DNS.¶
Transparent DNS proxies¶
Some ISP’s are now using a technology called ‘Transparent DNS proxy’.
Using this technology, they will intercept all DNS lookup requests (TCP/UDP port 53) and transparently proxy the results.
This effectively forces you to use their DNS service for all DNS lookups.
If you have changed your DNS settings to use an ‘open’ DNS service such as Google, Comodo or OpenDNS,
expecting that your DNS traffic is no longer being sent to your ISP’s DNS server,
you may be surprised to find out that they are using transparent DNS proxying.
DNSCrypt¶
DNSCrypt encrypts and authenticates DNS traffic between user and DNS resolver.
While IP traffic itself is unchanged, it prevents local spoofing of DNS queries,
ensuring DNS responses are sent by the server of choice.
dnscrypt-proxy¶
DNSCrypt is a protocol for securing communications between a client and a DNS resolver,
preventing spying, spoofing or man-in-the-middle attacks.
To use it, you’ll need a tool called dnscrypt-proxy,
which “can be used directly as your local resolver or as a DNS forwarder,
authenticating requests using the DNSCrypt protocol and passing them to an upstream server”.
Check current local DNS service:
$ sudo ss -lp 'sport = :domain'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 23040 0 127.0.0.53%lo:domain 0.0.0.0:* users:(("systemd-resolve",pid=948,fd=12))
tcp LISTEN 0 128 127.0.0.53%lo:domain 0.0.0.0:* users:(("systemd-resolve",pid=948,fd=13))
Disable systemd-resolve service according to the above output:
$ sudo systemctl stop systemd-resolved
$ sudo systemctl disable systemd-resolved
Check current local DNS service again:
$ sudo ss -lp 'sport = :domain'
Uninstall old version:
$ sudo apt-get purge dnscrypt-proxy
Install new version:
$ sudo add-apt-repository ppa:shevchuk/dnscrypt-proxy
$ sudo apt update
$ sudo apt install dnscrypt-proxy
Configs:
$ sudo cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.2.1
$ cat /etc/dnsmasq.d/dnscrypt-proxy
# Redirect everything to dnscrypt-proxy
no-resolv
server=127.0.2.1
proxy-dnssec
Now you can see all your dns query is secured with type quic on the filter box of wireshark
And view related listening port:
# netstat -uanp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 127.0.0.1:40 0.0.0.0:* 1/init
udp 0 0 0.0.0.0:53 0.0.0.0:* 3089/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 2000/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 2221/dhclient
udp 0 0 0.0.0.0:33908 0.0.0.0:* 853/dnscrypt-proxy
udp6 0 0 :::53 :::* 3089/dnsmasq
Check service status:
$ sudo systemctl status dnscrypt-proxy
https://github.com/jedisct1/dnscrypt-proxy
https://wiki.archlinux.org/index.php/DNSCrypt
https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-linux
https://github.com/jedisct1/dnscrypt-proxy/wiki/Installation-Debian-Ubuntu
resolveconf¶
$ /etc/resolv.conf
Normally the resolvconf program is run only by network interface configuration programs such as ifup(8),
ifdown, NetworkManager(8), dhclient(8), and pppd(8); and by local nameservers such as dnsmasq(8).
These programs obtain nameserver information from some source and push it to resolvconf.
$ resolvconf
$ /etc/network/interface
https://wiki.debian.org/HowTo/dnsmasq
https://sfxpt.wordpress.com/2011/02/06/providing-dhcp-and-dns-services-with-dnsmasq/
dnssec-trigger and unbound¶
# apt-get inastall dnssec-trigger
# apt-get inastall unbound
Disable builtin dnsmasq on the network manager¶
$ pstree -sp $(pidof dnsmasq)
$ lsof -i :53
$ netstat -uanp
$ sudo vim /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile,ofono
# dns=dnsmasq
$ sudo service network-manager restart
$ sudo service networking restart
$ killall -9 dnsmasq
Deploying a DNS Server using Docker¶
http://www.damagehead.com/blog/2015/04/28/deploying-a-dns-server-using-docker/
$ docker run --name bind -it --rm \
--publish 53:53/tcp --publish 53:53/udp --publish 10000:10000/tcp \
--volume /srv/docker/bind:/data \
sameersbn/bind:9.9.5-20170129
We create the forward zone example.com by selecting Create master zone and in the Create new zone dialog set the Zone type to Forward, the Domain Name to example.com, the Master server to ns.example.com and set Email address to the domain administrator’s email address and select Create. Next, create the DNS entry for ns.example.com pointing to 172.17.42.1 and apply the configuration
To complete this tutorial we will create a address (A) entry for webserver.example.com and then add a domain name alias (CNAME) entry www.example.com which will point to webserver.example.com.
To create the A entry, select the zone example.com and then select the Address option. Set the Name to webserver and the Address to 192.168.1.1. To create the CNAME entry, select the zone example.com and then select the Name Alias option. Set the Name to www and the Real Name to webserver and apply the configuration.
And now, the moment of truth
$ host webserver.example.com 192.168.1.10
$ host www.example.com 192.168.1.10
The 192.168.1.10 is address of dns server( local host machine)
Resolve all domain name to specific IP¶
$ sudo vim /etc/hosts
127.0.0.1 example.com
127.0.0.1 www.example.com
$ sudo apt-get install dnsmasq
$ sudo vim /etc/dnsmasq.conf
conf-dir=/etc/dnsmasq.d/,*.conf
$ sudo vim /etc/dnsmasq.d/demo.conf
no-dhcp-interface=wlp3s0
bogus-priv
address=/#/192.168.1.10
$ sudo systemctl restart dnsmasq
The 192.168.1.10 is address of dns server( local host machine)
Disable systemd-resolved¶
That systemd-resolved cannot be uninstalled, but can be disabled with the following commands:
$ sudo systemctl disable systemd-resolved.service
$ sudo systemctl stop systemd-resolved
Check possibly already listening to port 53¶
$ ss -lp 'sport = :domain'