[Solved] How to set your DNS resolver to DNSSEC and stop apps from calling home

Following this article I'm having a hard time determining which DNS resolver my archlabs install uses. It looks like archlabs is using dnsmasq, however adding

address=/opera.technology/127.0.0.127
address=/opera.com/127.0.0.127

to /etc/dnsmasq.conf and doing a

systemctl restart dnsmasq.service

doesn’t blacklist opera’s domains and subdomains. /etc/hosts isn’t helping here since I do not know all the names of opera’s subdomains.

Also I would like to use DNSSEC and to switch to 9.9.9.9 as my system's primary name resolver instead of using my router's or my provider's DNS resolver.

systemctl status systemd-resolved.service
systemctl status NetworkManager.service

tell me that NetworkManager is enabled and running, and systemd-resolved is neither enabled nor running.

edit: getting closer

/etc/NetworkManager/NetworkManager.conf is surprisingly taciturn, however putting additional .conf files in /etc/NetworkManager/conf.d might serve the purpose.

https://wiki.archlinux.org/index.php/NetworkManager#DNS_management

I'll let you know in case I manage to achieve the aforementioned objectives and how.

edit: sorry, I don’t get it.

Added cache.conf and dnssec.conf to /etc/NetworkManager/dnsmasq.d/ and restarted NetworkManager, but NetworkManager is still using my WLAN's default. Any help would be greatly appreciated.

To get dnsmasq working with NM follow https://wiki.archlinux.org/index.php/NetworkManager#dnsmasq


Hi there, dnsmasq is used by default in archlabs (see ps aux | rg dnsmasq). However, the settings in /etc/NetworkManager/dnsmasq.d/ are obviously only loaded when a /etc/NetworkManager/conf.d/dns.conf explicitly instructs NetworkManager to do so.

So I put a dnssec.conf in /etc/NetworkManager/dnsmasq.d/:

conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
server=9.9.9.9
cache-size=1000

address=/opera.technology/127.0.0.127
address=/opera.com/127.0.0.127

and a dns.conf in /etc/NetworkManager/conf.d/:

[main]
dns=dnsmasq
peerdns=no

After a nmcli general reload my resolver is running on DNSSEC now AND is preventing chatty software from calling home.

Thanks for your help, Head_on_a_Stick!


just for the record:

in case you are running VMs on that host you might want to tell their NetworkManager to use DNSSEC as well.

Hmmmm, ok, that doesn’t work without any hassle… after a reboot I encountered further issues… dnsmasq.service has to be disabled now that NetworkManager starts dnsmasq:

systemctl disable --now dnsmasq.service

And obviously one has to tell each and every network connection to ignore the individual DHCP-mediated DNS resolver:

nmcli con mod 'network-name' ipv4.ignore-auto-dns yes
[…]
nmcli general reload
nmtui (offers the ignore-auto-dns setting also)

Originally I had assumed that

peerdns=no

in /etc/NetworkManager/conf.d/dns.conf does that for me.

Any ideas how to make peerdns=no work?

Also, I'm not entirely convinced that subdomains of the above-mentioned domains are redirected to localhost. I have been digging through Pi-hole's git repository (e.g. https://github.com/pi-hole/pi-hole/blob/master/advanced/01-pihole.conf) to figure out how Pi-hole's dnsmasq achieves that.

Furthermore, systemctl status NetworkManager.service gives me quite a bunch of

Insecure DS reply received, do upstream DNS servers support DNSSEC?

Are those answers discarded? Is there a log in which I could look to clarify? In /var/log no file jumps out at me.

journalctl --unit NetworkManager.service

Thanks for your help, Head_on_a_Stick. I tried

journalctl --unit NetworkManager.service -r -o verbose

which gave me far too much output. So I limited it a bit by

journalctl --unit NetworkManager.service -S '2020-02-17 17:48:52' -o verbose

which tells me that dnsmasq is responsible for

Insecure DS reply received, do upstream DNS servers support DNSSEC?

but no further details on which process did the dns-request and why the request was forwarded to a non-dnssec resolver.

So I decided to revert all changes and try a different approach:

sudo su
cd /etc/NetworkManager
rm conf.d/dns.conf
rm dnsmasq.d/dnssec.conf
nmcli con mod 'networkname' ipv4.ignore-auto-dns no
systemctl restart NetworkManager.service
systemctl enable --now dnsmasq.service
nmcli general reload

By chance I stumbled across this article and so I decided to give dnscrypt-proxy a try:

sudo su
pacman -Syu
pacman -S dnscrypt-proxy
cd /etc/dnscrypt-proxy
ls -al
systemctl stop dnsmasq.service
rg -Nv '#' dnscrypt-proxy.toml | rg . > dnscrypt-proxy.new
mv dnscrypt-proxy.toml dnscrypt-proxy.toml.backup
mv dnscrypt-proxy.new dnscrypt-proxy.toml
nano dnscrypt-proxy.toml

changed

listen_addresses = ['127.0.0.1:53000', '[::1]:53000'] (line 1)
require_dnssec = true (line 7)

cd /etc/
mv dnsmasq.conf dnsmasq.conf.backup
nano dnsmasq.conf

filled file with

conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
no-resolv
server=::1#53000
server=127.0.0.1#53000
listen-address=::1,127.0.0.1

cd /etc/NetworkManager/conf.d
nano dns.conf

filled file with

[global-dns-domain-*]
servers=::1,127.0.0.1

and restarted / enabled the services concerned:

systemctl enable --now dnscrypt-proxy.service
systemctl start dnsmasq.service
systemctl restart NetworkManager.service
nmcli general reload

The whole thing seems to work stably now. The service dnscrypt-proxy obviously offers quite a bunch of features (e.g. a blacklist.txt :) ), but I haven't had time to read into the details so far.

Hope I could inspire fellow forum members to make the internet a safer place.
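Two doubts raised earlier in the thread can be settled with a direct query against the local resolver: whether address=/opera.com/127.0.0.127 really catches every subdomain (it does; dnsmasq's address= option applies to the named domain and to everything below it), and whether the "Insecure DS reply" messages mean answers are being thrown away. A validating dnsmasq returns SERVFAIL for names whose signatures fail to validate, sets the AD (authentic data) flag only on answers it did validate, and hands back unsigned zones without AD, so querying a known-signed name and looking at the flag shows whether validation actually happens. The script below is an added example, not code from the thread or from dnsmasq/dnscrypt-proxy; it assumes the final setup above (dnsmasq listening on 127.0.0.1:53 forwarding to dnscrypt-proxy), that isc.org is a DNSSEC-signed zone and dnssec-failed.org a deliberately broken one, and uses only the Python standard library so the AD bit and the sinkhole address can be inspected without dig.

```python
"""Minimal stdlib DNS client for checking a local validating resolver.

Added example (not from the forum thread). Assumed: the resolver built in
the thread listens on 127.0.0.1:53 and sinkholes opera.com to 127.0.0.127.
"""
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.3)
FLAG_RD = 0x0100    # recursion desired
FLAG_AD = 0x0020    # authentic data: the resolver validated this answer
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2  # what a validating resolver returns for bogus data


def build_query(name, qtype=1, txid=0x1234):
    """Build a wire-format query for `name` (qtype 1 = A, class IN).

    AD is set in the query so a validating resolver reports validation
    status in its reply (RFC 6840 section 5.7).
    """
    header = struct.pack(">HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:               # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                  # pointer ends the name here
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg):
    """Return rcode, AD flag and the answer RRs of a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                           # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                               # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:             # A record -> dotted quad
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, rdata))
    return {"rcode": flags & RCODE_MASK, "ad": bool(flags & FLAG_AD), "answers": answers}


def query(name, server="127.0.0.1", port=53, timeout=2.0):
    """Send one A query over UDP to the local resolver and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


def is_sinkholed(result, sinkhole="127.0.0.127"):
    """True when every A answer is the dnsmasq address= sinkhole."""
    ips = [rdata for _, rtype, rdata in result["answers"] if rtype == 1]
    return bool(ips) and all(ip == sinkhole for ip in ips)


if __name__ == "__main__":
    # Subdomain check: address=/opera.com/ must cover names below opera.com too.
    for host in ("opera.com", "autoupdate.geo.opera.com"):
        r = query(host)
        print(host, "sinkholed" if is_sinkholed(r) else "NOT blocked", r["answers"])
    # Validation check (assumed test zones): AD set on the signed name,
    # SERVFAIL instead of an address for the deliberately broken one.
    for host in ("isc.org", "dnssec-failed.org"):
        r = query(host)
        print(host, "rcode", r["rcode"], "AD", r["ad"],
              "validated" if r["ad"] else "not validated",
              "(SERVFAIL)" if r["rcode"] == RCODE_SERVFAIL else "")
```

If the signed name comes back without AD, dnsmasq is answering but not validating (typically a missing trust-anchors.conf or a forward that bypasses it), and that, rather than the "Insecure DS reply" log line, is the thing to fix; the log line alone only says an upstream answered a DS query without DNSSEC data, and dnsmasq still treats a zone as insecure rather than bogus in that case.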