|
|
|
Why / what DNS over TLS? I'm hiding my requests, but when it comes back everyone knows I'm looking for broadband porn at 80.249.106.141.
What's it all about?
(A coincidence that Banger has also posted a DNS/TLS question today. I've also tried it but it didn't work... Anyway, didn't want to hijack his thread.)
|
|
|
You encrypt the DNS request and response with either DoT (DNS over TLS) or DoH (DNS over HTTPS).
Your subsequent connection to the site is then over HTTPS, so encrypted; you can enjoy your broadband porn.
https://www.cloudflare.com/en-gb/learning/dns/dns-ov...
|
|
|
Your subsequent connection to the site is then over HTTPS, so encrypted; you can enjoy your broadband porn.
But you still know I'm looking at porn. The IP address I request is still recorded by my ISP, isn't it? You might not know if I get my kicks from ADSL or FTTP but you know where I've been.
I'll go and read the link in case I'm making a complete fool of meself.
|
|
|
|
|
|
VPN tunnel time
|
|
|
The IP address I request is still recorded by my ISP, isn't it?
The destination IP address isn't necessarily a good indicator since IP addresses can be shared amongst many websites, shared hosting, content delivery networks, etc.
That said, privacy is also hampered by the fact that the TLS certificate name is sent in plain text due to SNI. This is another thing that is being worked on by the privacy gurus.
But it's not just about privacy. DNS queries sent in plain text can theoretically be modified in transit. When the queries are encrypted you can be sure that the reply is genuine and not spoofed.
Oliver.
|
|
|
VPN tunnel time
Yeah but they're all run by the CIA...
|
|
|
But it's not just about privacy. DNS queries sent in plain text can theoretically be modified in transit. When the queries are encrypted you can be sure that the reply is genuine and not spoofed.
This is about the only bit I understand and see a need for.
|
|
|
That's why you use a VPN too, as long as you pick a VPN provider you can trust. It's definitely a bit of a guessing game: they all claim "no logging" bla bla bla; the trick is in reading the small print.
FYI, in my opinion DNS over TLS is a non-starter from a privacy standpoint. Because it uses its own port, anyone can see you are trying to hide your DNS traffic. DoH just goes with the rest of your HTTPS traffic so is better hidden. I see why businesses prefer DoT though, as there is a legitimate need to filter DNS traffic in a business environment.
Edited by severedsolo (Thu 09-Sep-21 18:29:33)
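To make the port point concrete, here is an added example (mine, not from anyone in this thread) that classifies constructed connection records the way a passive observer on the path could, without decrypting anything. It also picks up Oliver's earlier point that the TLS SNI is sent in plain text. The record layout, the addresses and the KNOWN_DOH_NAMES list are all constructed for the example.

```python
# Added example, not from the thread: label constructed flow records by what a passive
# observer (ISP, network admin) can infer from port and SNI alone. Shows why DoT on its
# own port 853 stands out while DoH shares port 443 with ordinary web traffic.
from collections import Counter

# Constructed flows: (proto, dst_ip, dst_port, tls_sni). SNI is plaintext in TLS
# (without ECH), so an observer sees it even though the DNS payload is encrypted.
FLOWS = [
    ("udp", "192.0.2.53", 53, None),                      # plain DNS: query name readable
    ("tcp", "192.0.2.53", 53, None),                      # DNS over TCP: still plaintext
    ("tcp", "192.0.2.100", 853, "dot.resolver.example"),  # DoT: the port alone says "DNS"
    ("tcp", "192.0.2.200", 443, "doh.resolver.example"),  # DoH: only the SNI gives it away
    ("tcp", "192.0.2.201", 443, "www.shop.example"),      # ordinary HTTPS
]

KNOWN_DOH_NAMES = {"doh.resolver.example"}  # constructed placeholder list of DoH hostnames

def classify_flow(proto, dst_port, sni):
    """Label a flow from its port and SNI only; nothing is decrypted."""
    if dst_port == 53:
        return "plain-dns"
    if proto == "tcp" and dst_port == 853:
        return "dot"
    if proto == "tcp" and dst_port == 443:
        return "doh" if sni in KNOWN_DOH_NAMES else "https"
    return "other"

def summarise(flows):
    return dict(Counter(classify_flow(p, port, sni) for p, _, port, sni in flows))

def dns_endpoints(flows, use_sni=True):
    """Resolver IPs the observer can tag as DNS endpoints. With use_sni=False (no SNI
    visible, e.g. ECH in use) the DoH resolver vanishes into the port-443 crowd."""
    found = set()
    for proto, ip, port, sni in flows:
        label = classify_flow(proto, port, sni if use_sni else None)
        if label in ("plain-dns", "dot", "doh"):
            found.add(ip)
    return sorted(found)

if __name__ == "__main__":
    print(summarise(FLOWS))
    print(dns_endpoints(FLOWS), dns_endpoints(FLOWS, use_sni=False))
```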
|
|
|
|
Even using a VPN someone will know what you are looking at. If the VPN is reputable they will be logging requests as per Gov instructions and if not reputable they will be logging for potential future usage against you if it is ever worthwhile.
Do you trust your ISP or some other unknown party?
DPI can also be used by any UK ISP under Gov instruction, so even VPNs are 'monitorable', but who in Gov / the ISP cares if you are looking at porn? According to most surveys over 65% of connections are used for porn. People looking for paedo porn is all they are interested in, and most people would agree with this.
|
|
|
Even using a VPN someone will know what you are looking at. If the VPN is reputable they will be logging requests as per Gov instructions and if not reputable they will be logging for potential future usage against you if it is ever worthwhile.
Do you trust your ISP or some other unknown party?
Considering we live in a country where we know that ISPs are (or are about to start) logging everybody's internet traffic regardless, and my VPN provider has been tested in court (a subpoena was made, and the only thing they could verify was "yes this person is a customer"), I trust my VPN provider more than I trust my ISP.
I take your point though, in my case this is very much a protest against the Investigatory Powers Act and the aforementioned logging. If I can do anything (legal) to protest it and make life more difficult for those trying to erode our civil liberties I will do so.
|
|
|
Ideally use unbound for DNS if you can. It uses the authoritative servers only so DNS requests are distributed.
OPNSense
PiHole
Unifi for Wifi
|
|
|
Unbound won't help you if your goal is to protest an overreaching surveillance state. Unbound does support encrypted DNS but most of the authoritative nameservers won't so your queries will be made using plain unencrypted DNS on port 53 which is all too easy for anyone on the network path to see.
If you can set up Unbound to act as a forwarding resolver in front of an encrypted resolver you trust, that would be better. I run a setup like this on my network, only I use bind instead of Unbound; it serves internal DNS records for my LAN and forwards external queries to a local dnscrypt-proxy.
|
|
|
Ideally use unbound for DNS if you can. It uses the authoritative servers only so DNS requests are distributed.
Unbound will recursively query all servers from the authoritative servers upwards, and all stamped with your IP address. It's not "private" in the slightest.
Oliver.
|
|
|
Ideally use unbound for DNS if you can. It uses the authoritative servers only so DNS requests are distributed.
Unbound will recursively query all servers from the authoritative servers upwards, and all stamped with your IP address. It's not "private" in the slightest.
It isn't private and it was never mentioned but at least all your DNS requests are not going to one place. Once queried, the request is served from cache.
I don't think there is a 'magic bullet' for total security yet so choose the best option for you.
OPNSense
PiHole
Unifi for Wifi
Edited by smouty (Sun 12-Sep-21 07:56:24)
|
|
|
It isn't private and it was never mentioned but at least all your DNS requests are not going to one place.
How is that a good thing? Rather than your IP address going to one place for DNS queries, it is sent all over the internet.
Oliver.
|
|
|
It isn't private and it was never mentioned but at least all your DNS requests are not going to one place.
How is that a good thing? Rather than your IP address going to one place for DNS queries, it is sent all over the internet.
A centralised DNS provider will have a record of every DNS lookup you have made which may be an issue unless you implicitly trust them not to keep/sell/pass on etc.
OPNSense
PiHole
Unifi for Wifi
|
|
|
A centralised DNS provider will have a record of every DNS lookup you have made which may be an issue unless you implicitly trust them not to keep/sell/pass on etc.
Yes, you have a choice of which DNS provider you use and you can review their privacy policy, ascertain your trust in them, etc.
Whereas with Unbound you are sending queries all over the place with your IP address with no knowledge of the various servers' data collection and sharing policies.
Oliver.
|
|
|
A centralised DNS provider will have a record of every DNS lookup you have made which may be an issue unless you implicitly trust them not to keep/sell/pass on etc.
Yes, you have a choice of which DNS provider you use and you can review their privacy policy, ascertain your trust in them, etc.
Whereas with Unbound you are sending queries all over the place with your IP address with no knowledge of the various servers' data collection and sharing policies.
Just to turn this around a bit - What is the issue with sending queries 'all over the place' apart from what you have mentioned?
OPNSense
PiHole
Unifi for Wifi
|
|
|
What is the issue with sending queries 'all over the place' apart from what you have mentioned?
Whether it's an "issue" or not entirely depends on how concerned you are about keeping your DNS queries private.
But aside from privacy, using a personal DNS server negates the performance advantages of having a shared server with millions of cached queries, all other things being equal. With a shared server you are far more likely to request a record which someone else has already queried and cached in the DNS server, meaning the server does not have to perform queries to various servers before it returns the DNS record.
Oliver.
|
|
|
DNS over TLS (DoT) or DNS over HTTPS (DoH) is really to stop man-in-the-middle attacks, effectively to authenticate a response is genuine and not tampered with - think of it as if you're sending a letter with a tamper proof seal and requires a signature when delivered.
For privacy it's pretty useless as the encryption doesn't actually achieve anything. While men in the middle can't see the payload of the DNS request, they will see the IP address in the subsequent web request stream, even though they can't see what you're looking at on that site. It's like the letter above had an address in it, and you then send another parcel with a tamper proof seal requiring a signature to the address that was in the first letter... but the postie can now see the address!
For performance it's also slower in terms of latency. Both DoT and DoH use TCP not UDP like normal DNS, so this means an ACK packet needs to be sent back and forth basically meaning you need two 'pings' to the DNS server instead of one to get the response - so double the latency. Theoretically DoT is simpler - just a DNS request in a TLS stream - while DoH is a DNS request over HTTP over TLS - but in practice the differential is meaningless as there's so much more optimisation in both hardware and software for full HTTPS. But a normal DNS request will always be twice as fast as it requires half the packets. This is somewhat mediated with DoQ (DNS over QUIC, which is HTTPS but over UDP), but that's just a kludge looking for a problem.
The best as others have said is to use a VPN. Preferably to a server you control and therefore trust, but using a VPN service is OK. Most VPN technologies use UDP and have developed their own reliability techniques in the protocol, so therefore the 'best' option is to use bog standard DNS over a UDP-based VPN, ie like Wireguard or well set up OpenVPN.
If you're interested in the authentication side, there's another DNS feature that's called DNSSEC which is a set of extra DNS requests that normal DNS uses that effectively 'signs' the DNS request but is unencrypted (read above as to why encryption is pointless), so you can use the authenticating features of DoT/H with the speed of standard DNS. The downside is most consumer routers won't have the slightest clue how to use DNSSEC as they mainly use software called dnsmasq which will support DNSSEC, but it needs a friendly DNS server and a smart client to be set up to request and handle DNSSEC properly upstream (few do, least of all ISP DNS servers).
Instead, get a Raspberry Pi with PiHole and unbound set up as an All-Around DNS Solution and you get the full benefit of DNSSEC, a great ad blocker, and the benefit of speed of standard DNS. Set up unbound to query the entire DNS network from the root servers and switch on DNSSEC, and it will authenticate the entire chain then cache the lot (ie it'll be slow at first, then speed up dramatically). The same Pi if it's a Pi 4 can probably run the VPN too, but probably not to gigabit speeds.
This way you can watch your pr0n fast, ad-free (and therefore even faster) and have minimum latency skipping to the good bits 😎
Edit: grammar
Edited by zzing123 (Tue 14-Sep-21 01:36:57)
|
|
|
|
Technically yes, but practically, no.
The reason is that the personal DNS server will have a much cleaner cache tailored to your consumption, and cache sizes even for the big shared servers don't actually need to be very big. DNS records all have TTLs and have to be expired all the time. Cloudflare for example defaults TTLs to 5 minutes, so any DNS server, whether a big shared one or a personal one, would have to requery the record every 5 minutes - a lot more often than you think.
The cache is useful for a session of a batch of requests such as the 20-100 or so loading a web page, but not really for any long term memory. The thing that differentiates performance of the bigger DNS servers is purely connectivity, as they are connected via much higher quality connections and via multiple peers, massively reducing latency and also allowing them to use anycasting (making 1.1.1.1 and 8.8.8.8 appear to be nearby wherever you are in the world) rather than going through the ISP's cruft then to the Intertubes via god knows whose peerings to the DNS servers.
DNS and DNS servers are smart though. There are 13 root servers geographically dispersed and all using anycasting that mean they're PDQ to get a request back to you, and DNS servers utilize prefetching and a lot of threading to parallelise queries as much as they can.
It's just whether you deal with an authoritative DNS server directly (ie the server with 'master' DNS record) and whether things like DNSSEC and authentication of records also matter to you where the preferential difference is. Most people will use Cloudflare or another cloud DNS provider to host DNS records, and these authoritative servers themselves are anycasted, meaning they'll be pretty fast too. Only in very rare cases where you're dealing with a bonkers sysadmin who insists on running their authoritative DNS server at the end of a 3G line that you'll see a problem... but so will the big shared server.
But you can also use unbound with forwarding to a shared server, and even use DoT with it if you really must and then you can just "cache the cache", which is exactly what dnsmasq that most consumer routers use does. But practically speaking there's no real difference in performance by querying the root servers recursively using DNSSEC and trust the authoritative server only for the actual authenticated DNS record. But having the cache locally on your network is 100% the fastest option - it's just how it's set up to query records upstream that matters.
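The cache argument in the last two posts (shared cache with millions of entries versus a personal one, and what a 5-minute TTL does to either) can be checked with a toy resolver cache. This is an added example of mine, not code from the thread or from Unbound: the query timeline, the addresses and the fixed 300 s TTL are constructed.

```python
# Added example, not from the thread: a minimal TTL-honouring resolver cache run over a
# constructed query timeline. Answers and the 300 s TTL (the 5-minute default cited above)
# are assumed values.

class TtlCache:
    def __init__(self):
        self._store = {}    # name -> (expires_at, answer)
        self.hits = 0
        self.misses = 0

    def lookup(self, name, now, fetch):
        """Serve from cache while the TTL has not run out, else fetch(name) -> (answer, ttl)."""
        entry = self._store.get(name)
        if entry is not None and entry[0] > now:
            self.hits += 1
            return entry[1]
        self.misses += 1
        answer, ttl = fetch(name)
        self._store[name] = (now + ttl, answer)
        return answer

def upstream(name):
    # Constructed authoritative answer: a documentation-range address with a 300 s TTL.
    return ("192.0.2.%d" % (len(name) % 250), 300)

def page_load(cache, names, t0):
    # A page load is a burst of lookups a few milliseconds apart.
    for i, name in enumerate(names):
        cache.lookup(name, t0 + i * 0.01, upstream)

def simulate():
    assets = ["asset%d.example" % i for i in range(30)]
    # Burst: load a page, reload it 60 s later (inside the TTL): the reload is all hits.
    burst = TtlCache()
    page_load(burst, assets, 0)
    page_load(burst, assets, 60)
    # Periodic: one name every 10 min for an hour; the TTL expires before each lookup,
    # so no cache, however large or widely shared, can serve it without a requery.
    periodic = TtlCache()
    for k in range(7):
        periodic.lookup("news.example", k * 600, upstream)
    # Shared vs personal: two clients ask for the same name 100 s apart.
    shared = TtlCache()
    shared.lookup("news.example", 0, upstream)     # client A populates the entry
    shared.lookup("news.example", 100, upstream)   # client B is served from it
    own_a, own_b = TtlCache(), TtlCache()          # each client with its own cache
    own_a.lookup("news.example", 0, upstream)
    own_b.lookup("news.example", 100, upstream)
    return {"burst": (burst.hits, burst.misses), "periodic": (periodic.hits, periodic.misses),
            "shared": (shared.hits, shared.misses),
            "personal": (own_a.hits + own_b.hits, own_a.misses + own_b.misses)}
```

The shared cache only wins while another client's lookup falls inside the TTL window; once the record is only wanted every 10 minutes, both caches miss every time.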
|
|
|
Yeah. For non-cached lookups on Pihole (with unbound) I see queries in the 70-80ms region, which is unnoticeable in use, and once cached about 0.1ms.
OPNSense
PiHole
Unifi for Wifi
|