technical:dnsresolver [2020-04-30 14:39]
zorun Tweak page so that table is not hidden by the ToC
technical:dnsresolver [2023-12-10 16:15] (current)
lotusbleu
 +# DNS resolvers
 +
 +This page lists open DNS resolvers that respect your privacy.
 +
 +You can also find documentation on how to run your own DNS resolver, and even how to run an open DNS resolver. Be warned: providing an open DNS resolver is not something you can improvise!
 +
 +## List of open DNS resolvers
 +
 +You can freely use the following open DNS resolvers.  It's probably a good idea to use one in your country, or in a nearby country.
 +
 +Some of them perform DNSSEC validation, but be careful: plain DNS is not transported over TLS, so answers can still be modified in transit between the resolver and your computer even when the resolver's DNSSEC validation works.
 +
 +You can also install a DNS resolver directly on your own computer, see below.
 +
 +^ Country ^ IPv4 ^ IPv6 ^ Name ^ DNSSEC validation ^ Organisation ^
 +| FR | 80.67.169.12    | 2001:910:800::12       | ns0.fdn.fr           | No | [[http://www.fdn.fr|FDN]] |
 +| FR | 80.67.169.40    | 2001:910:800::40       | ns1.fdn.fr           | No | [[http://www.fdn.fr|FDN]] |
 +| FR | 80.67.188.188   | 2001:913::           | ns0.ldn-fai.net      | Yes | [[http://ldn-fai.net|LDN]] |
 +| FR | 89.234.141.66   | 2a00:5881:8100:1000::3 | recursif.arn-fai.net | Yes | [[http://arn-fai.net|ARN]] |
 +| FR | 185.233.100.100 | 2a0c:e300::100 | gaia-dns.aquilenet.fr | No | [[http://www.aquilenet.fr|Aquilenet]] |
 +| FR | 185.233.100.101 | 2a0c:e300::101 | hades-dns.aquilenet.fr  | No | [[http://www.aquilenet.fr|Aquilenet]] |
 +| FR | 45.67.81.23 | 2a0c:e300::1337 | dns.aquilenet.fr  | Yes | [[http://www.aquilenet.fr|Aquilenet]]; also offers [DoH](https://en.wikipedia.org/wiki/DNS_over_HTTPS) and [DoT](https://en.wikipedia.org/wiki/DNS_over_TLS), see http://dns.aquilenet.fr |
 +| FR | 80.67.190.200   | 2a00:5884:8218::     | log.bzh              | Yes | [[https://www.gozmail.bzh/|gozmail]] hosted at [[https://grifon.fr/|grifon]] |
 +| DE | 85.214.20.141 | | | No | FoeBud / Digital Courage |
 +| DE | 195.160.173.53  |                        | dnscache.berlin.ccc.de | No  | CCC Berlin |
 +| DE | 194.150.168.168 | 2001:4ce8::53          | dns.as250.net        | Yes | AS250 |
 +| DE | 84.200.69.80    | 2001:1608:10:25::1c04:b12f | resolver1.dns.watch | Yes | [[https://dns.watch|Ideal-Hosting]] |
 +| DE | 84.200.70.40    | 2001:1608:10:25::9249:d69b | resolver2.dns.watch | Yes | [[https://dns.watch|Ideal-Hosting]] |
 +| DK | 91.239.100.100  | 2001:67c:28a4:: | anycast.censurfridns.dk | Yes | [[http://www.censurfridns.dk/|censurfridns]] |
 +
 +
 +Please only add open DNS resolvers that respect the privacy of their users (so, no 8.8.8.8 please).
 +
 +## Set up your own local DNS resolver with unbound
 +
 +Instead of using somebody else's resolver, why not set up your own resolver, on your own computer?  It's actually super easy.
 +
 +The advantage is that you don't depend on any resolver that could be shut down or hijacked.  Besides, your resolver can perform DNSSEC validation locally, solving the last-mile trust issue.  The only disadvantage: a bit of latency the first time you resolve a name.
 +
 +On Linux, just install `unbound` from your distribution packages.  Then set your resolver to `127.0.0.1`.
 +
 +That's it, you are now using your own local DNS resolver!
 +
 +Note: on many distributions, the default configuration for `unbound` only allows queries from `localhost`, which is exactly what we want here.  If you want to provide DNS resolution to other computers, you'd have to configure some access control.
 +
 +## Set up an open DNS resolver with unbound
 +
 +If you want to operate an open DNS resolver, then you need to be aware of DNS-based [reflection attacks](http://en.wikipedia.org/wiki/Denial-of-service_attack#Reflected_.2F_spoofed_attack).  That is, **never provide an open DNS resolver without rate-limiting**.
 +
 +If you know what you are doing, here is the bit of configuration for unbound to become an open DNS resolver:
 +
 +    server:
 +        # Open DNS resolver
 +        # NOTE: only do that if you setup a firewall-based rate limiting!
 +        interface: ::
 +        interface: 0.0.0.0
 +        access-control: ::/0 allow
 +        access-control: 0.0.0.0/0 allow
 +
 +Currently, `unbound` does not support rate limiting.  See below for a firewall-based rate-limiting approach.
 +
 +### Firewall-based rate-limiting
 +
 +If your DNS software cannot do rate limiting itself, you can do it with a firewall.  A useful reference (in French) is at [Stéphane Bortzmeyer's blog](http://www.bortzmeyer.org/rate-limiting-dns-open-resolver.html).
 +
 +Here is the (advanced) IPv6 configuration with ip6tables, courtesy of LDN:
 +
 +    ip6tables -A FORWARD -d $IP/128 -p udp -m udp --dport 53 -j DNS-RATE-LIMIT
 +    ip6tables -A FORWARD -d $IP/128 -p udp -m udp --dport 53 -m comment --comment "COMPTABILITE : * -> recursif" -j ACCEPT
 +    ip6tables -A FORWARD -s $IP/128 -p udp -m udp --sport 53 -m comment --comment "COMPTABILITE : recursif -> *" -j ACCEPT
 +    ip6tables -A DNS-RATE-LIMIT -m u32 --u32 "0x0>>0x16&0x3c@0x14&0xffffff00=0xff00" -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name RL-DNS --hashlimit-srcmask 56 -m comment --comment "RATE-LIMIT ANY ." -j DROP
 +    ip6tables -A DNS-RATE-LIMIT -m u32 --u32 "0x0>>0x16&0x3c@0x14&0xffdfdfdf=0x3495343&&0x0>>0x16&0x3c@0x18&0xffdfdfdf=0x34f5247&&0x0>>0x16&0x3c@0x1c&0xffffff00=0xff00" -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name RL-DNS --hashlimit-srcmask 56 -m comment --comment "RATE-LIMIT ANY isc.org" -j DROP
 +    ip6tables -A DNS-RATE-LIMIT -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name RL-DNS --hashlimit-srcmask 56 -m comment --comment "RATE-LIMIT ALL 10/s-20/s" -j DROP
 +
 +Same for IPv4:
 +
 +    iptables -A FORWARD -d $IP/32 -p udp -m udp --dport 53 -j DNS-RATE-LIMIT
 +    iptables -A FORWARD -d $IP/32 -p udp -m udp --dport 53 -m comment --comment "COMPTABILITE : * -> recursif" -j ACCEPT
 +    iptables -A FORWARD -s $IP/32 -p udp -m udp --sport 53 -m comment --comment "COMPTABILITE : recursif -> *" -j ACCEPT
 +    iptables -A DNS-RATE-LIMIT -m u32 --u32 "0x0>>0x16&0x3c@0x14&0xffffff00=0xff00" -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name RL-DNS --hashlimit-srcmask 24 -m comment --comment "RATE-LIMIT ANY ." -j DROP
 +    iptables -A DNS-RATE-LIMIT -m u32 --u32 "0x0>>0x16&0x3c@0x14&0xffdfdfdf=0x3495343&&0x0>>0x16&0x3c@0x18&0xffdfdfdf=0x34f5247&&0x0>>0x16&0x3c@0x1c&0xffffff00=0xff00" -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name RL-DNS --hashlimit-srcmask 24 -m comment --comment "RATE-LIMIT ANY isc.org" -j DROP
 +    iptables -A DNS-RATE-LIMIT -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name RL-DNS --hashlimit-srcmask 24 -m comment --comment "RATE-LIMIT ALL 10/s-20/s" -j DROP
 +
 +
 +## Set up an open DNS resolver, the ARN way
 +
 +All of our configuration, tests and remarks are detailed there (in French, sorry): [[https://www.guiguishow.info/2014/08/23/comment-mettre-en-place-un-serveur-dns-recursif-cache-ouvert-dans-de-bonnes-conditions/|Comment mettre en place un serveur DNS récursif-cache ouvert dans de bonnes conditions]]. Here, we will only summarise the most important steps to set up an open recursive-cache DNS server without going into further details.
 +
 +### Enable DNSSEC validation 
 +
 +Enable DNSSEC validation, even if it will only benefit your local users, because of the so-called last-mile problem.
 +
 +#### Example with BIND (/etc/named/named.conf.options under Debian GNU/Linux):
 +
 +    dnssec-enable yes;
 +    dnssec-validation auto;
 +    # dnssec-lookaside auto; # not really necessary anymore nowadays
 +
 +#### Example with Unbound (/etc/unbound/unbound.conf under Debian GNU/Linux):
 +
 +    auto-trust-anchor-file: "/var/lib/unbound/root.key"
 +
 +#### Stay informed about the root's KSK rollovers. It normally goes well, but…
 +
 +### Have a valid "abuse" e-mail address 
 +
 +Have a valid "abuse" e-mail address associated with your IPv4 and IPv6 blocks in the RIPE database (or any other RIR). You can use [[https://apps.db.ripe.net/search/abuse-finder.html|this form]]: enter the IPv4 and IPv6 addresses of your recursive server; it must return a valid, up-to-date e-mail address.
 +
 +### Graph and monitor your recursive server
 +
 +Especially the outgoing traffic: throughput and packets per second. At ARN, the monitoring setup emits an alert when the outgoing throughput goes beyond 250 kbps over 5 minutes. This limit represents 10 times the average traffic.
 +
 +### Prepare a safe configuration 
 +
 +Prepare a safe configuration (the recursive server answering only for your own IPv4 and IPv6 blocks) that you will be able to load/apply in case of emergency (large sustained attack).
 +
 +#### Example with BIND (/etc/named/named.conf.options under Debian GNU/Linux):
 +
 +  #allow-query { 127.0.0.1; ::1; <your_IPv4_block>; <your_IPv6_block>; };
 +  #allow-query-cache { 127.0.0.1; ::1; <your_IPv4_block>; <your_IPv6_block>; };
 +  #allow-recursion { 127.0.0.1; ::1; <your_IPv4_block>; <your_IPv6_block>; };
 +
 +#### Example with Unbound (/etc/unbound/unbound.conf under Debian GNU/Linux):
 +
 +  server: 
 +  [...]
 +      #access-control: 127.0.0.1/32 allow
 +      #access-control: ::1/128 allow
 +      #access-control: <your_IPv4_block> allow
 +      #access-control: <your_IPv6_block> allow
 +
 +### Limit attacks with Netfilter
 +
 +  * There is still some doubt on whether Response Rate Limiting (RRL) on a recursive server is effective or appropriate. This is why we don't use it.
 +
 +  * We clean up traffic on our two routers to avoid internally transporting useless unwanted traffic, but these filters can also be applied directly on the recursive server. To do so, replace FORWARD with INPUT.
 +
 +#### IPv4
 +
 +  iptables -N  DNS-RATE-LIMIT
 +  
 +  iptables -A FORWARD ! -s <your_IPv4_block> -d <IPv4_of_your_recursive_server> -p udp -m udp --dport 53 -j DNS-RATE-LIMIT
 +  
 +  iptables -A DNS-RATE-LIMIT -m string --hex-string "|0000ff0001|" --algo bm --from 28 --to 65535 -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name RL-DNS-ANY-v4 --hashlimit-srcmask 24 -m comment --comment "RATE-LIMIT ANY QTYPE 1/s burst 2" -j DROP
 +  
 +  iptables -A DNS-RATE-LIMIT -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name RL-DNS-GLOBL-v4 --hashlimit-srcmask 24 -m comment --comment "RATE-LIMIT ALL QUERIES 10/s burst 20" -j DROP
 +
 +
 +#### IPv6
 +
 +  ip6tables -N  DNS-RATE-LIMIT
 +  
 +  ip6tables -A FORWARD ! -s <your_IPv6_block> -d <IPv6_of_your_recursive_server> -p udp -m udp --dport 53 -j DNS-RATE-LIMIT
 +  
 +  ip6tables -A DNS-RATE-LIMIT -m string --hex-string "|0000ff0001|" --algo bm --from 48 --to 65535 -m hashlimit --hashlimit-above 1/sec --hashlimit-burst 2 --hashlimit-mode srcip --hashlimit-name RL-DNS-ANY-v6 --hashlimit-srcmask 56 -m comment --comment "RATE-LIMIT ANY QTYPE 1/s burst 2" -j DROP
 +  
 +  ip6tables -A DNS-RATE-LIMIT -m hashlimit --hashlimit-above 10/sec --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name RL-DNS-GLOBL-v6 --hashlimit-srcmask 56 -m comment --comment "RATE-LIMIT ALL QUERIES 10/s burst 20" -j DROP
 +
 +
 +  * Remember to use netfilter-persistent to apply those filters at boot time.
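As an added example (not code from the wiki page, LDN or ARN), the following Python models what the netfilter rules in this section and in the LDN section above match: it reads the question section at offset 12 of the UDP payload (the point the u32 `@0x14` and the `--from 28`/`--from 48` offsets aim at), flags QTYPE ANY queries, optionally for one name with case folding like the `0xdf` masks, and applies a hashlimit-style token bucket keyed on the source /24 or /56 prefix. Packets, addresses and timestamps are constructed test data; it is a model for reasoning about the rules, not a replacement for them.

```python
import ipaddress
import struct

def build_query(name, qtype, txid=0x1234):
    """Constructed test input: a minimal DNS query (12-byte header + one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_question(payload):
    """Read the first question at offset 12 (where @0x14 / --from 28 land); lowercase like the 0xdf masks."""
    pos, labels = 12, []
    while pos < len(payload):
        n, pos = payload[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(payload):  # compression pointer or truncated name
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(payload):  # no terminator, or QTYPE/QCLASS missing
        return None
    qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return ".".join(labels) + ".", qtype

def matches_any_rule(payload, name=None):
    """True when the packet would hit the ANY DROP rule (for one name, or for any name)."""
    q = parse_question(payload)
    if q is None or q[1] != 255:  # 255 = QTYPE ANY, the 0x00ff in the u32/hex-string rules
        return False
    return name is None or q[0] == name.lower().rstrip(".") + "."

class HashLimit:
    """Token bucket per source prefix: --hashlimit-above RATE --hashlimit-burst B --hashlimit-srcmask M."""
    def __init__(self, rate, burst, srcmask):
        self.rate, self.burst, self.srcmask = rate, burst, srcmask
        self.buckets = {}  # prefix -> (tokens, time of last packet)

    def above(self, src, now):
        """True when this packet is over the limit, i.e. the rule would DROP it."""
        key = ipaddress.ip_network(f"{src}/{self.srcmask}", strict=False)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[key] = (tokens, now)
            return True
        self.buckets[key] = (tokens - 1, now)
        return False
```

Unlike the `--hex-string "|0000ff0001|"` rule, which matches that byte pattern anywhere after the offset, the parser only looks at the first question, so it is stricter than the firewall rule.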
 +
 +
 +### Reduce the maximal size on UDP
 +
 +Reduce the maximal size of the answers your recursive server will send over UDP.  The idea is that a client whose question produces a large answer receives a truncated UDP reply and is asked to come back over TCP.  If it was a real client, it will come back; otherwise it won't.
 +
 +With BIND (/etc/named/named.conf.options under Debian GNU/Linux):
 +
 +  max-udp-size 1460;
 +
 +With Unbound (/etc/unbound/unbound.conf under Debian GNU/Linux), the equivalent option uses Unbound's own syntax:
 +
 +  max-udp-size: 1460
 +