: "/var/unbound/db/root.key"