DNS-over-HTTPS (w/ Firefox, Pihole, & Wireshark)

Captions
Welcome to another errorcode 429 video. Today we will be talking about DNS over HTTP: what DNS over HTTP is, what DNS is, how to implement DNS over HTTP, how to test for it, and what the impacts are to standard internet users and corporations alike.

So firstly I'd like to talk about the current DNS technology and how we resolve hostnames to IP addresses. The current technology, and how we resolve URLs in the browser to get to our final destination, looks like the scenario on the right. Imagine you're sitting at your laptop as the client and you want to go to errorcode 429 or Twitter or apple.com. The current implementation as a standard user would be to open up a browser, go to the URL, just type in where you want to go and hit Send. Now when you hit Send, I'm just assuming that you're in your home network, so you're behind your router, so the request goes to the router. Once it's at the router, the router will then determine how to resolve that request, and routers have their own DNS server entries where they define what DNS server they are going to reach out to in order to process that request. So say you've got your router here and you just send out the request that you want to go to errorcode 429. Now somewhere there's another box up here that's just a DNS server, and its main function is just to resolve this hostname into this final IP address. So somewhere in internet land your router says, okay, I need to resolve this hostname to get the final destination. Within the router it has the DNS entry; it then sends that request all the way out to the DNS server. That DNS server would then respond back saying, okay, errorcode 429 is at this IP address, at which point your router says, all right, take me there. It reaches out to the ISP and goes through multiple hops in order to get to the errorcode 429 router or switch, at which point the router or switch will send that request over to the actual server itself over port 443, at which point that request will be responded to, sending it all the way back through the route back to your client.

So that is the standard implementation of DNS. It looks a little bit different and more complicated when you get into corporate DNS servers, but the main point is that when you make a request, your traffic is going into a DNS server somewhere, at which point that DNS server takes the URL you've typed in and gives back an IP address, a final location. But every single one of those requests that you make, whether it be Twitter or Apple or Facebook or your internal email or your internal admin portal, anything that you type in is captured by that DNS server in plain text. So even though our web traffic is encrypted with HTTPS or TLS, all of the actual requests of where you're going are still logged in plain text, and not only does your company see this through their DNS caching, but anybody who runs an endpoint, a DNS server, has the ability to see this over plaintext. So anywhere you visit, they know.

So the implementation of DNS over HTTP is to get rid of this DNS server here and have the request go over HTTP to a final DNS endpoint, so that if there were to be a man-in-the-middle in your network, they would not be able to see in plaintext those requests being made over the wire. What I want to talk about is just that: DNS over HTTP. It is currently being implemented by Firefox, so a little bit more information about that. I'm just going to the Firefox support page; they talk a little bit about DNS over HTTP and the benefits, and just like we said, DoH or DNS over HTTP improves privacy by hiding domain name lookups from someone lurking on the public Wi-Fi or your ISP or anyone else on the local network. Then they give some more information on how to enable the actual service itself: you would just go to Preferences, scroll all the way down to Network Settings, scroll down and enable DNS over HTTP. The only service provider is Cloudflare at the moment, and that's how you implement it.

So the next part I'll be talking about is how we test for if DoH is working and how it looks different from the standard DNS implementation. What I've done is install Pi-hole, which is a DNS sinkhole, which basically means that we are installing our own DNS server on our home network. So instead of going outside of our network, as I had mentioned there was a DNS server out here somewhere on the internet, instead of reaching out to that DNS server we have our own DNS server within our own network, and we are utilizing that instead of a DNS server owned by somebody else. Also the advantage to having our own DNS server is we have the ability to whitelist and blacklist certain domains. We get to see all the traffic going in and out, and that means we get to block some of the traffic coming in and block some of the traffic going out, sort of like a firewall for DNS. I think if I just go to the actual page we'll be able to understand that a little bit more.

So I have a Pi-hole running on my home network, and you can see it logs the total DNS queries, it shows how many DNS queries have been blocked, the percentage blocked, the domains on the block list. It gives you some nice graphics of traffic and clients on the network, how many times they're requesting, what their traffic looks like, the types of requests they're getting back, the domains they're going to, top blocked domains, the top clients. You can see a little bit more about our network: we have devices on our network that are reaching out, and if we go to a device in particular we can see what actual requests they are making. So like I was saying, anywhere that you visit can be logged. My current Mac device is at 192.168.1.150; that is my device. So if I were to go to, let's say, baseball.com... okay, let's reload this. There we go, baseball.com. So for anyone who has a DNS server, they can log, like I was saying, all of your requests to the sites that you want to go to, because they have to resolve baseball.com into an IP address.

So by using Pi-hole we are able to see all the requests going out and all the requests that are being blocked. Pi-hole is a very nice service that you can use to bring in your own DNS server in the house and make your internet a bit quicker; as you can see, we're blocking 7% of traffic. Pi-hole comes with a pre-installed blacklist which knows which sites are bad and should be blocked and which sites are good and should be allowed through, so it helps with taking out some of the bad traffic on your internet, making it quicker and providing a bit more security.

So let's test, since we can now track our DNS entries, the difference between making a DNS request over the standard implementation and making a DNS request over HTTPS. As I mentioned, my IP address is 192.168.1.150, and I am currently SSH'd into the Raspberry Pi which is hosting the DNS server, Pi-hole, and we can see that the local address is 192.168.1.116. What I'm going to do is actually just tail the log of DNS entries, DNS requests that are being processed by the server from this IP address. I have two web browsers open: I have Google, which is going over the standard DNS implementation, and I have Firefox, which is going over DNS over HTTPS. The difference is that Google, since it's not going over HTTP, has to make a DNS request to a DNS server, and currently it's pointed at my Pi-hole server. So if we were to go to tennis.com we would see everything is getting logged. As soon as I type that in and made a request it's getting tracked: tennis.com and all of the different sites, trackers, advertisers, analytics that come with that. So let's get out of that. Now it's done; there's no more sites that are being resolved. Let's do the same thing in Firefox, let's go to tennis.com. As you can see, there are no DNS resolutions being made. Everything that we saw was from Chrome, and we never saw anything again from Firefox. Let's try pingpong.com. Nothing, nothing coming through for pingpong.com. So you can see the side-by-side difference between DNS and DNS over HTTP.

But what if you would actually like to see what it looks like over the wire? So here we go again: we have Wireshark open capturing traffic from our IP source, which is my Mac, to the IP destination, which is the Pi-hole DNS server. If we type it in we don't get anything, probably because it's cached, so let's go to a site that we haven't been to yet. Let's try hockey.com. There we go. So the old query did not come through because it was cached and it already knew where that was, but if we type in a name that it doesn't know, it has to make that DNS request and we see it right here. We can perform the same thing in Firefox. I don't believe that has been cached in Firefox, so let's try that, and we don't see anything coming through on this end for hockey.com from Firefox. So our last test is we want to see that DNS over HTTP is working. As we saw in our preferences, the network settings, DNS is going over Cloudflare, and Cloudflare's DNS server is at 1.1.1.1, so we can put our destination address as 1.1.1.1. Actually, let's stop this and redo it just so we get a clean slate. Now let's make sure that it's working; let's pick another site, maybe nike.com. Here we go: data going to 1.1.1.1 from the Mac to nike.com, and if we look, it's encrypted. The TCP connection is encrypted and the TLS connection, which is HTTP, is encrypted, so nowhere here using Firefox do we get any sort of communication over the wire that we can track.

So what are some of the implications of doing this? Obviously as a user this is huge for anonymity, and for not letting big corporations or internet service providers or people hosting your DNS server be able to see and track what websites you visited. Some of the main providers of DNS servers are those like Google, and they not only have all of your information online in terms of the accounts you have, but they also have all the information of all the websites that you visited. So if you've ever wondered how Google can know what sites you visited: well, you're making a request to their DNS server and it shows them all the data that you've ever visited, just like here in Pi-hole, if I want to see all the websites I've ever visited, you have that information at your fingertips. So for the standard user, the anonymity aspect of DNS over HTTP is huge. It's another step, just like HTTP being able to encrypt your web traffic; it's another step towards user privacy.

But I also want to talk about the trade-off between being able to hide that data and the impact to network visibility. One of the main benefits from being able to see this traffic as a corporation is having that situational awareness and visibility into what your users are doing, and not even from a "we are just monitoring them" standpoint, since you can start to predict anomalies and you can see traffic outside of your organization that is bad or malicious or should be blacklisted. So if I'm a corporation and I want to see... let me see if I can show my blacklist here. Okay, so if I'm a corporation, I want to see what's been blocked and I want to be able to control how to block outside organizations that I think are bad. If one of the users in my organization, their client gets compromised, and when I say client I mean their thin client, their computer basically: if one of my users gets compromised and they have malicious software on their computer, and that software or trojan or rootkit or anything of that nature wants to call home to the command and control server, and I discover that command and control server, I want to be able to blacklist that server so that nobody else in my organization can make a request to get to that location. However, if everything is going over DNS over HTTP, you lose all that network visibility as a corporation, so you are no longer able to see the good and bad traffic within your company. You can't see whether a user has been compromised and is reaching out to a known command and control server; you can't see if an employee is watching pornography or visiting explicitly bad sites on your network, because all of that traffic is encrypted now. So as a corporation, one of the main tools where you can have a little bit of oversight over some security is through DNS, but by implementing DNS over HTTPS you lose one of those main tools in your toolkit for security.

So I wanted to bring up this thought of when is DNS over HTTPS most useful. When should we use it, when should we not use it? When it provides us a tool for anonymity, when it provides us a useful tool, that's for the better; and when it would be used in a way that's not for the better, that's actually hindering us. So I just wanted to bring that up. I thought this was a very cool implementation. Firefox is currently the only one who has implemented it, with Cloudflare as their back-end compatible DNS over HTTP server. Google was currently working on it, but I have not found a way to implement it myself; I have tried many times, but it is currently something that they are not offering to the public. This technology is not going away, it is definitely here to stay, and it is something where at the board level your security directors are going to have to talk about the implications of enabling this tool inside your organization: what happens if you do enable it, what happens if you don't enable it. So I thank everyone for watching, and if you like this video leave a comment, give it a thumbs up, and let me know if you have any questions.
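The Pi-hole and Wireshark tests in the talk boil down to one observation: a DoH client sends no port-53 queries to the local resolver but does open TLS connections to 1.1.1.1. The script below turns that observation into a simple per-host check over flow records; it is an added example, not code from the video or from Pi-hole. It assumes constructed CSV flow records, the Pi-hole at 192.168.1.116 (from the video), and Cloudflare's 1.1.1.1 plus its second anycast address 1.0.0.1 as the DoH resolver set.

```python
"""Flag hosts that appear to bypass the local Pi-hole via DoH (added example)."""
import csv
import io
from collections import defaultdict

PIHOLE = "192.168.1.116"                 # local resolver, from the video
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1"}   # Cloudflare anycast addresses (assumption: 1.0.0.1 not in the video)

# Constructed sample flows: .150 (Firefox w/ DoH) only talks TLS to 1.1.1.1,
# .120 (Chrome) resolves via the Pi-hole on UDP/53, .130 does both.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport
1565900000,192.168.1.150,1.1.1.1,tcp,443
1565900001,192.168.1.150,104.16.1.1,tcp,443
1565900002,192.168.1.120,192.168.1.116,udp,53
1565900003,192.168.1.120,104.16.1.2,tcp,443
1565900004,192.168.1.130,192.168.1.116,udp,53
1565900005,192.168.1.130,1.1.1.1,tcp,443
"""

def summarize(flow_csv):
    """Per source host: count classic DNS queries to the Pi-hole and TLS flows to DoH resolvers."""
    stats = defaultdict(lambda: {"classic_dns": 0, "doh_tls": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst, proto, dport = row["src"], row["dst"], row["proto"], int(row["dport"])
        if dst == PIHOLE and dport == 53:
            stats[src]["classic_dns"] += 1
        elif dst in DOH_RESOLVERS and proto == "tcp" and dport == 443:
            stats[src]["doh_tls"] += 1
    return dict(stats)

def classify(flow_csv):
    """Return {host: verdict}; 'doh_only' means the Pi-hole sees none of that host's lookups."""
    verdicts = {}
    for host, s in summarize(flow_csv).items():
        if s["doh_tls"] and not s["classic_dns"]:
            verdicts[host] = "doh_only"   # resolver bypassed: no visibility in Pi-hole
        elif s["doh_tls"]:
            verdicts[host] = "mixed"      # e.g. one DoH browser beside a classic one
        else:
            verdicts[host] = "classic"    # all lookups pass through the Pi-hole
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"{host}: {verdict}")
```

This is a heuristic: 1.1.1.1:443 also serves Cloudflare's web pages, so a verdict is a prompt to look at the host's Pi-hole history, not proof of DoH.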
Info
Channel: errorcode 429
Views: 6,414
Rating: undefined out of 5
Keywords: DoH, DNS-over-HTTPS, Firefox, Chrome, Wireshark, Pihole, Cybersecurity, DNSec, DNS Security, Security
Id: t71--yEkZyY
Channel Id: undefined
Length: 23min 7sec (1387 seconds)
Published: Fri Aug 16 2019