12

Denise is an average user who goes with the default settings of her OS and home router. She knows that her browser and email client use DNS and she's worried because I told her that the DNS protocol has no built-in security.

Are there sensible security measures that Denise should take to increase her privacy and security when using DNS? And what do these measures protect her against?

Examples: Should she switch from the default DNS servers provided by her ISP (e.g. to OpenDNS)? Should she, as an end user, care about DNSSEC or DNSCurve? Should she adopt DNSCrypt? If she consistently browses via HTTPS, does she have to worry about DNS attacks at all? Anything else to consider?

Arminius
  • I don't think any OS visible to a user has a fixed default for external DNS; they (all?) default to whatever is set by DHCP on the network(s) they are connected to, which in turn usually is an ISP or similar provider. Some insert a local cache/manager like dnsmasq or unbound, but those still recurse to DHCP. Embedded/IoT stuff with no UI might hardcode DNS, but might just hardcode IP and skip DNS. – dave_thompson_085 Dec 13 '16 at 09:12

3 Answers

15

The average user, in my opinion, shouldn't spend any time whatsoever thinking about DNS attacks.

First, it just doesn't happen on a scale that warrants such attention. When phishing attacks, ransomware, and password guessing are rampant, users are infinitely better off spending what little security motivation they have on preventing those.

Second, an attack involving a malicious DNS server realistically means you're connecting to a rogue access point. If you're using TLS for as many things as possible, you greatly mitigate the amount of damage that can be done in that scenario anyway. For anything that doesn't go over TLS, the problem is better solved by the developer of the application getting their act together, and unlikely to be solved by encouraging users to switch to something else.

So in practice I'd really say it boils down to "use TLS for everything", which insulates users from so much attack surface it's frankly absurd that there are still holdouts on this front. While it's not perfect, it at least greatly increases the difficulty of most attack scenarios and seriously hampers most non-targeted attacks.

Stephen Touset
5

As an end user, you cannot care about DNSSEC in practice. DNSSEC requires that the owner of the domain set up their authoritative nameserver to sign their responses. You cannot use DNSSEC to secure domains that don't support DNSSEC.

DNSCurve, on the other hand, is designed to secure the DNS query between your machine and a trusted recursive nameserver. The DNSCurve threat model doesn't really address the possibility of the recursive nameserver you are connecting to going rogue.

So what should you, as an average user, do?

  1. You should point your machines/routers to a DNSSEC-validating recursive nameserver that is operated by an operator that you trust,
  2. You should connect to this trusted nameserver with DNSCurve,
  3. You should keep in mind that if the recursive nameserver proves to be unworthy of trust, either due to malice or incompetence, they can screw your name resolution.

Lie Ryan
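Point 1 of the answer above asks for a DNSSEC-validating recursive nameserver. The only signal an ordinary stub client gets about that is the AD (Authenticated Data) flag in the response header (RFC 4035, section 3.2.3): a validating resolver sets it when every record in the answer passed validation. The following is an added example, not code from the original post or from any of the projects it mentions: a small parser for the 12-byte DNS header that reports the AD bit, plus a helper that builds constructed sample responses (the `build_response` helper, the query for `example.com`, and the `192.0.2.1` address are all made up for the example).

```python
"""Inspect a DNS response header and report whether the recursive resolver
marked the answer as DNSSEC-validated (AD flag, RFC 4035 section 3.2.3).
Added example; the sample messages below are constructed, not captured."""
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035).
QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired (copied from the query)
RA = 0x0080  # recursion available
AD = 0x0020  # authenticated data: resolver validated the answer via DNSSEC
CD = 0x0010  # checking disabled: client asked the resolver not to validate
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into a dict of named fields."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & QR),
        "recursion_available": bool(flags & RA),
        "authenticated_data": bool(flags & AD),
        "checking_disabled": bool(flags & CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def validated_by_resolver(msg: bytes) -> bool:
    """True only for a successful response in which the resolver set AD.

    A missing AD bit does not mean the data is forged; it means the resolver
    either does not validate or the zone is unsigned, so the client has no
    DNSSEC assurance either way."""
    h = parse_header(msg)
    return h["is_response"] and h["rcode"] == 0 and h["authenticated_data"]


def build_response(flags: int, ident: int = 0x1234) -> bytes:
    """Construct a minimal A-record response for example.com (sample data).

    Layout: header, one question (example.com A IN), one answer RR whose
    name is a compression pointer back to offset 12, TTL 300, RDATA 192.0.2.1
    (a TEST-NET-1 address chosen for the example)."""
    header = struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


# Constructed samples: what a validating resolver returns for a signed zone,
# and what a non-validating resolver (or any resolver for an unsigned zone) returns.
VALIDATING_RESPONSE = build_response(QR | RD | RA | AD)  # flags 0x81A0
PLAIN_RESPONSE = build_response(QR | RD | RA)            # flags 0x8180


if __name__ == "__main__":
    for label, msg in (("validating", VALIDATING_RESPONSE), ("plain", PLAIN_RESPONSE)):
        print(label, "AD set:", validated_by_resolver(msg))
```

The AD bit is only as trustworthy as the path it travelled: it is an ordinary flag in a plaintext UDP packet, which is exactly why the answer pairs a validating resolver (point 1) with an encrypted, authenticated channel to it (point 2). Without the second, anyone between the client and the resolver can set or clear the bit at will, and even with it the client is still trusting the resolver's claim, which is point 3.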
1

The first rule of engagement is to never use public DNS without using a VPN. Anything else just gives you a false sense of security.

TLS may mitigate this, and it is way better than plain HTTP, however, there is a lot of non-encrypted activity going around.

I would use VPN+dnscrypt on top of it to prevent DNS leaks.

At home, I would go a step further, and would use dnscrypt to:
1) avoid the ISP going for the low hanging fruit of registering all my DNS requests as "metadata";
2) avoid them intercepting and modifying my DNS requests.

(I am actually doing this).

I would even go a step further, and would say you should use VPN provisioning rules both on Mac and Windows that define VPN on demand, such that your VPN connection is not torn down, and suddenly (part of) your current connections leak onto the normal connection.

To further comment on the DNS requests. Using DNS in the clear is asking for trouble. As an example, in our corporate VPNs, I intercept DNS requests for any DNS server (for people with fixed DNS configurations), and redirect them to our DNSes in order to lower trouble tickets about them not being able to resolve internal sites. Any public / rogue wifi spot can and will do the same.

Rui F Ribeiro
  • What public DNS servers provide VPN termination? The only threat models this seems to address is DNS spoofing (and even then only between the client and recursive server) and sniffing of your DNS traffic. Unless terminated at the recursive server, then you're just shifting the problem elsewhere. – symcbean Dec 13 '16 at 13:02
  • If you read it carefully, I am saying in not so hidden words that it is not only between the client and the recursive server... Those who think otherwise are deluding themselves. – Rui F Ribeiro Dec 13 '16 at 15:29
  • Or you can simply skip the DNS part, tell that it's not your problem, let the VPN server do the resolution for you. – Rápli András Jan 02 '17 at 20:21
  • me thinks you go way "further" than an "average user", for better or worse ;) – dandavis Jan 05 '17 at 16:09