DNSSEC on resolver side

Comments

25 comments

  • mattwilson9090

    Even if OpenDNS fully supported DNSSEC it wouldn't really matter since so few domains are configured for DNSSEC.

    You are wrong about one thing. If DNSCurve is implemented on the authoritative DNS server it would both authenticate and encrypt the DNS packets, whereas DNSSEC only authenticates packets. The problem is, unless the authoritative server implements DNSSEC and/or DNSCurve it won't matter what OpenDNS does since the authentication needs to begin at the authoritative server.

    It's a bit of a dated post http://blog.opendns.com/2010/02/23/opendns-dnscurve/ but here they discuss what they are implementing and why. Basically they are saying that DNSSEC traffic and demand is so low that they won't implement it until that increases. And it will really only improve when more domains implement DNSSEC on their authoritative server. I wish they would implement it, but frankly, if they did I wouldn't notice it.

  • aryas

    Yes, DNSCurve does authenticate and encrypt DNS traffic from and to authoritative NS. Except DNSSEC is steadily being adopted by various authoritative name servers and almost all major root servers, whereas the same can't be said for DNSCurve (let's save the reasoning for another discussion), so I'll just assume hypothetically that DNSCurve wouldn't be widely deployed by authoritative NS.

    While you're right that most of us won't notice a DNSSEC implementation, for a service with security as a focus I imagine it's more than relevant and sensible for OpenDNS to implement DNSSEC early. Some other large resolver already does.

  • mattwilson9090

    Every single authoritative and recursive DNS service in the world, including OpenDNS, could support DNSSEC but it still wouldn't make much of a difference because the actual certificates and other settings that have to be implemented for any particular domain to work with DNSSEC have to come from the entity that has registered that domain. Of course it would be possible for the domain registrars or DNS authoritative hosts to offer that as part of the standard package or an option, but it's still something that basically needs to be initiated by the domain owner.

    The same thing is what has been happening with the root servers. It's less a matter of software and settings, as it is a matter of getting certificates and properly signing things. I can't remember how many of the root servers are finally signed, but last year was a huge step in that direction.

    I have no idea how widespread DNSCurve is with the various authoritative or recursive DNS servers out there. Right now it can complement DNSSEC, but it's possible that in time one will completely take over and the other die off. It's as much a matter of politics and money as it is technology.

    I have no idea who that other large resolver is, or what capabilities they offer aside from recursive DNS, but it would be as irrelevant and unnoticeable for them to offer as it would be for OpenDNS to, just because so few domains are actually signed for DNSSEC. I'd like to see them add the capability but there are a number of features that should probably be a higher priority for now.
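    The "certificates and other settings" that must come from the registrant are, in DNSSEC terms, a DNSKEY RRset published in the zone and a DS record submitted to the parent zone (usually through the registrar); a validating resolver links the two by key tag and digest, which is why the chain cannot start anywhere but at the zone owner. The following is an added example written for this page, not OpenDNS code or any project's code. It uses only the Python standard library; the 4-byte key and the example.com owner name are placeholders constructed for illustration, not any real zone's key material.

```python
"""Link a child zone's DNSKEY to the DS record held by the parent.

Added example (standard library only), not OpenDNS or any project's code.
Key tag per RFC 4034 Appendix B, DS digest per RFC 4034 section 5 / RFC 4509
(SHA-256). The 4-byte key and the example.com owner name are constructed
placeholders, not a real zone's key material.
"""
import base64
import hashlib
import struct


def encode_name(name: str) -> bytes:
    """Owner name in canonical (lower-case, uncompressed) wire form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(16) protocol(8) algorithm(8) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey_line(line: str):
    """'example.com. 3600 IN DNSKEY 257 3 8 <base64>' (dig output) -> (owner, rdata)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], dnskey_rdata(flags, proto, alg, pubkey)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B; algorithm 1 (RSA/MD5) uses another formula, not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(encode_name(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """(key_tag, algorithm, digest_type, digest): what the registrant hands to the registrar."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches_dnskey(owner: str, ds, rdata: bytes) -> bool:
    """The check a validator performs before trusting the child's DNSKEY."""
    tag, alg, dtype, digest = ds
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100:        # ZONE flag must be set (256 = ZSK, 257 = KSK)
        return False
    return (tag == key_tag(rdata)
            and alg == rdata[3]
            and digest.upper() == ds_digest(owner, rdata, dtype))


# Constructed placeholder: a real RSA/ECDSA key is far longer.
KSK_RDATA = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")   # 257 = ZONE|SEP, alg 8 = RSASHA256
EXAMPLE_DS = make_ds("example.com.", KSK_RDATA)


def demo() -> dict:
    """Good link, tampered key and wrong owner name side by side."""
    tampered = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")
    return {
        "ds": EXAMPLE_DS,
        "good": ds_matches_dnskey("example.com.", EXAMPLE_DS, KSK_RDATA),
        "tampered": ds_matches_dnskey("example.com.", EXAMPLE_DS, tampered),
        "wrong_owner": ds_matches_dnskey("example.net.", EXAMPLE_DS, KSK_RDATA),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

    To apply this to a real zone, feed a line from `dig DNSKEY example.com` to parse_dnskey_line() and compare make_ds() against `dig DS example.com`; a mismatch (key rolled without updating the DS at the registrar, or a tampered DNSKEY) is exactly the broken chain a validating resolver answers with SERVFAIL.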

  • gtaxl

    "it wouldn't really matter since so few domains are configured for DNSSEC" Hate to bump a thread but that's changed now as of 2016 where a BIG DNS/Web Proxy provider (CloudFlare) allows you to enable DNSSEC for your domain with the click of a button basically. I have all my domains DNSSEC protected.

  • aande

    Just adding another voice for DNSSEC implementation. And thank you for already doing DNSCrypt.

  • mattwilson9090

    @aande Unless you voted for this idea at the top of the page your voice will not be heard.

  • pe0mot

    Please implement DNSSEC!

    Do not discuss ("our idea is better"), but just do it. We have changed back to Google DNS as you do not support it.

    http://conn.internet.nl/connection/ for your test if it works fine!
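    A direct way to test the resolver side, as an added example for this thread (not OpenDNS code or part of any post above): set the DO bit in the query's EDNS0 OPT record and inspect the AD bit of the reply. It uses only the Python standard library. The sample responses at the bottom are constructed header bytes, not captures from any real resolver; the query() function needs network access and is only used when the script is run with a resolver address and a name.

```python
"""Check a resolver's DNSSEC behaviour from the client side.

Added example (standard library only), not OpenDNS code. The client asks for
DNSSEC by setting the DO bit in an EDNS0 OPT record; a validating resolver
answers with the AD (Authentic Data) header bit set for a verified chain and
with SERVFAIL for a zone whose chain is broken.
"""
import socket
import struct
import sys

RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, do: bool = True) -> bytes:
    """Recursive query for (name, qtype); with do=True adds an OPT RR carrying the DO bit."""
    flags = 0x0100  # RD (recursion desired); CD deliberately left clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if not do:
        return header + question
    # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS = UDP payload size,
    # TTL field = ext-rcode(8) | version(8) | DO(1) | Z(15); DO is 0x8000.
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_flags(response: bytes) -> dict:
    """Decode the header bits a DNSSEC check depends on."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),  # resolver validated the answer
        "cd": bool(flags & 0x0010),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def classify(response: bytes) -> str:
    """'validated' (AD set), 'servfail' (chain bogus/broken) or 'unvalidated'."""
    f = parse_flags(response)
    if f["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    return "validated" if f["ad"] else "unvalidated"


def query(name: str, resolver: str, qtype: int = 1, timeout: float = 3.0) -> bytes:
    """Send the query over UDP; needs network, so the offline samples below never call it."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return data


# Constructed 12-byte headers (not captured from any real resolver):
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD, NOERROR
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)  # QR RD RA, NOERROR
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)     # QR RD RA, SERVFAIL

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} RESOLVER_IP NAME")
    print(classify(query(sys.argv[2], sys.argv[1])))
```

    Run it against a zone that is deliberately broken, such as dnssec-failed.org (Comcast's public test zone): a validating resolver returns SERVFAIL, a non-validating one hands back the record with AD clear. Two caveats: AD is only trustworthy when the path to the resolver is itself authenticated (which is what DNSCrypt, DoT or DoH provide; on plain UDP an on-path attacker can set the bit), and a query with CD (checking disabled, 0x0010) asks the resolver to skip validation, so leave CD clear when testing.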


  • haravikk2 (edited)

    +1 from me.

    OpenDNS' stance on this so far has been strange; it's a classic circular problem if one of the largest resolvers refuses to support DNSSEC because not enough people support it, when by failing to support it they're diminishing support for the feature!

    These days most (all?) major authoritative servers support it, so the missing link really is the resolvers like OpenDNS, so I think it's about time for them to stop dragging their heels.

    It's strange given that they've supported DNSCrypt for a long time, yet despite acknowledging that DNSCrypt and DNSSEC solve different problems, DNSSEC support remains non-existent, unless I've missed it somewhere.

    Also; please ignore that my display name seems to be insisting on coming up as "opendns", I've tried changing it but it seems to be taking its sweet time.

  • mattwilson9090

    You're right, DNSSEC support remains non-existent. Very few domain owners have signed their domains for DNSSEC, especially the "big" domains from government or the private sector. It doesn't help that DNSSEC is still essentially evolving, and though it's still generally understood there are portions that are still being nailed down. It's not at all easy to do, especially with the increased data size required for a protocol that has already been very lean and fast.

    It seems to be a chicken and egg problem, and I think most people always find something that is of higher priority.

    I do wish OpenDNS would support DNSSEC, but frankly, I put a higher priority on fully supporting IPv6 than I do DNSSEC.

    BTW, unless you actually voted for this at the top of the page, your +1 is meaningless. OpenDNS management does not count "+1's" as a metric, the only metric they really pay attention to are the votes, and 22 votes for an idea that's just a little over 3 years old isn't very much.

  • pe0mot

    Listening to customers is a difficult task Matt. Your answers are not customer centric but seem to come from other priorities.

    Looking at the numbers does not say anything as security is only really understood by a few. These few are influencing big customers, so it can be wise to listen to them.

  • mattwilson9090

    I am not an OpenDNS employee. I am an OpenDNS user just like everyone else on this forum. As such my response is very customer centric since it comes from my own knowledge, experience, and priorities. I am well aware of what security is and understand it quite well.

    Like I said, although it would be good to see DNSSEC supported by OpenDNS I would much rather see IPv6 fully supported, especially since DNSSEC is still in flux and so domain owners have acquired the certs that are necessary to make it of use.

  • locketine

    Has anything changed in regards to this topic in the past 14 months? My 7 y/o router finally got support for DNS-over-TLS and DNSSEC, so I'd like to fully secure my dns queries if possible.

  • pe0mot

    Nothing changed, no IPv6, no DNSSEC. For this reason I moved to Quad9 and my own unbound Pi-hole server.

  • rotblitz

    Instead of DNSSEC or DoH you could have used DNSCrypt. And OpenDNS supports IPv6, of course. The resolver addresses are 2620:119:35::35 and 2620:119:53::53, but these do not use individual dashboard settings yet, only the OpenDNS defaults.


  • haravikk2 (edited)

    > Instead of DNSSEC or DoH you could have used DNSCrypt.

    I think you may be confusing some terms here; DNSCrypt is not equivalent to DNSSEC, they solve two different problems, DNSCrypt is about securing the connection to a DNS resolver, and verifying the resolver itself, while DNSSEC is about giving web hosts the ability to secure and verify the DNS records themselves.

    Put another way, you can trust a DNS resolver is who you wanted using DNSCrypt, but still get bad DNS records from them, as ultimately all a resolver does is deliver records from some authoritative source that could be compromised. DNSSEC provides the ability to verify that records are genuine.

    You're right that DoH (DNS over HTTPS) is equivalent, however this is mainly because newer DNSCrypt clients will actually use DoH if it's available 😏

  • rotblitz (edited)

    I agree with everything, but just another comment on:

    "DNSSEC is about giving web hosts the ability to secure and verify the DNS records themselves."

    Sounds great and is correct, but unfortunately applies to less than 20% of DNS zones only.
    https://www.internetsociety.org/deploy360/dnssec/statistics/

    Would you suggest to query only these DNSSEC supported domains?  What is with the rest?

    See also https://umbrella.cisco.com/blog/2010/02/23/opendns-dnscurve/ from 9 years ago.  It's still valid.

  • haravikk2

    > Would you suggest to query only these DNSSEC supported domains?

    No, but that's not really the point; while 20% may not seem a lot, at least that's 20% we can be reasonably certain are now secure; as more places support DNSSEC, more zones and sites can enable it.

    OpenDNS have tried in the past to use the low adoption as an excuse not to implement it, but that's a kind of self fulfilling prophecy, because by implementing it they would help to increase adoption.

  • locketine

    @rotblitz Neither my router nor my devices support DNSCrypt. I see OpenDNS provides a DNSCrypt client for Windows, but what about Android, iOS, AsusWRT (router), Roku, my many IoT devices, etc.? That's just not a feasible solution in my opinion. The router needs to support whatever the DNS security mechanism is in order for it to be useful. And preferably support it out of the box, since most people won't install custom software for DNS querying.

    I can use DNSSEC and DoH now for my entire network thanks to my router supporting them, and the Quad9 DNS service from IBM provides those features as an upstream DNS resolver. If AsusWRT was closer to DD-WRT, then I would have had DNSCrypt support for a while now. Apparently I can install it on my router, but why go through that trouble when the better solution is already provided?

  • rotblitz

    @haravikk2  -  Good point!  That may hold true.


    @locketine 

    OpenDNS supports the server side of DNSCrypt (and DNSCurve). They do not supply clients.
    You find the client (and also server) implementations here: https://dnscrypt.info/implementations

  • locketine

    @rotblitz OpenDNS does in fact supply clients, this is their repo for the windows client: https://github.com/opendns/dnscrypt-win-client

    The iOS and Android clients require rooting, so they're not for mainstream consumption. I stand by all my earlier statements, but I appreciate you providing a link for people to find the clients if they really really want to keep using OpenDNS.

  • rotblitz (edited)

    "OpenDNS does in fact supply clients"

    You are correct, this is what they did, 7 years ago, version 0.0.6, a very early pre-version. But now we have 2019. This leftover should be deleted from GitHub, really. It has just historical value. I'm not even sure if it still runs on Windows 10.

    "The iOS and Android clients require rooting"

    DNSCloak for iOS does not require jail-breaking, I run it without probs on my iPhone.  If it would require jail-breaking, it would not be offered on the Apple app store.

    And there are also Android apps supporting DNSCrypt without rooting the device, as can be easily found on Google Play:
    https://play.google.com/store/apps/details?id=com.okirat.dnsmanager
    https://play.google.com/store/apps/details?id=org.sandroproxy.drony

    So what?  Please do not publish fake news!

  • locketine

    @rotblitz If you read the reviews on the DNS Manager app you'll notice that it requires root. I'm not reporting fake news, but you do seem to have more time to find apps that work. Which gets back to my original point. How can OpenDNS expect to keep users when their users have to spend so much time looking for the right combination of apps to install on some of their devices to get a semi secure DNS solution?

    The only reason I'm still using OpenDNS at all is because I can block social media access with it.

  • rotblitz

    What is the percentage of users caring about secure DNS solutions above standard DNS?  More than 0.001%?  Do you even consider any company in the world caring about this handful people as customers?

    The reality is: more than 90% of people use their ISP's DNS without even questioning how secure and reliable this is or what DNS is after all. (So they do not really knowingly use DNS but simply take what is configured by default.) Some other percentage use an alternative DNS service like Google Public DNS, Level-3, CloudFlare, or whatever, because they found that their ISP's DNS service is lousy in respect of performance. Some 2% use OpenDNS, mostly because of the content filtering feature (of which you are an example), not because of security. The rest looks (also) after security features, like you, me and a handful of other persons. :)

  • locketine (edited)

    Yes, in reality, most people will use their ISP's DNS server. Thankfully, Comcast, the largest US ISP, has implemented DNSSEC. They probably implemented it due to demand from their business customers who would be rightfully worried about leaking customer and corporate data. End users care about data security too, but very few understand how it's achieved, so we end up having very little influence on specific security measures like DNSSEC adoption. All we can effectively demand is "more security", at least until knowledge spreads about the importance of DNSSEC in protecting our private data.

    Based on this conversation, I think OpenDNS will only implement DNSSEC if they receive pressure from their business clients, or Cisco's clients.


  • sundoginteractive

    Here's a little company in the world that cares about it

    https://help.salesforce.com/articleView?id=000274941&language=en_US&type=1

