DNS security

You are currently reading a thread in /g/ - Technology

Thread replies: 32
Thread images: 4
Who DNSSEC[1][2] here? Why do you use it? What do you use it for? Have you considered TLSA (DANE[3]), SSHFP[4], OPENPGPKEY[5] RRs yet? Discuss.

Perhaps you also use DNSCrypt[6] for encryption of your queries? Or maybe you like to encrypt everything and you're running DNSCurve[7]?

Newbies section:
>DNSSEC uses asymmetric cryptography to securely sign all RRsets on all authoritative name servers that have DNSSEC enabled. This thwarts tampering and spoofing of identity by attackers.

>If you're thinking about registering your own domain, check if they offer DNSSEC. Some registrars automatically sign your zone, which means you most likely can already add your TLSA RRs and such. Other registrars offer to upload your DS RR, or your KSK/ZSK's public key instead. That's also nice if you wish to host your authoritative name server yourself.

There's also an interesting new IETF draft, SMTP STS[8]. This leverages DANE to securely connect to MTAs when encryption is to be expected by strictly adhering to the TLSA RRs. This as opposed to the weak default opportunistic encrypted connections MTAs usually establish between each other, which is easier to downgrade, and vulnerable to man-in-the-middle attacks.

[1] https://tools.ietf.org/html/rfc4033
[2] http://www.dnssec.net/
[3] https://tools.ietf.org/html/rfc6698
[4] https://tools.ietf.org/html/rfc4255
[5] https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-08
[6] https://www.dnscrypt.org/
[7] https://dnscurve.org/
[8] https://tools.ietf.org/html/draft-margolis-smtp-sts-00
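As an added illustration of the DS RR the newbie section refers to (this is not code from the thread or from any of the linked projects): the Python below computes the RFC 4034 Appendix B key tag and a SHA-256 DS record from a DNSKEY in presentation format, which is the value a registrar asks for when you host the authoritative name server yourself. The sample DNSKEY for example.org is constructed, and its key bytes are a placeholder rather than a real P-256 public point.

```python
import base64
import hashlib
import struct

# Constructed sample KSK for example.org.: flags 257 (ZONE + SEP), protocol 3,
# algorithm 13 (ECDSAP256SHA256). The 64 key bytes are a placeholder, NOT a real
# P-256 point; they only make the arithmetic reproducible.
SAMPLE_PUBKEY_B64 = base64.b64encode(b"\x01" * 64).decode("ascii")
SAMPLE_DNSKEY = f"example.org. IN DNSKEY 257 3 13 {SAMPLE_PUBKEY_B64}"


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    owner = owner.rstrip(".").lower()
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in owner.split(".") if lbl)
    return wire + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 is not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> tuple:
    """Return (owner, rdata, algorithm) from a presentation-format DNSKEY line."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split across spaces
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + pubkey, algorithm


def ds_record(dnskey_line: str) -> str:
    """DS RR with digest type 2 (SHA-256) as RFC 4034 section 5.1.4 defines it."""
    owner, rdata, algorithm = parse_dnskey(dnskey_line)
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0001:  # SEP bit: the DS you upload must match the KSK, not a ZSK
        raise ValueError("DS records are published for the KSK (flags 257)")
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

Compare the output against what `dnssec-dsfromkey` (BIND) or your registrar's panel shows for a real KSK before publishing it at the parent.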
>>
tell us about it
>>
RED BAR RADIO IS THE BEST
>>
>>53912880
I saved one of your old threads to read later, OP.

What are the downsides of DNSSEC on home/large organizations?
>>
>>53912956
There aren't so many downsides to this system, especially considering the advantages and increased security it offers. DNSSEC mainly has a learning curve that most people don't bother with or care for.

I would suggest that all organisations roll out DNSSEC for their domains, given that they've hired competent DNS administrators who know what they're doing and understand the technology.

Another anon here has problems with the hierarchical trust model, like X.509 offers (simplification: the usual certificate system that gives you the green locks in your browser). Namecoin uses a fully distributed trust model that relies on a blockchain all the peers have access to (like bitcoin), but it's still in development and hasn't really caught on yet.

I'd go with DNSSEC (with DANE) because of its increased security which blocks a lot of attacks.
>>
Seems like my thread. New to the game and wondering how do I set up a DNS server? Do I need to dedicate the hardware? So would I need to run it in a VirtualBox? Can someone help me out?
>>
Here are some very basic, newbie friendly, introductory DNSSEC videos:
https://www.youtube.com/watch?v=lTABuMxO2AM
https://www.youtube.com/watch?v=qlto6GfZEvA

Technical presentation by LACNIC on DANE (and some X.509):
https://www.youtube.com/watch?v=BhvU19RJrPY
>>
>>53913205
If you want to set up your own authoritative name server, you could start playing with this locally in a VM, sure. You can always register a real domain later, and then use your authoritative name server to serve your registered domain.
>>
File: gun.png (9 KB, 671x277)
>>53913255
I want to register a domain but it's asking for server name and IP.
>>
>>53913334
There you could provide your registrar with the authoritative name servers you wish to use to serve your domain.

For example:
ns1.yourdomain.org -> 1.2.3.4
ns2.yourdomain.org -> 1.2.3.5

DNS requires you to have at least 2 authoritative name servers, but if you only have one, just have both name servers point to the same IP address (1.2.3.4, for example).

If you do this from home, provide them with your public IP address, and open port 53 (TCP and UDP) on your router/modem, which you should configure to forward all traffic to your internal authoritative name server.
>>
>>53913391
I've not been this lost on what to do in a while.
>>
>>53913491
I'm sorry, I get that a lot...
>>
>>53913493
Really?

Is there a better way to learn how to set up a server? Because I think I asked a question that I should know if I knew the basics.
>>
>>53913525
So, let's take a step back. What have you done thus far, and what do you want to do?

It seems you already registered a domain, but now you should tell it where to find your authoritative name server(s). Did you already install one?
>>
>>53913547
I haven't installed one. Is that stuff like Apache? I'm downloading WampServer currently.
>>
>>53913585
Apache is a web server, not a DNS server, mate. Bother with your own website later and choose a DNS server first.
>>
I played with it for a while but found it only exists in two states:

- Something is broken and no one can access your site
- It's working, and no client checks it and it was a waste of time

I'm pretty excited about Certificate Transparency though. https://crt.sh is worth checking out.
>>
File: image.png (84 KB, 259x259)
I do my home setup the babymode way:

DNSCrypt to a DNS server that supports DNSCrypt and DNSSEC and doesn't log me.
>>
>>53913593
OK, so how do I choose a DNS server? Basically my situation is I wrote the HTML and CSS (not that it's much) and all I wanted to do was host it, but I'm at a loss on how to do it.
>>
>>53912880
>DNSSEC
Still staying away from it until they can make it easier to understand.

If a system is literally more complicated than the immensely bloated and obfuscated X.509, I don't see their adoption improving.
>>
>>53913661
>>53913593
>ok, so how do I choose a dns server?
This should get you started https://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
>Basically my situation is I wrote the HTML and CSS (not that it's much) and all I wanted to do was host it, but I'm at a loss on how to do it.
Then make sure you covered DNS first. If you want people to visit your site, they first have to resolve your domain name before they connect to your web server.

Are you sure you want to host DNS yourself? For you it's probably easier to use your registrar for this and let them deal with it. Then just create an A record pointing to your web server.
>>
>>53913662
DNSSEC has a learning curve, but if you're not willing to put some effort into it, don't blame it on DNSSEC. It's not much harder than X.509.
>>
File: gunn.png (11 KB, 697x275)
>>53913708
So I would just put in my IP here? Is that what you mean by using theirs?
>>
>>53913739
Yes, exactly. Then just install your web server and open port 80/TCP (and 443/TCP if you want to use TLS).

Once you've managed to do that, do your own little victory dance, get a cup of coffee, and consider hosting your own DNS server if you want to learn more.
>>
>>53913770
thanks, victory dance will ensue
>>
>>53913622
It takes very little effort to set up DNSSEC, but it takes some more effort to actually know what it is you're doing. And clients didn't bother with DNSSEC validation maybe 5 years ago. Clients nowadays do opportunistic DNSSEC validation.

>crt.sh
So what is this exactly? For just looking up and validating X.509 certificates we've got DANE.
>>
Which server are you using?
https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
>>
>>53914242
You could also use your own.
>>
>>53915998
don't bump...

just let the thread die
>>
>>53916435
Bump you.
>>
On a related note, OpenNIC used to be a very good DNSSEC source. However, recently they seem to be having lots of failures and servers dropping out of their lists. This is getting suspicious; any idea about what is happening?

List here: http://servers.opennicproject.org/
>>
>>53917255
Don't know. Maybe consider signing up or browsing through their mailing lists? https://lists.opennicproject.org/