Host Your Own Encrypted DNS Server

Video Statistics and Information

Captions
What's up guys, today I'm going to show you how to host your own encrypted recursive DNS server on a remote VPS, or you could probably follow this guide to host one locally, which would actually be a little bit faster, especially once you've been able to build up a cache of DNS records on your own server. Now the reason that you would want to do this, without getting too verbose about how DNS works, is for privacy reasons. DNS queries contain information about the name of the site you visited and a timestamp of when you visited that site, so historically all of this DNS stuff was sent in the clear, so anybody who's listening on the wire, like the alphabet boys, could see all that information as well. But these days most popular DNS servers that are run by Google, Cloudflare and others actually use encrypted DNS over TLS or DNS over HTTPS, which we're going to be doing as well. But since we're hosting our own DNS server, we can be absolutely 100% sure that the records about what sites we visit and when, that are cached on every DNS server, or our DNS server in this case, are not going to be sold to anybody who wants to buy them. So this is about as private as you can get in the DNS world, and like I said, if it's hosted locally it can actually end up being a whole lot faster.

Now one thing that I do have to mention is this setup does not yet support Encrypted Client Hello, but it should in the near future, because Encrypted Client Hello is going to be making its way into OpenSSL soonish. I mean, there's a pull request that's been open for it here, and I guess this person here, sftcd, is going to be doing some refactoring and, you know, splitting the pull request into three different pull requests, so maybe that's going to make it take a little bit longer, but it's going to be added in the near future. And this is then going to add Encrypted Client Hello support to hopefully most of the internet, or at least most people out there who are going to be running the latest version of OpenSSL, because this, I'm pretty sure, is the most popular SSL library that's out there on the internet. Now if you're a bit more of an advanced user and you don't want to wait for this pull request to, you know, get merged into OpenSSL, you could probably get Encrypted Client Hello working if you configure whatever DNS software you're using to use the BoringSSL library instead, because as far as I know this is the most popular SSL library that does currently support Encrypted Client Hello, which is, as you can see, maintained by the Chromium project. But like I said, I'm just going to wait for it to get merged into OpenSSL and then start using Encrypted Client Hello from there.

So I'm going to be using a Vultr VPS. I also have an affiliate link in the description of this video and the pinned comment that would give me some credits with Vultr if you sign up with it; I believe it also gives you some credits as well. And Vultr is actually a pretty good cloud provider, they have a lot of applications that you can easily deploy. I actually use them for my based.win WooCommerce store. They aren't so great for email though, because I guess a lot of people have used them for spam in the past, so getting them to open up the ports for email can be a little bit difficult, and personally I just run my email server on Linode. But thanks in advance for those of you that use that affiliate link. So I'm just going to fast forward through the boring stuff with setting up this Debian box and I'll see you guys in a little bit.

Okay, so now I have an updated Debian box with my new user Kenny. I've generated SSH keys and secured SSH to only allow login with those keys and only allow Kenny to log in, or at least I've prevented root logins. And I've also gone ahead and set up the reverse DNS in Vultr for my dns.based.win domain name, and I've done the forward DNS in Porkbun, which is currently what I'm using for my registrar for based.win since Google Domains is dead. And I've also already generated a Let's Encrypt certificate; I had one from when I was testing, I mean I didn't see any reason to generate a new one, especially because with Let's Encrypt you're only able to generate, I think it's like 12 or so, certificates for the same domain within a certain period of time. So I think it's really just best practice to, you know, back up those certificates for a domain, like if you're testing, and then deploy those same certificates to your actual production server.

So anyway, let's just go ahead and get started with the rest of the setup, and I'll make this a little bit bigger so you guys can see. So BIND 9 is what I'm going to be using for my DNS software. There's a number of free and open source DNS softwares out there that you can use; this is one of them, probably one of the more popular ones as well. So we'll go ahead and install that, and now we need to enable BIND's domain name server daemon, which is called named. All right, and then we need to allow BIND 9 through the firewall. We also need to allow HTTP and HTTPS through our firewall as well. And at this point now we just need to configure our named configuration file, and actually I think I have to do this as root: /etc/bind/named.conf.options. And it actually looks like it has a little bit of a configuration already generated. Let's see, we got our DNSSEC validation on, but there's a few more things that need to be added. All right, so we'll do recursion yes, allow-recursion any, listen-on any, and let's see, I think I'm going to skip v6, and let's see, DNSSEC validation is at the bottom. Oh, and we actually have listen-on-v6 configured anyway. All right, cool, so we'll write-quit this, and let's check our configuration file to make sure it's good: named-checkconf /etc/bind/named.conf.options. Okay, and no output is good, that means that there's no issues with our configuration file. And we'll restart named.

Okay, and now we can test our DNS configuration with a dig command. So this is not encrypted yet, this is just, you know, very basic old-school, in-the-clear, plaintext DNS that I'm doing right now. All right, and you can see that it's just regular unencrypted DNS, but now we're going to set up the encrypted version of it. So, a couple of other configurations: obviously generate your Let's Encrypt certificates if you haven't done that already, or, you know, restore them if you had backed-up ones like I did, and you need to make some configurations to AppArmor. In /etc/apparmor.d/local/ we're going to create this file (got too many forward slashes, okay). So in here we're just going to paste this right here; this is going to allow named to be able to access our Let's Encrypt folder, and then we're going to reload the AppArmor profile usr.sbin.named. Okay, and I still think I need to change the file permissions of Let's Encrypt, so let me do that real quick. Boy, my internet is slow today. Okay: bind, /etc/letsencrypt/live/dns.based.win, the private key, and sudo chmod on /etc/letsencrypt/live/dns.based.win/privkey.pem. Okay, so now we should be able to make our changes to BIND's configuration, or named's configuration rather.

All right, so we want to add at the top of the file our key file and cert file for Let's Encrypt, so the privkey.pem and fullchain.pem, and you need the full directory to them. Then we're going to add an http block, local-http-server, with endpoints /dns-query. Okay, and then in the options we're going to do listen-on, okay, listen-on port 53, and I've got to remember to change that for v6 as well; actually, why don't I just do it right now, listen-on-v6 port 53. Okay, and oh, actually I need to put port in there, port 53, and got to do the same thing down here. Okay, and put http-port 80, https-port 443, and I'm going to copy these two lines because they're kind of long: listen-on port 443 tls local... blah blah blah, and then the same thing for v6. Okay, so we're going to save that now and we're going to again check the configuration file to make sure that it's okay, so named-checkconf /etc/bind/named.conf.options. Let me see, named-checkc... it needs to be named-checkconf. Okay, that's working, and now we're going to reload named; we don't need to restart the whole daemon this time, just reload the file. And let me see, we're getting a TLS error, so let me try to figure out what's wrong with this here.

All right, so I finally got my configuration working after trying a bunch of different things and thinking that I didn't have Let's Encrypt installed properly. Turns out I simply did not run this extra chmod command, so that's the reason why it didn't have access to TLS. You know, that's just how things go in Linux, okay, file permissions, they cause a lot of problems. Okay, so I should be able to now dig +https @dns.based.win g.org A, and as you can see we got the response with HTTPS enabled. Great, so we've got a working DNS server doing DNS over HTTPS, and our configuration file has it set to only do DNS over HTTPS.

So now we're going to go ahead and configure this on our system. Now there's several ways to do this. The best way, if you wanted every single device on your network to use this DNS server, would be to configure it on your router to use this DNS server and then tell all your devices to just use the router's config, but I'm probably not going to do that until I can set up a local DNS server, which will be a lot faster, with Encrypted Client Hello. So right now I'm just going to set this up on my browser, or I'm going to set it up on my system, do a dig command, and then I'm also going to set it up on my browser to show you, you know, multiple different tests that this is indeed working. So we'll go into /etc/resolv.conf if you're on a Linux system, and all we have to do is comment out these default settings and then change it to the dns.based.win nameserver, you know, whatever the name of your DNS server is. So now if I do the dig command here, dig +https @dns.based.win g.org A... okay, what did I do wrong in my resolv.conf? Ah, let's see, nameserver dns.based.win. Let me try it just with the IPs only. All right, there we go, so you see it is working on my system now.

And then let's go over to the browser. Now in Firefox you need to go into your settings, Privacy and Security, and when you've got the default protection it can be a little bit confusing in Firefox, because default protection doesn't let you change your DNS server, so just choose one of these other options and then you get this drop-down menu for Custom, and then I've got my dns.based.win already in here from when I was testing. So let's first do a DNS leak test to verify that we are only using this DNS server. And this is my real public IP guys, okay, so please don't DoS me; as you saw, my internet is not great here in rural land, you'll probably end up taking out my whole ISP if you DoS me. All right, so this is going to do the extended test, which I think does like five or six query rounds, and it's going to try to see if it can somehow, some way, use a different DNS server, but it's going to be impossible because I've configured Firefox to only use dns.based.win. And of course you could do this configuration in Chromium-based browsers; it's probably a little bit more straightforward to actually configure your own custom DNS in a Chromium-based browser because it doesn't have that weird setting that Firefox does, you know, where you have to change your default protection to increased protection or max protection or something else in order to get that other setting. So here you see the IP for my server, hostname dns.based.win, ISP says Vultr just because that's where the box is located. So boom, confirmation that we don't have any DNS leaks.

And now we're going to use Cloudflare's secure DNS check, so this is going to check for a bunch of different things, including Encrypted Client Hello, which is not enabled, so that test is going to fail, but all the rest should pass: DNSSEC and encrypted DNS, you know, DoH is what it should show up as. All right, and so you can see secure DNS, well, it says it's not sure about secure DNS because they're only really sure if you use 1.1.1.1, but you know we've got DNSSEC working and TLS 1.3 working, nobody snooping on the wire can see the certificate of the website you made a TLS connection to, and no encrypted SNI, not yet, womp womp, but very soon, very very soon. But that is it for this video guys, please like it and share it to hack the algorithm, and check out my merch on based.win, where you can save an additional 10% automatically on checkout storewide as long as you pay in Monero, XMR. Have a great rest of your day.
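The named.conf.options that the walkthrough assembles, written out as an added example reconstructed from the directives the video names (not the author's own file); the certificate paths, the "local-tls" and "local-http-server" block names, the directory line and the AppArmor rule in the comment are assumptions.

```conf
# Added example (not the video's own file): a minimal /etc/bind/named.conf.options
# for BIND 9.18 DoH. Paths and the local-tls / local-http-server names are assumed.
#
# Companion AppArmor override the video creates under /etc/apparmor.d/local/
# (assumed rule): /etc/letsencrypt/** r,   then: apparmor_parser -r /etc/apparmor.d/usr.sbin.named
# named runs as user "bind", which must also be able to read privkey.pem (the chmod step).

# Let's Encrypt certificate and key, full paths required
tls local-tls {
    key-file  "/etc/letsencrypt/live/dns.based.win/privkey.pem";
    cert-file "/etc/letsencrypt/live/dns.based.win/fullchain.pem";
};

# DoH endpoint: clients query https://dns.based.win/dns-query
http local-http-server {
    endpoints { "/dns-query"; };
};

options {
    directory "/var/cache/bind";

    # Recursive resolver. "any" is what the video sets and makes this an open
    # resolver; restricting it to the addresses you actually serve limits abuse.
    recursion yes;
    allow-recursion { any; };

    # Plain Do53 and DoH (TLS + HTTP/2 on 443) on every interface, v4 and v6
    listen-on    port 53  { any; };
    listen-on-v6 port 53  { any; };
    listen-on    port 443 tls local-tls http local-http-server { any; };
    listen-on-v6 port 443 tls local-tls http local-http-server { any; };

    http-port  80;
    https-port 443;

    dnssec-validation auto;
};
```

named-checkconf prints nothing when the file parses, and dig +https @dns.based.win <name> A exercises the /dns-query endpoint end to end.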
Info
Channel: Mental Outlaw
Views: 105,965
Keywords: Mental Outlaw, mental, outlaw, based.win, based, DNS, encrypted DNS, DoH, host your own DoH, DNS over HTTPS, DNS over TLS, self hosted DNS over HTTPS, self hosted DNS over TLS, cloudflare, private DNS, secure DNS, how to setup my own DNS server, how to setup your own DNS server
Id: pj_jyVG7sB4
Length: 24min 20sec (1460 seconds)
Published: Thu Dec 28 2023