mdns caching via dnsmasq

DNS has been one of the longest standing insecure protocols. it’s becoming more secure, but adoption is not widespread yet.

In most cases when you make a DNS request to a server such as your IP, they are trivially able to determine the website you’re visiting! This has enabled a world of DNS ad blocking services, and privacy-concious users should lock down this egress point to preserve their privacy.

understanding DNS

DNS is short for Domain Name Resolution, and it’s a crucial part of visiting a website in a browser. DNS servers are directories that serve the corresponding IP address to registered domain names! Without DNS, you cannot visit a website in many cases without the exact IP.

When you visit a browser and type your link, a high level overview will involve:

  • checking /etc/hosts
    • if you have a local website, you can define it here to inform your machine
  • checking /etc/nsswitch.conf
    • this controls the order of resolution. it helps the resolver decide the order of services to check the domain from
  • checking /etc/resolv.conf
    • the localtion of your DNS servers

rolling your own DNS

rolling a local DNS server offers huge benefits, and are very tangible compared to a default address such as 1.1.1.1 or 8.8.8.8.

  • repeated requests are cached, resolving at an external server like 1.1.1.1 or 8.8.8.8 can shave off .2s on every visit for free.
  • network-wide service, you can point your devices that have limited DNS controls at your DNS server and they will benefit from the speed increases
  • filtering, DNS servers can be used to block at a system level. blocking ads locally on request is another speed boost relatively, it has the power to block network ads on limited phones or tvs
  • monitoring, you can use the server as a chokepoint to track stray DNS queries made by your devoces. this often revelas the presence of malware and information leakage

what is the best server?

well, it depends. i tried to settle on one, but i found limitations with my use cases. therefore i have settled on giving my clients dnsmasq and forwarding them to a dnscrypt-proxy server.This allows me to benefit from caching, the extensive dnsmasq integrations, while still benefitting from the enchanced security and privacy controls offered by dnscrypt-proxy.

dnsmasq

I have tried a few solutions, and for my use case dnsmasq comes out ontop of unbound and others for a local DNS cache.

dnscrypt-proxy

That is not to say using secure DNS is worth less. you will preferable have a cascade of dns servers and a choke point to determine the domains on your network. All of my dnsmasq clients will forward uncached requests to this. I can then check the machine running dnscrypt-proxy to see the uncached requests all my clients are making. This helps me detect room for optimization in my network.

firewall rules

for external clients to respond to mdns

sudo ufw allow proto udp from 10.0.0.0/24 port 5353 to 10.0.0.0/24

for static interface

sudo ufw allow proto udp from 10.0.0.0/24 port 5353 to 192.168.123.0/24

References

[1] https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2013q4/007757.html