Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-10 Thread Neal Becker
A nice article on dns security:

https://arstechnica.com/information-technology/2018/04/how-to-keep-your-isps-nose-out-of-your-browser-history-with-encrypted-dns/
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-10 Thread Martin Sehnoutka


On 04/09/2018 10:54 AM, Matthias Runge wrote:
> On Mon, Apr 09, 2018 at 10:01:21AM +0200, Martin Sehnoutka wrote:
>>> Restarted Firefox and then also the whole laptop. Doesn't work. But
>>> then I'm in Fedora 28 so it may be a bug. Anyway, getting this to work
>>> for me isn't really the point of the thread. I'm wondering about
>>> something that works out of the box for everyone, what that looks
>>> like, and it seems like dnscrypt-proxy 2 can support either DNSSEC or
>>> DNS-over-HTTP.
>>
>> I've been playing with dnssec-trigger for a while and I would not enable
>> it by default. If you have a single connection with ISP provided
>> resolvers or public DNS, it is fine, but it gets harder to configure
>> when you have multiple connections like Wi-Fi and corporate or
>> university VPNs where each provides some forward zones and needs reverse
>> zones for correct behavior.
> 
> Same here, I'm curious if anyone has been able to get it working
> properly? In best case, has someone written about it?
> 
> I'm fiddling around with adding/removing unbound forwards depending on
> connected networks here and there, but it's still quite hacky.
> 
> Matthias
> 

I am thinking about writing some article on this topic. The hacky thing
with adding/removing forwards should be done by the script automatically, but it
does not work 100% of the time, unfortunately ...

-- 
Martin Sehnoutka | Associate Software Engineer
PGP: 5FD64AF5
UTC+1 (CET)
RED HAT | TRIED. TESTED. TRUSTED.


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-09 Thread Chuck Anderson
On Mon, Apr 09, 2018 at 10:54:10AM +0200, Matthias Runge wrote:
> On Mon, Apr 09, 2018 at 10:01:21AM +0200, Martin Sehnoutka wrote:
> > > Restarted Firefox and then also the whole laptop. Doesn't work. But
> > > then I'm in Fedora 28 so it may be a bug. Anyway, getting this to work
> > > for me isn't really the point of the thread. I'm wondering about
> > > something that works out of the box for everyone, what that looks
> > > like, and it seems like dnscrypt-proxy 2 can support either DNSSEC or
> > > DNS-over-HTTP.
> > 
> > I've been playing with dnssec-trigger for a while and I would not enable
> > it by default. If you have a single connection with ISP provided
> > resolvers or public DNS, it is fine, but it gets harder to configure
> > when you have multiple connections like Wi-Fi and corporate or
> > university VPNs where each provides some forward zones and needs reverse
> > zones for correct behavior.
> 
> Same here, I'm curious if anyone has been able to get it working
> properly? In best case, has someone written about it?

It works fine for me on multiple desktops 99% of the time.  The bug with the 
latest update was the first time in a long time that I've had issues.

With laptops, you are more likely to run into issues, but even there I keep it 
enabled most of the time, knowing that I can disable it if I run into an issue.


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-09 Thread Tom Hughes

On 09/04/18 09:54, Matthias Runge wrote:

> On Mon, Apr 09, 2018 at 10:01:21AM +0200, Martin Sehnoutka wrote:
>>> Restarted Firefox and then also the whole laptop. Doesn't work. But
>>> then I'm in Fedora 28 so it may be a bug. Anyway, getting this to work
>>> for me isn't really the point of the thread. I'm wondering about
>>> something that works out of the box for everyone, what that looks
>>> like, and it seems like dnscrypt-proxy 2 can support either DNSSEC or
>>> DNS-over-HTTP.
>>
>> I've been playing with dnssec-trigger for a while and I would not enable
>> it by default. If you have a single connection with ISP provided
>> resolvers or public DNS, it is fine, but it gets harder to configure
>> when you have multiple connections like Wi-Fi and corporate or
>> university VPNs where each provides some forward zones and needs reverse
>> zones for correct behavior.
>
> Same here, I'm curious if anyone has been able to get it working
> properly? In best case, has someone written about it?
>
> I'm fiddling around with adding/removing unbound forwards depending on
> connected networks here and there, but it's still quite hacky.


DNSSEC is basically a complete disaster area.

Even on a well configured fixed network I sometimes have trouble
with it, and on my laptop it's hopeless - as soon as I connect to a
network away from home it's almost guaranteed to fail. I wind
up just turning on permissive mode in unbound, though even that
doesn't always seem to work now.

Even just dynamically configuring forwards in unbound based
on VPN connections seems to be getting harder - recent versions
of unbound seem to be something of a disaster.

