[Yeti DNS Discuss] A public Yeti DNS resolver (but with TLS)
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed Dec 21 20:11:06 UTC 2016
Yeti does not have a public DNS resolver
<http://lists.yeti-dns.org/pipermail/discuss/2016-November/000736.html>. And
there are few public DNS-over-TLS (RFC 7858) resolvers
<https://portal.sinodun.com/wiki/display/TDNS/DNS-over-TLS+test+servers>,
which is sad, since DNS privacy is a big not-yet-solved problem
<https://www.internetsociety.org/events/ndss-symposium/ndss-symposium-2017/dns-privacy-workshop-2017-call-papers>.

So, I installed an *experimental* public DNS-over-TLS Yeti resolver
on dns-resolver.bortzmeyer.org (IPv6 only, which makes sense for
Yeti). Two warnings: it is best effort only, and since it sends
requests to the Yeti root, the user's data is captured and
analyzed. So, it is to test technically privacy-enhancing techniques,
not to provide actual privacy.

The certificate was issued by CAcert <https://www.cacert.org/>. I
wonder if it's possible to get a Let's Encrypt certificate for a DNS
server (you need to set up a callback server)?

If you don't know DNS-over-TLS clients, you can find some in
<https://portal.sinodun.com/wiki/display/TDNS/DNS-over-TLS+clients>
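As an added illustration (not code from this post, from Unbound or from the Sinodun client list), a minimal Python DNS-over-TLS client: RFC 7858 reuses the two-byte length framing of DNS over TCP, and the default TLS context verifies the chain and the server name, so a client of this resolver would need the CAcert root passed as cafile. The query name www.eu.org comes from the logs below; the transaction id and the reply used in the comments are constructed values.

```python
import socket
import ssl
import struct

def build_query(qname, qtype=28, txid=0x1234):
    """Minimal RFC 1035 query: RD set, one question; qtype 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname_wire + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def frame(msg):
    """RFC 7858 keeps the TCP framing of RFC 1035: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def unframe(buf):
    """Take one complete framed message off a stream buffer -> (msg or None, rest)."""
    if len(buf) < 2:
        return None, buf
    n = struct.unpack("!H", buf[:2])[0]
    if len(buf) < 2 + n:
        return None, buf
    return buf[2:2 + n], buf[2 + n:]

def parse_header(msg):
    """Decode the 12-byte header: enough to check id, QR bit, RCODE and answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF, "ancount": an}

def dot_query(server, qname, qtype=28, port=853, cafile=None):
    """Send one query over TLS (port 853) and return the parsed response header.
    create_default_context() verifies the chain and the hostname; pass
    cafile=<path to the CAcert root> for a server whose issuer is not in the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    txid = 0x1234  # constructed; a real client picks a random id per query
    with socket.create_connection((server, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            tls.sendall(frame(build_query(qname, qtype, txid)))
            buf, msg = b"", None
            while msg is None:  # the reply may arrive in several TLS records
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before a full reply")
                buf += chunk
                msg, buf = unframe(buf)
    resp = parse_header(msg)
    if resp["id"] != txid or not resp["qr"]:
        raise ValueError("reply does not match the query")
    return resp
```

dot_query("dns-resolver.bortzmeyer.org", "www.eu.org", cafile="/path/to/cacert-root.pem") performs the exchange; the framing helpers can be exercised offline on constructed bytes.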
Another way to use it is a forwarder for a local resolver. Unbound
can do that:
    server:
        ...
        auto-trust-anchor-file: "autokey/yeti-key.key"
        ssl-upstream: yes

    forward-zone:
        name: "."
        # forward-host: "dns-resolver.bortzmeyer.org"  (forward-host does not work, unknown reason)
        forward-addr: 2001:4b98:dc2:43:216:3eff:fea9:41a@853
        forward-first: no

The public resolver itself is implemented with Unbound. Here is its
configuration:
    server:
        use-syslog: yes
        username: "unbound"
        directory: "/etc/unbound"
        root-hints: "yeti-hints"
        auto-trust-anchor-file: autokey/yeti-key.key
        # Do NOT listen on public addresses (except with
        # DNS-over-TLS-over-TCP, port 853) because we accept queries from
        # everyone.
        interface: ::1
        interface: 127.0.0.1
        interface: 2001:4b98:dc2:43:216:3eff:fea9:41a@853
        qname-minimisation: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        harden-glue: yes
        ssl-service-key: "/etc/unbound/tls-server.key"
        ssl-service-pem: "/etc/unbound/tls-server.pem"
        ssl-port: 853
        # Be careful: this turns us into an open resolver. This is safe only
        # because we do not listen on any interface except with DNS-over-TLS
        # (port 853). Maybe use the new "views" feature of Unbound >= 1.6?
        access-control: ::0/0 allow
        # Slow but useful to debug the public resolver
        log-queries: yes

The requests are logged locally (see above the warning about privacy):
% sudo journalctl -n -f -t unbound
...
Dec 21 17:20:12 dahu1 unbound[25626]: [25626:0] info: 2001:db8:1:2:6c65:ec27:7a25:8aa www.eu.org. AAAA IN
Dec 21 17:20:12 dahu1 unbound[25626]: [25626:0] info: 2001:db8:1:2:6c65:ec27:7a25:8aa www.eu.org. A IN
And the certificate is:
% openssl s_client -showcerts -connect dns-resolver.bortzmeyer.org:853 | openssl x509 -text
depth=2 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify return:1
depth=1 O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
verify return:1
depth=0 CN = dns-resolver.bortzmeyer.org
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 172663 (0x2a277)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = CAcert Inc., OU = http://www.CAcert.org, CN = CAcert Class 3 Root
Validity
Not Before: Dec 21 16:42:26 2016 GMT
Not After : Dec 21 16:42:26 2018 GMT
Subject: CN = dns-resolver.bortzmeyer.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
...
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
Authority Information Access:
OCSP - URI:http://ocsp.cacert.org/
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.cacert.org/class3-revoke.crl
X509v3 Subject Alternative Name:
DNS:dns-resolver.bortzmeyer.org, othername:<unsupported>