Secure name resolution with DNS-over-TLS

What's the Name?

© Photo by Ainur Iman on Unsplash

Ordinary DNS sends queries in plaintext. If you're looking for something safer, dial up the privacy with DNS-over-TLS.

In the constantly shifting terrain of network security and administration, the demand for robust privacy measures is at an all-time high. Modern organizations navigate a complex digital ecosystem, often grappling with threats that compromise the integrity of their data and communications. Enter Linux's advanced networking capabilities paired with the security fortifications of DNS-over-TLS – a fusion that promises heightened security levels. This article examines how this integration elevates network privacy, enhancing protection against potential cyberthreats while maintaining seamless communication flows in intricate digital landscapes.

The Problem

At its core, the Domain Name System (DNS) acts as the Internet's directory. Every time a user inputs a domain name into their browser, DNS is the mechanism that translates this human-readable address into a machine-recognizable IP address. For IT professionals, this is Networking 101. Every web application, every cloud service, and every remote server connection hinges on the reliable functioning of DNS.

However, a key flaw permeates traditional DNS. The process, which involves converting domain names into IP addresses, operates in plaintext. The absence of encryption exposes a significant vulnerability, as plaintext communication can be intercepted, viewed, or even manipulated by malicious actors.

Every time a DNS query occurs, anyone with the necessary tools can see which website or service a user is trying to access. This opens the door to a plethora of security threats: from eavesdropping by curious hackers to more orchestrated man-in-the-middle attacks where query responses are manipulated to redirect users to malicious sites.

In the evolving world of cybersecurity, where threats grow in sophistication each day, IT professionals understand that the status quo of DNS communication is not tenable. This is where DNS-over-TLS enters the picture, promising a more secure iteration of this foundational Internet protocol.

Introducing DNS-over-TLS

DNS-over-TLS (DoT) is a fortified version of traditional DNS. At its essence, DoT takes the conventional DNS system and envelops it within the Transport Layer Security (TLS) protocol, thereby providing an encrypted channel for DNS queries.

For IT professionals familiar with the transition from HTTP to HTTPS (thanks to SSL/TLS encryption), the concept here is analogous. While HTTPS encrypts our web-browsing activities, DoT aims to encrypt our domain lookup activities.

The process begins when a client wants to resolve a domain name. Instead of sending a plaintext query, the client establishes a TLS connection to the DNS server. Within this encrypted connection, the DNS query is sent securely. This ensures that intermediaries on the path between client and resolver, be it ISPs or potential attackers, cannot read or tamper with the DNS traffic (the resolver itself still sees the queries it answers).

The key advantages of DoT are:

  • End-to-end encryption: With DoT, DNS queries are encrypted from the source (the client) to the destination (the DNS resolver). This ensures the confidentiality of the user's DNS queries while they are in transit.
  • Data integrity: The TLS protocol ensures that the data packets, both queries and responses, remain inviolate. Any attempt at tampering is quickly detected, preventing potential redirection attacks.
  • Server authentication: DoT facilitates the authentication of DNS servers. When the client establishes a TLS connection, it can verify the server's certificate, ensuring that it's connecting to a legitimate DNS server and not a malicious imitation.

Ensuring System Readiness

For a seamless transition to DNS-over-TLS, the system's readiness is paramount. Given that the majority of servers run on Linux-based systems, I'll focus on requirements specific to Linux, which include:

  • Operating system: A Linux distribution should be in place. Ubuntu, with its extensive community support and robust performance, serves as an excellent platform for DoT implementation.
  • User access: It's essential to have root or sudo access. This is necessary for installing packages, modifying system configurations, and restarting services.

As for the server side, it is worth mentioning that you'll need to connect to a DNS server that also supports DoT.

To utilize DoT over the systemd name service systemd-resolved, your systemd version must be 239 or above. This is essential because earlier versions don't support the DNSOverTLS option.

To check the version number, type

systemd --version

If your version is below 239, consider a system update; DoT support might be a compelling reason to access the newer features of systemd. By default, systemd-resolved is enabled on recent Ubuntu releases. It's a system service that manages network names and resolves them.

To ensure systemd-resolved is running, enter:

sudo systemctl enable systemd-resolved.service
sudo systemctl start systemd-resolved.service

The central configuration file for systemd-resolved is /etc/systemd/resolved.conf.

Open it using

sudo nano /etc/systemd/resolved.conf

Within this file, DNS sets the DNS servers systemd-resolved should use. For my setup, I utilize Cloudflare's DNS servers, which support DoT. FallbackDNS is a backup; if the primary DNS servers fail, these servers are consulted. Finally, activating DNSOverTLS (set to yes) ensures DNS queries are encrypted; yes is strict mode, so queries fail rather than silently falling back to plaintext if a server does not offer TLS, whereas the alternative value opportunistic would permit that fallback.

The configuration lines should look like:

[Resolve]
DNS=1.1.1.1 1.0.0.1
FallbackDNS=8.8.8.8 8.8.4.4
DNSOverTLS=yes

Press Ctrl+X, then Y, and Enter to save and exit the nano editor.

Reactivate the service to apply changes:

sudo systemctl restart systemd-resolved

Testing the Implementation

Without validation, configuration changes are just optimistic adjustments. By testing, you ensure that your system uses the specified DNS servers and also that the DNS queries are encrypted, guaranteeing the privacy and security boost DoT promises.

To check the active DNS server, enter

resolvectl status | grep 'Current DNS Server'

If the output matches the specified servers (e.g., 1.1.1.1), it's a preliminary indication things are on track.
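The setup and verification steps above, from the systemd version check through to confirming the active server, can be wrapped in small shell functions so that each step's result is checked rather than assumed. The following script is an added example and not part of the article; it uses the file path, option names and server addresses the article uses, and the sample command output it is checked against is constructed. The optional "address#name" form written by render_resolved_conf, which newer systemd-resolved releases use for TLS Server Name Indication and certificate validation, is assumed to be available on your release (check resolved.conf(5) before relying on it).

```shell
#!/bin/sh
# Added example, not part of the article: the DoT setup steps wrapped in
# functions so that each step's result can be checked. Pure functions take
# command output as a string argument, which also lets them be exercised
# offline against constructed sample output.

RESOLVED_CONF="${RESOLVED_CONF:-/etc/systemd/resolved.conf}"
MIN_SYSTEMD=239   # first release with the DNSOverTLS= option

# systemd_version_ok "<output of systemd --version>"
# Succeeds when the version number on the first line is >= 239.
systemd_version_ok() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 && $1 == "systemd" { print $2 }')
    case "$ver" in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric version
    esac
    [ "$ver" -ge "$MIN_SYSTEMD" ]
}

# render_resolved_conf [sni_name]
# Prints the [Resolve] stanza used in the article. With an optional name,
# each primary server is written as "address#name"; newer systemd-resolved
# releases use that name for TLS Server Name Indication and certificate
# validation (assumed available; see resolved.conf(5) on your release).
render_resolved_conf() {
    suffix=""
    if [ -n "${1:-}" ]; then suffix="#$1"; fi
    printf '[Resolve]\n'
    printf 'DNS=1.1.1.1%s 1.0.0.1%s\n' "$suffix" "$suffix"
    printf 'FallbackDNS=8.8.8.8 8.8.4.4\n'
    printf 'DNSOverTLS=yes\n'
}

# conf_enables_dot "<contents of resolved.conf>"
# Succeeds only if the [Resolve] section has an uncommented DNSOverTLS=yes
# (strict mode) and a non-empty DNS= line. Commented-out lines and
# DNSOverTLS=opportunistic do not count.
conf_enables_dot() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[Resolve\][[:space:]]*$/ { in_resolve = 1; next }
        /^[[:space:]]*\[/                        { in_resolve = 0; next }
        /^[[:space:]]*[#;]/                      { next }
        in_resolve && /^[[:space:]]*DNSOverTLS[[:space:]]*=[[:space:]]*yes[[:space:]]*$/ { dot = 1 }
        in_resolve && /^[[:space:]]*DNS[[:space:]]*=[[:space:]]*[^[:space:]]/            { dns = 1 }
        END { if (dot && dns) exit 0; exit 1 }'
}

# current_dns_server "<output of resolvectl status>"
# Prints the value after "Current DNS Server:" (first occurrence).
current_dns_server() {
    printf '%s\n' "$1" | awk -F': *' '/Current DNS Server:/ { print $2; exit }'
}

# using_expected_server "<resolvectl output>" addr [addr ...]
# Succeeds when the current server is one of the configured addresses.
using_expected_server() {
    status=$1; shift
    cur=$(current_dns_server "$status")
    cur=${cur%%#*}                     # drop any "#name" suffix
    for want in "$@"; do
        if [ "$cur" = "$want" ]; then return 0; fi
    done
    return 1
}

# apply_dot: the article's procedure end to end (needs root). Only runs
# when the script is invoked with --apply; the existing file is backed up
# first because the stanza replaces the whole file.
apply_dot() {
    systemd_version_ok "$(systemd --version)" || {
        echo "systemd >= $MIN_SYSTEMD required" >&2; return 1; }
    systemctl enable systemd-resolved.service
    systemctl start systemd-resolved.service
    cp -p "$RESOLVED_CONF" "$RESOLVED_CONF.bak"
    render_resolved_conf > "$RESOLVED_CONF"
    conf_enables_dot "$(cat "$RESOLVED_CONF")" || return 1
    systemctl restart systemd-resolved
    using_expected_server "$(resolvectl status)" 1.1.1.1 1.0.0.1
}

if [ "${1:-}" = "--apply" ]; then
    apply_dot
fi
```

Run with --apply as root to perform the steps; without it the script only defines the functions, so conf_enables_dot "$(cat /etc/systemd/resolved.conf)" and using_expected_server "$(resolvectl status)" 1.1.1.1 1.0.0.1 can be used on their own to audit an existing host.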

Monitoring DNS Traffic for Encryption

DoT is a fundamental security feature for modern networks, but like all systems, DoT requires vigilance. One cannot simply enable and forget; it must be actively monitored.

Before you can monitor traffic on your interface, you need to determine its name using the ip a or ip addr show command:

ip a

This command provides a list of all network interfaces. Traditionally, wired connections are represented as ethX (e.g., eth0), while wireless connections are often labeled as wlanX (e.g., wlan0); distributions that use systemd's predictable interface names instead show names such as enp0s3 or wlp2s0.

Look for the interface that has an inet address (IPv4) or inet6 address (IPv6) associated with it and whose state is UP. This is typically the active network interface. For instance, the output might look like Listing 1.

Listing 1

Output Showing All Network Interfaces

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic eth0

In Listing 1, eth0 is the active network interface.

Monitoring with tcpdump

Now that you've identified your active network interface, utilize tcpdump to monitor DNS traffic. With DoT, monitoring becomes critical to ensure encryption is active. To monitor your DNS traffic, use

sudo tcpdump -i eth0 -n 'port 853'

Replace eth0 with your identified interface.

With the above command, tcpdump intercepts and logs network traffic. If DoT is functional, the domain names accessed won't appear in plaintext. DoT operates via port 853, with encrypted queries passing through it.

While tcpdump is active, access a few websites. Instead of recognizable domain names, you'll largely see encrypted data, verifying the effectiveness of your DoT setup.
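Seeing traffic on port 853 shows that DoT is in use; the complementary check is that nothing still leaves the host as plaintext DNS on port 53. The script below is an added example, not part of the article, that audits saved tcpdump text output: it counts packets to each port and lists the names asked for in any plaintext query. The capture lines embedded at the bottom are constructed for illustration; on a real host, capture both ports with something like sudo tcpdump -i eth0 -n -c 200 'port 853 or port 53' > dns-capture.txt and pass that file as the first argument.

```shell
#!/bin/sh
# Added example, not from the article: an audit over tcpdump text output that
# checks DNS traffic leaves the host only on the DoT port (853) and flags any
# query that still goes out in plaintext on port 53. The sample capture at the
# bottom is constructed for illustration.

# dns_port_summary "<tcpdump lines>"
# Prints "dot=N plain=N": packets sent to port 853 vs. port 53. tcpdump -n
# prints endpoints as "address.port", so the port is the last dotted field.
dns_port_summary() {
    printf '%s\n' "$1" | awk '
        $2 == "IP" || $2 == "IP6" {
            dst = $5; sub(/:$/, "", dst)            # "1.1.1.1.853:" -> "1.1.1.1.853"
            n = split(dst, part, "."); port = part[n]
            if (port == 853) dot++
            else if (port == 53) plain++
        }
        END { printf "dot=%d plain=%d\n", dot, plain }'
}

# plaintext_queries "<tcpdump lines>"
# Prints the names asked for in plaintext port-53 queries, one per line.
# tcpdump decodes such queries as e.g. "12345+ A? example.com. (29)".
plaintext_queries() {
    printf '%s\n' "$1" | awk '
        ($2 == "IP" || $2 == "IP6") && $5 ~ /\.53:$/ {
            for (i = 6; i < NF; i++)
                if ($i ~ /\?$/) { name = $(i + 1); sub(/\.$/, "", name); print name }
        }'
}

# dot_only "<tcpdump lines>": succeeds when no plaintext DNS packet was seen.
dot_only() {
    summary=$(dns_port_summary "$1")
    plain=${summary##*plain=}
    [ "$plain" -eq 0 ]
}

# Constructed sample: one DoT exchange on port 853 plus one lookup that
# leaked in plaintext to 8.8.8.8 on port 53.
SAMPLE_CAPTURE='12:00:01.123456 IP 192.168.1.10.41234 > 1.1.1.1.853: Flags [P.], seq 1:200, ack 1, win 502, length 199
12:00:01.223456 IP 1.1.1.1.853 > 192.168.1.10.41234: Flags [P.], seq 1:300, ack 200, win 64, length 299
12:00:02.000000 IP 192.168.1.10.55555 > 8.8.8.8.53: 12345+ A? example.com. (29)
12:00:02.010000 IP 8.8.8.8.53 > 192.168.1.10.55555: 12345 1/0/0 A 93.184.216.34 (45)'

if [ $# -gt 0 ]; then
    capture=$(cat "$1")          # audit a saved tcpdump text file
else
    capture=$SAMPLE_CAPTURE      # demonstrate on the constructed sample
fi
dns_port_summary "$capture"
if dot_only "$capture"; then
    echo "OK: all DNS traffic used port 853"
else
    echo "WARNING: plaintext DNS seen; names queried in the clear:"
    plaintext_queries "$capture"
fi
```

A non-zero plain count is worth chasing even with DNSOverTLS=yes in place: applications that bring their own resolver, containers with their own /etc/resolv.conf, or a stale static nameserver entry all bypass systemd-resolved and show up here as port-53 queries.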

The importance of regular traffic monitoring can't be overstated. Monitoring helps identify unusual traffic patterns and potential security breaches, while also ensuring that DoT operates without hitches. Of course, tools like DoT are only part of the solution for maintaining a secure environment. You're still only as safe as your system is, which means you can never escape the need for regular audits and system updates (see the box entitled "Keeping the System Up to Date").

Keeping the System Up to Date

Every system, regardless of its purpose, is a potential target. As such, keeping systems updated is not a luxury, but a necessity.

On Apt-based Linux systems, system and package updates are as easy as

sudo apt update && sudo apt upgrade

Regular updates patch vulnerabilities and ensure optimal performance. This not only keeps the DoT setup solid but the entire system secure.

Periodic security audits are also important. Nmap will show you which ports are open and reachable, and Wireshark lets you review the traffic that crosses them. Be sure only necessary ports are open and accessible, and regularly review and update configurations, ensuring that no deprecated protocols or software are in use.

Conclusion

Not merely a protocol upgrade, DoT is a paradigm shift toward respecting data privacy and enhancing security.

Every IT professional has the responsibility of ensuring the digital spaces they oversee are secure. Adopting DoT acknowledges this responsibility. It is also a call to arms for a more private, secure, and user-respecting Internet.

The Author

Marcin Gastol is a senior DevOps engineer and Microsoft Certified Trainer with extensive experience in Azure technologies and teaching various IT subjects. He writes about multiple IT topics on his blog, https://marcingastol.com/.