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-09 Thread Matthias Runge
On Mon, Apr 09, 2018 at 10:01:21AM +0200, Martin Sehnoutka wrote:
> > Restarted Firefox and then also the whole laptop. Doesn't work. But
> > then I'm in Fedora 28 so it may be a bug. Anyway, getting this to work
> > for me isn't really the point of the thread. I'm wondering about
> > something that works out of the box for everyone, what that looks
> > like, and it seems like dnscrypt-proxy 2 can support either DNSSEC or
> > DNS-over-HTTP.
> 
> I've been playing with dnssec-trigger for a while and I would not enable
> it by default. If you have a single connection with ISP provided
> resolvers or public DNS, it is fine, but it gets harder to configure
> when you have multiple connections like Wi-Fi and corporate or
> university VPNs where each provides some forward zones and needs reverse
> zones for correct behavior.

Same here, I'm curious if anyone has been able to get it working
properly? In best case, has someone written about it?

I'm fiddling around with adding/removing unbound forwards depending on
connected networks here and there, but it's still quite hacky.

Matthias
-- 
Matthias Runge 


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-09 Thread Martin Sehnoutka


On 04/09/2018 02:07 AM, Chris Murphy wrote:
> On Sun, Apr 8, 2018 at 4:59 PM, Dominik 'Rathann' Mierzejewski
>  wrote:
>> On Monday, 09 April 2018 at 00:52, Chris Murphy wrote:
>> [...]
>>> [chris@f28h ~]$ dnssec-trigger-control status
>>> at 2018-04-08 16:46:45
>>> cache 75.75.76.76: OK
>>> cache 75.75.75.75: OK
>>> cache 2001:558:feed::1: OK
>>> cache 2001:558:feed::2: OK
>>> state: cache secure
>>
>> This looks good, similar to mine.
>>
>>> But no pages load.
>>>
>>> Hmm. We’re having trouble finding that site.
>>> We can’t connect to the server at www.
>>
>> What can I say... this works for me (Fedora 27). Maybe try restarting
>> Firefox?
> 
> Restarted Firefox and then also the whole laptop. Doesn't work. But
> then I'm in Fedora 28 so it may be a bug. Anyway, getting this to work
> for me isn't really the point of the thread. I'm wondering about
> something that works out of the box for everyone, what that looks
> like, and it seems like dnscrypt-proxy 2 can support either DNSSEC or
> DNS-over-HTTP.

I've been playing with dnssec-trigger for a while and I would not enable
it by default. If you have a single connection with ISP provided
resolvers or public DNS, it is fine, but it gets harder to configure
when you have multiple connections like Wi-Fi and corporate or
university VPNs where each provides some forward zones and needs reverse
zones for correct behavior.


-- 
Martin Sehnoutka | Associate Software Engineer
PGP: 5FD64AF5
UTC+1 (CET)
RED HAT | TRIED. TESTED. TRUSTED.


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Chuck Anderson
On Sun, Apr 08, 2018 at 04:41:34PM -0600, Chris Murphy wrote:
> On Sun, Apr 8, 2018 at 3:52 PM,   wrote:
> >
> > There was also
> > https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver which was
> > proposed for F22, but deferred twice and eventually dropped.
> 
> I followed the multistep instructions there, and this also breaks everything.
> 
> Apr 08 16:38:21 f28h.local unbound[5065]: [5065:0] error: .: failed
> lookup, cannot transfer from master k.root-servers.net

That looks like this bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1560223


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Chris Murphy
On Sun, Apr 8, 2018 at 4:59 PM, Dominik 'Rathann' Mierzejewski
 wrote:
> On Monday, 09 April 2018 at 00:52, Chris Murphy wrote:
> [...]
>> [chris@f28h ~]$ dnssec-trigger-control status
>> at 2018-04-08 16:46:45
>> cache 75.75.76.76: OK
>> cache 75.75.75.75: OK
>> cache 2001:558:feed::1: OK
>> cache 2001:558:feed::2: OK
>> state: cache secure
>
> This looks good, similar to mine.
>
>> But no pages load.
>>
>> Hmm. We’re having trouble finding that site.
>> We can’t connect to the server at www.
>
> What can I say... this works for me (Fedora 27). Maybe try restarting
> Firefox?

Restarted Firefox and then also the whole laptop. Doesn't work. But
then I'm in Fedora 28 so it may be a bug. Anyway, getting this to work
for me isn't really the point of the thread. I'm wondering about
something that works out of the box for everyone, what that looks
like, and it seems like dnscrypt-proxy 2 can support either DNSSEC or
DNS-over-HTTP.


