
I am confused about whether, if I decided to implement DNS over TLS (DoT), I would lose DNSSEC.

Details:

  • I am connected with IPv4 + IPv6 Cloudflare DNS directly in my home OpenWrt router.

  • I love the idea of safer DNS, even if, for home purposes, I originally thought DNSSEC might be enough.

  • But since every DNS request goes unencrypted, my ISP could eavesdrop on me, I believe.

  • That is why I'm thinking about implementing DNS over TLS (DoT), nothing more, nothing less.

  • Nowhere can I find the information about keeping / losing DNSSEC with DNS over TLS (DoT).

schroeder
LinuxSecurityFreak
  • You are replacing your trust in your ISP with trust in Cloudflare. They can see all your queries if you use their resolvers. – Mark Koek Feb 22 '21 at 09:39

2 Answers


Your question illustrates a wrong assumption. But before going further on that point, DoH/DoT secures the data in transit, while DNSSEC secures the data at rest. Both are orthogonal, and I would posit that a good provider offering multiple transports should be able to offer DNSSEC on all of them (or none), because it makes no difference on their side (the computations they have to do for DNSSEC validation do not depend on whether the original client asked the question over plain UDP/TCP, over HTTPS or over TLS).

Now back to what I think is a false assumption.

You are comparing:

  • using provider X to do DNS resolution on your behalf using "plain DNS"
  • using same provider but with DNS over TLS.

And you want the properties of DNSSEC. I am using "provider X" because the below is the same for any kind of provider.

The difference between the two cases is that with DNS over TLS you have the guarantee (if everything is configured properly both on your end and on your provider's end) that what you receive was not tampered with (nor listened to, in fact) by any actor on the network path between you and the provider. It does not add any guarantee at all about what happens at the provider, or about what happens when the provider itself queries other nameservers to do the full resolution on your behalf.

Which means, regarding DNSSEC, that in this setup you fully accept what the provider tells you. If it flips the flag saying "authenticated", you will believe that it did do the DNSSEC checks as needed and guarantees you that everything clicks.

But isn't that a big assumption? Do you trust your provider for that, in all cases? Does it use any filtering, or any "Negative Trust Anchors"? (Those are used to bypass DNSSEC configuration errors, but could just as well be used to bypass proper DNSSEC resolution, so unless they are solidly documented, and even better until someone does the equivalent of Certificate Transparency logs for DNSSEC, you really have no guarantee what happens.) Etc.

Said differently: if you are really serious about your DNS setup, you might want to bring another option to the table and study it (not saying it is a solution for all cases, just saying: please remember this option and judge it relative to the others). Which is: do the DNSSEC checks on YOUR side, not on the provider's side.

Any decent nameserver software can do it. Of course, this can still be thwarted by a rogue provider if it starts to strip off the root DNSKEY and things like that. But until then it may be better security for you than relying on any provider to do DNSSEC on your behalf.

PS: you are asking for links, but note that this Q&A site does not want to be just a list of links; you have search engines for that. The aim is to collect knowledge here, not under some links that can go stale at any point. Also, since you cater for only one specific provider in your question, did you do the first step of contacting it with your question?

Patrick Mevzek

DoT and DoH are both essentially just encrypted tunnels for traditional DNS.
These protocol variations do not make any inherent guarantees regarding DNSSEC behavior, and they also do not make any attempt at functionally replacing DNSSEC. So there is no general answer for DoT or DoH across the board.
As one technology does not replace the other in this case, you probably want both.

Now, if the DoT (or DoH) service provider promises that they do DNSSEC validation (in the case of 1.1.1.1 I'm pretty sure this is the case operationally, but I don't know that they have committed to this in any legal sense) and you actually trust them with this, you could just have the DNSSEC validation happening on their end of the DoT (or DoH) tunnel.
Otherwise (if they do not validate, or you just cannot trust that they will consistently validate), you need to validate on your end just like with plain DNS.
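Both answers arrive at the same recommendation: keep DoT as the transport to the provider, but do the DNSSEC validation on your own side instead of trusting the provider's "authenticated" flag. As an added example that is not part of either answer, the following is an Unbound configuration for an OpenWrt router that forwards every query to Cloudflare over DoT and validates DNSSEC locally. The trust-anchor and CA-bundle paths, and the Cloudflare addresses and TLS hostname, are assumptions to be checked against your OpenWrt unbound package and the provider's own documentation.

```conf
# Added example (not from the answers above): Unbound on an OpenWrt router,
# DoT to Cloudflare for transport, DNSSEC validation done locally.
server:
    interface: 127.0.0.1
    interface: ::1
    # Validate DNSSEC ourselves from the root trust anchor, kept up to
    # date via RFC 5011 rollover. Path is an assumption; the OpenWrt
    # unbound package may ship the key elsewhere.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Fail closed: a bogus signature yields SERVFAIL instead of being
    # silently passed through to the client.
    val-permissive-mode: no
    # If a reply for a trust-anchored zone arrives without its DNSSEC
    # records, treat it as bogus rather than as unsigned. This is what
    # turns "upstream stripped the DNSKEY/RRSIG" into a visible failure
    # instead of an unvalidated answer.
    harden-dnssec-stripped: yes
    # CA bundle used to authenticate the upstream resolver's certificate.
    # Path is an assumption; adjust to your distribution.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Send all forwarded queries over TLS (port 853) only.
    forward-tls-upstream: yes
    # Syntax is IP@port#authname: the #name makes Unbound verify the
    # server certificate against that hostname, so a DoT interceptor
    # with some other certificate is rejected. Addresses and name are
    # assumed from Cloudflare's public resolver docs; confirm them.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

To check the result from a LAN host, run `dig @<router-address> +dnssec example.com` and look at the flags line: an `ad` flag there now means the router itself walked the chain of trust from its own root anchor, not that Cloudflare said so, and a reply whose signatures were removed or forged upstream ends in SERVFAIL rather than in an accepted answer. Note that this setup changes who can forge answers, not who can see the questions: as Mark Koek's comment points out, the provider you forward to still sees every query.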