Changing DNS service to provide more security

CULater
Posts: 1209
Joined: Sun Nov 13, 2016 10:59 am

Changing DNS service to provide more security

Post by CULater » Wed Jun 13, 2018 3:52 pm

Recent article recommends changing your computer's DNS service from the default provided by your ISP to Google, Cloudfare, or Quad9, which you can do through system settings. Easy enough to do. But I have a question. Shouldn't you really be changing the DNS service used by your modem/router? The modem is what connects you to the internet. Or is changing it on your computer sufficient?
Last edited by CULater on Wed Jun 13, 2018 3:55 pm, edited 1 time in total.
May you have the hindsight to know where you've been, The foresight to know where you're going, And the insight to know when you've gone too far. ~ Irish Blessing

renue74
Posts: 1118
Joined: Tue Apr 07, 2015 7:24 pm

Re: Changing DNS service to provide more security

Post by renue74 » Wed Jun 13, 2018 3:54 pm

Change the DNS on your router and that will work for all computers in your network.

jalbert
Posts: 3423
Joined: Fri Apr 10, 2015 12:29 am

Re: Changing DNS service to provide more security

Post by jalbert » Wed Jun 13, 2018 4:09 pm

Whether it increases or decreases security is a complex question to answer.
Index fund investor since 1987.

Pancakes-Eggs-Bacon
Posts: 105
Joined: Wed May 02, 2018 6:17 am

Re: Changing DNS service to provide more security

Post by Pancakes-Eggs-Bacon » Wed Jun 13, 2018 5:18 pm

Agreed that it's a complex answer. We should probably differentiate between security and privacy, too. For example, Google's public DNS (8.8.8.8 and 8.8.4.4) provides decent security (and now supports DNSSEC) but likely mediocre privacy, since Google likely wants to use that information for advertising and analytics.

I'd say changing on the router is easier and more bang for the buck, since all DHCP clients on your network will inherit those settings unless they are manually changed (either by you the person or by malware). Plus, I like having internal DNS so if you have servers or NAS on your home network, you can refer to them by their hostname. If you change the DNS on your individual computers/devices to something public and external, you typically lose all ability to resolve internal hosts within your home.

tl;dr, change DNS settings on your router, and have all internal devices forward DNS queries to the router. Best of both worlds: The router will know if a request is internal to your house vs. external to the public Internet and will either resolve internally or forward the request to the public DNS resolver.
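
An added example, not code from any post in this thread, of the forwarding logic Pancakes-Eggs-Bacon describes: a minimal split-horizon resolver in Python's standard library that answers names under an assumed local zone (home.lan, with made-up hosts) itself and forwards every other query verbatim to a public resolver (Quad9's 9.9.9.9 is assumed; any resolver named in the thread would do). A home router normally gets this behaviour from dnsmasq or unbound; the script shows what those do for you. It speaks UDP only, holds A records only, and does no DNSSEC validation.

```python
"""Split-horizon DNS forwarder: answer the local zone itself, forward the rest.
Stdlib only, UDP only, A records only. Illustrative, not a production resolver."""
import socket
import struct

# Assumed values: a private zone with two made-up hosts, and an arbitrary public upstream.
LOCAL_SUFFIX = "home.lan"
LOCAL_ZONE = {"nas.home.lan": "192.168.1.10", "printer.home.lan": "192.168.1.20"}
UPSTREAM = ("9.9.9.9", 53)


def _read_name(pkt, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                      # resume after the pointer, not its target
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels).lower(), (off if end is None else end)


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """A standard recursive query (RD=1), as a stub resolver would send it."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(pkt):
    """Return (txid, lower-cased qname, qtype, raw question section)."""
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = _read_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, name, qtype, pkt[12:off + 4]


def build_response(txid, question, rcode=0, ip=None, flags=0x8580):
    """One-question response; default flags QR|AA|RD|RA. Appends an A record when ip is given."""
    hdr = struct.pack("!HHHHHH", txid, flags | rcode, 1, 1 if ip else 0, 0, 0)
    rr = b"" if ip is None else b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return hdr + question + rr


def build_local_answer(txid, question, name, qtype):
    ip = LOCAL_ZONE.get(name)
    if ip is None:                                 # inside our zone but unknown: NXDOMAIN
        return build_response(txid, question, rcode=3)
    if qtype != 1:                                 # we only hold A records: NODATA
        return build_response(txid, question)
    return build_response(txid, question, ip=ip)


def forward_udp(pkt):
    """Send the client's packet unchanged to the upstream resolver and return its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2)
        s.sendto(pkt, UPSTREAM)
        return s.recv(4096)


def handle(pkt, forward=forward_udp):
    """Route one query: names under LOCAL_SUFFIX are answered here, everything else upstream."""
    txid, name, qtype, question = parse_question(pkt)
    if name == LOCAL_SUFFIX or name.endswith("." + LOCAL_SUFFIX):
        return build_local_answer(txid, question, name, qtype)
    return forward(pkt)                            # verbatim, so txid and question still match the client's


def summarize(resp):
    """(rcode, [A-record IPs]) of a response; enough to check what a client would see."""
    _txid, flags, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(resp, off)
        off += 4
    ips = []
    for _ in range(ancount):
        _, off = _read_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0xF, ips


if __name__ == "__main__":
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 5353))                  # try: dig -p 5353 @127.0.0.1 nas.home.lan
    while True:
        data, peer = srv.recvfrom(512)
        srv.sendto(handle(data), peer)
```

`handle()` takes the forwarder as a parameter so the routing decision can be exercised without a network; in real use the router's resolver also handles retries, TCP fallback and EDNS, none of which this sketch does.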

CULater
Posts: 1209
Joined: Sun Nov 13, 2016 10:59 am

Re: Changing DNS service to provide more security

Post by CULater » Wed Jun 13, 2018 5:32 pm

Pancakes-Eggs-Bacon wrote:
Wed Jun 13, 2018 5:18 pm
Agreed that it's a complex answer. We should probably differentiate between security and privacy, too. For example, Google's public DNS (8.8.8.8 and 8.8.4.4) provides decent security (and now supports DNSSEC) but likely mediocre privacy, since Google likely wants to use that information for advertising and analytics.

I'd say changing on the router is easier and more bang for the buck, since all DHCP clients on your network will inherit those settings unless they are manually changed (either by you the person or by malware). Plus, I like having internal DNS so if you have servers or NAS on your home network, you can refer to them by their hostname. If you change the DNS on your individual computers/devices to something public and external, you typically lose all ability to resolve internal hosts within your home.

tl;dr, change DNS settings on your router, and have all internal devices forward DNS queries to the router. Best of both worlds: The router will know if a request is internal to your house vs. external to the public Internet and will either resolve internally or forward the request to the public DNS resolver.
The other devices on the network are an Obi 200 VOIP device and my smartphone when it is connected to WiFi. Not sure if the Obi is affected, but guess my smartphone would be when I have a WiFi connection, right?
May you have the hindsight to know where you've been, The foresight to know where you're going, And the insight to know when you've gone too far. ~ Irish Blessing

Pancakes-Eggs-Bacon
Posts: 105
Joined: Wed May 02, 2018 6:17 am

Re: Changing DNS service to provide more security

Post by Pancakes-Eggs-Bacon » Wed Jun 13, 2018 6:11 pm

CULater wrote:
Wed Jun 13, 2018 5:32 pm
The other devices on the network are an Obi 200 VOIP device and my smartphone when it is connected to WiFi. Not sure if the Obi is affected, but guess my smartphone would be when I have a WiFi connection, right?
Yeah, if you change the DNS on your router, your computer, Obi 200, and smartphone should still defer to your router for all DNS decision making.
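
An added example, not from any post in this thread, of checking from one client that it really is deferring to the router, which is what Pancakes-Eggs-Bacon expects and exactly the condition that a manual change or malware would break. It parses resolv.conf-style text (Linux/BSD; macOS and Windows keep resolver settings elsewhere) and rates each nameserver entry. The router address 192.168.1.1, the approved public resolver list and the three sample configs are assumed or constructed; 203.0.113.7 is a documentation address standing in for an attacker's resolver.

```python
"""Audit a client's resolver list against the expectation that it points at the router."""
import ipaddress

ROUTER = ipaddress.ip_address("192.168.1.1")           # assumed LAN gateway
APPROVED_PUBLIC = {ipaddress.ip_address(a) for a in (
    "1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9", "149.112.112.112")}
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]   # RFC 1918 + IPv6 ULA


def parse_nameservers(resolv_text):
    """nameserver entries from resolv.conf-style text, with # and ; comments stripped."""
    servers = []
    for raw in resolv_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def audit(resolv_text, router=ROUTER, approved=APPROVED_PUBLIC):
    """Return (severity, message) findings; an empty list means every resolver is the router
    or a local stub, i.e. the device inherits whatever the router forwards to."""
    findings = []
    servers = parse_nameservers(resolv_text)
    if not servers:
        findings.append(("medium", "no nameserver entry: the libc resolver will try 127.0.0.1 instead"))
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            findings.append(("high", f"{s!r} is not an IP address"))
            continue
        if ip == router or ip.is_loopback:
            continue       # the router, or a local stub such as systemd-resolved's 127.0.0.53
        if ip in approved:
            findings.append(("info", f"{ip} is a public resolver set on this device; the router is bypassed"))
        elif any(ip in net for net in LAN_RANGES):
            findings.append(("medium", f"{ip} is a LAN address but not the router"))
        else:
            findings.append(("high", f"{ip} is an unknown public resolver; check for DNS hijacking"))
    return findings


# Constructed samples (not captured from a real machine).
CLIENT_OK = "# generated by DHCP (constructed)\nnameserver 192.168.1.1\nsearch home.lan\n"
CLIENT_HIJACKED = "nameserver 192.168.1.1\nnameserver 203.0.113.7\n"   # second entry added by something else
CLIENT_OVERRIDE = "nameserver 1.1.1.1\nnameserver 1.0.0.1\n"            # user pointed the device at Cloudflare

if __name__ == "__main__":
    with open("/etc/resolv.conf") as f:
        report = audit(f.read()) or [("ok", "every resolver on this device is the router")]
    for severity, msg in report:
        print(f"[{severity}] {msg}")
```

The "info" finding is the case the thread debates: a public resolver set on the device itself works, but it bypasses the router's internal names and any filtering the router does.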

jalbert
Posts: 3423
Joined: Fri Apr 10, 2015 12:29 am

Re: Changing DNS service to provide more security

Post by jalbert » Wed Jun 13, 2018 8:11 pm

Agreed that it's a complex answer. We should probably differentiate between security and privacy, too. For example, Google's public DNS (8.8.8.8 and 8.8.4.4) provides decent security (and now supports DNSSEC) but likely mediocre privacy, since Google likely wants to use that information for advertising and analytics.
If your ISP does not support DNSSEC, then using a 3rd party site that supports DNSSEC would offer you the benefit of having the IP addresses you get back be signed by the DNS server, a benefit. But you still need to be able to get a public key for the DNS site from a certificate authority you trust, and if you can do that, you can get a public key for the site to which you ultimately are trying to connect.

Your traffic still has to go through ISP facilities. Introducing a 3rd party site thus increases the attack surface, a detriment. If the ISP is compromised, would malware there be able to stage a man-in-the-middle attack on the DNS lookup anyway? Are you then taking on the combined vulnerabilities of both the ISP and the DNS service?

It is not easy to compare those two tradeoffs.
Index fund investor since 1987.

Pancakes-Eggs-Bacon
Posts: 105
Joined: Wed May 02, 2018 6:17 am

Re: Changing DNS service to provide more security

Post by Pancakes-Eggs-Bacon » Wed Jun 13, 2018 8:46 pm

jalbert wrote:
Wed Jun 13, 2018 8:11 pm
Agreed that it's a complex answer. We should probably differentiate between security and privacy, too. For example, Google's public DNS (8.8.8.8 and 8.8.4.4) provides decent security (and now supports DNSSEC) but likely mediocre privacy, since Google likely wants to use that information for advertising and analytics.
If your ISP does not support DNSSEC, then using a 3rd party site that supports DNSSEC would offer you the benefit of having the IP addresses you get back be signed by the DNS server, a benefit. But you still need to be able to get a public key for the DNS site from a certificate authority you trust, and if you can do that, you can get a public key for the site to which you ultimately are trying to connect.

Your traffic still has to go through ISP facilities. Introducing a 3rd party site thus increases the attack surface, a detriment. If the ISP is compromised, would malware there be able to stage a man-in-the-middle attack on the DNS lookup anyway? Are you then taking on the combined vulnerabilities of both the ISP and the DNS service?

It is not easy to compare those two tradeoffs.
This probably depends on if the consumer router inside someone's home even validates the DNSSEC response. If it does, then a compromised ISP probably wouldn't reduce the security since the compromised ISP still wouldn't be able to impersonate the website's authoritative DNS server (with DNSSEC private keys). I doubt most consumer routers understand DNSSEC responses so there wouldn't be a way to tell if the traffic had been compromised anywhere in the middle.

I'm not sure how much consumer-grade equipment could really add security to DNS at this point, at least until it's overhauled and DNS-over-TLS becomes the norm, or something like that.

There may be some privacy gains by switching to a 3rd party DNS resolver, assuming the ISP doesn't log DNS queries that pass through it anyways, haha, which it totally could. *shrug*

I personally am doing my own resolving using my own pfSense router, and sending all traffic, including said DNS queries, through a VPN. So my ISP doesn't see diddly squat!
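
An added example, not from any post in this thread, of the check Pancakes-Eggs-Bacon says most people have no way to make: whether the resolver a device actually uses validates DNSSEC. Two dig queries settle it. A correctly signed name (example.com) must come back NOERROR with the ad (authenticated data) flag, and the deliberately mis-signed test zone dnssec-failed.org must come back SERVFAIL; a non-validating forwarder, which is what most consumer routers are, shows no ad flag and happily resolves the broken zone. The dig outputs in the block are constructed header excerpts in dig's format, and the default router address 192.168.1.1 is an assumption.

```python
"""Classify a resolver as DNSSEC-validating or not from two dig header blocks."""
import re
import subprocess

# Constructed sample output (header lines only), modelled on dig's format.
# Validating resolver: signed answer carries "ad", the broken test zone fails.
VALIDATING_SIGNED = """\
; <<>> DiG 9.18.1 <<>> +dnssec @9.9.9.9 example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41872
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
VALIDATING_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9311
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Non-validating forwarder: no "ad", and the mis-signed zone resolves as if nothing were wrong.
PLAIN_SIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
PLAIN_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2202
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def dig_header(output):
    """Return (status, set of header flags) parsed from dig output."""
    m_status, m_flags = STATUS_RE.search(output), FLAGS_RE.search(output)
    if not m_status or not m_flags:
        raise ValueError("no dig header found in output")
    return m_status.group(1), set(m_flags.group(1).split())


def classify_resolver(signed_output, bogus_output):
    """'validating', 'not validating', or 'inconsistent' when the two probes disagree
    (e.g. ad set on the good name but the bogus zone still resolves: do not trust it)."""
    s_status, s_flags = dig_header(signed_output)
    b_status, _ = dig_header(bogus_output)
    validated_good = s_status == "NOERROR" and "ad" in s_flags
    rejected_bogus = b_status == "SERVFAIL"
    if validated_good and rejected_bogus:
        return "validating"
    if not validated_good and not rejected_bogus:
        return "not validating"
    return "inconsistent"


def run_dig(resolver, name, dnssec=False):
    """Live probe (needs network and dig from the BIND utilities)."""
    cmd = ["dig", f"@{resolver}", name, "A"] + (["+dnssec"] if dnssec else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # assumed router address
    verdict = classify_resolver(run_dig(resolver, "example.com", dnssec=True),
                                run_dig(resolver, "dnssec-failed.org"))
    print(f"{resolver} is {verdict}")
```

One caveat that bears on jalbert's compromised-ISP scenario: the ad flag is set by the resolver and travels to you in plain UDP, so it is only as trustworthy as the path between the two. Anyone on that path can forge a reply with ad set. The flag proves something only when the transport is protected (DNS over TLS or HTTPS to the resolver) or when validation happens on your side of the ISP, for instance with unbound on the router.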

jalbert
Posts: 3423
Joined: Fri Apr 10, 2015 12:29 am

Re: Changing DNS service to provide more security

Post by jalbert » Wed Jun 13, 2018 11:03 pm

This probably depends on if the consumer router inside someone's home even validates the DNSSEC response. If it does, then a compromised ISP probably wouldn't reduce the security since the compromised ISP still wouldn't be able to impersonate the website's authoritative DNS server (with DNSSEC private keys).
If the ISP is compromised it might send you rogue certificates so you think a DNS translation is signed by the DNSSEC-enabled site, but it really is signed by the malware that compromised the ISP.

I’m not sure using a 3rd party DNS protects against the ISP being compromised, which is the risk of using the ISP’s DNS servers. It might be a net reduction of risk overall.

Routing all traffic through a VPN tunnel to a trusted VPN server would address the issue of a compromised ISP but it kicks the can down the road to the VPN service.
Index fund investor since 1987.

lazydavid
Posts: 1658
Joined: Wed Apr 06, 2016 1:37 pm

Re: Changing DNS service to provide more security

Post by lazydavid » Thu Jun 14, 2018 5:13 am

jalbert wrote:
Wed Jun 13, 2018 11:03 pm
If the ISP is compromised it might send you rogue certificates so you think a DNS translation is signed by the DNSSEC-enabled site, but it really is signed by the malware that compromised the ISP.
That's not how certificate authentication works. Neither your ISP nor a bad actor pretending to be your ISP can "send you rogue certificates" and force your computer to trust them. If you manually add one to your trust store, that's your own damn fault. In order to do what you're suggesting, the bad actor would have to compromise a certificate authority or own your machine. If they can do either of those things, it's game over, no matter what you use for DNS.

AntsOnTheMarch
Posts: 610
Joined: Mon May 29, 2017 5:47 pm

Re: Changing DNS service to provide more security

Post by AntsOnTheMarch » Thu Jun 14, 2018 5:53 am

Pancakes-Eggs-Bacon wrote:
Wed Jun 13, 2018 6:11 pm
CULater wrote:
Wed Jun 13, 2018 5:32 pm
The other devices on the network are an Obi 200 VOIP device and my smartphone when it is connected to WiFi. Not sure if the Obi is affected, but guess my smartphone would be when I have a WiFi connection, right?
Yeah, if you change the DNS on your router, your computer, Obi 200, and smartphone should still defer to your router for all DNS decision making.
I changed it on my router but also on mobile devices for when I’m out and use other WiFi.

jalbert
Posts: 3423
Joined: Fri Apr 10, 2015 12:29 am

Re: Changing DNS service to provide more security

Post by jalbert » Thu Jun 14, 2018 4:52 pm

That's not how certificate authentication works. Neither your ISP nor a bad actor pretending to be your ISP can "send you rogue certificates" and force your computer to trust them.
If one of your trusted certificate authorities is your ISP that is compromised, it is certainly possible.

Have you ever looked at the default trusted certificate authorities in a browser installation? When I last installed Firefox there were certificate authorities in the trusted list all over the world including in countries where the govt may have collaborated with security firms to compromise security in systems around the world.

You would normally only get certificates from a certificate authority in a country in which lives a site to which you were trying to make an SSL connection. But a compromised ISP could send you a certificate signed by an authority half way around the world for a local request. Browsers have heuristics to identify certificates you may not want to trust, but there are no guarantees.

I’m not saying this is likely to happen, but just my main point is that decoupling DNS from your ISP may address weaknesses in the ISP’s DNS service, but also increases the attack surface for a DNS request, a trade-off.
Index fund investor since 1987.

JoeRetire
Posts: 1337
Joined: Tue Jan 16, 2018 2:44 pm

Re: Changing DNS service to provide more security

Post by JoeRetire » Thu Jun 14, 2018 5:44 pm

CULater wrote:
Wed Jun 13, 2018 3:52 pm
Recent article recommends changing your computer's DNS service from the default provided by your ISP to Google, Cloudfare, or Quad9, which you can do through system settings. Easy enough to do. But I have a question. Shouldn't you really be changing the DNS service used by your modem/router? The modem is what connects you to the internet. Or is changing it on your computer sufficient?
If you only ever have one computer on your modem/router then it wouldn't matter. As others have pointed out, making the change at the modem/router level affects all devices that connect to it.

BTW, it's "Cloudflare". (The article's author who worked for Quad9 got it wrong for some reason. Go figure.)

Gray
Posts: 613
Joined: Sat Apr 16, 2011 5:33 am

Re: Changing DNS service to provide more security

Post by Gray » Thu Jun 14, 2018 7:37 pm

I’ve been using OpenDNS for years. It’s a great layer of security, and a filtering option if you have kids.

Cisco bought the company and is now marketing some additional cheap/free security-related services.

Opendns.com

lazydavid
Posts: 1658
Joined: Wed Apr 06, 2016 1:37 pm

Re: Changing DNS service to provide more security

Post by lazydavid » Thu Jun 14, 2018 9:30 pm

jalbert wrote:
Thu Jun 14, 2018 4:52 pm
That's not how certificate authentication works. Neither your ISP nor a bad actor pretending to be your ISP can "send you rogue certificates" and force your computer to trust them.
If one of your trusted certificate authorities is your ISP that is compromised, it is certainly possible.
Hence my next sentence that you omitted from the quote. :)
lazydavid wrote: If you manually add one to your trust store, that's your own damn fault.
jalbert wrote:
Thu Jun 14, 2018 4:52 pm
Have you ever looked at the default trusted certificate authorities in a browser installation? When I last installed Firefox there were certificate authorities in the trusted list all over the world including in countries where the govt may have collaborated with security firms to compromise security in systems around the world.
Yep, but it's been a while so I just looked now. Of the 55 in my store, 5 I've added myself (corporate stuff), and another half-dozen are from companies I don't immediately recognize. The rest are from the major US CAs.
jalbert wrote:
Thu Jun 14, 2018 4:52 pm
You would normally only get certificates from a certificate authority in a country in which lives a site to which you were trying to make an SSL connection. But a compromised ISP could send you a certificate signed by an authority half way around the world for a local request. Browsers have heuristics to identify certificates you may not want to trust, but there are no guarantees.
Also covered this in my post:
lazydavid wrote: the bad actor would have to compromise a certificate authority or own your machine. If they can do either of those things, it's game over
jalbert wrote:
Thu Jun 14, 2018 4:52 pm
I’m not saying this is likely to happen, but just my main point is that decoupling DNS from your ISP may address weaknesses in the ISP’s DNS service, but also increases the attack surface for a DNS request, a trade-off.
I don't disagree. But now you're talking about an extremely sophisticated attack, bordering on state-sponsored. If those folks are after an average joe, they're going to get him/her regardless of what precautions they take.
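
An added example, not from any post in this thread, for the trust-store inspection lazydavid and jalbert are doing by hand: inventory the root CAs the system's OpenSSL-backed TLS stack trusts, grouped by issuer country, and list the ones outside a set of countries you would expect to see. It reads the operating-system store Python uses, not Firefox's own NSS store, so the count will differ from what a browser shows; the sample certificate dicts (same shape as ssl returns, invented contents) and the expected-country set are constructed.

```python
"""Inventory the trusted root CAs and flag those from unexpected countries."""
import ssl
from collections import Counter


def issuer_attr(cert, attr):
    """Read one issuer attribute from a cert dict as returned by SSLContext.get_ca_certs():
    'issuer' is a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None


def inventory(certs):
    """Total and per-country counts. Roots are self-issued, so issuer country is the CA's own."""
    return {"total": len(certs),
            "by_country": dict(Counter(issuer_attr(c, "countryName") or "??" for c in certs))}


def roots_outside(certs, expected_countries):
    """Sorted (country, organisation) pairs for roots whose issuer country is not expected;
    '??' marks roots that carry no country at all, which deserve a look too."""
    found = set()
    for c in certs:
        country = issuer_attr(c, "countryName") or "??"
        if country not in expected_countries:
            found.add((country, issuer_attr(c, "organizationName") or "?"))
    return sorted(found)


def system_roots():
    """Roots the interpreter's default TLS context trusts. Caveat: when OpenSSL is configured
    with a capath directory instead of a bundle file, only roots already used get reported."""
    return ssl.create_default_context().get_ca_certs()


# Constructed sample in the same dict shape; "ZZ" is a user-assigned ISO code, not a real country.
SAMPLE = [
    {"issuer": ((("countryName", "US"),), (("organizationName", "Example Root CA 1"),))},
    {"issuer": ((("countryName", "US"),), (("organizationName", "Example Root CA 2"),))},
    {"issuer": ((("countryName", "ZZ"),), (("organizationName", "Far Away Trust Services"),))},
    {"issuer": ((("organizationName", "No Country CA"),),)},
]

if __name__ == "__main__":
    roots = system_roots()
    print(inventory(roots))
    for country, org in roots_outside(roots, {"US", "GB", "DE"}):   # pick the set you expect
        print(f"  {country}: {org}")
```

A root outside the list is not evidence of anything by itself; the point of the listing is to know which organisations can issue a certificate your machine will accept for any name, which is the precondition for the attack jalbert describes and the "compromise a certificate authority" case lazydavid calls game over.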