-- 
Chris Murphy


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Dominik 'Rathann' Mierzejewski
On Monday, 09 April 2018 at 00:52, Chris Murphy wrote:
[...]
> [chris@f28h ~]$ dnssec-trigger-control status
> at 2018-04-08 16:46:45
> cache 75.75.76.76: OK
> cache 75.75.75.75: OK
> cache 2001:558:feed::1: OK
> cache 2001:558:feed::2: OK
> state: cache secure

This looks good, similar to mine.

> But no pages load.
> 
> Hmm. We’re having trouble finding that site.
> We can’t connect to the server at www.

What can I say... this works for me (Fedora 27). Maybe try restarting
Firefox?

Regards,
Dominik
-- 
Fedora   https://getfedora.org  |  RPMFusion   http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Chris Murphy
On Sun, Apr 8, 2018 at 4:38 PM, Dominik 'Rathann' Mierzejewski
 wrote:
> On Monday, 09 April 2018 at 00:33, Chris Murphy wrote:
>> On Sun, Apr 8, 2018 at 4:25 PM, Chris Murphy  wrote:
>> > On Sun, Apr 8, 2018 at 4:07 PM, Dominik 'Rathann' Mierzejewski
>> >  wrote:
>> >> On Sunday, 08 April 2018 at 23:52, mcatanz...@gnome.org wrote:
>> >>>
>> >>> There was also
>> >>> https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver which 
>> >>> was
>> >>> proposed for F22, but deferred twice and eventually dropped.
>> >>
>> >> Guys, I've had this enabled since forever with unbound as the local
>> >> resolver being used out-of-the-box. Make sure you have dnssec-trigger
>> >> installed:
>> >> dnf install dnssec-trigger-panel
>> >
>> >
>> > OK but can you call it out of the box if you have to install
>> > dnssec-trigger-panel?
>
> Frankly, I don't remember. I haven't installed Fedora recently.
>
>> OK so I did that, and it broke Firefox. It fails to resolve anything.
>> Reboot, same deal. 'dnf remove dnssec-trigger-panel' and now it's all
>> working again. So, I dunno what that did but it doesn't work for me.
>
> Well, maybe your DHCP-provided DNS server is broken and doesn't support
> DNSSEC. Try reprobing:
> dnssec-trigger-control reprobe
> and check with:
> dnssec-trigger-control status
>

Well, Comcast claims they support DNSSEC in 2012 on their blog. I have
no idea if they still do.

[chris@f28h ~]$ dnssec-trigger-control reprobe
Apr 08 16:46:44 f28h.local dnssec-triggerd[5651]: ok
Apr 08 16:46:45 f28h.local dnssec-triggerd[5651]: ok

[chris@f28h ~]$ dnssec-trigger-control status
at 2018-04-08 16:46:45
cache 75.75.76.76: OK
cache 75.75.75.75: OK
cache 2001:558:feed::1: OK
cache 2001:558:feed::2: OK
state: cache secure

But no pages load.

Hmm. We’re having trouble finding that site.
We can’t connect to the server at www.

-- 
Chris Murphy


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Chris Murphy
On Sun, Apr 8, 2018 at 3:52 PM,   wrote:
>
> There was also
> https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver which was
> proposed for F22, but deferred twice and eventually dropped.

I followed the multistep instructions there, and this also breaks everything.

Apr 08 16:38:21 f28h.local unbound[5065]: [5065:0] error: .: failed
lookup, cannot transfer from master k.root-servers.net


-- 
Chris Murphy


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Dominik 'Rathann' Mierzejewski
On Monday, 09 April 2018 at 00:33, Chris Murphy wrote:
> On Sun, Apr 8, 2018 at 4:25 PM, Chris Murphy  wrote:
> > On Sun, Apr 8, 2018 at 4:07 PM, Dominik 'Rathann' Mierzejewski
> >  wrote:
> >> On Sunday, 08 April 2018 at 23:52, mcatanz...@gnome.org wrote:
> >>>
> >>> There was also
> >>> https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver which 
> >>> was
> >>> proposed for F22, but deferred twice and eventually dropped.
> >>
> >> Guys, I've had this enabled since forever with unbound as the local
> >> resolver being used out-of-the-box. Make sure you have dnssec-trigger
> >> installed:
> >> dnf install dnssec-trigger-panel
> >
> >
> > OK but can you call it out of the box if you have to install
> > dnssec-trigger-panel?

Frankly, I don't remember. I haven't installed Fedora recently.

> OK so I did that, and it broke Firefox. It fails to resolve anything.
> Reboot, same deal. 'dnf remove dnssec-trigger-panel' and now it's all
> working again. So, I dunno what that did but it doesn't work for me.

