For sake of privacy, we need randomization and encryption of my DNS requests:
- randomization: not a single server collects my requests. If you set up x (say x=10) DNS servers, only 1/x of your DNS requests will be intercepted if one of those servers get infiltrated.
- encryption: the DNS traffic to the upstream resolver is encrypted and cannot by intercepted or manipulated by someone in the middle (my ISP, my employer, etc). This can be done with DNS over HTTPS (DoH) (port 443) or DNS over TLS (DoT) (port 853).
coredns
randomization | Forward to DoH | Forward to DoT |
The idea is that a DNS-over-HTTPS proxy resolver connects to DNS-over-TLS upstream, based on coredns. Note that Coredns cannot forward with DNS-over-https.
Corefile
with multiple upstream servers:
https://.:8053 {
forward . tls://8.8.8.8 tls://1.1.1.1 tls://9.9.9.9
log
}
Randomization: Coredns can be configured with a forwarding policy which is by default random
(source). Privacy-aware randomization is discussed at https://github.com/coredns/coredns/issues/3656.
dnsproxy
randomization | Forward to DoH | Forward to DoT |
We use https://github.com/AdguardTeam/dnsproxy/. Its unique feature is to support forwarding to DNS-Over-HTTPS. Works on captive networks where DoT port 853 is blocked.
dnsproxy -l 127.0.0.1 -p 53 -u https://1.1.1.1/dns-query
dnsproxy -l 127.0.0.1 -p 53 -u https://1dot1dot1dot1.cloudflare-dns.com/dns-query -b 8.8.8.8:53
-b
is the bootstrap resolver
The selection strategies (incl. randomization) for upstream servers is discussed in https://github.com/AdguardTeam/dnsproxy/issues/249.
unbound
randomization | Forward to DoH | Forward to DoT |
(This example exposes DNS locally and connects to DNS-over-TLS upstream)
Install unbound, eg on Debian aptitude install unbound
Configure it through /etc/unbound/unbound.conf.d/forward.conf
.
server:
rrset-roundrobin: yes
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 8.8.8.8@853
forward-addr: 9.9.9.9@853
Randomization: some kind of randomization is implemented in unbound: “The fastest server (randomly picked within a so-called RTT band of 400 msec) is selected when a query has to be sent out” (source)
dns-over-https
randomization | Forward to DoH | Forward to DoT |
(This example exposes DNS-over-HTTPS locally and connects to DNS-over-TLS upstream)
Install doh-server
from dns-over-https.
Configure doh-server.conf
with multiple upstream servers:
upstream = [
"tcp-tls:1.1.1.1:853",
"tcp-tls:8.8.8.8:853",
"tcp-tls:9.9.9.9:853",
]
Randomization: By default dns-over-https
takes a random upstream server (source).
stubby
randomization | Forward to DoH | Forward to DoT |
(This example exposes DNS locally and connects to DNS-over-TLS upstream)
Install stubby, eg on Debian aptitude install stubby
Then activate several DNS servers in /etc/stubby/stubby.yml
.
- address_data: 1.1.1.1
tls_port: 853
tls_pubkey_pinset:
- digest: "sha256"
value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
You can also blend IPv4 and IPv6 addresses.
# Instructs stubby to distribute queries across all available name servers.
round_robin_upstreams: 1
Randomization: it is achieved with round-robin, so that the DNS request are spread over different servers. Note that this is not pure randomization, there is is featurte request for pure randomization on the stubby repository, see https://github.com/getdnsapi/stubby/issues/95.
nss-tls
randomization | Forward to DoH | Forward to DoT |
(This example plugs in to glibc and connects to DNS-over-TLS upstream)
Install nss-tls which is a plugin for GlibC. It supports randomization.
Randomization: nss-tls
has a unique randomization strategy: “it pseudo-randomly chooses one of the servers, for each name lookup, the choice of the server is consistent: if the same domain is resolved twice, nss-tlsd will use the same DoH server for both queries” This is good for privacy, since every upstream server only sees a portion of the user’s browsing history. This addresses Sara Dickinson’s concern on privacy
dnsmasq (only randomization)
randomization | Forward to DoH | Forward to DoT |
(This example exposes DNS locally and connects to unsecured DNS upstream)
With dnsmasq, one can use multiple forward name servers.
In /etc/resolv.conf
:
nameserver 127.0.0.1
In /etc/dnsmasq.conf
resolv-file /etc/resolv.dnsmasq
In /etc/resolv.dnsmasq
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 9.9.9.9
Randomization: The server is chosen not purely randomly, but it is indeed pseudo-randomly changed every 50 queries or 10 seconds have elapsed. This can be checked by logging queries (log-queries
).
systemd-resolved (only encryption, does not support dns-over-https)
randomization | Forward to DoH | Forward to DoT |
systemd-resolved is a systemd service, it provides support for DNS-over-TLS, with config in /etc/systemd/resolved.conf
(plus nameserver 127.0.0.53
in /etc/resolv.conf
)
[Resolve]
Domains=~
DNS=1.1.1.1
DNSOverTLS=yes
Cache=yes
Configure your resolver
Modify /etc/resolv.conf
so that it only contains: nameserver 127.0.0.1
If you have a laptop, note that your network manager may overwrite this configuration. This can be disabled, eg in NetworkManager
(/etc/NetworkManager/NetworkManager.conf
) with
[main]
dns=none
... # rest of the config
Captive portals
A downside of setting nameserver 127.0.0.1
in resolv.conf
is that it breaks registration on captive portals.
A solution for this is captive-browser.
Encrypted DNS Servers
For maximum privacy prefer servers owned by different organizations.
See also: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers
DNS-Over-TLS Servers:
# OpenDNS
208.67.222.222@853
# Cloudflare
1.1.1.1@853
# Google
8.8.8.8@853
# Quad9
9.9.9.9@853
# UncensoredDNS
89.233.43.71@853
DNS-Over-HTTPS Servers:
# surfnet/sinodun
145.100.185.15@443
# cmrg
199.58.81.218@443
# ldn
forward-addr: 80.67.188.188@443