Tag: DNS

DNS privacy issues

Until recently I though that having DNS subdomain entries provides enough obscurity thus should it be secure. If your DNS server does not offer transfering domain to another place then any subdomains should be hidden from public sight. Transfers, if enabled (or rather misconfigured) could be made by:

dig -t axfr example.com

Second thing is querying for ANY option, but it does not mean “all”:

dig example.com any

So, with disabled transfers and lack of exactly private entries while quering for any, you would think that you are on a safe side. And that is actually wrong. There are two 3 options on a table:

  • Someone run crawler and scrap websites for domain names, possibly there are plenty of such systems as I see them quite often in HTTP server logs
  • Someone hacked your network perimeter and changed your DNS addresses for their own, this affects all the clients connected to such network if you would be able to force such traffic. This is of course a malicious and intrusive procedure, not happening on every day manner.
  • You are using public/private/provider DNS server and it is saving your requests building a database. Of course it could be either DNS forwarder or resolver or any in DNS query chain with similar configuration.

As far as I know for the most of domains there is no possibility of transfering or exposing too much with “any”. Not every domain was ever present on any other website so it could have been automatically crawled. Is everyone hacked or the most popular public DNS server are involved in building domains list database? There are plenty of subdomains or even domains that are way too complicated to be guessed. I do not think that those information leak from domain registrars but there is a chance.

So there is this domainsproject.org. They say that they use crawling and DNS checks, but I do not bother even to check their code as it seems to be fugazi (fake). How on earth could they check for some random text put in subdomains. It is for sure coming from DNS queries that should stay at those servers safe. Fortunately it does not include every subdomain configured.

Today thinking should be changed a little bit. If you put something on the internet then it is not safe or hidden by default. Maybe I just assumed too naively, and took for granted that people running public DNS servers share the feeling about privacy things as myself.

Allow .local domain suffix to be resolved

On many chances you may need to configure some domains using .local suffix. Unfortunately this is covered by RFC 6762 (multicast DNS). On specific Linux distributions you will not be able to resolv such domains using DNS server you set either in the machine or in the cloud settings (for instance Azure).

How to you know that the DNS query is not reaching your desired DNS server? In case you use named, then first enable query logging by the following comman:

rndc querylog on

Now DNS queries from the clients who set that particular DNS server as its resolved will be visible in system logger file, like /var/log/messages. Then try to make a ping or curl to the desired domain address with .local suffix and check if it appears in the DNS server log. You can also force DNS query to reach that DNS server by using dig command:

dig yourdomain.local @yourdnsserver

If it’s present in DNS server log file then you’re confident that if you reconfigure your client machine it will work properly. To do this on Ubuntu 20 few things are required. First one is to have IP configuration fixed (some yaml file in /etc/netplan/ directory):

network:
    ethernets:
        eth0:
            dhcp4: no
            addresses:
            - 10.99.99.10/24
            gateway4: 10.99.99.1
            nameservers:
              addresses: [10.99.99.20]
            dhcp4-overrides:
                route-metric: 100
            dhcp6: false
            match:
                driver: hv_netvsc
                macaddress: 60:45:bd:94:4a:85
            set-name: eth0
    version: 2

And also as suggested in the netplan configuration file, to disable cloud init feature create file in /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following content:

network: {config: disabled}

Then reapply network configuration:

sudo netplan try

For me, personally, it is sometimes overcomplicated as comparing to CentOS distribution. Now with the fixed settings that should not be overwritten by some other processes you can proceed with disabling local DNS stub listener:

cd /etc/
sudo ln -sf ../run/systemd/resolve/resolv.conf
cd /etc/systemd/
sudo sed -i -e 's/#DNSStubListener=yes/DNSStubListener=no/' resolved.conf
sudo systemctl restart systemd-resolved

You can put your own desired DNS server in the /etc/systemd/resolved.conf file. After all of these operations try ping, curl or wget with your .local domain and check if this query appears in the DNS server log file.