Encrypted Recursive DNS with DNS over TLS, Unbound, and Cloudflare
April 23, 2018 · Benjamin Lee · dns · security
The recent announcement of Cloudflare's new privacy-focused recursive DNS service, 1.1.1.1, prompted me to revisit the options for encrypted recursive DNS and finally enable DNS over TLS on my workstations.
As a brief reminder, Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) protect a connection in two ways: symmetric encryption gives confidentiality and integrity against anyone eavesdropping on or tampering with the path, and public-key certificates let the client authenticate the server it is actually talking to.
Due to increasing awareness and new revelations regarding sophisticated spying operations by governments and corporations, there has been a significant increase in the adoption of HTTPS (HTTP over TLS) over the past several years. According to Google, over 68% of Chrome traffic on Android and Windows is now protected.
However, recursive DNS, the lookup that has to complete before an HTTPS connection can even be opened, still travels as cleartext on port 53 between your machine and the resolver. Anyone on that path (your ISP, a coffee-shop network, a compromised home router) can log every name you resolve and can forge or alter the answers, which are exactly the attacks that made unencrypted HTTP a problem.
Fortunately, there are several options for protecting recursive DNS, including DNS over TLS, DNS over HTTPS, and DNSCrypt. Each has its own tradeoffs and may not be available depending on your operating system and internet provider. For example, you will need to ensure that the relevant ports are not blocked: DNS over TLS uses TCP port 853, which some networks filter.
Unbound is a DNS resolver with native support for DNS over TLS. In version 1.7.0 you use the appropriately named forward-tls-upstream option; the same option was called forward-ssl-upstream in version 1.6.0, and older versions only had the global ssl-upstream option.
To set up a forwarding resolver with Unbound, create a forward-zone entry with name "." and the upstream addresses. Cloudflare supports DNS over TLS on 1.1.1.1 and 1.0.0.1 on port 853. The final result in your unbound.conf should look something like this:

    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853

One caveat before calling this done: the configuration above encrypts the upstream hop, but on its own it does not verify the certificate that 1.1.1.1 presents, so an active attacker on the path could still impersonate the resolver. Later Unbound releases add a tls-cert-bundle option pointing at the system CA store and an authentication-name suffix on forward-addr (1.1.1.1@853#cloudflare-dns.com); check unbound.conf(5) for the version you run and use them if they are available. Also keep in mind what DNS over TLS does not hide: the resolver operator still sees every query, and your ISP still sees the IP addresses you connect to afterwards.
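To see what the encrypted hop actually looks like on the wire, and what the minimal forward-zone above leaves out, here is a small DNS over TLS client. It is an added example written for this post, not code from Unbound or Cloudflare. It frames a DNS query with the two-byte length prefix that RFC 7858 requires, sends it to 1.1.1.1:853, and refuses to proceed unless the server's certificate chains to a system CA and matches the authentication name cloudflare-dns.com. The function names, the `--live` flag, the fixed sample transaction ID and the embedded sample response are all constructed for the example; the resolver address, port and authentication name are Cloudflare's real values.

```python
"""Minimal DNS over TLS (RFC 7858) client with upstream authentication.

Added example for this post; not code from Unbound or Cloudflare.
"""
import os
import socket
import ssl
import struct
import sys

RESOLVER_IP = "1.1.1.1"          # Cloudflare's DoT endpoint, as in the post
RESOLVER_PORT = 853
AUTH_NAME = "cloudflare-dns.com"  # name the resolver's certificate must match
SAMPLE_TXID = 0x1234              # fixed ID used only for the offline sample

# Constructed sample: a response to "example.com A" with one answer record
# (93.184.216.34, TTL 60, owner name compressed to the question at offset 12).
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: QR RD RA, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"              # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"    # answer: name ptr, A, IN, TTL 60, RDLEN 4
    b"\x5d\xb8\xd8\x22"                                    # 93.184.216.34
)


class BytesSocket:
    """In-memory stand-in for a stream socket so the framing can run offline."""
    def __init__(self, data):
        self.data = data

    def recv(self, n):
        chunk, self.data = self.data[:n], self.data[n:]
        return chunk


def build_query(qname, qtype=1, txid=SAMPLE_TXID):
    """Return a wire-format DNS query (header + one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # 0x0100: RD set
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def frame(msg):
    """RFC 7858 reuses the TCP framing of RFC 1035: a two-octet length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed mid-message")
        buf += chunk
    return buf


def read_framed(sock):
    """Read one length-prefixed DNS message from a stream-style socket."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, expected_txid):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4               # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_over_tls(qname, server=RESOLVER_IP, port=RESOLVER_PORT, auth_name=AUTH_NAME):
    """Query the resolver over TLS; fail closed if its certificate is not for auth_name."""
    ctx = ssl.create_default_context()               # verifies the chain against system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = int.from_bytes(os.urandom(2), "big")      # random ID for real queries
    with socket.create_connection((server, port), timeout=5) as raw:
        # We connect by IP, but server_hostname makes the library send SNI for, and
        # check the certificate against, the authentication name rather than the IP.
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(qname, txid=txid)))
            return parse_a_records(read_framed(tls), txid)


if __name__ == "__main__":
    sample = read_framed(BytesSocket(frame(SAMPLE_RESPONSE)))
    print("offline sample:", parse_a_records(sample, SAMPLE_TXID))
    if "--live" in sys.argv:                         # only touches the network on request
        print("1.1.1.1 via DoT:", resolve_over_tls("example.com"))
```

Without arguments the script only parses the constructed sample; with `--live` it performs the real query, and a resolver presenting a certificate for any other name (or a self-signed one) makes `wrap_socket` raise before a single DNS byte is sent. That certificate check is precisely what the forward-zone above does not perform; Unbound can do the equivalent with tls-cert-bundle plus the 1.1.1.1@853#cloudflare-dns.com authentication-name syntax where your version supports them.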
- Cloudflare Blog: Announcing 1.1.1.1: the fastest, privacy-first consumer DNS service
- Google Security Blog: DNS over TLS support in Android P Developer Preview
- Google Security Blog: A secure web is here to stay
- Ars Technica: How to keep your ISP’s nose out of your browser history with encrypted DNS
- Arch Linux Wiki: Unbound