DNS poisoned by upstream

Postby elcore » 5. Mar 2017, 19:21

I suspect that ISP's been redirecting several external DNS servers to somewhere else for quite some time now.
First thing I did was check DNS records through several different proxies and found that 8.8.8.8 lies about assigned IP address of certain hosts.
For example, 8.8.8.8 returns an address that doesn't exist in the DNS records for the remote host; it clearly points to another host which appears to be hosted in the area.

In the past, all my systems behind a router used to resolve all hosts properly like this:

SRC<----->8.8.8.8:53<----->DST
.\______________________________\


But apparently, this is what upstream does right now:

SRC<------->\<-DROP->8.8.8.8:53
........................\
...........................DNAT 1.2.3.4.5:53 <-----> DST_CACHE <-----> DST
..............................\_____________________________\


This is unacceptable to me because the contract with the ISP clearly says "internet access" and NOT "internal cache access".

Anyway, it's possible to bypass this NAT through a tunnel, like this:

\------------------------------------------------------------------------------------------------------\
..\------- DNSMASQ <----- SSL_TUNNEL -----> PROXY <-----> 8.8.8.8:53 <-----> DST
....\
SRC\<-DROP->\8.8.8.8:53


Since the MAP from the ISP is not exactly open to the public I can only assume what it looks like, but I figure they aren't going to drop SSL packets anytime soon.
One could say the remote proxy cache is just as insecure as the ISP cache, but personally I don't care one bit as long as the resolvers don't lie about DNS records.
I see when the resolver is poisoned because I sometimes drop outgoing packets to an entire country for testing purposes.

It crossed my mind to suggest that Cisco's dnscrypt be included in the distribution as the default resolver, to address this issue.
elcore
 
Posts: 37
Joined: 4. Jul 2014, 05:07
Location: EU
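An added example (not code from this thread) of the cross-resolver check elcore describes in the post above: send the same A query to several resolvers as raw UDP DNS packets using only the Python standard library, then flag any resolver whose answers share no address with the others. The resolvers other than 8.8.8.8, the fixed transaction id and the sample packet bytes are assumptions constructed for the example.

```python
import socket
import struct

TXID = 0x1234  # constructed fixed transaction id, enough for a one-shot check

def build_query(name):
    """Standard recursive A query (RD=1) for `name`."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Offset just past a domain name, handling 0xC0 compression pointers."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2          # a pointer is two bytes and ends the name
        off += msg[off] + 1
    return off + 1

def parse_a_records(msg):
    """Set of IPv4 addresses in the answer section of a DNS response."""
    txid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != TXID:
        raise ValueError("transaction id mismatch (reply not for our query)")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                   # skip QTYPE, QCLASS
    addrs = set()
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                   # A record
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                                    # CNAME etc. are skipped
    return addrs

def query(resolver, name, timeout=3.0):
    """Ask resolver:53 over UDP and return its A records for `name`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return parse_a_records(s.recvfrom(4096)[0])

def find_disagreement(answers):
    """answers: {resolver: set of addrs}. A resolver whose answers share no
    address with any other resolver's is returned as suspect."""
    if len(answers) < 2:
        return []
    return sorted(r for r, a in answers.items()
                  if not any(a & b for o, b in answers.items() if o != r))
```

Run it as `find_disagreement({r: query(r, "example.com") for r in ("8.8.8.8", "8.8.4.4", "1.1.1.1")})`; geo-aware DNS can cause benign disagreement, so confirm against the zone's authoritative servers before concluding a reply was rewritten.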

Re: DNS poisoned by upstream

Postby gapan » 6. Mar 2017, 08:26

How is this a suggestion?
gapan
Salix Wizard
 
Posts: 5252
Joined: 6. Jun 2009, 17:40

Re: DNS poisoned by upstream

Postby elcore » 6. Mar 2017, 17:09

Well I could have just asked you to add a dnscrypt setup by default, and then you would've asked why.
It's just my reason for suggesting a more secure way to handle DNS resolvers. I've already tested the thing.
elcore
 
Posts: 37
Joined: 4. Jul 2014, 05:07
Location: EU

Re: DNS poisoned by upstream

Postby maximus » 7. Mar 2017, 18:01

elcore wrote: It's just my reason for suggesting a more secure way to handle DNS resolvers. I've already tested the thing.


Thanks for your post. If you have a chance, can you describe the steps you took? I'm guessing it's just a matter of installing and configuring dnscrypt-proxy? Thanks in advance!
maximus
 
Posts: 141
Joined: 2. Sep 2009, 01:41

Re: DNS poisoned by upstream

Postby elcore » 8. Mar 2017, 19:01

Not sure there are any additional steps to note, it's basically just dns traffic over https with local cache.
Previously I have achieved something similar with the plain iptables target REDIRECT, but the daemon is better because it's using strong crypto.
It's well documented, you will find all you need in man dnsmasq and man dnscrypt-proxy. Could also use BIND but I skipped it.
elcore
 
Posts: 37
Joined: 4. Jul 2014, 05:07
Location: EU
