From Fedora Project Wiki
Latest revision as of 16:40, 19 December 2023

DNS Over TLS

Summary

Fedora will attempt to use DNS over TLS (DoT) if supported by configured DNS servers.

Owner

  • Name: Michael Catanzaro

Current status

December 2023 note: This change proposal failed because of Red Hat Bugzilla bugs 2006393 and 2054482. Opportunistic DNS over TLS in systemd-resolved is currently too broken to enable. For now, users will unfortunately have to enable DNS over TLS manually if desired.

  • Targeted release:
  • Last updated: 2023-12-19
  • FESCo issue: #2486
  • Tracker bug: #1889901
  • Release notes tracker: #590

Detailed Description

We will build systemd with -Ddefault-dns-over-tls=opportunistic to protect DNS queries against passive network attackers. An active network attacker can trivially subvert this protection (dropping or resetting the TCP port 853 connection is enough to make systemd-resolved fall back to cleartext), but we cannot make DoT mandatory because other operating systems do not do so and many (or most?) DNS servers do not support it. DoT will only be used if the configured DNS server supports it and if it is not blocked by an active network attacker.

Note that DoT is different from DNS over HTTPS (DoH). In particular, DoT is not an anti-censorship tool like DoH. It does not look like regular HTTPS traffic, and it can be blocked by network administrators if desired, so it should not be a problem for corporate networks.

Feedback

systemd-resolved currently does not handle DNSSEC records properly. Critics of the proposal want systemd-resolved to properly support DNSSEC before enabling DNS over TLS. However, these technologies are not related, and there is no technical reason for DNS over TLS to be blocked on DNSSEC changes.

Benefit to Fedora

DNS queries are encrypted and private by default, if the user's ISP supports DoT. Most probably don't, but users who manually configure a custom DNS server (e.g. Cloudflare or Google) will automatically benefit.

Scope

  • Proposal owners: change meson flags in systemd.spec
  • Other developers: N/A (nothing should be required)
  • Release engineering: #9772 (a check of an impact with Release Engineering is needed)
  • Policies and guidelines: N/A (nothing should be required)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: Nope

Upgrade/compatibility impact

DoT will be enabled automatically on upgrade to F34. If DoT is unsupported, systemd-resolved will fall back to unencrypted DNS, so there should be no compatibility impact.

How To Test

Load any website in a web browser. If you succeed, then name resolution probably works.

Try using resolvectl query fedoraproject.org to see that resolvectl still works.

Bonus points: set your DNS server to 1.1.1.1 or 8.8.8.8 (both support DoT), then use Wireshark to see whether your DNS is really encrypted: queries should leave as TLS on TCP port 853, with nothing on UDP or TCP port 53.
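The Wireshark check above can be scripted. What follows is an added example, not code from this Change proposal or from systemd: a POSIX shell function that reads `tcpdump -nn` output and reports, for every resolver the host talked to, whether the traffic was DoT only (TCP 853), cleartext only (port 53), or both. "Mixed" on a single resolver is the opportunistic-mode fallback the Detailed Description warns about, since an on-path attacker only has to break the port 853 handshake to get cleartext queries. Both captures in the block are constructed, not recorded; 192.0.2.10 and 192.168.1.1 are placeholder addresses and the query IDs and sequence numbers are made up.

```shell
#!/bin/sh
# Added example: audit a `tcpdump -nn` capture and report, per resolver,
# whether the traffic was DoT only (TCP 853), cleartext only (port 53) or
# both. "mixed" on one resolver means systemd-resolved's opportunistic mode
# fell back to cleartext for that server, which is exactly what an on-path
# attacker gets by resetting or dropping the TCP 853 handshake.
#
# Live use (stop after a fixed packet count so awk's END block runs):
#   sudo tcpdump -nn -c 200 -i any 'port 53 or port 853' 2>/dev/null | audit_dns_capture

audit_dns_capture() {
    awk '
    # tcpdump glues the port to the address with ".": "1.1.1.1.853:" -> 853
    function port_of(ep,   n, parts) {
        sub(/:$/, "", ep); n = split(ep, parts, "."); return parts[n] + 0
    }
    function host_of(ep,   n, parts, i, h) {
        sub(/:$/, "", ep); n = split(ep, parts, ".")
        h = parts[1]; for (i = 2; i < n; i++) h = h "." parts[i]
        return h
    }
    # Only lines of the form "<ts> IP <src.port> > <dst.port>: ..." (IP6 too)
    $2 ~ /^IP6?$/ && $4 == ">" {
        sp = port_of($3); dp = port_of($5)
        if      (dp == 853) seen[host_of($5) SUBSEP "dot"]   = 1
        else if (sp == 853) seen[host_of($3) SUBSEP "dot"]   = 1
        else if (dp == 53)  seen[host_of($5) SUBSEP "plain"] = 1
        else if (sp == 53)  seen[host_of($3) SUBSEP "plain"] = 1
    }
    END {
        for (k in seen) { split(k, kk, SUBSEP); proto[kk[1]] = proto[kk[1]] " " kk[2] }
        for (h in proto) {
            if (proto[h] ~ /dot/ && proto[h] ~ /plain/) v = "mixed"
            else if (proto[h] ~ /dot/)                 v = "encrypted"
            else                                       v = "plaintext"
            print h, v
        }
    }' | LC_ALL=C sort
}

# Constructed sample (not a real capture): a DoT session to 1.1.1.1 and a
# cleartext query to a home router at 192.168.1.1.
SAMPLE_CAPTURE='10:21:03.118276 IP 192.0.2.10.40512 > 1.1.1.1.853: Flags [S], seq 1234567890, win 64240, length 0
10:21:03.129014 IP 1.1.1.1.853 > 192.0.2.10.40512: Flags [S.], seq 987654321, ack 1234567891, win 65535, length 0
10:21:03.140552 IP 192.0.2.10.40512 > 1.1.1.1.853: Flags [P.], seq 1:318, ack 1, win 502, length 317
10:21:07.003911 IP 192.0.2.10.55021 > 192.168.1.1.53: 41213+ A? fedoraproject.org. (35)
10:21:07.020448 IP 192.168.1.1.53 > 192.0.2.10.55021: 41213 1/0/0 A 192.0.2.80 (51)'

# Constructed downgrade sample: the TLS handshake to 8.8.8.8 is reset (as an
# on-path attacker could do) and the resolver then falls back to port 53.
DOWNGRADE_CAPTURE='10:30:00.000100 IP 192.0.2.10.40600 > 8.8.8.8.853: Flags [S], seq 11111, win 64240, length 0
10:30:00.010200 IP 8.8.8.8.853 > 192.0.2.10.40600: Flags [R.], seq 0, ack 11112, win 0, length 0
10:30:00.011300 IP 192.0.2.10.55100 > 8.8.8.8.53: 52001+ A? fedoraproject.org. (35)'

printf '%s\n' "$SAMPLE_CAPTURE" | audit_dns_capture     # 1.1.1.1 encrypted / 192.168.1.1 plaintext
printf '%s\n' "$DOWNGRADE_CAPTURE" | audit_dns_capture  # 8.8.8.8 mixed
```

The script keys on the well-known port rather than on packet direction, so it works on captures taken on either side of the client. With DNSOverTLS=yes (strict mode) a "plaintext" or "mixed" line for a configured resolver should never appear; with the opportunistic default this Change proposes, "mixed" is the signal that the fallback fired and is worth investigating.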

User Experience

Users should not notice any difference in behavior.

Dependencies

No dependencies.

Contingency Plan

  • Contingency mechanism: revert the change
  • Contingency deadline: can be done at any time, before F34 beta freeze would be best
  • Blocks release? No
  • Blocks product? No

Documentation

See the section DNSOverTLS= in the manpage resolved.conf(5)

Release Notes

systemd-resolved now enables DNS over TLS (DoT) support by default, in opportunistic mode. DoT will be used only if supported by your DNS server, and provides only best-effort encryption to protect against passive network observers. For compatibility with existing DNS servers, systemd-resolved will fall back to unencrypted DNS if DoT does not appear to be supported, reducing the security benefit. If you wish to manually configure systemd-resolved to prevent fallback to unencrypted DNS, set DNSOverTLS=yes in /etc/systemd/resolved.conf.
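As an added example of the strict configuration mentioned above (not code from the Change proposal or from systemd), the shell functions below write a drop-in for /etc/systemd/resolved.conf.d/ in either mode. The address#server_name form of DNS= is documented in resolved.conf(5): the certificate is checked against that name and it is sent as SNI, whereas a bare address is checked against the IP. Insisting on the #name for every server in strict mode is this example's own policy, not something systemd enforces; cloudflare-dns.com is Cloudflare's DoT hostname for 1.1.1.1 and 1.0.0.1. The drop-in file name is the example's choice.

```shell
#!/bin/sh
# Added example: write a systemd-resolved drop-in that turns on DoT.
#   MODE "opportunistic": encrypt when the resolver allows it, otherwise fall
#                         back to cleartext (what this Change enables by default)
#   MODE "yes":           strict; never fall back, lookups fail instead
# resolved.conf(5): a server written as address#server_name has its certificate
# checked against that name and gets SNI; a bare address is checked against the
# IP. Requiring the #name in strict mode is this example's policy, not systemd's.

render_dot_dropin() {    # usage: render_dot_dropin MODE SERVER...
    mode=$1; shift
    case $mode in
        opportunistic|yes) ;;
        *) echo "render_dot_dropin: mode must be opportunistic or yes" >&2; return 2 ;;
    esac
    [ $# -gt 0 ] || { echo "render_dot_dropin: no servers given" >&2; return 2; }
    for s in "$@"; do
        case $mode:$s in
            yes:*#?*) ;;                       # strict and carries a name: fine
            yes:*) echo "render_dot_dropin: strict DoT, but $s has no #server_name" >&2; return 1 ;;
        esac
    done
    printf '[Resolve]\nDNS=%s\nDNSOverTLS=%s\n' "$*" "$mode"
}

# usage: install_dot_dropin DIR MODE SERVER...   (DIR is normally /etc/systemd/resolved.conf.d)
install_dot_dropin() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    render_dot_dropin "$@" > "$dir/dns-over-tls.conf" || { rm -f "$dir/dns-over-tls.conf"; return 1; }
}

# Stand-alone demo: the strict drop-in, then the check rejecting a bare IP.
render_dot_dropin yes 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
render_dot_dropin yes 8.8.8.8 || echo "(rejected, exit $?)"
```

After install_dot_dropin /etc/systemd/resolved.conf.d yes 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com, run systemctl restart systemd-resolved and then resolvectl query fedoraproject.org. Two caveats. DNSOverTLS= is global, and on a Fedora desktop NetworkManager also hands resolved the per-link servers it learned from DHCP, usually the home router described below; with yes, lookups through a link whose router does not speak DoT fail instead of falling back, which is the intended trade-off but surprises people on hotel and corporate networks. And strict mode only proves that the certificate chains to a CA the system trusts; it says nothing about what the resolver operator does with your queries.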

Be aware that Fedora will only encrypt traffic between you and your DNS server, and then only if supported by your DNS server. For example, if you are connected to a home router, then your router is usually your DNS server. DNS between your laptop and your router will be encrypted if supported by your router, but this change has no impact on what happens between your router and your ISP. Accordingly, most Fedora users will not benefit from this change until DoT is deployed more widely in the future.

Also note that DoT is different from DNS over HTTPS (DoH) in that it does not use HTTPS: it runs on its own port, TCP 853. Since it is easy to distinguish from HTTPS traffic, it is not an anti-censorship tool, unlike DoH.