Reviews for DNSSEC
DNSSEC by Antoine POPINEAU
Review by Firefox user 13645153
Rated 2 out of 5
by Firefox user 13645153, 7 years ago
Using a fixed remote/public DNSSEC DNS Server/Resolver over an unencrypted connection is NOT a secure habit/procedure. And Google is known to LOG/record usage forever! https://developers.google.com/speed/public-dns/privacy
Please add an option for users to specify their own local DNSSEC DNS validating servers/resolvers (like Unbound, BIND, etc.) or redirectors/resolvers (like Stubby, GetDNS, etc.) in this addon. Local DNSSEC resolvers or redirectors can run/respond on IP 127.0.0.1, 127.0.0.2, etc., Port 53.
ISP corporations can see+record/log (aka profile) all of a user's DNS resolving IP data, etc. usage, when DNS queries/answers go unencrypted over UDP/TCP into their or any other DNS server/resolver. If a trustworthy 3rd-Party (3P) public DNSSEC-DNS Server/Resolver service (or services) is used (one that has publicly publicized that it absolutely does not record any of a user's DNS usage), then that service can help to maintain privacy (a little bit better). When encrypted/TLS connections are used, the ISP cannot see the data inside the encrypted packet (but can see+record (profile) the IP addresses of "from"/"source" and "to"/"destination") unless the ISP has also obtained the required+related decryption cert+key. But tracking/recording/profiling is still possible (from the 3P to DNS-servers/resolvers traffic), as not all DNS servers/resolvers are yet using DNS-over-TLS, and DNS by nature needs to connect with known/established IP addresses.
When DNS data & content data authenticity can be verified using unchangeable (but updatable with newer data) records from a public p2p ledger (i.e. blockchain), and content data is obtained via multiple random p2p-network-based peer computers, then full/complete profiling will not be possible.
Unbound DNSSEC server/resolver software also supports encrypted DNSSEC resolving (DNS-over-TLS, https://tools.ietf.org/html/rfc7858) on Port 853 when the user uses+specifies+loads a custom cert+key in the Unbound resolver & in the client (firefox/unbound/libunbound, etc.). And when SOCKS5 (tunnel/proxy, etc.) is used by firefox/user/host-computer, then encrypted DNSSEC resolving is very necessary.
If this addon is (or will be) using "libunbound", then please also add an option for users to manually specify/add their own "root.key", and/or add a PEM/cert for the dnssec-rootkey webpage/site, and add/specify a cert+key for encrypted/TLS DNS resolving, etc.
Unbound: https://www.unbound.net/
Quad9 (https://quad9.net/) DNSSEC resolving (online) service supports (encrypted) DNS over TLS on IP 9.9.9.9 & 2620:fe::fe, Port 853. And the GetDnsApi (https://getdnsapi.net/) service supports (encrypted) DNSSEC DNS over TLS on IP 185.49.141.37 & 2a04:b900:0:100::37, Port 853. Both Quad9 & GetDnsApi also support unencrypted DNS over UDP/TCP on Port 53. More IPs: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
The "getdns"/"Stubby" (https://getdnsapi.net/, https://github.com/getdnsapi/getdns, https://github.com/getdnsapi/stubby, etc.) redirector/resolver software can also be used (instead of Unbound/BIND server software) to forward/resolve all local DNS queries over a TLS/encrypted connection.
Almost all OSes have an option to load Unbound (or another full validating DNSSEC DNS server/resolver, etc.), either directly or through 3rd-party (3P) package-management software (CygWin, MacPorts, HomeBrew, etc.).
Also check out the alternative DNSSEC-Validator (XUL based) firefox addon/extension (https://www.dnssec-validator.cz/) which allows using a custom/local/remote DNSSEC resolver/server with firefox below v57 (dnssec-validator does not yet have a Web-Extension (W-E) based addon/extension for firefox v57+ (as of when I posted this message here, Dec-30-2017), but their chrome extension should+can be converted to be used with firefox v57+).
DANE/TLSA is the best part of DNSSEC. If this addon is not already doing this, then please also add these options: display DANE verification related status ICONs in the toolbar for HTTPS-based websites which are DNSSEC signed, so that the user can know/view different ICONs for different types of verification/unverification status.
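The setup the review asks for, as an added example that is not part of the review or of the extension: an unbound.conf for a local validating resolver that answers on 127.0.0.1 port 53 and forwards every query over DNS-over-TLS (RFC 7858, port 853) to the Quad9 and getdnsapi.net addresses the review lists. The root.key and CA-bundle paths, the TLS auth names (dns.quad9.net, getdnsapi.net) and the Unbound version (1.7.x or newer, for the `@port#authname` syntax and `tls-cert-bundle`) are assumptions, not taken from the page.

```conf
# Added example (not from the review or the extension): local validating
# resolver on 127.0.0.1:53, upstream only over DNS-over-TLS on port 853.
# Assumptions: Unbound 1.7.x or newer, the file paths, the TLS auth names.
server:
    interface: 127.0.0.1
    port: 53
    do-ip6: yes
    # Only this host may use the resolver; everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    # DNSSEC validation with an RFC 5011 managed trust anchor: this is the
    # "root.key" the review wants to be user-configurable. Path assumed;
    # bootstrap it with: unbound-anchor -a /var/lib/unbound/root.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # Fail closed: a bogus signature yields SERVFAIL, not a passed-through answer.
    val-permissive-mode: no
    # A trust-anchored zone whose answer lacks DNSSEC data is treated as bogus.
    harden-dnssec-stripped: yes
    # CA bundle used to authenticate the upstream servers' TLS certificates.
    # Path assumed (Debian/Ubuntu location).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Upstream over TLS only; never fall back to plaintext port 53.
    forward-tls-upstream: yes
    # "@853" selects the DoT port; "#name" pins the expected certificate
    # hostname so an on-path resolver cannot impersonate the forwarder.
    # Auth names are assumptions, not taken from the review.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 185.49.141.37@853#getdnsapi.net
    forward-addr: 2a04:b900:0:100::37@853#getdnsapi.net
```

Check the file with `unbound-checkconf` before reloading. To confirm validation is actually happening, query a DNSSEC-signed name with `dig +dnssec` against 127.0.0.1 and look for the `ad` flag in the response header; without `forward-tls-upstream: yes` the same forwarders would be reached in plaintext on port 53, which is exactly the exposure to the ISP that the review describes.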
Developer response
posted 7 years ago
Firstly, we do not use unencrypted connections; everything is done through HTTPS.
Then, the developers of the former DNSSEC-Validator said themselves they would not port their extension because of missing APIs in Firefox 57+. As mentioned in another comment, as far as we know, there is no way of crafting and executing a raw UDP or TCP packet in Firefox 57+. We are therefore forced to use HTTPS to perform all DNS queries through HTTP resolvers.
That being said, I agree using Google by default is not a good choice, and it is a choice that was made as a proof of concept. I am in the process of forking the OpenDNS HTTP resolver to support reporting DNSSEC status, so you can self-host your resolver and use it with this extension instead of Google's.
But that self-hosted resolver will always be an option. The extension has to work on first run, for non-technical people, and must use a publicly-hosted HTTP-based DNS resolver. If you have any service that does that outside Google, I'll be happy to integrate it.