technical:dnsresolver [2019-01-30 18:34] aleks Update gozmail and CCCBerlin IPv4
technical:dnsresolver [2023-12-10 16:05] lotusbleu
Line 1: | Line 1:
+ | # DNS resolvers | ||
+ | |||
+ | This page lists open DNS resolvers that respect your privacy. | ||
+ | |||
+ | You can also find documentation on how to run your own DNS resolver, and even how to run an open DNS resolver. Be warned: providing an open DNS resolver is not something you can improvise! | ||
+ | |||
+ | ## List of open DNS resolvers | ||
+ | |||
+ | You can freely use the following open DNS resolvers. | ||
+ | |||
+ | Some of them have a DNSSEC validation, but be careful; the DNS is not transported over TLS, so the content can be modified between the resolver and your computer even if the DNSSEC validation is working. | ||
+ | |||
+ | You can also install a DNS resolver directly on your own computer, see below. | ||
+ | |||
+ | ^ Coun-try ^ IPv4 ^ IPv6 ^ Name ^ DNSSEC validation ^ Organisation ^ | ||
+ | | FR | 80.67.169.12 | ||
+ | | FR | 80.67.169.40 | ||
+ | | FR | 80.67.188.188 | ||
+ | | FR | 89.234.141.66 | ||
+ | | FR | 185.233.100.100 | 2a0c: | ||
+ | | FR | 185.233.100.101 | 2a0c: | ||
+ | | FR | 45.67.81.23 | 2a0c: | ||
+ | | FR | 80.67.190.200 | ||
+ | | DE | 85.214.20.141 | ||
+ | | DE | 195.160.173.53 | ||
+ | | DE | 194.150.168.168 | 2001: | ||
+ | | DE | 84.200.69.80 | ||
+ | | DE | 84.200.70.40 | ||
+ | | DK | 91.239.100.100 | ||
+ | | DK | 89.233.43.71 | ||
+ | |||
+ | Please only add open DNS resolvers that respect the privacy of their users (so, no 8.8.8.8 please). | ||
+ | |||
+ | ## Setup your own local DNS resolver with unbound | ||
+ | |||
+ | Instead of using somebody else's resolver, why not setup your own resolver, on your own computer? | ||
+ | |||
+ | The advantage is that you don't depend on any resolver, that could be shutdown or hijacked. | ||
+ | |||
+ | On Linux, just install `unbound` from your distribution packages. | ||
+ | |||
+ | That's it, you are now using your own local DNS resolver! | ||
+ | |||
+ | Note: on many distributions, | ||
+ | |||
+ | ## Setup an open DNS resolver with unbound | ||
+ | |||
+ | If you want to operate an open DNS resolver, then you need to be aware of DNS-based [reflection attacks](http:// | ||
+ | |||
+ | If you know what you are doing, here is a the bit of configuration for unbound to become an open DNS resolver: | ||
+ | |||
+ | server: | ||
+ | # Open DNS resolver | ||
+ | # NOTE: only do that if you setup a firewall-based rate limiting! | ||
+ | interface: :: | ||
+ | interface: 0.0.0.0 | ||
+ | access-control: | ||
+ | access-control: | ||
+ | |||
+ | Currently, `unbound` does not support rate limiting. | ||
+ | |||
+ | ### Firewall-based rate-limiting | ||
+ | |||
+ | If your DNS software cannot do rate limiting itself, you can do it with a firewall. | ||
+ | |||
+ | Here is the (advanced) IPv6 configuration for iptables, courtesy of LDN: | ||
+ | |||
+ | ip6tables -A FORWARD -d $IP/128 -p udp -m udp --dport 53 -j DNS-RATE-LIMIT | ||
+ | ip6tables -A FORWARD -d $IP/128 -p udp -m udp --dport 53 -m comment --comment " | ||
+ | ip6tables -A FORWARD -s $IP/128 -p udp -m udp --sport 53 -m comment --comment " | ||
+ | ip6tables -A DNS-RATE-LIMIT -m u32 --u32 " | ||
+ | ip6tables -A DNS-RATE-LIMIT -m u32 --u32 " | ||
+ | ip6tables -A DNS-RATE-LIMIT -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name RL-DNS --hashlimit-srcmask 56 -m comment --comment " | ||
+ | |||
+ | Same for IPv4: | ||
+ | |||
+ | iptables -A FORWARD -d $IP/32 -p udp -m udp --dport 53 -j DNS-RATE-LIMIT | ||
+ | iptables -A FORWARD -d $IP/32 -p udp -m udp --dport 53 -m comment --comment " | ||
+ | iptables -A FORWARD -s $IP/32 -p udp -m udp --sport 53 -m comment --comment " | ||
+ | iptables -A DNS-RATE-LIMIT -m u32 --u32 " | ||
+ | iptables -A DNS-RATE-LIMIT -m u32 --u32 " | ||
+ | iptables -A DNS-RATE-LIMIT -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name RL-DNS --hashlimit-srcmask 24 -m comment --comment " | ||
+ | |||
+ | |||
+ | ## Setup an open DNS resolver, ARN way | ||
+ | |||
+ | All of our configuration, | ||
+ | |||
+ | ### Enable DNSSEC validation | ||
+ | |||
+ | Enable DNSSEC validation, even if it will only profit your local users, because of the so-called last mile problem. | ||
+ | |||
+ | #### Example with BIND (/ | ||
+ | |||
+ | dnssec-enable yes; | ||
+ | dnssec-validation auto; | ||
+ | # dnssec-lookaside auto; # not really necessary anymore nowayadys | ||
+ | |||
+ | #### Example with Unbound (/ | ||
+ | |||
+ | auto-trust-anchor-file: | ||
+ | |||
+ | #### Stay informed about the root's KSK rollovers. It normally goes well, but… | ||
+ | |||
+ | ### Have a valid " | ||
+ | |||
+ | Have a valid " | ||
+ | |||
+ | ### Graph and monitor your recursive server | ||
+ | |||
+ | Especially the outgoing traffic: thoughput and packets per second. At ARN, the monitoring setup emits an alert when the outgoing throughput goes beyond 250 kbps over 5 minutes. This limit represents 10 times the average traffic. | ||
+ | |||
+ | ### Prepare a safe configuration | ||
+ | |||
+ | Prepare a safe configuration (recursive only answering on your IPv4 and IPv6 blocks) that you will be able to load/apply in case of emergency (large sustained attack). | ||
+ | |||
+ | #### Example with BIND (/ | ||
+ | |||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | #### Example with Unbound (/ | ||
+ | |||
+ | server: | ||
+ | [...] | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | |||
+ | ### Limit attacks with Netfilter | ||
+ | |||
+ | * There still is a doubt on whether Response Rate Limiting (RRL) on a recursive is effective or appropriate. This is why we don't use it. | ||
+ | |||
+ | * We clean up traffic on our two routers to avoid internally transporting useless unwanted traffic, but these filters can also be applied directly on the recursive. To do so, you need to replace the FORWARD with INPUT. | ||
+ | |||
+ | #### IPv4 | ||
+ | |||
+ | iptables -N DNS-RATE-LIMIT | ||
+ | | ||
+ | iptables -A FORWARD ! -s < | ||
+ | | ||
+ | iptables -A DNS-RATE-LIMIT -m string --hex-string " | ||
+ | | ||
+ | iptables -A DNS-RATE-LIMIT -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name RL-DNS-GLOBL-v4 --hashlimit-srcmask 24 -m comment --comment " | ||
+ | |||
+ | |||
+ | #### IPv6 | ||
+ | |||
+ | ip6tables -N DNS-RATE-LIMIT | ||
+ | | ||
+ | ip6tables -A FORWARD ! -s < | ||
+ | | ||
+ | ip6tables -A DNS-RATE-LIMIT -m string --hex-string " | ||
+ | | ||
+ | ip6tables -A DNS-RATE-LIMIT -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name RL-DNS-GLOBL-v6 --hashlimit-srcmask 56 -m comment --comment " | ||
+ | |||
+ | |||
+ | * Remember to use netfilter-persistent to apply those filters at boot time. | ||
+ | |||
+ | |||
+ | ### Reduce the maximal size on UDP | ||
+ | |||
+ | Reduce the maximal size of the answers your recursive will send over UDP. The idea being to ask the client to come back asking over TCP its question creating a large answer. | ||
+ | |||
+ | With BIND (/ | ||
+ | |||
+ | max-udp-size 1460; | ||
+ | |||
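Review bot: the closing section "Reduce the maximal size on UDP" gives the setting only for BIND (`max-udp-size 1460;`), yet the page's own open-resolver instructions ("Setup an open DNS resolver with unbound") put unbound operators on a different path and never tell them the equivalent; add the corresponding line in unbound's `server:` block, `max-udp-size: 1460`, so both configurations described on the page get the same fall-back-to-TCP behaviour the section explains (an operator who follows the unbound sections otherwise keeps the larger default and still serves large UDP answers to spoofed sources). Related documentation point: the sentence "Currently, `unbound` does not support rate limiting" in the "Setup an open DNS resolver with unbound" section is unqualified, and since the two revisions compared here span 2019 to 2023 it should state the unbound version it was checked against, or simply point at the "Firewall-based rate-limiting" subsection that follows, so that the note in the config snippet ("only do that if you setup a firewall-based rate limiting") and the prose stay consistent as unbound evolves.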