The Unfriendly Internet - Turning Off Cleartext Lookups in September

by Tykling @ February 10, 2022 16:52

TL;DR Cleartext UDP and TCP DNS on port 53 (and on this service also 5353) is being turned off permanently in a little over 6 months, on September 1st, 2022. Encrypted lookups will continue to be supported like today.

The reason for this radical change is twofold: 1) I want to encourage adoption of encrypted and authenticated DNS, and 2) I am sick of fighting UDP amplification attacks.

1) About Encrypted DNS

Encrypted DNS (between resolver and recursive server) is a modern replacement for regular cleartext DNS lookups. Two abbreviations you need to know when we are talking about encrypted DNS: DoT is DNS-over-TLS (RFC7858), and DoH is DNS-over-HTTPS (RFC8484).

Both these protocols transport regular DNS lookups, but they both do so in an encrypted and authenticated way. This guarantees that your DNS lookups cannot be observed by just looking at the network traffic, and it also guarantees that you are actually communicating with the servers you think you are.
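To make the two transports concrete, here is an added example (not code from this post or from the censurfridns project) that builds a DNS query in wire format and frames it the way the two RFCs require: a two-byte length prefix inside the TLS session for DoT (RFC 7858), and either a base64url `dns=` GET parameter or an `application/dns-message` POST body for DoH (RFC 8484). The host name `dns.example` and the `/dns-query` path are placeholders; nothing here opens a socket, the point is the framing.

```python
import base64
import struct

# Minimal RR type table for the example (constructed subset).
RRTYPES = {"A": 1, "AAAA": 28, "DNSKEY": 48}


def build_query(name: str, rrtype: str = "A", txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query: header with RD set, one question, no EDNS."""
    flags = 0x0100  # QR=0 (query), opcode=0, RD=1 (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        enc = label.encode("ascii")
        if not 1 <= len(enc) <= 63:
            raise ValueError("DNS label length must be 1..63 octets")
        qname += bytes([len(enc)]) + enc
    qname += b"\x00"  # root label terminates the name
    question = qname + struct.pack("!HH", RRTYPES[rrtype], 1)  # QTYPE, QCLASS=IN
    return header + question


def frame_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 16-bit big-endian length prefix, then the message."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(stream: bytes) -> list:
    """Split a received DoT byte stream back into individual DNS messages."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack("!H", stream[i:i + 2])[0]
        if i + 2 + n > len(stream):
            raise ValueError("truncated DNS message in stream")
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def doh_get_path(msg: bytes, path: str = "/dns-query") -> str:
    """DoH GET (RFC 8484 4.1): message base64url-encoded with padding stripped, in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"


def doh_post_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST (RFC 8484 4.1): raw wire-format message as the body, typed application/dns-message."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    ).encode("ascii")
    return head + msg


if __name__ == "__main__":
    q = build_query("example.com", "A")
    print("wire query:", q.hex())
    print("DoT frame :", frame_dot(q).hex())
    print("DoH GET   :", doh_get_path(q))
    print("DoH POST  :", doh_post_request(q, "dns.example")[:80])
```

RFC 8484 recommends a DNS ID of 0 in GET requests so that identical queries yield identical URLs that HTTP caches can reuse; pass `txid=0` to `build_query` for that. The encryption and server authentication the post describes come from the TLS session (and the key pinning in the Stubby config), not from anything in this framing layer.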

DoT has been supported on this service since mid 2017 and DoH has been supported since October 2020. I feel like the time is right to set a date now to turn off cleartext lookups in September 2022.

Many of you have already switched to one of the encrypted protocols, so you don't have to do anything. But if you are still using regular plaintext DNS you now have six months to get it done :)

I've created a new repository on Github for guides, how-tos, example configs and such to help with the transition. If you get DoT or DoH working for this service on some router, OS or phone then maybe make a PR in https://github.com/censurfridns/client-configs to explain how.

For now the Stubby example config has all the servers and public key pinsets for both RSA and ECDSA keys already in place, so that is a good place to start.

I don't have much spare time these days so I really hope you will all help with contributing example configs and guides and stuff to the repo! :) I will try to get some basic repo structure in place soon.

2) About UDP Amplification Attacks

So, all DNS server operators have to deal with spoofed UDP traffic, doubly so for open recursive server operators. It requires a lot of fiddling with limits in the software used to detect attacks to adapt to the constantly changing attack landscape. Sometimes the attacks look so much like regular traffic that it is tricky to tell attackers apart from real users, which is why many of you have had the unfortunate experience of being blocked as a false positive.

Without getting too technical: UDP traffic can be spoofed. This is primarily true because of lazy or incompetent ISPs not enforcing proper filters on their outgoing traffic. Whatever the reason, with the ability to spoof the sender address of UDP traffic an attacker who wants to attack (example IP) can send some DNS lookups with a spoofed sender IP to my servers, maybe asking for a lot of data like some DNSSEC keys, and having the large responses go to

The net result is that the servers involuntarily participate in the attack against - at least for a while until the anti-DDoS measures I use catch on and block the IP. The ratio of the bandwidth sent to the victim to the bandwidth used by the attacker is called the amplification ratio.
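As an added illustration of the amplification ratio and of the per-source response rate limiting that resolver operators use against it (example code written for this page, not the post author's anti-DDoS tooling), the block below runs a small sliding-window limiter over constructed query-log records. Source addresses, sizes and timestamps are made up. Because the spoofed "source" in the log is the victim, the limiter groups sources by /24 the way DNS RRL does and truncates a share of the over-limit answers: a genuine client behind that prefix retries over TCP, which a spoofed address never does, while the victim receives a fraction of the amplified bytes.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed query-log records: (time_s, source_ip, qname, qtype, query_bytes, response_bytes).
# 198.51.100.7 plays the spoofed victim: many small DNSKEY queries, each with a large answer.
SAMPLE_LOG = [
    (0.00, "192.0.2.10", "example.org.", "A", 41, 57),
    (0.05, "198.51.100.7", "example.org.", "DNSKEY", 45, 1232),
    (0.10, "198.51.100.7", "example.org.", "DNSKEY", 45, 1232),
    (0.15, "198.51.100.7", "example.org.", "DNSKEY", 45, 1232),
    (0.20, "198.51.100.7", "example.org.", "DNSKEY", 45, 1232),
    (0.25, "198.51.100.7", "example.org.", "DNSKEY", 45, 1232),
    (0.30, "198.51.100.7", "example.org.", "DNSKEY", 45, 1232),
    (0.35, "198.51.100.7", "example.org.", "DNSKEY", 45, 1232),
    (1.50, "192.0.2.10", "example.net.", "AAAA", 44, 72),
]


def amplification_ratio(query_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


class ResponseRateLimiter:
    """Sliding-window cap on responses per source prefix (the core idea of DNS RRL).

    Over the cap, every `slip`-th response is still sent but marked truncated (TC=1)
    so a real client retries over TCP; the remaining over-cap responses are dropped.
    """

    def __init__(self, window_s=1.0, max_per_window=5, slip=2, prefix_len=24):
        self.window_s = window_s
        self.max_per_window = max_per_window
        self.slip = slip
        self.prefix_len = prefix_len
        self.history = defaultdict(deque)  # bucket -> timestamps of answered queries
        self.over = defaultdict(int)       # bucket -> count of over-cap events

    def bucket(self, src_ip: str) -> str:
        """Aggregate by prefix so an attacker cannot dodge the limit by rotating the last octet."""
        return str(ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False))

    def decide(self, ts: float, src_ip: str) -> str:
        key = self.bucket(src_ip)
        recent = self.history[key]
        while recent and ts - recent[0] >= self.window_s:
            recent.popleft()  # expire answers outside the window
        if len(recent) < self.max_per_window:
            recent.append(ts)
            return "answer"
        self.over[key] += 1
        return "truncate" if self.over[key] % self.slip == 0 else "drop"


def analyse(log, limiter=None):
    """Run the limiter over a log; return per-source decisions and the worst amplification seen."""
    limiter = limiter or ResponseRateLimiter()
    decisions = defaultdict(list)
    worst = 0.0
    for ts, src, _qname, _qtype, qbytes, rbytes in log:
        worst = max(worst, amplification_ratio(qbytes, rbytes))
        decisions[src].append(limiter.decide(ts, src))
    return dict(decisions), worst


if __name__ == "__main__":
    per_source, worst = analyse(SAMPLE_LOG)
    print(f"worst amplification ratio in sample: {worst:.1f}x")
    for src, verdicts in per_source.items():
        print(src, verdicts)
```

The ratio is what makes the open-resolver case painful: in the constructed sample a 45-byte query produces a 1232-byte answer, so the victim receives about 27 bytes for every byte the attacker spends. Rate limiting only caps the damage per source prefix; removing UDP altogether, as the post does, removes the spoofing itself.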

Since both DoT and DoH run over TCP that means no more UDP when I disable cleartext DNS lookups in September, eliminating quite a big source of problems. I am looking forward to it!

Tags: doh dns dot