phiffer.org

Dan Phiffer is an Internet enthusiast based in Troy, NY

Configuring DNS-over-TLS on macOS

Until yesterday I hadn’t thought too much about DNS metadata leakage. Here’s how it works: your computer sends a request to resolve a hostname, let’s say “topsecretwebsite.example,” to its DNS server in cleartext, and the server answers the same way, so anyone sitting between the two (the café wifi, your ISP) can read exactly which hostnames you look up. It’s wild that the Internet works like this by default.

What happened yesterday is a company called CloudFlare (a popular and free content delivery network) announced a new DNS service at the IP address 1.1.1.1. (Yes it launched on April 1, no it’s not a joke.) The service supports a couple of interesting privacy-protecting options: DNS-over-HTTPS and DNS-over-TLS. Those technologies don’t guarantee your DNS lookups are accurate (check out DNSSEC for that), or that the DNS provider won’t someday betray you; the resolver at the far end still sees every query you make. They just make it harder for anyone in between to collect metadata by listening in on DNS’s cleartext port 53.

I asked on Twitter for pointers on how to set this up, and landed on these notes from Daniel Kahn Gillmor (aka dkg), from a workshop he gave at the most recent Internet Freedom Festival. (Thanks for the pointer Jen!)

This all got me to set up my own DNS resolver on my laptop, which runs macOS 10.13.4.

  • I’m running a local instance of knot-resolver (the same software that runs CloudFlare’s 1.1.1.1)
  • macOS is configured to look up DNS at 127.0.0.1 on the usual port 53
  • My local knot-resolver (aka kresd) is configured to send requests upstream to 1.1.1.1 over TLS

1. Install knot-resolver

I used Homebrew to install.

brew install knot-resolver

Then I installed a service to run it on startup. The sudo matters here: it registers kresd as a system-level launchd daemon, which is what lets it bind port 53, a privileged port on this version of macOS.

sudo brew services start knot-resolver

2. Configure knot-resolver

Then I edited the config file.

nano /usr/local/etc/kresd/config

I added the following to the end of the file. TLS_FORWARD by itself only builds the forwarding action; wrapping it in policy.add(policy.all(...)) is what registers it for every query, and without that wrapper kresd keeps resolving on its own over plain port 53:

policy.add(policy.all(policy.TLS_FORWARD({
  {'1.0.0.1', hostname='cloudflare-dns.com.', ca_file='/usr/local/etc/kresd/DigiCertGlobalRootCA.crt'}
})))

3. Download the CA certificate

In order to verify the identity of the DNS server, TLS_FORWARD needs either a pin (pin_sha256, a hash of the server certificate’s public key) or the hostname plus a CA certificate to check the server’s chain against. We are using the latter method, since it’s more readable and doesn’t break when the provider rotates its TLS certificate, as long as the new one is issued by the same CA for the same hostname. Skipping the check altogether would give you encryption without authentication: anyone who could intercept the connection could stand in for the resolver.

First, inspect the TLS certificate served by https://1.1.1.1/. Some internet connections won’t load that address; I’ve actually found https://1.0.0.1/ to be more reliable. Click the green lock icon next to the URL, navigate to the certificate details, and export the Certificate Authority (CA) certificate at the top of the chain (the root, which for this service is the DigiCert Global Root CA named in the config above) in PEM format. Don’t export the site’s own leaf certificate instead: that is the one that gets rotated, and the point of this method is to survive rotation.

How to export the CA certificate file.

Finally, move the .crt file you exported into /usr/local/etc/kresd to match the path configured above.

4. Restart kresd

Restart the service for your change to take effect.

sudo brew services restart knot-resolver

5. Test the “before”

Now you want to configure your system to use the local DNS service. First, see how lookups behave before we add our own resolver into the mix.

kdig plannedparenthood.com

You should see some results resolving plannedparenthood.com to its IP address 104.18.62.117, with this detail at the bottom about where the results came from (your resolver address and timing will be different).

;; From 10.67.104.1@53(UDP) in 753.2 ms

Basically my computer just sent, in cleartext over UDP port 53, “hey 10.67.104.1, do you know where I can find PLANNEDPARENTHOOD.COM?” Anyone on the path between the two (or running that resolver) could read it. This happens each time you load a website whose answer isn’t already cached.

6. Configure macOS

Now go to Apple Menu > System Preferences > Network > Advanced > DNS and add 127.0.0.1 as your DNS server. Two things to know: the list is per interface, so do this for Wi-Fi and for Ethernet if you use both; and any other server you leave in the list is a fallback that macOS will happily query in cleartext if the local resolver stops answering, so list only 127.0.0.1. You can confirm what the system is actually using with scutil --dns.

7. Test the “after”

Try kdig plannedparenthood.com again. Now you should see your local address at the bottom.

;; From 127.0.0.1@53(UDP) in 1648.7 ms

You’ll get the same IP address result, but now the lookup left your machine wrapped in TLS. Hooray! One caveat about what this kdig output proves: it only shows that the answer came from 127.0.0.1. The encrypted hop is kresd’s, and the way to confirm it is to watch the wire with something like tcpdump: with the forwarding policy active, the only DNS traffic leaving your interface should be TCP to 1.0.0.1 on port 853, with nothing on port 53.
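The kresd config in step 2 asks the local resolver to reach 1.0.0.1 over TLS, verify the certificate against the DigiCert root, and check that it was issued for cloudflare-dns.com. To make that upstream hop concrete, here is an added example of the same exchange written as a minimal DNS-over-TLS client in Python. This is my illustration, not code from the post or from Knot Resolver: it encodes a DNS query in wire format, adds the two-byte length prefix that RFC 7858 requires over TLS, performs the same hostname and CA checks kresd does, and parses the A records out of the reply. The embedded sample reply is constructed by hand to mirror the plannedparenthood.com answer from the kdig test above; the server, port, hostname and CA file defaults are taken from the post’s config, and a live query is only attempted when you run the file directly with a hostname argument.

```python
"""Minimal DNS-over-TLS client (RFC 7858), added to illustrate the upstream
hop kresd makes under policy.TLS_FORWARD. Not code from the post."""
import secrets
import socket
import ssl
import struct

A_RECORD, IN_CLASS = 1, 1


def build_query(qname: str, qtype: int = A_RECORD, txid: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (RFC 1035 wire format), RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, IN_CLASS)


def frame_for_tls(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length (RFC 7858 section
    3.3, the same framing as DNS over TCP) so messages can share one session."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg: bytes, offset: int):
    """Decode a domain name, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared at `offset`)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # pointer: top two bits set
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg: bytes, expected_txid: int):
    """Return (rcode, [IPv4 strings]) from a DNS reply; raise on txid mismatch."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))  # CNAME and friends are skipped
    return flags & 0x000F, addrs


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket or fail loudly."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS peer closed the connection mid-message")
        buf += chunk
    return buf


def dot_query(qname: str, server: str = "1.0.0.1", port: int = 853,
              server_hostname: str = "cloudflare-dns.com",
              cafile=None, timeout: float = 5.0):
    """Resolve qname over TLS. cafile=None trusts the system CA store; pass the
    exported DigiCert root to mirror the ca_file= setting in the kresd config."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True            # reject a cert not issued for server_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED  # and one that does not chain to cafile
    txid = secrets.randbits(16)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(frame_for_tls(build_query(qname, txid=txid)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            reply = recv_exact(tls, length)
    return parse_a_records(reply, txid)


# Constructed sample reply (not captured traffic): the answer the post's kdig
# test shows for plannedparenthood.com, with the answer name as a pointer.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    + b"\x11plannedparenthood\x03com\x00" + struct.pack("!HH", A_RECORD, IN_CLASS)
    + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 300, 4)
    + bytes([104, 18, 62, 117])
)

if __name__ == "__main__":
    import sys
    print(parse_a_records(SAMPLE_REPLY, 0x1234))  # offline: (0, ['104.18.62.117'])
    if len(sys.argv) > 1:  # live: python dot.py plannedparenthood.com
        print(dot_query(sys.argv[1]))
```

The two things worth noticing are the framing and the checks. Over UDP port 53 a query is one datagram; over TLS it is a length-prefixed stream message, which is why kresd needs a TCP-style session to 1.0.0.1:853 rather than a fire-and-forget packet. And the hostname plus CA verification in dot_query is exactly what the hostname= and ca_file= options in the kresd config buy you: drop either and you still get encryption, but nothing stops an on-path attacker from presenting their own certificate.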

What else?

If that doesn’t work for you, you may want to check out the log file /usr/local/var/log/kresd.log for errors.

Also consider using other privacy-protecting DNS services beyond 1.1.1.1. I applaud CloudFlare for drawing attention to how we can improve our network privacy, but if we all use the same service it creates a single point of failure, and a single vantage point that sees everyone’s lookups. Alternatively you could go with 9.9.9.9, or pdns.greenhost.net, or dns.cmrg.net (dkg’s own service), or something else; whichever you pick needs its own address, hostname and CA certificate (or pin) in the TLS_FORWARD entry.

You should also know there are situations where you need to use a specific DNS server. If you are on a corporate network, for example, it may rely on hostnames that exist only on the internal DNS servers, and captive portals in hotels and cafés often depend on their own DNS to redirect you to a login page. So realize that changing your DNS settings means things may break later, and try to remember this the next time you run into mysterious network issues!

Thanks to Daniel Kahn Gillmor for providing feedback on a draft of this post.

287(g) public hearing

Tonight my first radio segment for Hudson Mohawk Magazine aired on WOOC 105.3 FM in Troy, NY. To provide some context on the public hearing, maybe I’ll just post the lead in script I provided for the hosts.

At Wednesday night’s Public Forum at the County Legislature, Troy residents Nora McDowell and Alexander Ferrer (FER-ERR) spoke out against the proposed 287(g) funding application that Sheriff Patrick Russo has sought from the Department of Homeland Security. Under the arrangement, Rensselaer County would be the first in New York State to collaborate with federal ICE agents. After the forum, WOOC reporter Dan Phiffer (FIE-FUR) spoke to County Legislator Peter Grimm.

You can also read more on no287g.com, a small website I created for the (cancelled) protest.

MP3 download

RIP Joe Frank (beta.prx.org)

One of the great radio voices is gone. This is from Time- Old from a collection of Hearing Voices on PRX.

If billions of years preceded our existence on Earth, billions of years will surely follow after our existence as well. So that our life here is like one flash of a strobe light. The wink of an eye. And if your life is merely a microscopic blip in the vast dimension of time, is its importance to you just an illusion?

Also worth a listen: Dreamers on Unfictional

Link

Introducing smol-slowtv (github.com)

This year for xmas I made Raspberry Pi video players for everyone in my family, so they could share my love for BergensBanen minutt for minutt HD:

When the Pi boots up, it updates its time using ntpdate, pulls down any updates from this git repo, then plays back starting from a specific timestamp based on the current UTC time. This allows for a communal slow TV viewing experience.

Link

Without Net Neutrality, Is It Time To Build Your Own Internet?

I was happy to provide comments for an article by Eileen Guo about Net Neutrality and mesh networking. It was helpful in formulating my thoughts on the FCC’s recent decision to rescind Net Neutrality rules (see also: my last email newsletter).

I’m including the emailed questions for the article and my responses here in full.

Eileen: There has been a lot of interest in net neutrality in the past, does this time feel any different?

Me: Compared to the 2010 battle over SOPA/PIPA, this year’s FCC vote has felt like there’s way more at stake. The political landscape has shifted so dramatically this year. I’m still trying to figure out if Net Neutrality advocates are all spread thin protesting other issues, or if 2017 is when resistance became normalized along with Trump normalizing creeping authoritarianism. Dismantling what paltry telecom oversight was in place feels like just another front on the Trump administration’s war on journalism and civic discourse. The response coming from state government and congress has me cautiously optimistic, but this last year has conditioned me to expect that the fight will only demand more organizing and collective action.

Eileen: Is mesh internet technology in the U.S. now at the point where mesh can be an alternative to ISPs?

Me: What’s interesting to me about mesh technology is that you can build out the infrastructure without digging up a trench. However, it occupies a place in the public imagination that may not always sync up with the boring reality. A lot of what people think about when they hear “mesh” are community mesh projects like Catalonia’s GUIFI or NYC Mesh. The two parts aren’t tightly coupled: the mesh technology and the peer-to-peer community possibilities can be understood separately. For example, the ISP I have in Troy, NY, MassiveMesh, uses mesh networking technology, but aside from the antenna on my roof it provides a service that is entirely equivalent to Comcast or Spectrum. On the other hand, my wifi darknet project occupy.here relies on the community dynamics you find in community mesh, but does not actually use mesh technology.

Listening to Ajit Pai’s statement during the FCC vote had me nodding in agreement when he listed big Internet tech companies that aren’t scrutinized, but it was a bad faith attempt at whataboutism, and belies his disinterest in actually regulating the industry he came from himself as a former Verizon attorney. Yes, we should be concerned about tech monopolies, as Nathan Schneider argued well in his Quartz piece. But we should understand why smaller firms, like my local ISP, are less likely to treat me poorly compared to the bigger players who monopolize broadband markets. Sometimes regulation is designed to protect the bigger players from local upstarts, like my mesh ISP. We need to be arguing in terms of human rights and not technical minutiae that are boring and difficult to understand.

So, while I’m pleased to have a good mesh ISP option where I live, I am still going to fight hard for those who don’t have that privilege.

Eileen: I wanted to clarify: you can connect to your community ISP (and would that be the correct term?) completely separately from mesh, but you ALSO connect to a mesh Internet network, right? Do you share wifi from your ISP on mesh with others that don’t have it? And is this allowed by your ISP’s user agreement?

Me: I honestly haven’t read the fine print for MassiveMesh, but now I am curious if they allow customer peering beyond their own infrastructure. Basically they use rooftop mesh connections to create a point-to-point network from their office outward to each customer. Each time they stand up an antenna it means they can reach new customers who have line of sight to that structure. I don’t think of it as “community mesh” (even though it is local) because I can’t connect to the other customers directly. At least, I can’t connect to the other customers on the application layer of the network, we are connected on the lower-level physical layer. One thing that is different is that they agreed to give me a public static IPv4 address for a reasonable $5/month extra charge. Basically it’s a locally-run, non-monopolizing ISP that also happens to use mesh technology to minimize infrastructure costs.

I am a big fan of community mesh projects like NYC Mesh, which I think of as being defined by volunteerism and mutual aid. But for my ISP, that I depend on for my work, I am happy with the arrangement to pay MassiveMesh so I don’t need to be the one to debug problems when they arise.

One other related project: Dhruv Mehrotra’s Othernet.

Another big Twitter day (twitter.com)

You may have heard that today the FCC voted against Net Neutrality rules. During the deliberations Republican Commissioner Michael O’Rielly said:

Clearly there are cases today, and many more that will develop in time, in which the option of a paid prioritization offering would be a necessity based on either technology or needs of consumer welfare. I for one see great value in the prioritization of telemedicine and autonomous car technology over cat videos. (1:43:20 into the C-Span archive)

My response on Twitter seems to have struck a chord:

I liked how An Xiao Mina responded in her quote tweet:

This is now more popular than my previous big day on Twitter and sadly they’re both about things breaking on the Internet.

Link

Learning from Alabama (twitter.com)

I called into this morning’s Brian Lehrer show. I am “Dan from up in Troy” and I have a cold, so I probably sounded terrible. My question was inspired by this Twitter thread describing tactics the Mobile County NAACP (and other groups) used in the AL Senate special election. I think there’s a lot to learn here for turning out votes in the 2018 Midterm Elections.

Link

Pancakes recipe

This recipe makes 15 pancakes

I made pancakes this morning, based on an Oatmeal Buttermilk Blueberry Pancakes recipe Ellie suggested from the NYTimes. It uses yogurt instead of buttermilk, since that’s what we had around. At some point I should resolve this with my Dad’s pancakes recipe.

  • ½ cup rolled oats
  • 1 cup regular milk
  • 1 cup plain yogurt
  • 1 cup whole wheat flour
  • ½ cup unbleached all-purpose flour
  • 2 teaspoons baking powder
  • 1 teaspoon baking soda
  • 1 tablespoon sugar
  • ¼ teaspoon salt
  • 2 large eggs
  • 1 teaspoon vanilla extract
  • 3 tablespoons peanut oil
  • 1 cup fruit and walnuts (I used a pear, next time I’ll chop it into larger chunks)

Combine the milk, yogurt, and rolled oats in a bowl, and set aside.

Combine the flours, baking powder, baking soda, sugar and salt in another bowl.

In a third larger bowl, whisk the eggs. Then whisk in the vanilla extract and the oil.

Mix everything into the larger bowl and quickly whisk together. Do not overbeat; a few lumps are okay.

We ate them with butter, maple syrup, whipped cream, and some homemade cranberry sauce leftover from Thanksgiving.

The digital hippies want to integrate life and work—but not in a good way (www.theguardian.com)

WeWork as the new company town:

In WeWork’s future, the hastily privatised public space is returned to citizens. However, it comes back as a commercial service provided by a lavishly funded data company, not as a right. Meetup’s civil society will keep on talking, inside WeWork’s buildings. But the struggle against alienation will now consist of applying even more data analytics and nudging to the tortured souls of overworked cognitive workers, who, in escaping alienated workplaces in the comfort of makerspaces and face-to-face meetings, have discovered that the workplaces have colonised their non-work lives instead.

Link

Thursday, Thursday, Friday

Three things coming up later this week in NYC:
