[Dnsmasq-discuss] Improve privacy by randomly selecting DNS server from a whitelist

/dev/rob0 rob0 at gmx.co.uk
Mon Oct 10 17:55:47 BST 2016


On Mon, Oct 10, 2016 at 02:53:44PM +0100, Sam Kuper wrote:
> I was setting up an OpenWRT router recently, and wanted to be able 
> to improve the privacy of DNS requests made from that router and 
> from the PCs on the LAN.
> 
> By handing off all the requests to *one* DNS provider, whether
> that provider is the ISP, or Google, or someone else, privacy is 
> obviously compromised: that provider can very easily record *all* 
> the DNS requests sent via that router

The ISP could, and they could do it regardless of the DNS forwarder 
chosen.  The ISP could even redirect all outbound queries to their 
own resolver, and through the magic of NAT, reply as the destination 
resolver.

Furthermore the ISP has access to the personal information of the 
account holder.  They have the ability to make an association of IP 
address to customer.

I doubt it's so easy for Google to get personally identifying 
information from Google Public DNS.  I suspect that data is of 
interest to them in determining site rankings, mostly.  A side 
benefit is to see the DNS attacks which are underway.  I suspect 
Google has multiple full-time analysts looking at those attacks.
(Perhaps I should say, I *hope* they do.)

> (except, perhaps, in cases where the client is configured not
> to seek a DNS forwarder on the LAN).

Redirection covers this.  Just as with many hotels and hotspots, 
enter ANY IP address as your resolver, and it will "work", through 
the ISP's resolver.

There are ways to "defeat" such an attack (where "defeat" means to 
detect it and to break your own ability to resolve names, so it's 
certainly not a clear victory.)  More on that below.

> Unfortunately, there are no public DNS providers who I trust not to
> record this sort of information for longer than necessary, nor any
> whom I trust never to abuse that sort of information. (Perhaps you
> think my feelings about this are wrong, but please bear with me.)

Again I'd definitely be more concerned about the ISP than about el 
Goog.  I'm not speaking as a Google fanboy (I'm not one!), just 
considering the technical issues.  (For one thing, note that a DNS 
query cannot identify why you were querying; perhaps it wasn't even 
for HTTP.)

But, that's how it is for most of us: we have to deal with an ISP if 
we want to get online.

> Fortunately, there are numerous public DNS servers that I trust, 
> more or less, to return accurate results to DNS queries. I'll call 
> this the "semi-trusted set".
> 
> Therefore, it occurred to me that a better option than simply 
> relying on *one* provider, would be to supply the router with a 
> list of IP addresses for the servers in the semi-trusted set, and 
> then, for each DNS query the router cannot answer from its own DNS 
> cache, have the router send the query to a randomly selected DNS 
> server from that list.

This functionality does not exist in dnsmasq at this time.  But a 
Linux-specific way to do it would be to DNAT some of the queries 
using the "statistic" match.  See "iptables -m statistic -h" and the 
iptables-extensions(8) manual.

> That way, the clients would (I hope) receive trustworthy replies, 
> and none of the providers would be able to record more than a 
> random subset of the requests. This might come at the cost of 
> slightly slower average response times for DNS queries, but for my 
> use case, this would be perfectly acceptable.
> 
> While searching for a way to do this, I learned that Dnsmasq is 
> included by default in OpenWRT. Learning, in turn, about Dnsmasq, 
> made me optimistic that it might be possible to configure or extend 
> Dnsmasq to achieve the desired functionality described above.
> 
> I would be grateful to know:
> 
> - whether, and if so, why, the desiderata I described are a Bad 
> Idea. (I hope not, but it's always good to have a sanity check.)

It doesn't seem important to me, but I am a "full control" control 
freak who runs his own recursive resolver.  And that's how I defeat 
the redirection attacks.

See, a recursive resolver makes queries directly to the various 
authoritative NS hosts.  Those queries do not have the "RD" bit 
(recursion desired) set, and the resolver will only accept replies 
which have the "AA" bit (authoritative) set.

Replies from a recursive resolver do not have AA, so when my ISP gets 
that hare-brained idea again, to redirect queries to their broken 
resolver, immediately, I know.  (Because nothing resolves.)

DNSSEC validation also helps here.  The root and most top-level zones 
are signed, and if those signatures are missing or broken, again, I 
will see that nothing resolves.

> - whether anyone on this list knows of a way to achieve the desired 
> functionality by configuring existing software available within 
> OpenWRT, and if so, how. (Maybe there's a package, or a setting, 
> that does exactly what I'm after, and I've just never heard of it.) 
> Please reply to me off-list if the answer is not relevant to 
> Dnsmasq.

The iptables statistic match is probably not in stock openwrt, so 
that must be installed.

What I do, and have posted before on this list about, is to run 
dnsmasq for DHCP and local names, using a local resolver (on an 
alternate port, because dnsmasq gets port 53) as its one upstream 
server.

I use BIND named(8) for this, with a simple configuration.  If you 
are interested in this and can't find it in the list archives, post 
again.  You won't have named in stock openwrt, so you would need to 
install it.

Any other recursive resolver could do it also; the only catch is that 
it must be able to bind on an alternate port.  I like BIND, but on an 
embedded platform it's probably much bigger than others.  Look at 
pdns-recursor and unbound.

> - whether, if the desired functionality is not currently readily 
> available within OpenWRT, but could be made available by extending 
> Dnsmasq, any of you on the list would be keen to implement that 
> functionality (Simon Kelley, maybe?), or to donate funds towards 
> such an effort.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
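The iptables "statistic" approach rob0 points at above, as an added example that is not code from the post or from the dnsmasq project. It generates the nat-table DNAT rules for a whitelist of resolvers and simulates chain traversal to show the detail that is easy to get wrong: because a packet stops at the first DNAT rule it matches, the rules must fire with probability 1/N, 1/(N-1), ..., 1 in order, not 1/N each, or the last resolvers in the list starve. The resolver addresses, the chain name and the LAN interface name are assumptions.

```python
"""Spread outbound DNS queries across a whitelist of resolvers with
iptables -m statistic, and check that the spread is actually uniform."""
import random

# Constructed example whitelist; the addresses are assumptions, not from the post.
RESOLVERS = ["9.9.9.9", "1.1.1.1", "8.8.8.8", "208.67.222.222"]


def probabilities(n):
    """Per-rule match probability for n resolvers.

    Rule i sees only the packets the earlier rules let through, so it must
    take 1/(n-i) of those: 1/n of everything, then 1/(n-1) of the remainder,
    ... and the final rule takes all that is left (probability 1.0).
    """
    return [1.0 / (n - i) for i in range(n)]


def build_rules(resolvers, chain="PREROUTING", iface="br-lan"):
    """Return the iptables commands, one udp and one tcp rule per resolver.

    chain="PREROUTING" with an interface catches LAN clients that bypass the
    router's forwarder; chain="OUTPUT" with iface=None catches the router's
    own queries (i.e. what dnsmasq itself sends upstream).
    """
    probs = probabilities(len(resolvers))
    iface_opt = f" -i {iface}" if iface else ""
    rules = []
    for ip, p in zip(resolvers, probs):
        base = f"iptables -t nat -A {chain}{iface_opt} -p {{proto}} --dport 53"
        if p < 1.0:  # the last rule needs no statistic match: it catches the rest
            base += f" -m statistic --mode random --probability {p:.6f}"
        base += f" -j DNAT --to-destination {ip}:53"
        for proto in ("udp", "tcp"):
            rules.append(base.format(proto=proto))
    return rules


def simulate(resolvers, packets=100000, seed=1):
    """Walk the rule chain for many packets and count who gets each query."""
    rng = random.Random(seed)
    probs = probabilities(len(resolvers))
    counts = {ip: 0 for ip in resolvers}
    for _ in range(packets):
        for ip, p in zip(resolvers, probs):
            if rng.random() < p:  # this DNAT rule matched; traversal stops
                counts[ip] += 1
                break
    return counts


if __name__ == "__main__":
    for rule in build_rules(RESOLVERS):
        print(rule)
    print(simulate(RESOLVERS))
```

The xt_statistic module also offers `--mode nth --every N --packet i` for a deterministic round-robin instead of a random pick. Either way the upstream resolver still sees the router's WAN address, and the ISP still sees every packet; the spread only limits what any one resolver provider can log.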


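The RD/AA detection rob0 describes, as an added example that is not code from the post or from any resolver project. It builds a query with RD clear, as a recursive resolver would send to an authoritative server, and classifies a reply by its header flags: AA set means the authoritative server answered; AA clear with RA set means a recursive resolver (for example an ISP's interposed one) answered instead. The sample replies are constructed inline so the block runs offline; the `probe` helper that actually sends a query is an assumption for real use and needs network access.

```python
"""Tell an authoritative DNS reply from one produced by an interposed
recursive resolver, using the header flags RD, AA and RA (RFC 1035 4.1.1)."""
import socket
import struct

QR = 1 << 15   # response
AA = 1 << 10   # authoritative answer
RD = 1 << 8    # recursion desired; copied from the query into the reply
RA = 1 << 7    # recursion available; set by recursive resolvers, not by auth servers


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, txid=0x1234, recursion_desired=False):
    """A query with RD clear, the way a recursive resolver asks an NS host."""
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def parse_flags(packet):
    """Decode the header id and the flag bits we care about."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0xF,
    }


def classify_reply(query, reply):
    """Who answered a non-recursive query sent to an authoritative server?"""
    q, r = parse_flags(query), parse_flags(reply)
    if r["id"] != q["id"] or not r["qr"]:
        return "mismatch"
    if r["aa"]:
        return "authoritative"          # the NS host itself replied
    if r["ra"]:
        return "recursive-resolver"     # something recursive got in the way
    return "non-authoritative"


def make_reply(query, aa, ra, rcode=0):
    """Constructed sample reply: copies id, question and RD from the query."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = QR | (qflags & RD) | rcode
    if aa:
        flags |= AA
    if ra:
        flags |= RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + query[12:]


def probe(server_ip, name="example.com", timeout=3.0):
    """Send the query to server_ip (meant to be an authoritative server for
    the zone) and classify the reply. Assumed helper; needs network access."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        reply, _ = s.recvfrom(4096)
    return classify_reply(q, reply)


if __name__ == "__main__":
    q = build_query("example.com")
    print(classify_reply(q, make_reply(q, aa=True, ra=False)))   # authoritative
    print(classify_reply(q, make_reply(q, aa=False, ra=True)))   # recursive-resolver
```

A real recursive resolver does exactly this check on every reply, which is why, as rob0 says, an ISP redirect makes everything stop resolving rather than silently succeed. A forged reply that also sets AA would pass this check; DNSSEC validation is the layer that catches that.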
