Default DNS Provider Discussion for Kicksecure (not Whonix!)

It’s not as simple as “yeah, enable DNSSEC validation” and “yeah, add configuration option DNS_ENCRYPTION=true”, done, call it a day…


A)


B)

Then a specific server needs to be chosen. It’s okay if the user decides to use such a setup and manually sets it up. The user is free to decide to stop using their default ISP’s DNS server and choose a specific one hosted by a specific organisation.

But when considering to apply such a change by default for an operating system, which server (speak organization) should be configured by default to be used?

  • digitalcourage.de?
  • digitale-gesellschaft.ch?
  • Cloudflare? That’s what Mozilla decided to use for Firefox. That might not be a decision to get applause for or at least it would need to be thoroughly thought through, discussed and documented.
    • The policy question. Should Cloudflare (or replace the name Cloudflare with any other organization) have the power to resolve all the DNS for all users?
    • The reliability question: What if it’s offline? Then DNS for all users will break at the same time.
  • A randomly selected server?

Perhaps no server should be enabled by default and the user should have a wizard graphical utility that can easily change the DNS server, which starts at boot?

  • Maybe, but easy to see that the development effort just got a lot higher.
  • What about CLI version?
  • Should the user really be bothered with a question such as “Do you want to keep using your ISP’s DNS server or do you want to use iterative, encrypted (DoT), validating DNS using a DNS server from one of the following organizations?”

This isn’t trivial to decide and not even trivial to discuss as it requires prior essential knowledge about DNS such as “recursive or iterative?”

I don’t think there is better DNS than Cloudflare (security features that Cloudflare doesn’t have), other options ah yeah we say we don’t log, we are in x country not US… all of these are technically rubbish and meaningless and can be overturned easily without anybody noticing (happy to be proven wrong by any other DNS provider which has better features).

There is no real reliable way to overcome this. It’s how DNS works.

Due to choosing something global like CF or any big DNS provider this idea is very unlikely to happen.

Changing DNS in an OS is not rocket science though, if the user doesn’t want X then he can change it to Y, but what we ship is the best choice available as much as our resources can get.


Cloudflare censoring a website (which then all users would rely on) is different than all the ISPs of all the users in all the regions censoring a website.

What is the technical protection that X ISP DNS provides that is different from Cloudflare DNS?

When you mention censoring, are you referring to the act of monitoring your online activities or blocking specific content?

If you mean monitoring your online activities, that’s why we would want to use ECH. Even without ECH, both X ISP DNS and Cloudflare DNS have the capability to see and log what you are doing.

As for blocking access to specific websites, I’m not sure if Cloudflare DNS blocks any access to particular sites (unless someone is using the family Cloudflare DNS, which blocks adult content, but that’s not the case here).

There isn’t a technical protection. But there’s widely different policies.

Blocking.

But monitoring is also a different point. The capability of monitoring all DNS would be moved from the user’s ISP to cloudflare or similar.

I didn’t research if there are already specific examples where Cloudflare specifically is blocking any websites, however this is about the shift of the power balance through such a change.

A bit theoretic and about principles but not too theoretic.

For example, a different but for this discussion comparable US based organization, Let’s Encrypt, was forced to block a website for residing in a territory (Donetsk) that the US government decided shall be ineligible. Source: Dnr-online.ru certificate was revoked - Help - Let's Encrypt Community Support

Now the contents of the variable of the specific blocking here (US, Let’s Encrypt, Donetsk, the website) don’t matter for the general principle.

Something similar might happen with cloudflare or any other default selected DNS provider.

Something (DNS) with default settings (user default DNS) would be functional while the improvement by Kicksecure (changing default DNS server) would be moving that power to block away from their local region to some other region.

I don’t know why but could this be the reason why Firefox enabled DoH (DNS over HTTPS) for US only and not globally?

Indeed, this is unrelated and I wouldn’t mention this here since that would be a conscious, manual user opt-in.

We care and talk here about technical stuff, I can bring DNS or VPN saying we protect our users we don’t log trust us… = yeah but how do you prove that technically? none.

Discussion of policies is a lost case because it’s based on “believe me”.

Ah we need to have real examples otherwise we can’t blame such a service without evidence.

When it happens that’s another topic and it’s not hardcoded on a rock anyway, change can be made by the user or by us.

Other countries want to monitor their people as well; having this flying in the air even made the UK question what the hell is going on, we want our monitoring part.

Policies matter. Cloudflare (US) is for now not too widely criticized. How about using a DNS server by default in, let’s say, Russia or Iran, one that does block things by default? Seems suddenly like not such a great idea. This is to illustrate the point that policies do matter.

Real examples are problematic. Otherwise discussions on “is this or that blocking ok or not” risk the technological neutrality. Best to think this through before such issues come up.

Let’s speculate for the sake of discussion that Cloudflare starts blocking the Donetsk region too (similar to how Let’s Encrypt did). Now what?

  • Option A): Keep using Cloudflare.
  • Option B): Stop using Cloudflare.

Option B might risk legal issues for supporting circumvention of sanctions or weird laws of some countries (such as the US) which unfortunately are apparently enforced extraterritorially, in many regions. Too many to be able to ignore these in theory if one would want this.

Choosing an organization with wide power (such as blocking) over the operating system is a huge decision.


Too big an issue. I consider this ticket a blocker.


If it’s in RU or Iran or even China and doesn’t block nonsense stuff with the latest security features, I’m signing for it.

Isn’t almost any country in the world at the moment blocking a certain set of websites anyway? e.g.:

That’s why I believe that if we immerse ourselves in the game of policies, we will drown. We should simply approach things from a technical point of view, and that’s it. This is what I consider in my humble opinion to be the best option.


Quote Tor Browser Essentials chapter Tor Censorship in Whonix wiki

The CDN provider Cloudflare is used by millions of websites. [73] Many of the top websites are using Cloudflare. See also the Great Cloudwall / Stop Cloudflare / #deCloudflare #Crimeflare project (archive.org; this redirection link might always link to a functional version) (on hackernews, archive.org), which has (non-exhaustive list):

history:

Cloudflare has a questionable history of weird policy decisions. Cloudflare is one of the top reasons why the internet is broken with captchas or outright access denied messages.

Cloudflare is blocking Tor in weird ways. Though sometimes there’s an exception for Tor Browser to be granted access, access with other browsers or command line downloaders such as wget or curl over Tor is blocked.

centralization:

The internet should be centralized.

Cloudflare wants to host the world’s DNS. For free. This operation must cost a ton of money. And they’re just doing it for the public benefit. I don’t buy it.

I think it’s a bad idea without any strong rationale to roll over and concede the internet’s DNS to Cloudflare. If more and more people use Cloudflare everything, then Cloudflare’s power goes exponential.

If it’s a new trend that browsers (such as Firefox started) and operating systems (that latter which we’re discussing here) stop using the user’s ISPs DNS server but instead pre-configure a specific DNS server, then at some point ISPs can deprecate their own DNS servers or in a transitional period just be a wrapper and point them to Cloudflare etc. That would harm the bit of DNS decentralization which still exists.

It also makes Cloudflare a more and more interesting target for attacks as well as from governments.

Putting all eggs into one basket is usually not a great idea.

location:

Due to Cloudflare being in the US, it is very reasonable to assume that Cloudflare received NSLs, gag orders, whatnot. Business as usual as we learned through the Snowden revelations. The same isn’t necessarily true for all the regions where Kicksecure can be used.

legal issues:

conclusion:

Cloudflare could be a choice. One choice among many in a list of servers. But Cloudflare won’t become the default DNS provider for Kicksecure without user choice in form of some graphical user interface (GUI) wizard.

Quote Kicksecure - Secure by Default Operating System

Kicksecure update servers know neither the identity nor IP address of the user because all upgrades are downloaded over Tor by default.

This mitigates against targeted, malicious software upgrades.

Configuring 1 central server (DNS) over clearnet seems counter to the design goal of avoiding targeted attacks.

There are other superior non-profit organizations that respect user privacy and freedom who run DNS servers. Cloudflare is definitely one of the absolute WORST options.

Provided that we are able to make a list of trustworthy options we simply choose one with the most robust availability stats by default while keeping the others as a backup.

Absolutely not. The less popups and user questions, the better the UX. We should be making these decisions and packaging sane defaults.

Hm, seems here that by definition, iterative resolvers are recursive.

Perhaps the distinction we are looking for is stub vs recursive?

The current system as it stands is very centralized, even in the very best case scenario where the protocol between the local resolver and the authoritative servers is encrypted. The only way to make it “less evil” is to use servers that are known not to censor unless compelled by sanctions orders or data-mine their users.

Second consideration is to opt for the least code running on the user system to minimize attack surface via RCE - which is ideally just stub resolvers. However if having a reiterative daemon will force us to have dependency on malicious organizations, then we are better off considering the smallest and lightest option we can.

Going off the extreme end, one can have their own authoritative DNS running locally… but that is probably not a set and forget thing running in the background on a user machine. There might yet be a better idea:


We already leverage Tor as a way to implement a secure time daemon even on KS. Why can’t we have a locally installed DNS resolver that is configured in such a way as to tunnel and resolve all DNS requests via Tor exits?

This gives us a de-centralized implementation by default and some exits run their own servers with unbound. It’s another example where anonymity and security are very much overlapped.


DNS is certainly being politicized.

Russia and Ukraine of all the countries get this first. Two countries at war. Great timing too because the war just started in March 2022.

And of course cloudflare DNS does analytics.

https://labs.apnic.net/index.php/2022/08/31/doh-dot-and-plain-old-dns/

Some data deals where some data is made available to a selected few.

I don’t think it’s easy to win the argument against Cloudflare on technical immediate merits. As already mentioned, there isn’t anything remotely close to reliability when it comes to DNS on the Internet.

The fact that they offer free DNS portability with free solid SSL certificates and DDOS protection makes it an easy choice for most websites. They don’t actually block Tor per se, and the choice is left to webmasters. There were cases when the defaults were changed towards a more aggressive stance, and it was felt immediately.

Being a fairly large corporation, they have much more muscle to flex when it comes to takedown/censorship requests, something a not-for-profit like Quad9 can never dream of having available.

By having so many websites protected behind their edge, ECH privacy is also maximized: an observer can see a generic connection to Cloudflare rather than a connection to a private IP.

And their free gifts don’t stop. With the rise in censorship these days, they offer WARP, a free and lightweight (based on WireGuard) VPN for end users too. So, you get premium, private, access to those aforementioned protected websites, sometimes, in a non-intuitive way, even better than what your ISP offers.

Cloudflare’s popularity won’t wane anytime soon, if the DNS outage of 2020 and last year’s service failure - events that took out a good chunk of the public web - are any indication.

If all these arguments seem like a commercial to Cloudflare, it’s not. I fear them and their power to control the Web at both ends more than GAFAM that are always in the spotlight. Considering that most websites nowadays don’t even bother with certificates and the TLS connection is terminated at the Cloudflare edge, they have the power to examine what each and every one does. And all of GAFAM started with offers so good you can’t pass, only to turn out worse for everyone when enough victims were captured.

If someone asks me for the least problematic browser today that just works, can I easily argue against Chrome? I wouldn’t use it, I don’t recommend it, and I know using it is a disservice to myself and others. I clump Cloudflare in the same category.

My first reaction to the introduction of Cloudflare’s DoH in Firefox was to rejoice for my non-technical friends. Then I realized that not only do I have no friends, but the people I know who still use Firefox are actually almost exclusively technical people, and they were really bothered by Mozilla’s decision to ignore their well-defined DNS system.

There are even more reasons to wait for the inclusion of ECH, or even DoH in Kicksecure, in addition to the cost of implementation/maintenance:

  • the choice of default servers will inevitably be a compromise between reliability, availability, responsiveness, security and privacy that will not satisfy everyone.
  • Kicksecure has secure in its name. Introducing more software (especially not the most mature) increases the attack surface not only with programs, but especially in their interaction with the rest of the programs in the system. It can also give a false sense of security which may be worse when expectations are not met.
  • unless I’m wrong, unlike Whonix, Kicksecure is used by more technical people with particular strong opinions and peculiar configurations. They would have to work against the default implementation.
  • if the Kicksecure configuration conflicts with Whonix, it may need more adjusting before integrating it.
  • both Kicksecure and Whonix have ample documentation that could be extended and referred if the user is really interested in not implementing their own system and also in avoiding the service of their ISP.

Seems like maybe I need to get the terminology right first, which is important. The important distinction is:

  • A) Is a DNS daemon running that contacts root servers and tracks down the destination DNS through an iterative process? → full DNS resolver, recursive DNS resolver?
  • B) Not contacting root servers. Only contacting (for most users usually their ISP’s DNS server) to resolve the DNS. → forwarding DNS resolver? stub resolver?

Yes.

Yes. Currently we’re using the stub resolver just as any other Linux distribution that I am aware of at time of writing. It’s unencrypted and ISPs often don’t support DNSSEC, but it’s less attack surface because less code.

With a full resolver, we’d be talking to the whole world. Whatever DNS needs to be resolved, the DNS daemon would contact the root server (or use cached results) and then other DNS servers down the line. No dependency on any specific organization, well, except if you consider the DNS root servers.

In that case, DNS root servers do not support encryption yet.

That’s certainly interesting to consider.

Needs to be tested how fast and reliable that is. But I am not too hopeful…

A recursive DNS resolving over clearnet: Then ISPs can tamper with it also as per the same link as in above bullet point.

As much as I like (and prefer) the idea of recursive DNS resolving (even if root servers will take ages until they support encryption), it might not be reliable.

The only realistic option then again might be using DoT / DoH where then we’re having the burden of choosing a hardcoded, default DNS server, some organization hosting the DNS server.

Right.

I am not sure about more/less technical but indeed…

True.

That small part is a non-issue. The DNS configuration would be in a separate package. Kicksecure has meta packages different from Whonix. So it’s trivial to only install some package by default in Kicksecure or only in Whonix but not vice-versa.

True.

Also the next step before considering default would be offering this as an opt-in package only as I can see from the current complexity, non-reliability that this isn’t a trivial thing to change.

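As an added illustration of the A/B distinction in the reply above (not code from the thread or from Kicksecure): an offline toy model contrasting a full resolver that follows referrals from the root with a stub that forwards everything to one configured upstream. The zone data, server names and addresses are constructed placeholders.

```python
"""Offline toy model of the two resolver modes discussed above.

Constructed referral tree (not real DNS data): the root refers to the
"org." TLD server, which refers to the authority for "example.org.",
which finally holds the A record. Server names and the 203.0.113.10
address are placeholders chosen for this illustration.
"""

# Each server holds the closest records it knows: either a referral to a
# more specific server or the final answer.
ZONES = {
    "root-server":      {"org.": ("REFER", "org-tld-server")},
    "org-tld-server":   {"example.org.": ("REFER", "auth.example.org")},
    "auth.example.org": {"www.example.org.": ("A", "203.0.113.10")},
}
MAX_HOPS = 8  # guard against referral loops in malformed data


def query(server, qname):
    """Ask one server; it answers with its longest-matching record, or NXDOMAIN."""
    best_name, best_record = None, ("NXDOMAIN", None)
    for name, record in ZONES[server].items():
        if qname == name or qname.endswith("." + name):
            if best_name is None or len(name) > len(best_name):
                best_name, best_record = name, record
    return best_record


def resolve_iterative(qname, trace):
    """Full/recursive resolver (option A): walk referrals down from the root.

    `trace` collects every server contacted, showing that no single
    organisation sits between the user and the authoritative answer.
    """
    server = "root-server"
    for _ in range(MAX_HOPS):
        trace.append(server)
        rtype, value = query(server, qname)
        if rtype == "REFER":
            server = value
            continue
        return value  # an address, or None for NXDOMAIN
    raise RuntimeError("referral loop while resolving %s" % qname)


def resolve_stub(qname, upstream, trace):
    """Stub/forwarding resolver (option B): send every query to one upstream.

    `upstream` is a constructed description of the single configured
    server: whether it is reachable and which names it refuses to answer.
    The stub learns nothing about the path the answer took.
    """
    trace.append(upstream["name"])
    if not upstream["reachable"]:
        raise ConnectionError("upstream %s is down, DNS fails for everyone" % upstream["name"])
    if qname in upstream["blocklist"]:
        return None  # policy-based blocking is indistinguishable from NXDOMAIN
    # The upstream does the iterative work on the stub's behalf.
    return resolve_iterative(qname, [])
```

The traces make the discussion point concrete: the iterative path contacts each authority in turn, while the stub path contacts exactly one party, which can answer, refuse, or be offline for all users at once.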

Apologies if Quad9 has been mentioned before and was not considered

However, if it hasn’t been discussed, I think Quad 9 would be a very suitable alternative to cloudflare.

Can choose several of the available options. The default one is probably the best even though it might have some possible censorship based on classifying “malware”.

Quad9 is a Swiss-based non-profit with a very strong privacy and security centered approach.

Also I am not too sure jumping on the DNSSEC bandwagon is a great idea as while it seems sensible in theory, there are many valid arguments against its somewhat increasing rate of adoption. Maybe better off implementing solid DNS over TLS/HTTPS for the time being?


This is what is being discussed in Use DNSCrypt by default in Kicksecure? (not Whonix!) and in this forum thread here.

Use DNSCrypt by default in Kicksecure? (not Whonix!) is about the technical challenges.

This forum thread is about the challenge of default DNS provider selection.

Disregarding DNSSEC would allow using DNSCrypt, which doesn’t perform local DNSSEC validation at time of writing as mentioned in the other forum thread.

Arguments against DNSSEC? Sounds like that deserves a dedicated forum thread.


Here are incomplete compilations of some DNSSEC downsides:
https://sockpuppet.org/blog/2015/01/15/against-dnssec/
https://sockpuppet.org/stuff/dnssec-qa.html
https://www.rfc-editor.org/rfc/rfc3833#section-3

I am not an expert on DNS, however it seems some of these issues pointed out over years appear to exist today.

Using DNSCrypt, we can also potentially use Anonymised DNS but that would clearly reduce the number of providers.

Overall, I think forcing DNSSEC as a default may not be the best for compatibility as we do not really know how well it would work with domains in any random user’s locale.

Regarding securing DNS, probably best to use DoH as it uses TCP port 443 (identical to HTTPS) and so a decent level of obfuscation is provided by default. In contrast, DoT uses TCP port 853 and so is very easy to block on an admin level.

Also one day DNSCurve would probably make a good replacement to DoH/DoT.
