Restoring DNS Privacy

by Michael Tremer, January 17, 2020


Stefan and I spent last week adding DNS over TLS to IPFire - another step towards making DNS more private. Here is what we have done.

Cleaning up some mess

IPFire had multiple places where DNS servers could be configured. If you were using PPP for your Internet connection, you would have set them up with your dialup settings. If you were using a static IP address, you would have set up the DNS servers together with it in the setup. If you were using DHCP, there was a page on the web user interface to go to. This was not only confusing for the user, but it also meant there were several places in the code where those settings were applied.

Now, we have created an entirely new page which combines all of it! You get a single list where you can configure all DNS servers, alongside the new settings.

With that, there are a couple more features coming:

For those of you who are running IPFire in a school or at home with children, you can now enable Safe Search for multiple search engines and YouTube. If Safe Search is enabled, all adult and violent content will be filtered in the search results.

This used to be a feature of the web proxy, but since everyone is now using HTTPS everywhere, we can no longer edit the search query being sent to the search engine. Safe Search is now realised by sending the client to a different server which only returns the filtered results and can therefore not be disabled on the client any more.

QNAME Minimisation

To protect your privacy, the DNS proxy inside IPFire strips away any part of the domain name that is not required to resolve the query at each step. That way, each upstream name server has less of a chance to learn which website you are looking for. This has been enabled in IPFire for a long time and always will be, but a new option has been introduced: an even stricter mode which works exactly according to RFC 7816, but might make some records unresolvable if the upstream name server does not respond according to the standard.
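To make the QNAME minimisation behaviour concrete, here is an added simulation (not IPFire or unbound code) of a resolver walking the delegation chain from the root down, sending each zone only the labels it needs. The zone cuts, address records and the "conformant"/"non-conformant" authoritative servers are constructed for the example; the non-conformant server answers NXDOMAIN for an empty non-terminal instead of NOERROR/NODATA, which is exactly the situation in which the strict mode described above fails where the relaxed mode recovers.

```python
"""Simulation of QNAME minimisation (RFC 7816) in relaxed and strict mode.

Added example; this is not IPFire or unbound code. It models a resolver
walking the delegation chain from the root down, sending each zone only
the labels it needs, and shows why the strict mode can fail against an
upstream server that answers NXDOMAIN for an empty non-terminal instead
of NOERROR/NODATA as the standard requires. All zone data is constructed.
"""

# Constructed delegation points and address records
ZONE_CUTS = {".", "com.", "example.com."}
RECORDS = {
    "www.example.com.": "192.0.2.10",
    "a.b.example.com.": "192.0.2.20",  # 'b.example.com.' is an empty non-terminal
}


def minimised_queries(qname, zone_cuts):
    """Return the (zone asked, name sent, qtype) sequence a minimising resolver uses.

    Each ancestor zone only ever sees one more label than the name it
    already knows, with qtype NS, until the final query carries the full
    name and the real qtype (A here)."""
    labels = qname.rstrip(".").split(".")
    queries = []
    zone = "."  # a resolver always knows the root zone cut
    for i in range(len(labels) - 1, -1, -1):
        name = ".".join(labels[i:]) + "."
        qtype = "A" if i == 0 else "NS"
        queries.append((zone, name, qtype))
        if name in zone_cuts:
            zone = name  # subsequent queries go to the child zone's servers
    return queries


def _name_exists(name):
    """Constructed authoritative view: a name exists if it is a zone apex,
    has a record, or is an ancestor (empty non-terminal) of a record."""
    if name in ZONE_CUTS or name in RECORDS:
        return True
    return any(rec.endswith("." + name) for rec in RECORDS)


def make_server(conformant):
    """Constructed authoritative server callable (name, qtype) -> (rcode, data).

    With conformant=False it returns NXDOMAIN for an empty non-terminal,
    the misbehaviour that breaks strict QNAME minimisation."""
    def serve(name, qtype):
        if not _name_exists(name):
            return "NXDOMAIN", None
        if qtype == "A":
            return "NOERROR", RECORDS.get(name)  # None models NODATA
        if name in ZONE_CUTS:
            return "NOERROR", "ns." + name  # delegation / apex NS
        return ("NOERROR", None) if conformant else ("NXDOMAIN", None)
    return serve


def build_servers(example_com_conformant=True):
    """One constructed server per zone; only example.com. can be non-conformant."""
    servers = {zone: make_server(True) for zone in ZONE_CUTS}
    servers["example.com."] = make_server(example_com_conformant)
    return servers


def resolve(qname, servers, strict):
    """Resolve qname through per-zone server callables.

    Relaxed mode retries with the full name when a minimised NS query is
    rejected with NXDOMAIN; strict mode takes the NXDOMAIN at face value,
    which is what RFC 7816 prescribes and why strict mode can make some
    names unresolvable behind a non-conformant upstream."""
    for zone, name, qtype in minimised_queries(qname, ZONE_CUTS):
        rcode, data = servers[zone](name, qtype)
        if rcode == "NXDOMAIN" and qtype == "NS":
            if strict:
                return "NXDOMAIN", None
            return servers[zone](qname, "A")  # fall back: full name to this zone
        if qtype == "A":
            return rcode, data
    return "SERVFAIL", None


if __name__ == "__main__":
    for zone, name, qtype in minimised_queries("www.example.com.", ZONE_CUTS):
        print(f"ask {zone:<14} for {name:<20} {qtype}")
    for strict in (False, True):
        print("strict" if strict else "relaxed",
              resolve("a.b.example.com.", build_servers(False), strict))
```

The printed query sequence shows that the root servers only ever see `com.` and the `.com` servers only `example.com.`; the full name reaches just the zone that can answer it. The last two lines show the same non-conformant upstream resolving in relaxed mode and failing in strict mode.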

DNS over TLS

Last but not least, we have added the option to choose the protocol used to talk to your DNS servers. UDP is the standard protocol and the most compatible with all DNS servers, but some users are in an environment where it cannot be used. Some ISPs have been filtering DNS on UDP, and simply using TCP works around this.

Even better is TLS. All queries to the DNS servers will be encrypted which makes it impossible for your ISP to eavesdrop on them. DNSSEC already makes sure that nobody can change them. All DNS servers need to have their "TLS hostname" configured to be used with TLS.

Currently DNS over TLS has a slight performance impact, because unbound, the DNS resolver used in IPFire, cannot reuse existing TLS connections but opens a new one for each query, which has a large overhead. This will hopefully be solved by the unbound team soon, so that in time this impact will go away entirely.

IPFire already supports TLS 1.3 and TCP Fast Open - some further technology to make this secure and fast.
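To show what the "TLS hostname" setting actually buys you, here is an added minimal DNS-over-TLS lookup written with the Python standard library. It is not IPFire or unbound code. The message builder, the two-byte TCP/TLS framing and the answer parser are pure functions that run offline; `query_over_tls` opens a real connection and is only run from the `__main__` block. The server address `192.0.2.53` and the hostname `dns.example.net` are placeholders, not real resolvers; substitute the address and TLS hostname you have configured for your own upstream.

```python
"""Minimal DNS-over-TLS (RFC 7858) lookup with the Python standard library.

Added example, not code from IPFire or unbound. It demonstrates the two
properties the post relies on: the query travels inside a TLS session
that is authenticated against a configured TLS hostname (so a resolver
that cannot present a certificate for that name is rejected), and DNS
over TCP/TLS frames every message with a 16-bit length prefix.
Server address and hostname below are placeholders.
"""
import socket
import ssl
import struct

DOT_PORT = 853  # port assigned to DNS over TLS by RFC 7858


def build_query(name, qid=0x1234, qtype=1):
    """Encode a recursive-desired query for `name` (qtype 1 = A) in wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def frame_tcp(msg):
    """Prefix a DNS message with its length, as DNS over TCP and TLS require."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf):
    """Strip the length prefix and check that the whole message is present."""
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        raise ValueError("truncated DNS/TCP message")
    return buf[2:2 + length]


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp, expect_qid):
    """Return the IPv4 addresses in the answer section of a response."""
    qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != expect_qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_over_tls(server_ip, tls_hostname, name, cafile=None):
    """Send one A query to `server_ip` over TLS, verifying its certificate
    against `tls_hostname`; this is what the TLS hostname setting is for."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 is negotiated where available
    ctx.check_hostname = True  # the default, spelled out: no hostname, no trust
    qid = 0x4242
    raw = socket.create_connection((server_ip, DOT_PORT), timeout=5)
    with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
        tls.sendall(frame_tcp(build_query(name, qid=qid)))
        (length,) = struct.unpack("!H", _recv_exact(tls, 2))
        resp = unframe_tcp(struct.pack("!H", length) + _recv_exact(tls, length))
    return parse_a_records(resp, qid)


if __name__ == "__main__":
    # Placeholder upstream (RFC 5737 documentation address), not a real resolver.
    print(query_over_tls("192.0.2.53", "dns.example.net", "www.example.com"))
```

If the certificate presented on port 853 does not match the configured TLS hostname, `wrap_socket` raises `ssl.SSLCertVerificationError` before a single query byte is sent, which is the behaviour you want from a resolver that refuses to talk to an impostor. Note that this example opens a fresh TLS session per call, the same per-query overhead the post attributes to unbound.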

Get ready

This will be released with Core Update 140. Amongst the many new features, we have removed a lot of code that has caused us a lot of trouble in the past and rewritten many things entirely from scratch.

Help us test and please do not forget to donate, so that we can keep things like these coming and make IPFire the best firewall in the world.