Secure DNS setup for companies and professional users

BACK

Series: License free with open source in the company

Professional GDPR friendly IT setup

Professional DNS setup

As users unfortunately have little knowledge of the functions in the Internet, DNS is one of the most overlooked services in the operation of IT infrastructure and Internet services. In many cases, the essential necessity of several well-functioning DNS for the functionality is not known in the necessary depth and this results in massive problems for the security of the operation and the privacy of the users.

We generally differentiate between DNS setups for DNS queries from the company network and setups for your own public DNS server to answer queries about your own domains. This entry deals with “DNS queries from the company network”, but there will be another part for your own domains.

The problems of security and privacy are caused by the mostly unencrypted communication with the DNS servers. This means that even if the data traffic with the website visited or the service used is subsequently encrypted, even non-technical people can easily read which websites or services users are visiting.

The installation of tcpdump and the command:

tcpdump port 53

in order to read which system asks for which name before actually visiting the website or the service is enough. Unfortunately, even in large companies, DNS setups are often carried out in such a way that they are sent to DNS servers on the Internet in unencrypted, all readable queries. In this way, you reveal essential properties of your network to your provider, local authorities, as well as many unknown third parties and also enable the behavior of users to be fully monitored by third parties when surfing.

This looks like this to find the IP of the service you want to visit and takes place in real time without any further action on the part of the supervisor:

In the LAN, an admin must prevent users’ devices from sending DNS queries directly and encrypted to servers on the Internet. This would mean that many safeguards, DNS block lists and functionalities in the LAN and intranet would be ignored or deactivated. In addition, he must protect the queries from being read on the Internet and possibly also in the LAN.

The blocking of port 53 for DNS and 853 for DoT (an encrypted query option) is simple, but since the introduction of DoH (DNS over http) there has been the problem that these DoH queries use the same TCP port as https websites and the blocking so that is more difficult.

The setup steps

LAN

In the LAN, it must be ensured that all devices can only use the DNS provided. This also applies to “Bring your own device” networks, which, similar to the DMZ, are structured in such a way that smartphones, tablets and notebooks are operated in their own network and only have minimal, preferably only RDP, access to a virtual workstation in the LAN. Devices that were once connected directly and without protection via LTE, external WLAN or networks in the Internet should generally never be connected in the LAN again via compliance. This could mean that a Trojan, virus or malware would be transmitted to all LAN workstations and servers, invisible to the firewall and without protection.

The structure is as follows:

  • The firewall on the LAN port allows DNS port 53 and 853 to the DMZ DNS server
  • The firewall on the LAN port blocks all other connections to ports 53 and 853
  • In the case of large setups, round robin cache DNS servers can be added in the DMZ.
  • The firewall on the LAN port blocks all connections to known DNS IP’s on port 443. We are currently blocking around 20,000 IP addresses. You can download a basic list from https://public-dns.info/ (all nameservers). This makes it almost impossible for devices that try to bypass the DMZ DNS via DoH to be successful.
  • Normally, with a professional setup, devices are only allowed to access the Internet via a proxy server in the DMZ and a direct connection is preferably prohibited in order to minimize further security risks.
  • The requests to the DMZ DNS server can also be encrypted via DoT via port 853 in the LAN. This also excludes local readers in the LAN.

DMZ

The purpose of the DMZ (demilitarized zone) is an area separated from the LAN and the Internet in order to prevent successful attacks as much as possible. The DMZ contains web servers, Internet offers and services such as the current DNS server.

The DNS server in the DMZ handles all DNS requests from the LAN and the servers in the DMZ. The use of pure Bind DNS servers is completely easy to set up and covers the basic requirements.

In professional usage for companies, it is advisable to set up a free, open source, pi-hole solution (https://pi-hole.net) to block, without any installation of an AD blocker on every device, advertising server, tracker and other undesired IP addresses and host names central, DNS based. Pi-hiole is equipped with extensive block lists.

The Pi-hole solution saves you a lot of work and requirements that are impossible to meet. With the correct LAN/DMZ/Internet setup, everything can be controlled centrally on the DNS server in the DMZ. It can be set up on a small virtual machine without any problems. With larger networks, a round-robin load balancing setup is also easily feasible.

It is now very important that the DMZ DNS transmits the requests that are passed on to the Internet in encrypted form. Only then the inquiries are protected and secure from interested readers.

Various DNS servers in the Internet can be used as forwarder DNS servers, as described below in the Internet setup.

Internet Setup

The DNS server in the DMZ now requires additional DNS servers, which process the requests in such a way that they are transmitted in encrypted form. To do this, the DMZ DNS sends its requests via DoT or DoH to its forwarders. These then do the real job of converting host names into IP addresses.

As can be seen in the above drawing, we recommend at least two forwarders in round robin failover and load balancing mode in order not to suffer any failures.

You have to know that these servers now process the encrypted request via the root DNS server and the servers that actually offer the DNS of the domains. This may then be unencrypted, but takes place outside of your provider, even better outside of your home country.

In general, it is not advisable to use large public DNS servers, even with DoH support, as this provides a theoretical possibility of creating user profiles. As a successful company, you do not want to become dependent on a centralized system and operate the services you need under your own control.

In order to be independent and more or less unmonitorable, it is advisable to set up two DNS servers on VPS in other countries. E.g., if you are based in Austria, one VPS in the USA and one in Germany. Any combination is possible. Using the round robin load distribution method, one server and the other will answer the requests. Since everything happens across countries and by avoiding large free providers, the own VPS DNS first query the root server and then the respective DNS that offers the domain zone, the highest level of security against monitoring and other readers is given.

With this, easily maintainable setup, which is solved without any license costs, purely with open source software, you have a perfect solution to make it as good as impossible for others to track you via DNS inquiries in the Internet or to create user profiles via DNS about you.

In my opinion, a must for small and large companies, also to prevent special forms of industrial espionage, blackmail through user profiles and other unpleasant events in advance. A professional DNS setup is the indispensable basis of a well-installed IT.

This DNS knowledge is part of the absolute basic knowledge of every administrator and also website and web service developers cannot create professional, secure, non-monitorable solutions without this knowledge.

This series will be continued later with information about operating your own public DNS server for your own domain.

Commercial customers

The CTS IT Solutions founded by me offers commercial customers perfect and well-tested IT solutions! We would be happy to advise you on all questions relating to IT!

Enterprise Support

EURAFRI Matrix Group Chat

We look forward to active participation in the EURAFRI project and ask you to also visit the EURAFRI reception in the matrix.

https://matrix.to/#/#eurafri-reception:matrix.ctseuro.com

Your EURAFRI TEAM

Author: Karl M. Joch
© KMJ.at, Permission to publish the article on EURAFRI.com @20210528

BACK