I use pfSense (Unbound) as my local resolver. Historically I've pointed it at root recursive resolution, because I perceived my main threat as trustworthiness and recency of data (poisoned/invalid DNS) and local ISP DNS tracking. (I don't know if that's so, but I felt that a root DNS server overseas might be less connected to me personally and have less interest in any queries I generate.) I mainly use IPv4 which may be relevant.
With all the attention on DNS tracking, some concerns and perceptions have arisen:
- Should I use some kind of DNS encryption or signing method, for privacy/certainty? I'm not using DNSSEC or any other extensions, so my DNS queries are "in the clear" plain text. They are watchable between here and the various DNS servers, and there's no certainty over manipulation "on the wire" (less likely but noted). But what to use and how far will it help, as it's not supported by everyone?
- Should I use an external resolver instead of querying root servers? I'm querying root servers from the start, so I'm issuing many queries from root servers down to the actual subnet of interest, instead of using a precached entry on some existing DNS resolver/cache. But each DNS server only sees one component of the domain, they don't get to see the entire target. If I use an intermediate resolver, especially one with signing/encryption, I issue far fewer DNS requests and what I do issue would always be encrypted and signed. But it requires a chosen intermediary with considerable trust (caching etc), and doesn't affect the risk of interception.
- Should I route DNS over some kind of anonymising proxy? It's slower for first requests, but Unbound would cache any replies locally and also request refresh data in advance of the cached data expiring, and I'm guessing the 80/20 rule applies (most queries will be to the same subset of domains where I already have cached data), so I'm not too worried about the speed aspect. But how practical is this? The most prominent anonymising method is Tor. Tor doesn't do UDP, so it handles DNS by asking the exit node to do a DNS query and trusts the result. I could configure Unbound to query DNS over TCP only, and route via local Tor, if that would solve it (= if most exit nodes will allow port 53, and if most DNS servers speak TCP). I'm also happy to run a DNS anonymising node if there is a Tor equivalent specific to DNS, if it will help others (this might let me merge my traffic with general DNS queries), but does such a thing exist?
So my current risk model is probably something like this:
- Poisoned/invalid data;
- Logging/monitoring at the server(s), and modification/monitoring "on the wire";
- Tying queries to source IP / DNS anonymisation.
If I don't use DNS proxying/anonymisation, then there are only two options. I can resolve everything myself from root servers down, in which case I trust every DNS server on every domain not to log queries, which is unlikely, but identifying query targets is less easy since the resulting subdomain queries are very widely distributed. If I use a public resolver I place "all my eggs in one basket", as they see the entire target domain, not just parts of it, and I'm trusting them not to log, which may also be unrealistic. So DNS anonymisation seems necessary, but it's not clear if it's realistic.
I'm happy to put in the work to resolve this, and I'm sure I can improve on what I'm doing. But workarounds will be needed, since DNS is fundamentally insecure.
Given the current state of DNS and the current state of anonymising technologies, what is my best approach to threat mitigation for DNS queries?
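Added example, not part of the question above: an `unbound.conf` fragment contrasting the posture the question describes (iterate from the root, no validation, clear UDP) with settings that address each of the three listed risks: DNSSEC validation against poisoned data, QNAME minimisation (RFC 7816), which is what actually gives the "each server only sees part of the name" property the question assumes, and DNS-over-TLS to a forwarder for the on-the-wire risk. The LAN address and the forwarder IP/hostname are placeholders; on pfSense these directives would be entered in Unbound's custom options rather than in a hand-edited file.

```conf
# Added example (not from the question). Directive names are real Unbound
# options (the TLS ones need Unbound 1.7+); addresses are PLACEHOLDERS.

# --- Posture as described in the question -----------------------------
server:
    interface: 192.168.1.1                 # placeholder LAN address
    access-control: 192.168.1.0/24 allow
    # no auto-trust-anchor-file -> answers are not DNSSEC-validated
    # no qname-minimisation     -> every upstream sees the full name
    # no forward-zone           -> iterate from the root servers, clear UDP

# --- Hardened posture: same resolver, three targeted changes ------------
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow

    # Risk 1, poisoned/invalid data: validate signatures from the root
    # trust anchor (unbound-anchor creates and maintains this file).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes

    # Risk 3, tying full names to you at every authoritative server:
    # send each upstream only the labels it needs (RFC 7816).
    qname-minimisation: yes

    # Risk 2, observation/modification on the wire: when a forwarder
    # is used, reach it over DNS-over-TLS and verify its certificate
    # against the system CA bundle.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Latency concern from the question: refresh popular entries (and
    # DNSKEYs) before they expire so first-lookup cost moves to the
    # background.
    prefetch: yes
    prefetch-key: yes

    # Only for the TCP-over-proxy idea: force TCP upstream so a
    # TCP-only transport can carry the queries. Leave off otherwise.
    # tcp-upstream: yes

# Forwarder over TLS on port 853; "#name" makes Unbound check the
# certificate against that hostname. Replace with a resolver you have
# decided to trust (this is the "eggs in one basket" trade-off).
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dot.resolver.example   # placeholder
```

Dropping the `forward-zone` keeps root iteration (wider distribution of partial queries, no single trusted party) while the `server:` settings still give validation and QNAME minimisation; `unbound-checkconf` validates the file before reload.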