In no particular order, here are some alternative technologies. As always YMMV and the proof is not just in the technical implementation of the protocol, but also the policies and politics around the adoption. A good chunk of them overlap DNS's goals in what they aim to do, but only partially.
* DNSSEC - https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-...
Various Distributed Hash Table (DHT) based approaches:
* IPNS - https://medium.com/@yaniv_g/hosting-websites-on-ipfs-with-ip...
* Telehash - http://telehash.org/
Various cryptocurrency approaches:
* Namecoin - https://bit.namecoin.org/
* DomainToken - http://www.domaintoken.io/
* Steemit - https://steemit.com/
If you know of others, please comment with the name and a link.
There is the DNS Privacy project, which proposes some solutions to the privacy issue [2].
The alternatives you're mentioning are really not alternatives at all (except namecoin, but only for .bit). How the other solutions (e.g. Steemit) are connected to the problem at hand is beyond me.
[1]: https://stats.labs.apnic.net/dnssec/XA?c=XA&x=1&g=1&r=1&w=7&... [2]: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+-+The+Sol...
This concern started being addressed in the latest DoH draft.
I know people are working on encrypted SNI but that will take time.
I have no clue how often this attack vector has been used in the real world, but last time I read about it, I got the impression that it would not be very hard for a skilled attacker to pull off. (DNSSEC would work, too, but as you say, most clients do not make use of it.)
To concentrate purely on the DNS side, I set about re-engineering things for privacy, safety and speed (in that order). I'll only address my local resolver, and not the DNS I'm serving to the world at large for my personal domains.
I run Palo-Alto's free minemeld server in order to get realtime threat lists. Any medium or higher threat level domains are fed to:
an unbound caching resolver on my OpenBSD edge firewalls. These threat domains (along with adware domains from someonewhocares) are blackholed to 0.0.0.0. Any queries that are not in the cache are forwarded to:
a BIND 9 server on a VM that has no direct access to the internet or the rest of my LAN. It will either answer authoritative queries for my internal LAN or forward queries that require an external authoritative answer to:
Six DNSCrypt proxies in a round-robin scheme. Each proxy was chosen because it (claims it) doesn't log, and will also pass back DNSSEC failures. OpenDNS doesn't!
Notes :
My BIND server verifies DNSSEC. I also have a bunch of known-good/bad DNSSEC domains that my Nagios server checks constantly, verifying that DNSSEC is succeeding/failing as expected. I also have DNSSEC/TLSA/DANE for all my domains and services. Thank you letencrypt!
My OpenBSD pf firewall forces ALL DNS queries to my unbound resolvers, so regardless of what server an internal client attempts to use, it ends up going thru all my security and privacy apparatus. Malware is unable to use it's own DNS servers to bypass my blackholing.
I have not gone the extra step of using TOR. Although this seems like it would improve my privacy, I can't shake the feeling its an NSA honeypot and does more to mark you as a target of interest than it does to protect you.
One feature I would like, which I have found impossible to implement on my own is fresh DNS cooldown, to prevent brand-new domains from resolving for x number or hours. I like the idea that malware using dynamically generated domains could be thwarted with this, but there isn't any central list/mechanism to figure this out. whois info is too unreliable and unstructured.
Unbound also allows you to set a min-ttl, which is taboo in the DNS admin realm, but very useful for adding a small amount of privacy, at the risk of poorly engineered websites being unreachable for a small period of time. See "cache-min-ttl:" Consider keeping that under 20 minutes.
I also log all query responses, then sort by request count and do additional prefetching of names I use, plus batches of random domain names to add some noise as others suggested. "log-queries: no" and "log-replies: yes". Logging this data can also help you spot websites that try to enumerate a users DNS and real IP by using unique A records per client.
Also make sure you don't have the "subnetcache" module loaded, as it will by default send client-subnet data, allowing enumeration of your private network.
https://spameatingmonkey.com/services
I've not used this myself, so I'm not recommending it. I only know that it exists.
I have my own DNS with min-ttl set. Further more I have firewalled all DNS-lookup except to a certain provider.
On top of this I have a installed a local CA on all devices.
