rusty-snakes DNS Setup

[rusty-snake]

Outsourced discussion from #5825 - @Rosika2

---

Beforehand, I use Fedora and everything here assumes
the default of Fedora.

Advantages

• DNSSEC validation
• DNS rebinding protection
• Bad domain (Ad, Privacy, Malware, Phishing, ...) blocking
• Sandbox friendly to resolv.conf changes

Disable systemd-resolved

systemd-resolved work a bit special and does not provide all the features that I want.
Futhermore authselect does not have a profile/feature to disable resolve and prefer dns.
Therefore we disable systemd-resolved:

systemctl disable --now systemd-resolved.service

Disable NetworkManager resolv.conf and DNS management

/etc/NetworkManager/NetworkManager.conf:

[main]
dns=default
rc-manager=unmanaged
systemd-resolved=false

Remeber to systemctl restart NetworkManager.service.

Replace /etc/resolv.conf

rm /etc/resolv.conf && echo "nameserver 127.0.0.1" > /etc/resolv.conf

dnsmasq

Install dnsmasq if it is not installed.

Harden dnsmasq.service

/etc/systemd/system/dnsmasq.service.d/override.conf

# Copying and distribution of this file, with or without modification,
# are permitted in any medium without royalty provided the copyright
# notice and this notice are preserved.  This file is offered as-is,
# without any warranty.

[Service]
Environment=LD_PRELOAD=/usr/lib64/libhardened_malloc.so

# NoNewPrivileges=yes
PrivateDevices=yes
ProtectClock=yes
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
SystemCallArchitectures=native
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
ProtectHostname=yes
LockPersonality=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=yes
PrivateTmp=yes
ProtectHome=yes
# TODO: strict
ProtectSystem=full
ProtectProc=invisible
ProcSubset=pid
# PrivateUsers=
SystemCallFilter=@system-service
SystemCallFilter=~@resources
# IPAddressDeny=
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes

# Make some more paths inaccessible
InaccessiblePaths=-/boot
InaccessiblePaths=-/mnt
InaccessiblePaths=-/media
InaccessiblePaths=-/run/media

Create dnsmasq config

/etc/dnsmasq.d/50-custom.conf:

# Filter request where the upstream DNS can not answer
domain-needed
bogus-priv

# Reject private IP-addrs
stop-dns-rebind

# Do not read /etc/hosts
no-hosts

# Additional hosts file to read
addn-hosts=/etc/dnsmasq-hosts-blocklist

neg-ttl=120
local-ttl=120
min-cache-ttl=300
cache-size=500
clear-on-reload

dnssec
dnssec-check-unsigned
proxy-dnssec
conf-file=/usr/share/dnsmasq/trust-anchors.conf

# Here you can add upstream servers using the 'server' option
# or disable reading of resolv.conf with 'no-resolv'.
# Nevermind, we are going to use 'resolv-file' to tell dnsmasq
# to read upstream servers from NetworkManager instead of '/etc/resolv.conf'.
resolv-file=/run/NetworkManager/no-stub-resolv.conf

listen-address=127.0.0.1
listen-address=::1

# DEBUG
#log-queries
##log-queries=extra
#log-facility=/tmp/dnsmasq-log.txt
#log-async=25

Bad domain blocking (hosts-file)

You can add domains to a hosts file added via addn-hosts like we did with /etc/dnsmasq-hosts-blocklist:

0.0.0.0 google-analytics.com
:: google-analytics.com

Warning: You must add an IPv4 and an IPv6 address for a domain you want to block. Otherwise it can still be resolved.

Warning: Entry in hosts-files only match the specified domain but no subdomains. So the above snipped will still allow ssl.google-analytics.com for example.

Warning: Malicious hosts-files can redirect all your traffic to other servers.

Bad domain blocking (address-option)

A second way to block domains is to add a configuration file that use the address option like

address=/google-analytics.com/

to return NXDOMAIN or

address=/google-analytics.com/#

to return 0.0.0.0/::.

This file can be much smaller because you do not need repeated lines for IPv6 nor for subdomains.

I do this with my own tool that downloads a hosts file, sanitizes and deduplicates it and outputs a dnsmasq configuration file. https://gitlab.com/rusty-snake/uhb2dnsmasq.

Warning: Malicious configuration file has full control over your dnsmasq.

Start dnsmasq

systemctl enable --now dnsmasq.service

[topimiettinen]

My setup is rather opposite, it's based on systemd-resolved instead. It also supports DNSSEC (perhaps too strictly). For domain and per-application blocking, I'm using this PR.

• hosts entry in /etc/nsswitch.conf doesn't include dns but there's resolve, so applications are using UNIX socket of systemd-resolved for name resolution (UDP/TCP isn't involved). The socket can be also blocked by Firejail and systemd, per application.
• systemd-resolved is configured not to listen on local ports with DNSStubListener=no.
• Firewall rules block access to traditional DNS (port 53/853 UDP/TCP, including to/from localhost) except for systemd-resolved.
• Browsers are configured not to use DNS over HTTP (DoH).
• /etc/resolv.conf doesn't exist.

One weakness is that browsers need access to HTTP ports, which could also serve DoH. I could also block known open DNS providers like 8.8.8.8 from them, but I'd like to avoid that kind of whack-a-mole. Some kind of simple filtering HTTP or SOCKS proxy would be nice, but it would also have to support different rules for different applications (apt, browser, flatpak, games, git, MUA, etc.). I'm also considering how to integrate opensnitch into this setup.