
I have set up a DNS resolver and nginx upstream server as a working "DNS over TLS" server (and DNS over HTTPS, but Android uses TLS).

This works great so far, but my wish is to make it private with some kind of authentication.

Only specific Users should be able to use it.

The problem is that, for example, on Android devices it is only possible to enter one single "private DNS server"; I have found no suitable authentication method for this scenario.

Does anyone have an idea how to "make my DNS over TLS server private with Android 9"?

Possible "almost solution": configure nginx to allow only connections from specific IP addresses (generate the allowed IP address list via a script and include it).

This has the major problem that, when the IP changes, the client may no longer be able to resolve either the DoT server or the DynDNS provider.

Not tested yet, but I think this should not be the preferred solution. Suggestions welcome.

Machavity
Patric
  • I don't know what you are trying to do; if you want to protect the site, use htaccess or similar. DNS has no authentication by design. – djdomi Aug 20 '19 at 21:09
  • On a box there could be multiple users, launching multiple applications. Each application will use the OS-provided DNS features, which may or may not use a local nameserver. But once the query reaches the DNS server, it has no idea which "user" asked for it, and not even which application. Of course some specific queries, because of the name requested, can give hints about who is behind them (hence the QNAME minimization RFC), but this is far from always or completely reliable. Traditionally, IP-level access was the rule to be enforced. – Patrick Mevzek Aug 21 '19 at 15:54
  • You can run a proxy on top of an existing DNS server. This proxy will deal only with TLS-level problems, and hence can in general mandate a specific certificate from the client. But then you need to find a DoT client that can work with client certificates (not sure that exists). – Patrick Mevzek Aug 21 '19 at 15:55

1 Answer


Neither DoT nor DoH are really specified or implemented with client authentication in mind.

Even though one could imagine leveraging protocol features like client certificates (either) or HTTP authentication mechanisms (DoH) or even TSIG (either), actual normal clients don’t implement these.

For DoH, however, you have the option of just putting a secret in the path component of the URL. So there you have a simple option that doesn’t require that the client even knows that it’s authenticating.

Other than requiring client functionality that is not normally in place, I think you’ll have to resort to limiting access by IP for DoT.
(In theory I guess you could inspect SNI, expecting a secret in the hostname, but that would be very weak as the supposed secret would not be kept secret. Doesn’t really fly, but the hostname is the only config parameter for eg the Android client so there aren’t really a lot of options.)

Håkan Lindqvist
  • I think there is no really good chance to achieve this; marked your answer as the solution, thx. You're correct about the secret via URL, but I think this will only work for DoH; the TLS mechanism of Android won't support this. Thx guys – Patric Aug 21 '19 at 16:25
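The two approaches from the answer (a secret in the URL path for DoH, a source-IP allow-list for DoT) written out as an nginx.conf fragment; this is an added example, not the questioner's or answerer's configuration. The hostname, certificate paths, backend addresses, the secret path and the allow-list file are assumptions.

```nginx
# Added example (not from the original post). Fragment for nginx.conf;
# the usual events {} block and the real certificate paths are omitted.

# DoH: the "secret in the path" approach from the answer. Only the
# unguessable path is proxied; every other path returns 404, so a
# scanner that finds the host learns nothing without the secret.
http {
    server {
        listen 443 ssl http2;
        server_name doh.example.net;                       # assumed hostname
        ssl_certificate     /etc/ssl/doh.example.net.crt;  # assumed paths
        ssl_certificate_key /etc/ssl/doh.example.net.key;

        # Clients are configured with
        #   https://doh.example.net/REPLACE-WITH-LONG-RANDOM-SECRET/dns-query
        # Generate the secret with e.g. `openssl rand -hex 32`.
        location = /REPLACE-WITH-LONG-RANDOM-SECRET/dns-query {
            access_log off;            # the secret would otherwise land in the log
            proxy_pass http://127.0.0.1:8053/dns-query;    # assumed DoH backend
            proxy_set_header Host $host;
        }

        location / {
            return 404;
        }
    }
}

# DoT: TLS on port 853 carries no usable client identity for Android, so
# access is limited by source IP as the answer and the question suggest.
# /etc/nginx/dot-allow.conf (assumed path) is the script-generated file
# from the question and contains one line per client, e.g.
#   allow 203.0.113.10;
# Caveat from the question: a client whose address changes loses access
# until the file is regenerated, so keep the DynDNS hostname resolvable
# through another resolver.
stream {
    server {
        listen 853 ssl;
        ssl_certificate     /etc/ssl/doh.example.net.crt;  # assumed paths
        ssl_certificate_key /etc/ssl/doh.example.net.key;

        include /etc/nginx/dot-allow.conf;   # allow lines generated by script
        deny all;                            # everyone not listed is refused

        proxy_pass 127.0.0.1:53;             # assumed plain-DNS resolver
    }
}
```

Reload nginx after regenerating the allow-list file (`nginx -t && nginx -s reload`), since `include` is evaluated only at configuration load.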