Monday, July 23, 2018

How to configure encrypted unbound DNS over TLS on CentOS Linux

https://www.dnsknowledge.com/unbound/configure-unbound-dns-over-tls-on-linux

Unbound is a free and open source BSD licensed caching DNS resolver. It also works with DNSSEC and in recursive mode. Coded in C programming language. It means it runs on Linux, Windows, *BSD and Unix-like operating system.

Why use encrypted unbound DNS over TLS on CentOS Linux?

DNS is an old protocol. It was not created with privacy in mind. Anyone can snoop your unencrypted DNS traffic even though connected to privacy and security enhanced HTTPS based web service.

How to see DNS queries sent around the internet in an unencrypted format

Open the terminal application on macOS or Linux based system or your router. Type the following command to capture traffic:
tcpdump -vv -x -X -s 1500 -i 'port 53'
tcpdump -vv -x -X -s 1500 -i br0 'port 53'
tcpdump -vv -x -X -s 1500 -i wifi0 'port 53'
tcpdump -vv -x -X -s 1500 -i eth1 'port 53'

Open another terminal session and type DNS queries:
host google.com 1.1.1.1
host dnsknowledge.com 8.8.8.8

Verify unsecure DNS over Internet in Linux
One can see all DNS queries/data with an unencrypted format (click to enlarge image)

From the above image, it is clear that unencrypted DNS leaks data to anyone who is monitoring your network or Internet connection. In most cases, your ISP will sell data to 3rd parties or they might build a profile about you.

How to install unbound in CentOS Linux 7

Type the following commands:
# yum install epel-release
# yum update
# yum install unbound

Resolving Dependencies
--> Running transaction check
---> Package unbound.x86_64 0:1.6.6-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package           Arch             Version                Repository      Size
================================================================================
Installing:
 unbound           x86_64           1.6.6-1.el7            base           673 k
Transaction Summary
================================================================================
Install  1 Package
Total download size: 673 k
Installed size: 2.4 M
Is this ok [y/d/N]: y

Turn on service

# systemctl enable unbound
Created symlink from /etc/systemd/system/multi-user.target.wants/unbound.service to /usr/lib/systemd/system/unbound.service.

Configure encrypted unbound DNS over TLS on CentOS Linux

Update /etc/unbound/unbound.conf
# vim /etc/unbound/unbound.conf
Make sure LAN is allowed to access this server:
#control which clients are allowed to make (recursive) queries
access-control: 127.0.0.1/32 allow_snoop
access-control: ::1 allow_snoop
access-control: 127.0.0.0/8 allow
access-control: 192.168.1.0/24 allow

Secure DNS over TLS in Unbound configuration on CentOS

#Adding DNS-Over-TLS support
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
## Cloudflare DNS
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
## Also add IBM IPv6 Quad9 over TLS
forward-addr: 9.9.9.9@853
forward-addr: 149.112.112.112@853
## IPv6  Cloudflare DNS over TLS
forward-addr: 2606:4700:4700::1111@853
forward-addr: 2606:4700:4700::1001@853

How do I verifying the certificates of the forwarders with this setup?

The following will only work with the latest version of unbound and not with the current version of unbound server shipped with the CentOS 7.x. Update config as follows:
#Adding DNS-Over-TLS support
server:
tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
forward-zone:
name: "."
forward-ssl-upstream: yes
## Cloudflare DNS
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
## Also add IBM IPv6 Quad9 over TLS
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
## IPv6  Cloudflare DNS over TLS
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

Start/restart the service

# systemctl restart unbound

Test it

host google.com your-server-ip-here
host google.com 192.168.1.254

Verify privacy and security settings with the tcpdump

tcpdump -vv -x -X -s 1500 -i 'port 853'
tcpdump -vv -x -X -s 1500 -i br0 'port 853'

After configure encrypted unbound DNS over TLS on CentOS Linux
All dns data encrypted (click to enlarge image)

Conclusion

This quick tutorial showed how encrypting your DNS traffic can help privacy protect your internet browsing. By using Unbound DNS cache server, you are able to allow CentOS Linux 7.x to take advantage of DNS-over-TLS to help encrypt web traffic. I strongly suggest that you use the following pages for more information about using Unbound as a DNS privacy server:
  1. Unbound home page/help page
  2. Verify TLS cert at nlnetlabs when usign DNS over TLS
  3. IBM quad9 home page
  4. Cloudflare DNS home page

No comments:

Post a Comment