Securing DNS

Any thoughts on protecting DNS queries from prying eyes?

I already have two servers running ISC BIND 9.9.4 set up to do DNSSEC 
validation and recursion. I do not have either set to forward, so the 
servers query the root servers. I never use my ISP's DNS servers as I 
see it as a privacy concern.

I know the DNS queries are UDP and unencrypted.

Is there any way to encrypt the DNS traffic between my DNS servers and 
the root servers?

With all this talk about HTTPS, PFS and secure VPNs... what about DNS 
and DNSSEC? How can we protect ourselves from tampered DNS queries and 
intercepted DNS queries revealing everywhere we go?
Dallam
12/17/2013 5:08:22 AM
grc.securitynow

Dallam Oliver-Lee has sent:

> Any thoughts on protecting DNS queries from prying eyes?
> 
> I already have two servers running ISC BIND 9.9.4 set up to do DNSSEC
> validation and recursion. I do not have either set to forward, so the
> servers query the root servers. I never use my ISP's DNS servers as I
> see it as a privacy concern.
> 
> I know the DNS queries are UDP and unencrypted.
> 
> Is there any way to encrypt the DNS traffic between my DNS servers and
> the root servers?
> 
> With all this talk about HTTPS, PFS and secure VPNs... what about DNS
> and DNSSEC? How can we protect ourselves from tampered DNS queries and
> intercepted DNS queries revealing everywhere we go?

Well Dallam, all of DNSSEC can be checked level by level by your DNS
server, so there should NOT be a problem there.

There is, however, also encryption that can be set up between servers:
<https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Security_Guide/sec-Security_Guide-Understanding-DNSSEC.html>

Look for "man rndc.conf" to use keys between servers.
<http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-bind-rndc-configuration-rndcconf.html>

For traffic between servers and clients you need to set up IPsec.

However, to encrypt root-server traffic you do need to contact the
root-server operator to set a common key for secure DNS replication.

-- 
Mark Cross @ 12/17/2013 5:32 a.m.
Look to the future, because that is where you'll spend the rest of your life. — George Burns

Mark
12/17/2013 9:38:19 AM
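
What the `key` statements in the rndc.conf and named.conf documentation linked above give two BIND servers is TSIG (RFC 2845, later RFC 8945): an HMAC appended to each DNS message so the receiver can check which key signed it and that it was not altered in transit. The following is an added example written in Python for this page, not BIND's code; the key name `rndc-key`, the secret and the timestamps are constructed stand-ins for what `rndc-confgen` or `tsig-keygen` would put in a `key` statement. It signs a query, verifies it, rejects a tampered copy and a stale one, and shows that the signed message still carries the query name in cleartext, because TSIG authenticates messages rather than encrypting them.

```python
"""TSIG (RFC 2845 / RFC 8945) signing and verification of a DNS message.

Added example, not BIND's code. KEY_NAME, KEY_SECRET and the timestamps
used below are constructed stand-ins for what rndc-confgen or tsig-keygen
would emit for a named.conf `key` statement.
"""
import hashlib
import hmac
import struct
import time

KEY_NAME = "rndc-key"                                    # assumed key name
KEY_SECRET = b"constructed-test-secret-not-a-real-key"   # assumed; never hard-code a real one
ALG_NAME = "hmac-sha256"                                 # RFC 8945 name, also BIND's `algorithm`
TYPE_TSIG, CLASS_ANY = 250, 255


def encode_name(name):
    """Wire-format a domain name; TSIG uses canonical (lowercase) names."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def _skip_name(buf, off):
    """Offset just past a wire-format name, honouring compression pointers."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)


def build_query(qname, qtype=1, msg_id=0x1234):
    """Unsigned query: header with RD set and a single question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def _tsig_mac(unsigned_msg, time_signed, fudge, error=0, other=b""):
    """HMAC over the message as it would be sent without TSIG, then the TSIG variables."""
    variables = (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALG_NAME)
                 + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(KEY_SECRET, unsigned_msg + variables, hashlib.sha256).digest()


def tsig_sign(unsigned_msg, time_signed=None, fudge=300):
    """Append a TSIG RR as the last additional record and bump ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = _tsig_mac(unsigned_msg, time_signed, fudge)
    msg_id, arcount = struct.unpack("!H", unsigned_msg[:2])[0], struct.unpack("!H", unsigned_msg[10:12])[0]
    rdata = (encode_name(ALG_NAME) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))          # original ID, error=0, other len=0
    tsig_rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return unsigned_msg[:10] + struct.pack("!H", arcount + 1) + unsigned_msg[12:] + tsig_rr


def tsig_verify(signed_msg, now=None):
    """True only if the last additional RR is a TSIG under our key with a valid MAC and time."""
    if now is None:
        now = int(time.time())
    qd, an, ns, ar = struct.unpack("!HHHH", signed_msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(signed_msg, off) + 4
    tsig_start = rdata = None
    for i in range(an + ns + ar):
        start = off
        off = _skip_name(signed_msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed_msg[off:off + 10])
        off += 10
        if i == an + ns + ar - 1 and rtype == TYPE_TSIG:
            tsig_start, rdata = start, signed_msg[off:off + rdlen]
        off += rdlen
    if tsig_start is None:
        return False                                              # unsigned: nothing to trust
    if signed_msg[tsig_start:_skip_name(signed_msg, tsig_start)] != encode_name(KEY_NAME):
        return False                                              # BADKEY
    p = _skip_name(rdata, 0)
    if rdata[:p] != encode_name(ALG_NAME):
        return False                                              # unsupported algorithm
    time_signed = int.from_bytes(rdata[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[p + 6:p + 10])
    mac = rdata[p + 10:p + 10 + mac_size]
    q = p + 10 + mac_size
    _, error, other_len = struct.unpack("!HHH", rdata[q:q + 6])
    other = rdata[q + 6:q + 6 + other_len]
    # Reconstruct the message as it was before signing: TSIG RR removed, ARCOUNT decremented.
    unsigned = signed_msg[:10] + struct.pack("!H", ar - 1) + signed_msg[12:tsig_start]
    if not hmac.compare_digest(mac, _tsig_mac(unsigned, time_signed, fudge, error, other)):
        return False                                              # BADSIG: altered or wrong key
    return abs(now - time_signed) <= fudge                        # BADTIME outside the window


if __name__ == "__main__":
    signed = tsig_sign(build_query("example.com"))
    print("verifies:", tsig_verify(signed))
    print("query name still in cleartext:", b"\x07example\x03com" in signed)
```

BIND applies this between a primary and a secondary for zone transfers (`allow-transfer { key ...; }` with a matching `server` statement on the other side) and between `rndc` and `named` on the control channel. A recursive server's queries to the root servers are not covered, since there is no shared key between you and the root operators, and even where TSIG is in use the query name and answer remain readable on the wire.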
On 2013-12-16 21:08, Dallam Oliver-Lee wrote:
[...]
> With all this talk about HTTPS, PFS and secure VPNs... what about DNS
> and DNSSEC? How can we protect ourselves from tampered DNS queries and
> intercepted DNS queries revealing everywhere we go?

DNSSEC protects you against tampering. Potentially, you could route your 
DNS traffic through TOR quite safely if you reject all non-DNSSEC responses.

Of course, you would suffer quite a bit of latency.

If you are willing to trust a specific third party, you could send your 
DNS requests through a VPN, but ultimately that comes down to the same 
question as trusting your ISP.

Regards,
Sam
Sam
12/17/2013 8:49:23 PM
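
Sam's suggestion of rejecting every non-DNSSEC response comes down to two bits on the wire: the DO (DNSSEC OK) bit the client sets in its EDNS0 OPT record, and the AD (Authenticated Data) flag a validating resolver sets in its reply. The following is an added example written in Python for this page, not BIND's or any resolver's code. It builds such a query and applies the accept-only-AD policy to two replies constructed inline (192.0.2.1 is a documentation address and the RRSIG bytes are filler, not a real signature). The policy only carries weight when the resolver answering is your own validator reached over a path you trust, because AD is an assertion by the responder rather than something the client can verify on its own; that is exactly the role the OP's two BIND 9.9.4 validators play. Neither bit hides the query name, which is why DNSSEC answers the tampering half of the question and not the interception half.

```python
"""DNSSEC flags on the wire: DO in the query's OPT RR, AD in the resolver's reply.

Added example, not BIND's or any resolver's code. Replies are constructed
inline so it runs offline; 192.0.2.1 is a documentation address and the RRSIG
signature bytes are filler, not a real signature.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_AD, FLAG_CD = 0x8000, 0x0020, 0x0010
EDNS_DO = 0x8000          # DNSSEC OK: high bit of the low 16 bits of the OPT TTL field (RFC 3225)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def _skip_name(buf, off):
    """Offset just past a wire-format name, honouring compression pointers."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)


def build_dnssec_query(qname, qtype=TYPE_A, msg_id=0xBEEF, cd=False):
    """Query with RD set and an OPT RR (4096-byte UDP payload, DO=1).

    cd=True sets Checking Disabled, which asks the resolver to hand back data
    even if validation fails; a client that wants validation leaves it off.
    """
    flags = 0x0100 | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 1)          # ARCOUNT=1 for the OPT RR
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)  # name=root, class=UDP size
    return header + question + opt_rr


def parse_response(msg):
    """Header flags and the record types per section: enough to judge DNSSEC status."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    sections, do = {"answer": [], "authority": [], "additional": []}, False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            sections[section].append(rtype)
            if rtype == TYPE_OPT:
                do = bool(ttl & EDNS_DO)
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "rcode": flags & 0x000F, "do": do, "sections": sections}


def accept_validated(resp, expected_id):
    """Take only replies that match our ID and carry AD.

    AD is an assertion by whoever answered. Across an untrusted path a spoofer
    sets the bit as easily as it forges the answer, so this policy only means
    something against a validating resolver you run yourself.
    """
    info = parse_response(resp)
    return info["qr"] and info["id"] == expected_id and info["rcode"] == 0 and info["ad"]


def make_response(query, validated, addr=b"\xc0\x00\x02\x01"):
    """Constructed reply to an A query: what a validating resolver returns when
    validated=True (AD set, RRSIG beside the A record), or a plain resolver otherwise."""
    msg_id = struct.unpack("!H", query[:2])[0]
    qname = query[12:_skip_name(query, 12)]
    flags = 0x8180 | (FLAG_AD if validated else 0)                     # QR, RD, RA (+AD)
    ptr = b"\xc0\x0c"                                                  # pointer to the question name
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + addr
    rrsig_rdata = (struct.pack("!HBBIIIH", TYPE_A, 8, 2, 300, 1700086400, 1700000000, 12345)
                   + qname + b"\x00" * 16)                             # RSASHA256 over A; filler sig
    rrsig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rrsig_rdata)) + rrsig_rdata
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    answers = a_rr + (rrsig_rr if validated else b"")
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 2 if validated else 1, 0, 1)
    return header + qname + struct.pack("!HH", TYPE_A, 1) + answers + opt_rr


if __name__ == "__main__":
    query = build_dnssec_query("example.com")
    for validated in (True, False):
        reply = make_response(query, validated)
        print("validated" if validated else "plain", "reply accepted:", accept_validated(reply, 0xBEEF))
```

Run against a real resolver, the same `accept_validated` check on a `dig +dnssec` style query tells you whether the server you are talking to validated the answer; against a BIND 9.9 instance with `dnssec-validation auto;` and a signed zone the AD bit comes back set, and against a non-validating forwarder it does not.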
> With all this talk about HTTPS, PFS and secure VPNs... what about DNS 
> and DNSSEC? How can we protect ourselves from tampered DNS queries and 
> intercepted DNS queries revealing everywhere we go?

I think DNSCrypt by OpenDNS does what you want.
http://www.opendns.com/technology/dnscrypt/

I'm surprised DNSSEC doesn't support a fully encrypted data stream... I
thought they'd build that in. Hmmmmm.


Hope that helps.
David
12/18/2013 12:33:16 PM
The problem with TOR is that the NSA is watching it, and then of course 
there is the performance issue.

Whenever I am not at home, I always use 128-bit AES encryption VPN into 
my home network.

Turning on DNSSEC has helped a lot as added security, and I even made sure 
all of the domains I own, including the DNS servers that handle those 
domains, were signed with DNSSEC as well.

I just can't find anything on how to encrypt all DNS traffic from my own 
local DNS server to the public root DNS servers, as well as the others, 
as the DNS queries go down the chain. I see many domains still not using 
DNSSEC. Sometimes they cannot because some of these big DNS hosting 
companies do not even offer it to their customers.

My local DNS servers are owned and operated by myself. Both use ISC 
BIND 9.9.4, on CentOS 6.5 and Windows Server 2003.

Thanks,
Dallam

In article <l8qdau$12bt$2@news.grc.com>, sschinke@gmail.com says...
> On 2013-12-16 21:08, Dallam Oliver-Lee wrote:
> [...]
> > With all this talk about HTTPS, PFS and secure VPNs... what about DNS
> > and DNSSEC? How can we protect ourselves from tampered DNS queries and
> > intercepted DNS queries revealing everywhere we go?
> 
> DNSSEC protects you against tampering. Potentially, you could route your 
> DNS traffic through TOR quite safely if you reject all non-DNSSEC responses.
> 
> Of course, you would suffer quite a bit of latency.
> 
> If you are willing to trust a specific third party, you could send your 
> DNS requests through a VPN, but ultimately that comes down to the same 
> question as trusting your ISP.
> 
> Regards,
> Sam
> 
Dallam
12/19/2013 6:10:42 AM
On 2013-12-18 22:10, Dallam Oliver-Lee wrote:
> In article <l8qdau$12bt$2@news.grc.com>, sschinke@gmail.com says...
>> On 2013-12-16 21:08, Dallam Oliver-Lee wrote:
>> [...]
>>> With all this talk about HTTPS, PFS and secure VPNs... what about DNS
>>> and DNSSEC? How can we protect ourselves from tampered DNS queries and
>>> intercepted DNS queries revealing everywhere we go?
>>
>> DNSSEC protects you against tampering. Potentially, you could route your
>> DNS traffic through TOR quite safely if you reject all non-DNSSEC responses.
>>
>> Of course, you would suffer quite a bit of latency.
>>
>> If you are willing to trust a specific third party, you could send your
>> DNS requests through a VPN, but ultimately that comes down to the same
>> question as trusting your ISP.
>
> The problem with TOR is that the NSA is watching it, and then of course
> there is the performance issue.

Right, but I thought your concern was the NSA watching your ISP ("prying 
eyes"), and I did mention the performance issue. ;)

The NSA is free to watch TOR all they like. If used correctly (and if 
you don't get infected by their malware), they shouldn't be able to 
de-anonymize you.

[...]
> I just can't find anything on how to encrypt all DNS traffic from my own
> local DNS server to the public root DNS servers, as well as the others,
> as the DNS queries go down the chain. I see many domains still not using
> DNSSEC. Sometimes they cannot because some of these big DNS hosting
> companies do not even offer it to their customers.

Right. My answer was to a slightly different question -- it anonymizes 
your DNS traffic rather than providing end-to-end encryption.

BTW, I've moved your reply so that it is below my post. The convention 
on this server is to "bottom post".

Regards,
Sam
Sam
12/19/2013 6:13:35 PM
I've been researching VPN services recently as I decided I'd rather go 
this route than connecting back to my home router. My top 3 contenders are:

https://PrivateInternetAccess.com
https://ProXPN.com
https://PrivateTunnel.com

I like all 3, in particular PrivateTunnel.com, with their pay-as-you-go 
service (I won't be using a bunch of bandwidth). For monthly/annual plan 
VPNs, PrivateInternetAccess appears superior to ProXPN in both features 
and value. Anyone have any other recommendations or input? :)

Thanks,
-- 
/Ian
Ian
12/19/2013 9:04:24 PM