Blocked domains are reverted to an local nginx that answer with a empty gif or 204, even when the request is on https (domains spoofed).
The access.log is very interesting to analyse, and sometimes you find bugs in iOS apps that crashes because they could not send their usage data to flurry.com or other domains.
You could also take inspiration from the NSA and actually perform random DNS queries & HTTP requests to various sites to disguise the true queries.
Another improvement would be actually offloading the resolver to another location via a VPN and querying from there.
The confidentiality win is not huge, most use-cases will let an attacker make a good guess at the query through the destination IP (for IPs serving only one site) or via SNI. Still, there's definitely a win for other types of queries, and it'll get more useful once we figure out how to encrypt SNI.
Can you explain why it's important _not_ to have DNSSEC ?
In the most threatening MitM scenarios that we see, an adversary controls IP traffic to their victims (usually only relatively briefly). If we can use DNSSEC this gets them a denial of service and nothing further. But with your preferred options they are able to silently interpose as the victim, and tools you've worked on like Let's Encrypt will help "re-assure" the public that nothing is wrong. I have no doubt that ISRG would say they have no liability when the relying parties are screwed over - that's after all exactly what their commercial equivalents say all the time - but it'd be an easier argument to make if you weren't here saying that when it comes to the one thing that _would_ work you'd "rather not see it succeed".
Do you at least have something _instead_ you think would give people these benefits ?
Which shouldn't be an excuse for not doing DNSSEC validation if only because your own zones can be signed. You know, the ones you will be constantly ssh'ing to, and blindly accept new ssh server keys from because hey, it's your zone and you trust it.
Dnssec is just as vulnerable to mitm attacks, because you just strip the dnssec responses and the client has no way to know if it the resolver just doesn't support DNSSEC
The crypto ones don't even warrant a response, they are non compatible with anything that happens today.
2. Configure network settings to use 127.0.0.1 as the resolver
You now have end to end DNSSEC protected DNS (when the domain supports it. Where support is admittedly low). The best a MITM can do is block your lookups. In the same way they can also block your HTTPS connections.
[edit] Of course, the above will now fail by default in Firefox, because they wont use your local system resolver. Every other app on your system will be secured though. Until they also start getting their own custom made name resolution systems too.
For privacy reasons, DNS over TLS and DNS over HTTPS are still a good idea. So even with DNSSEC you would need one of those.
There's also this interesting app: https://play.google.com/store/apps/details?id=app.intra
There are also tutorials on how to set up your own DNSCrypt server: https://github.com/jedisct1/dnscrypt-proxy/wiki/How-to-setup...
But for DoH to make sense, the server must be outside of my private network and my ISP's network.
Problem is that I have no idea how to test if it is really working :-)
For a reference, this is what I get when I set my dns as 1dot1dot1dot1.cloudflare-dns.com on Android P:
https://cloudflare-dns.com/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3Q...
I think that DNS over HTTPS is loved by the ad-community. No local DNS that can disturb or block user generated data. Don’t get fooled people.
#DeleteGoogle
I guess for me that equates to Firefox on 3 systems. Although I have three separate Firefox profiles, so I guess that's 9 times it needs configuring. And at some point 3 copies of Chrome, and another 3 Chromiums I guess. And then whatever other apps decide they want their own custom name resolution. That's assuming I'm actively notified that they have been changed to work that way, and assuming I remember to do it after each install.
Because by the sound of it, without remembering to configure my systems, I'm going to end up in a situation where I'm now shipping off a list of all the websites I visit to some American corp for safe keeping, by default. Along with everyone else in the World.
I can't even sit here in the UK, visiting a UK website, without asking an American corp for the IP. At least today, I'm asking my ISP for the IP. A company based in my legal jurisdiction, with whom I have a business relationship.
[edit] I forgot Firefox on my phone too. Thankfully I don't have a tablet.
I guess the stuff in the dns=bit is a query to look up the ip of dns.google.com? ;)
I'm not sure if I think trusting certs for ip addresses (as opposed to domain names) is a great idea. And how else would this bootstrap?
https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-ove...
