
Secure DNS: A Footnote

Dot and doh

I’ve successfully managed to set up Pi-Hole on a Raspberry Pi server at home for all of my home-based devices to use for secure DNS lookups. That’s all very well, but my internet-based servers don’t have that luxury. As they are directly connected to the internet, any DNS lookup they do (mainly checking for updates and the like) goes out in plain text to the cloud provider’s DNS service.


But isn’t that internal to your provider?

Yes it is. But using the same arguments I used in Secure DNS: Something We Should Do? it wouldn’t be faithful to that philosophy if I didn’t configure secure DNS on that server, looking up (securely) from Quad9, the DNS servers used by my Pi-Hole server.

Didn’t you look into this already?

Yes I did. In fact, it was one of the earlier questions when considering BIND9 or Pi-hole: Which One Is Better. In the end, of course, I went for Pi-Hole, for the secure DNS lookups, the logging and the ad blocking.

In fact, I started my whole journey of secure DNS discovery by looking at whether I could configure BIND9 to do secure forwarding lookups. At the time, the answer was a pretty solid no, as the version of BIND9 installed by default on Ubuntu 24.04 doesn’t support secure forwarding at all. That was the bit I was interested in, so my focus became firmly fixed on Pi-Hole with cloudflared.

But as previously mentioned: that doesn’t affect my internet-based server.


The internet-based server

My one and only internet-based server (on which runs this very fine website) is a VPS (virtual private server). I prefer a VPS over shared web hosting, as it gives me much more control over security and is far more flexible than a hosting account with limited configuration options. Apart from that, it’s faster and cheaper to run a VPS than hosting (ostensibly). The (not very) downside is that although the VPS is provisioned for me (as Ubuntu 24.04), I have to configure, secure and maintain it myself. Which is absolutely no problem for me whatsoever.

Having provisioned a new VPS recently, it once more raised the question: can I do secure DNS lookups from it?

Time for some research…

DoT. DoH.

There are two types of secure DNS lookup, both of which achieve the same thing: the DNS query travels to the resolver inside an encrypted TLS connection. The difference is in how the query is carried, not in the encryption itself. DNS-over-TLS (DoT) sends ordinary wire-format DNS straight over a TLS session on port 853; DNS-over-HTTPS (DoH) wraps the same wire-format message inside an HTTPS request on port 443, so it looks like any other web traffic to anyone watching the wire.

During my initial research, I’d looked at the version of BIND9 on my server (9.18). Looking that version up on the ISC website, the documentation states that DoT and DoH for forwarders are not implemented in 9.18. It also states that as of BIND 9.20.2 (released in 2024), BIND can forward queries over DNS-over-TLS (DoT): a tls argument on an address in the forwarders statement names a tls block, and BIND then speaks DoT to that upstream server.

BIND 9.20 does not, however, forward over DNS-over-HTTPS (DoH). It can act as a DoH server, but it has no built-in DoH client for talking to upstreams. To forward over DoH you need an external proxy that turns plain DNS into DoH, which is exactly the job cloudflared does alongside my Pi-Hole.

So: BIND 9.20 supports DoT for forwarding, but not DoH.

At that point in my initial research, I abandoned the concept of secure DNS with BIND and travelled down the bifurcated trousers of time towards Pi-Hole. I didn’t fancy (at that point) trying to upgrade BIND and potentially suffering “consequences”. I just wanted to get on with it!

DoT. With BIND 9.20

Revisiting the subject (months later), I thought I’d have a look at installing BIND 9.20 and seeing if I could configure secure forwarding over TLS for the internet server. Turns out it was pretty simple in the end.

First thing to do was to upgrade BIND. The Ubuntu 24.04 package is version 9.18; I need 9.20 to take advantage of TLS forwarding. As that isn’t an official Canonical package, it means a PPA. Fortunately, there is an official ISC PPA that provides production-approved BIND 9.20 packages for Ubuntu 24.04 (and other releases). Yes, it’s a third-party PPA rather than something Canonical maintains (apt still verifies the PPA’s signing key, so the trust decision comes down to whether I trust ISC, who write BIND in the first place). No, I don’t mind.

Configured the PPA and installed/upgraded BIND to version 9.20.7, keeping the original config files (as they contain my already configured DNS zones).

The next step was to configure the named.conf.options file (in /etc/bind) to forward requests to Quad9 over TLS.

This is my config:

  // TLS profile for Quad9. remote-hostname turns on certificate and hostname
  // verification (Strict TLS), not just encryption to whoever answers on 853.
  tls quad9-tls { remote-hostname "dns.quad9.net"; };
  options {
    directory "/var/cache/bind";
    // Forward all recursive lookups to Quad9 over DoT (port 853), using the
    // profile above for both addresses.
    forwarders port 853 {
      9.9.9.9 tls quad9-tls;
      149.112.112.112 tls quad9-tls;
    };
  };

It’s quite a simple config: just one provider to forward requests to, Quad9’s primary and secondary DNS servers, and TLS to do so. Two things are worth knowing about it. The remote-hostname in the tls block is what makes BIND verify Quad9’s certificate rather than merely encrypting to whatever is listening on 9.9.9.9:853. And BIND’s default forwarding mode is “forward first”, which means that if both Quad9 addresses stop answering, BIND quietly falls back to doing full recursion itself, in plain text, against the authoritative servers. Adding “forward only;” inside options turns that fallback into a lookup failure instead, which on a box whose whole point is encrypted lookups is the better trade. Since this is a public VPS it is also worth checking that BIND isn’t offering recursion to the internet: it refuses recursion from outside localhost/localnets by default, but listen-on { 127.0.0.1; }; and listen-on-v6 { ::1; }; keep port 53 off the public interface altogether, unless the zones it hosts are meant to be served to the outside world.

The final step is to point the server’s own resolver at BIND on the loopback address, 127.0.0.1 (on Ubuntu 24.04 that is a netplan/systemd-resolved setting, since /etc/resolv.conf is managed by systemd-resolved rather than edited by hand). A reboot of the server (to restart BIND and apply the new local DNS setting) and it’s done.

Tested from the command line with: dig +short txt @127.0.0.1 -p 53 proto.on.quad9.net. (the trailing full stop marks a fully qualified name; dig accepts the name with or without it).

The TXT answer should be “dot”, indicating that the lookup reached Quad9 over DNS-over-TLS. Anything else means the forwarding leg is not going over TLS, and the first thing to check is that named started cleanly with the new tls and forwarders statements (named-checkconf validates the file without a restart).
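To make the two transports and the check above concrete, here is an added example in Python (my own code, not from the original post and not from ISC or Quad9). It builds the same TXT query for proto.on.quad9.net that the dig command sends, shows how that single wire-format message is framed for DoT (a two-byte length prefix inside TLS on port 853) and for DoH (base64url in an HTTPS GET on port 443), and parses the TXT answer. It assumes Quad9’s DoH endpoint is https://dns.quad9.net/dns-query and that BIND is listening on 127.0.0.1:53; the sample response used for the offline run is constructed, not captured from a real server.

```python
"""Added example: the DNS message behind the dig check, framed for DoT and DoH.

Assumptions (not from the original post): Quad9's DoH endpoint is
https://dns.quad9.net/dns-query and the local BIND answers on 127.0.0.1:53.
The offline sample response below is constructed, not captured.
"""
import base64
import socket
import struct

TXT = 16          # RRTYPE for TXT
IN = 1            # DNS class IN


def build_query(name: str, qtype: int = TXT, txid: int = 0x1234) -> bytes:
    """Encode a minimal wire-format DNS query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100 = RD
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, IN)


def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858) is DNS-over-TCP inside a TLS session on port 853:
    the only framing is the usual two-byte big-endian length prefix."""
    return struct.pack("!H", len(query)) + query


def doh_get_url(query: bytes, endpoint: str = "https://dns.quad9.net/dns-query") -> str:
    """DoH (RFC 8484) carries the *same* wire-format message inside HTTPS on port 443;
    for GET it is base64url-encoded without '=' padding in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def doh_query_from_url(url: str) -> bytes:
    """Reverse of doh_get_url: what a DoH server does to recover the DNS message."""
    b64 = url.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_answers(msg: bytes) -> list[str]:
    """Return the TXT strings from the answer section; raise on a non-zero RCODE."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    off = 12
    for _ in range(qdcount):                 # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    strings: list[str] = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TXT:                     # TXT rdata: sequence of <len><chars>
            i = 0
            while i < len(rdata):
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return strings


def sample_response() -> bytes:
    """Constructed response for proto.on.quad9.net TXT with answer "dot" (not captured)."""
    query = build_query("proto.on.quad9.net")
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, RCODE 0
    rdata = b"\x03dot"
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 60, len(rdata)) + rdata
    return header + query[12:] + answer      # pointer 0x0c -> the question name


def check_local_resolver(server: str = "127.0.0.1", port: int = 53, timeout: float = 3.0) -> list[str]:
    """Send the query over plain UDP to the local BIND, as dig does, and return the TXT strings."""
    query = build_query("proto.on.quad9.net")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction ID mismatch: not a reply to our query")
    return parse_txt_answers(resp)


if __name__ == "__main__":
    q = build_query("proto.on.quad9.net")
    print("DoT frame (hex):", dot_frame(q).hex())
    print("DoH GET URL    :", doh_get_url(q))
    print("offline sample :", parse_txt_answers(sample_response()))   # ['dot']
    try:
        print("live 127.0.0.1 :", check_local_resolver())
    except (OSError, ValueError) as exc:
        print("live check failed:", exc)
```

Note what the live check proves: it exercises the leg from BIND to Quad9. The leg from this script (or dig, or the system stub resolver) to BIND is still plain UDP on port 53, which is fine on loopback and is exactly why the listen address matters on a public VPS.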


Job done!

That final step has (almost) completed my whole secure DNS journey. I’m now performing secure DNS lookups from all the devices and servers that I own, whether they are based at home or internet based.

Has it made a difference? I think it has in terms of speed of lookups. It’s probably my imagination, but I am under the impression that web pages are loading slightly faster than they did before. Which is nice.

And of course, I can now sleep soundly in the knowledge that whatever device or server I own and use, I am protected against ISP monitoring, DNS hijacking and have a modicum of protection through Quad9’s filtering.

Which is also nice.

Postscript

Yes, I’m aware that outside of the confines of my home network/Wi-Fi, my SIM-enabled devices aren’t going to be using secure DNS. They’re going to be using my telephone provider’s DNS services. Now I could go the whole hog and configure my one and only SIM-enabled device to use secure DNS outside of my network, but I use my phone very, very infrequently for browsing and whatnot, so it’s just not worth my time investing in configuring it. But I am aware.

I’m also aware that if I use a VPN then I will also be using the VPN provider’s DNS services. Again, it’s infrequent use and they’re based in Sweden. I’m OK with that.