Puppy Linux Discussion Forum
Operating one's own local DNS resolution server
labbe5

Joined: 13 Nov 2013
Posts: 2003
Location: Canada

Posted: Thu 15 Nov 2018, 20:16    Post subject: Operating one's own local DNS resolution server

Operating one's own local DNS resolution servers is one of the simplest and lowest-cost things an IT administrator can do to monitor and protect applications, services, and users from potential risks.

Every open source server platform, such as Linux or BSD, offers many free implementations of the DNS resolution service. The oldest of these is called BIND, but newer implementations such as PowerDNS, Unbound, and Knot are also well-trusted, production-ready software packages. Most will offer some kind of template configuration that includes local DNS resolution.
Source : https://www.darkreading.com/vulnerabilities---threats/benefits-of-dns-service-locality/a/d-id/1333088?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DNSSEC

To a great extent, protecting DNS today begins with DNSSEC. The DNS Security Extensions handle one set of tasks, but it's an extremely important set in the overall scheme of things. DNSSEC is all about making sure that the server (or service) you want to talk to is the one you're actually talking to.

DNSSEC uses a DNSSEC-validating DNS resolver to check DNS signatures and ensure that the resolution information has not been changed and the responding server is the correct server. It's important to note that the signatures in DNSSEC aren't used for any sort of encryption — they're only responsible for validating the identity of the servers involved.

It's also important to note that DNSSEC can protect more than Web pages. Any service that uses a DNS-based address, from email to instant messaging, can benefit from the server authentication provided by DNSSEC.


Quad9

Quad9 is a joint project of the Global Cyber Alliance (GCA), IBM, and Packet Clearing House. Beyond basic name resolution, Quad9 (named for its address, 9.9.9.9) is intended to block the vast majority of malicious sites, including those hosting and controlling malware, botnet infrastructure, and more. To do so, Quad9 collects reputation and security information from 18 different partners, including F-Secure, abuse.ch, Cisco, Proofpoint, and NetLab.

In addition to the blacklist functions, Quad9 will support both a whitelist of the million top-requested domains and a "gold list" of major sites (such as Google, Amazon Web Services, and Microsoft Azure) that should always be considered "safe." Both types of lists are intended to maintain high performance while providing security from bad actors and their malicious destinations.

Source : https://www.darkreading.com/operations/7-ways-to-keep-dns-safe/d/d-id/1332252

Further reading :
DuckDuckGo's public DNS list
https://duckduckgo.com/html?q=public%20dns
"DNS [security] is still not top of mind,"
https://www.darkreading.com/perimeter/dns-a-victim-of-its-own-success--/d/d-id/1330048
Intra, the Android App for DNS Encryption
https://www.darkreading.com/mobile/an-intro-to-intra-the-android-app-for-dns-encryption/d/d-id/1332965
Best Public DNS Servers
https://whoer.net/blog/article/best-public-dns-servers/
Public DNS for IPv4 and IPv6
https://sebsauvage.net/wiki/doku.php?id=dns-alternatifs
The official release of AdGuard DNS — a new unique approach to privacy-oriented DNS
https://adguard.com/en/blog/adguard-dns-announcement/

Last edited by labbe5 on Thu 10 Jan 2019, 10:56; edited 3 times in total
labbe5

Joined: 13 Nov 2013
Posts: 2003
Location: Canada

Posted: Thu 10 Jan 2019, 10:27    Post subject: Google DNS Service (8.8.8.8) Now Supports DNS-over-TLS

https://thehackernews.com/2019/01/google-dns-over-tls-security.html

Almost every activity on the Internet starts with a DNS query, a key function of the Internet that works as the Internet's directory, where your device looks up server IP addresses after you enter a human-readable web address (e.g., thehackernews.com).

Since DNS queries are sent in clear text over UDP or TCP without encryption, the information can reveal not only what websites an individual visits but is also vulnerable to spoofing attacks.


To address these problems, Google announced Wednesday that its Public DNS (Domain Name System) service finally supports DNS-over-TLS security protocol, which means that the DNS queries and responses will be communicated over TLS-encrypted TCP connections.
labbe5

Joined: 13 Nov 2013
Posts: 2003
Location: Canada

Posted: Fri 09 Aug 2019, 18:45    Post subject: Knot DNS
Subject description: High-performance authoritative-only DNS server
 

https://www.knot-dns.cz/
labbe5

Joined: 13 Nov 2013
Posts: 2003
Location: Canada

Posted: Sat 07 Sep 2019, 19:53    Post subject: Configure DNS over TLS

https://www.linuxbabe.com/linux-mint/dns-over-tls-stubby

The future is to encrypt DNS.
Here is a tutorial.

It is not to be applied as a step-by-step tutorial for Puppy or Dog-based OS.
Just read and think about DNS over TLS and maybe adapt the tutorial for Puppy or a Dog-based OS.

Further reading :
DNS Privacy Daemon - Stubby
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
Google plans to test DNS over HTTPS in Chrome 78
https://www.ghacks.net/2019/09/11/google-plans-to-test-dns-over-https-in-chrome-78/
Mozilla plans to roll out DNS over HTTPS to US users in late September 2019
https://www.ghacks.net/2019/09/07/mozilla-plans-to-roll-out-dns-over-https-to-us-users-in-late-september-2019/
Turn off DoH, Firefox. Now.
https://ungleich.ch/en-us/cms/blog/2019/09/11/turn-off-doh-firefox/
Encrypted DNS Could Help Close the Biggest Privacy Gap on the Internet. Why Are Some Groups Fighting Against It?
https://www.eff.org/deeplinks/2019/09/encrypted-dns-could-help-close-biggest-privacy-gap-internet-why-are-some-groups
Self-hosted Dns Over Https service
https://balaskas.gr/blog/2019/10/15/self-hosted-dns-over-https-service/

Last edited by labbe5 on Yesterday, at 15:46; edited 1 time in total
labbe5

Joined: 13 Nov 2013
Posts: 2003
Location: Canada

Posted: Mon 07 Oct 2019, 08:15    Post subject: DNSCrypt

http://www.ubuntubuzz.com/2019/10/tor-and-dnscrypt-on-ubuntu-1804-made-easy.html
This simple tutorial will show you how to install two privacy tools, The Onion Router (TOR) and Dnscrypt-Proxy, on Ubuntu Bionic Beaver. We will make use of the existing Mozilla Firefox browser instead and just configure a system-wide proxy using Ubuntu System Settings. We do not install Tor Browser or any other additional stuff, to make everything simple for everybody.

It is best to use DNSCrypt if your DNS is provided by your ISP. If you have chosen 9.9.9.9 from Quad9 or 1.1.1.1 from Cloudflare, it is because you care about privacy. If you use a VPN, thanks to it, DNS is taken care of by your VPN provider. To be sure, go to : https://ipleak.net/. DNS Address section. Or do a DNS leak test : https://www.dnsleaktest.com/

Further reading :
Configure Ubuntu Pi-hole for Cloudflare DNS over HTTPS
https://www.cyberciti.biz/faq/configure-ubuntu-pi-hole-for-cloudflare-dns-over-https/
How To Set Permanent DNS Nameservers
https://www.tecmint.com/set-permanent-dns-nameservers-in-ubuntu-debian/

Last edited by labbe5 on Sat 12 Oct 2019, 15:15; edited 1 time in total
purple379

Joined: 04 Oct 2014
Posts: 133

Posted: Fri 11 Oct 2019, 09:43    Post subject: What Encrypted DNS already implemented in Easy OS?
Subject description: What would be simple to install in Easy OS?
 

I thought Firefox was going to implement a proxy something to resolve encrypted DNS issues like this. Where is that project?

I seem to recall some forum post where a fellow said he was talking to the Network Engineer on the ISP he used. The Network Engineer laughed and said, "If you want to enter the DNS number instead of doing the DNS look up, that is fine, I can change the DNS number you put in the browser box, and send you anywhere I choose." Not to be malevolent, just that is the way Servers can be changed by the ISP.

In truth, I personally suspect that is the way the internet was always intended to work. A lot of websites have pages cached in all kinds of places to make them load quicker. There was a fellow who was posting about a problem he had downloading content, the unreliability of the downloading and extra dollar costs, only to discover that while he was in the US, he was downloading content from Australia that was available from the same web site in the US, because the US had its own servers to download from.

What about a DNS comparison program, I get the DNS from one provider, compare it to the previous DNS I have for that web page, while also downloading the other DNS server's version of the same webpage. I guess the DNS companies do that all the time, so it is just another resource hog on my computer.

Anyone do a review on the YubiKey that is supposed to verify our getting to the correct webpage? That is, is the result of the YubiKey reliable, or is it just relying on what the DNS the ISP could be providing?

How much would need to be installed on a computer to slurp the password for a VPN? So that a group like the NSA or the Chinese equivalent could do a sophisticated "Man in the Middle" intercept, and read.


The Ultimate back door would be to have https keys. How could one trick a browser into letting one -- hmmm.
labbe5

Joined: 13 Nov 2013
Posts: 2003
Location: Canada

Posted: Yesterday, at 15:58    Post subject: LibreDNS

https://libreops.cc/2019/10/14/libredns/

DNS is a very old and essential internet protocol, that we all use daily. But it was built without privacy and secrecy in mind. It lacks encryption, and though it's decentralized in theory, for most people it has a central point of failure (or censorship), their ISP's DNS provider.

LibreDNS

Today we announce our own DNS service, a public encrypted DNS service, that people can use to maintain secrecy of their DNS traffic and bypass censorship. This is a DNS service run by LibreOps.

DNS over HTTPS (DoH) is best to be configured and used on applications, namely browsers.

At the moment the only browser that has sufficient support is Firefox. To configure Firefox do the following steps:

Open Firefox settings and navigate to:
General > Network Settings > Settings
At the bottom of this dialog:
Enable DNS over HTTPS.
Change from the default setting to Custom and fill in:
https://doh.libredns.gr/dns-query


DNS over TLS (DoT) is best to be configured globally for the entire operating system.
https://libredns.gr/
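
Added example, not part of any post in this thread or of the linked projects: the same DNS query prepared for the two encrypted transports discussed above (DNS over TLS framing, and the DNS over HTTPS GET form for the endpoint quoted in the last post), plus the check a client can make for DNSSEC validation by its resolver (the AD header bit). Function names are illustrative and the response headers are constructed sample data, not captures.

```python
import base64
import struct

def build_query(name, qtype=1, dnssec_ok=True, msg_id=0):
    """Wire-format query with an EDNS0 OPT record; DO asks for DNSSEC data."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    do_flag = 0x8000 if dnssec_ok else 0
    # OPT RR: root name, type 41, UDP payload size 1232, ext-rcode 0, version 0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, do_flag, 0)
    return header + question + opt

def dot_frame(msg):
    """DNS over TLS (RFC 7858, port 853): 2-byte length prefix, as in DNS over TCP."""
    return struct.pack("!H", len(msg)) + msg

def doh_get_url(endpoint, msg):
    """DNS over HTTPS GET form (RFC 8484): unpadded base64url in the 'dns' parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode()

def parse_flags(response):
    """Header bits a stub resolver can act on."""
    msg_id, flags = struct.unpack("!HH", response[:4])
    return {"id": msg_id, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F}

def resolver_validated(response):
    """True only for a NOERROR response with AD (Authenticated Data) set."""
    f = parse_flags(response)
    return f["qr"] and f["ad"] and f["rcode"] == 0

# Constructed 12-byte response headers (no real capture): signed zone validated,
# unsigned or non-validating answer, and SERVFAIL as returned for a failed validation.
SAMPLES = {"validated": struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 1),
           "unvalidated": struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 1),
           "servfail": struct.pack("!HHHHHH", 0, 0x8182, 1, 0, 0, 1)}

if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), dot_frame(q)[:2].hex())
    print(doh_get_url("https://doh.libredns.gr/dns-query", q))
    for label, resp in SAMPLES.items():
        print(label, resolver_validated(resp), parse_flags(resp))
```

The AD bit is only as trustworthy as the path to the resolver that set it, which is why it is meaningful from a local validating resolver or over DoT/DoH and not over plain UDP to a remote server.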