Well, maybe your DHCP-provided DNS server is broken and doesn't support
DNSSEC. Try reprobing:
dnssec-trigger-control reprobe
and check with:
dnssec-trigger-control status

Regards,
Dominik
-- 
Fedora   https://getfedora.org  |  RPMFusion   http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Chris Murphy
On Sun, Apr 8, 2018 at 4:25 PM, Chris Murphy  wrote:
> On Sun, Apr 8, 2018 at 4:07 PM, Dominik 'Rathann' Mierzejewski
>  wrote:
>> On Sunday, 08 April 2018 at 23:52, mcatanz...@gnome.org wrote:
>>>
>>> There was also
>>> https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver which was
>>> proposed for F22, but deferred twice and eventually dropped.
>>
>> Guys, I've had this enabled since forever with unbound as the local
>> resolver being used out-of-the-box. Make sure you have dnssec-trigger
>> installed:
>> dnf install dnssec-trigger-panel
>
>
> OK but can you call it out of the box if you have to install
> dnssec-trigger-panel?
>

OK so I did that, and it broke Firefox. It fails to resolve anything.
Reboot, same deal. 'dnf remove dnssec-trigger-panel' and now it's all
working again. So, I dunno what that did but it doesn't work for me.



-- 
Chris Murphy


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Chris Murphy
On Sun, Apr 8, 2018 at 4:07 PM, Dominik 'Rathann' Mierzejewski
 wrote:
> On Sunday, 08 April 2018 at 23:52, mcatanz...@gnome.org wrote:
>>
>> There was also
>> https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver which was
>> proposed for F22, but deferred twice and eventually dropped.
>
> Guys, I've had this enabled since forever with unbound as the local
> resolver being used out-of-the-box. Make sure you have dnssec-trigger
> installed:
> dnf install dnssec-trigger-panel


OK but can you call it out of the box if you have to install
dnssec-trigger-panel?

-- 
Chris Murphy


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Dominik 'Rathann' Mierzejewski
On Sunday, 08 April 2018 at 23:52, mcatanz...@gnome.org wrote:
> 
> There was also
> https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver which was
> proposed for F22, but deferred twice and eventually dropped.

Guys, I've had this enabled since forever with unbound as the local
resolver being used out-of-the-box. Make sure you have dnssec-trigger
installed:
dnf install dnssec-trigger-panel

Regards,
Dominik
-- 
Fedora   https://getfedora.org  |  RPMFusion   http://rpmfusion.org
There should be a science of discontent. People need hard times and
oppression to develop psychic muscles.
-- from "Collected Sayings of Muad'Dib" by the Princess Irulan


Re: DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread mcatanzaro


There was also 
https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver which 
was proposed for F22, but deferred twice and eventually dropped.


DNSSEC, DoH, dnscrypt-proxy 1 vs 2

2018-04-08 Thread Chris Murphy
Hi,

I've been doing some digging around to figure out how to enhance DNS
security and privacy, and it's really a rabbit hole. Fedora 28, not any
different near as I can tell from Windows 10 or macOS 10.13, is simply
deferring to DHCP-assigned DNS, which for my POS ISP is hardwired to
their DNS servers and can't be changed.

Then I ran into this ancient feature from Fedora 17:
https://fedoraproject.org/wiki/Features/DNSSEC_on_workstations

Did that feature actually ship? Did it get undone soon thereafter? I
don't remember ever having secure DNS of any type out of the box.

A little more digging around and found some lightweight DoH clients
that could be run locally, but then the best performer was
dnscrypt-proxy 2 so I did a dnf search...

dnscrypt-proxy looks like it's gone stale but is what's in the
official repo, and the package URL points to a dead end web page with
no function.
https://koji.fedoraproject.org/koji/packageinfo?packageID=22504

This looks like the current version of dnscrypt-proxy 2
https://copr.fedorainfracloud.org/coprs/eclipseo/dnscrypt-proxy/

The UI for this right now is icky. First, for wireless, DNS is a
per-connection setting and I can't make it the default for all connections
or future settings, at least not through the GUI. Second, it's not
secure, it's just ordinary DNS.

Anyway, I'm wondering if it's practical now or in the near future for
Fedora to offer an alternative to deferring to ISP DNS? But then
also what that would look like? And then what it would or could look
like among the editions: I could see Cockpit and GNOME/NetworkManager
UIs having some default, with a list of common alternative providers:
Google, quad9, Cloudflare's new thing, OpenDNS, etc., and let people make
their own choice.



-- 
Chris Murphy