These 5 Linux distros finally got DNS privacy right, and others don’t


Every time your system needs to know the IP address of a domain, it uses DNS. When contacting your DNS server, it sends the domain you’re trying to access in plain text for anyone in the middle to see. It also means that answers can be easily faked, so there are obvious risks.

Your Linux distro may have a way to narrow these security holes, but are you using it? By default, you’re probably blissfully unaware of the problem, so you should at least do more research. Or you can let one of these distros do the heavy lifting for you.

Tails OS

Extreme levels of privacy and security

Launching Tails OS.

Tails (The Amnesic Incognito Live System) is a distro derived from Gentoo that forgets everything you’ve done when you close it. Although there are some provisions for persistence, its default behavior is to run in RAM, avoid writing to the hard disk, and route all traffic through the Tor network for complete anonymity.

Tails is designed to act as a live distribution, ie you can run it entirely from a USB drive. Plug it into any computer, do your work, then unplug it, knowing that what you’re doing is anonymous, including any DNS lookups.

Due to its unique design, Tails can be slower than the alternatives. The Tor network is inherently slower because of the extra routing and encryption it performs. Running the OS in memory is great for performance, provided you have enough RAM; This is certainly not the case for older hardware.

Linux Kodachi

Not for the faint of heart, but a solid proposition

DNS management on Linux Kodachi.

Linux Kodachi is a Debian Linux-based distribution that focuses on computer security and anonymity. This It uses the DNSCrypt protocol To satisfy your DNS queries in several complementary ways:

  • First of all, DNSCrypt encrypts your DNS lookups using its own cryptographic protocol. It does not trust Certificate Authorities or the TLS protocol.

  • DNSCrypt also includes requests and responses, an additional security measure that protects useful information from hackers.

  • Finally, DNSCrypt adds another layer of privacy by routing your queries through additional resolvers.

Kodachi also uses the Tor network to route requests for another level of privacy. The distribution is quite unusual, but it has reasonable defaults, making it an excellent choice for a system dealing with very specific requirements. But you should be comfortable using a niche distro with a unique approach.

Red Hat Enterprise Linux

For business-centric peace of mind

redhat-10.0 firmware

Red Hat Enterprise Linux (RHEL) is a long-running commercial distribution targeting businesses and professionals. Hence, it focuses on stability, security and long-term support.

As part of its commitment to security, RHEL supports DNS over TLS (DoT) and does so starting from the installation process, meaning you’re always protected. Red Hat prefers DoT over competing DNS over HTTPS (DoH) because of its better support for routing requests.

RHEL also uses Unbound, a DNS caching resolver, to act as a local DNS proxy. It converts local unencrypted DNS queries to encrypted DNS queries before sending them to remote DNS servers.

NixOS

Complete control at your fingertips

My NixOS desktop installation.

NixOS is another distro with an unusual approach; this time related to package management and configuration. When you install NixOS, you specify exactly how you want to install the OS. Then, by reinstalling NixOS, you’ll install everything you need, with any conflicts automatically resolved, guaranteeing a stable system.

You can even revert to a previous version of the OS if you find yourself in an undesirable situation. Configuration via a text file provides a system that is very easy to reproduce when you upgrade your computer or need to repeat your setup on a second one.

NixOS also supports encrypted DNS, but it is disabled by default. However, the easy and repeatable configuration means that once you get the hang of setting it up, you should be good to go. The process can be as simple as editing /etc/nixos/configuration.nix and enable DoT:

networking.nameservers = ( "1.1.1.1" "9.9.9.9" );
services.resolved = {
  enable = true;
  dnsovertls = "true"; 
};

Ubuntu

Not perfect, but possible

Openbar automatic theme display-2.

You’re looking for assurance that your current stream can offer some of what others are doing. If your distro is Ubuntu (and it probably is), there’s good news. DNS encryption is also supported by Ubuntu, although not enabled by default; you just need to turn it on.

Ubuntu uses the systemd-resolved daemon to resolve network names. Edit to enable DNS encryption globally /etc/systemd/resolved.conf and make sure you have the following set of directives:

DNSOverTLS=yes

Protecting yourself from DNS leaks and spoofing is that simple.


Having a private DNS is nice, but it’s not as private as you might think

Most Linux distros choose to leave encrypted DNS disabled by default, although they usually provide full support for it. But some go the extra mile by maintaining DNS privacy as a basic service, and are worth checking out if the issue is important to you.

However, you should consider this even if encrypted DNS is enabled It’s not as private as you think.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *