01 Mar

Encrypted DNS using DNSCrypt

Writing this post from my hotel room in Kathmandu. I found that many arbitrary hosts here appear to answer DNS queries as if they were resolvers, which is unusual.

E.g:

dig @anuragbhatia.com . ns +short
a.root-servers.net.
b.root-servers.net.
c.root-servers.net.
d.root-servers.net.
e.root-servers.net.
f.root-servers.net.
g.root-servers.net.
h.root-servers.net.
i.root-servers.net.
j.root-servers.net.
k.root-servers.net.
l.root-servers.net.
m.root-servers.net.

dig @google.com . ns +short
b.root-servers.net.
c.root-servers.net.
d.root-servers.net.
e.root-servers.net.
f.root-servers.net.
g.root-servers.net.
h.root-servers.net.
i.root-servers.net.
j.root-servers.net.
k.root-servers.net.
l.root-servers.net.
m.root-servers.net.
a.root-servers.net.


This is unusual and is the result of a transparent port 53 DNS hijack. Let’s verify it using the popular “whoami.akamai.net” query, which returns the address of the resolver that actually reached Akamai’s authoritative servers.

dig @8.8.8.8 whoami.akamai.net a +short
202.79.32.164

dig @9.9.9.9 whoami.akamai.net a +short
202.79.32.164

dig @1.2.3.4 whoami.akamai.net a +short
202.79.32.164

So clearly something in the middle is hijacking DNS queries: no matter which DNS resolver I try to use, the queries actually hit the authoritative DNS via 202.79.32.164. This address belongs to WorldLink Communications (an ISP here in Nepal), and I am just 5 hops away from it.
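The check above can be turned into a small probe. The following is an added example, not code from the original post: it sends the same whoami.akamai.net A query to several resolvers plus a decoy address, and judges the answers. The decoy 192.0.2.1 (RFC 5737 TEST-NET-1) is an assumption: it is a documentation address that never runs a resolver, so any answer that appears to come from it can only have been produced by a middlebox intercepting port 53. The wire format is encoded and parsed by hand so the script needs nothing beyond the standard library.

```python
"""Probe for transparent port-53 DNS interception (added example, not from the
original post). Send an A query for whoami.akamai.net to several resolvers,
including a decoy that is not a resolver at all, and compare the answers."""
import random
import socket
import struct

WHOAMI = "whoami.akamai.net"
# Assumption: 192.0.2.1 (RFC 5737 TEST-NET-1) never runs a resolver, so any
# answer "from" it can only come from a middlebox intercepting port 53.
DECOY = "192.0.2.1"


def build_query(name, qid=None):
    """Encode a recursive (RD=1) A/IN query for `name` in DNS wire format."""
    qid = random.randrange(0, 65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _qid, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def probe(resolver, name=WHOAMI, timeout=2.0):
    """Send one UDP query to `resolver`; return its A answers, or None on timeout."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if data[:2] != query[:2]:  # transaction ID mismatch: not our answer
        return None
    return parse_a_answers(data)


def classify(results, decoy=DECOY):
    """Judge a mapping {resolver: answers-or-None}.

    'intercepted' if the decoy answered; 'suspicious' if every real resolver
    reports the same egress address (whoami.akamai.net returns the address
    Akamai saw the query come from, which should differ per resolver);
    otherwise 'clean'."""
    if results.get(decoy):
        return "intercepted", f"non-resolver {decoy} answered {results[decoy]}"
    seen = {ip: ans[0] for ip, ans in results.items() if ans and ip != decoy}
    if len(seen) >= 2 and len(set(seen.values())) == 1:
        return "suspicious", f"all resolvers egress via {seen.popitem()[1]}"
    return "clean", "no interception indicator"


if __name__ == "__main__":
    results = {r: probe(r) for r in ["8.8.8.8", "9.9.9.9", DECOY]}
    for resolver, answers in results.items():
        print(f"{resolver:>12}: {answers}")
    print(*classify(results))
```

On an untouched network the decoy times out and the two public resolvers report different egress addresses; on the hijacked network described above all three queries come back with the same ISP address, and the decoy answering at all is conclusive on its own.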


So what can be done about this? One way is, of course, a VPN, with a setup where the VPN server’s IP address is hardcoded in the client rather than looked up via DNS. It works, but performance can vary greatly depending on how far away the tunnel server is. A better and more modern way out is to encrypt DNS using a protocol named “DNSCrypt”. DNSCrypt encrypts DNS queries between clients and the DNS resolvers. (Beyond that, the resolver still follows the usual non-encrypted chain from the root to the authoritative DNS servers.)


So how does it work?

There is no integrated support for DNSCrypt in operating systems at this time. A number of projects like dnscrypt-osxclient, available on GitHub, add this support. Once configured, the client changes the system’s DNS resolver to a local IP which listens for port 53 (regular, non-encrypted) requests.

cat /etc/resolv.conf |grep nameserver
nameserver 127.0.0.54

The client typically offers a choice of open resolvers like OpenDNS, Quad9 etc.

dig @127.0.0.54 whoami.akamai.net a +short
67.215.80.66


Here it shows that the DNS resolver in my case happens to be Cisco’s OpenDNS. As soon as the client gets a port 53 DNS query, it encrypts it and sends it via port 443 (UDP or TCP depending on the provider and client configuration). The encryption is based on trusted root CAs and the associated chain, as popularly used in HTTPS. This is also one of the reasons why DNSCrypt is also known as DNS over HTTPS.


Here’s an example of a DNS query to resolve the A record of google.com while running tcpdump in parallel:

sudo tcpdump -i lo0 'dst port 53' -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 262144 bytes
04:36:04.429212 IP 127.0.0.54.50966 > 127.0.0.54.53: 31576+ A? prd.col.aria.browser.skypedata.akadns.net. (59)
04:36:04.532015 IP 127.0.0.54.54914 > 127.0.0.54.53: 623+ [1au] A? google.com. (39)
^C
2 packets captured
4 packets received by filter
0 packets dropped by kernel

This shows the request went in clear text to 127.0.0.54, which is configured on the loopback interface. If in parallel I watch for traffic towards the OpenDNS public IPs, I get:

sudo tcpdump -i en0 'dst 208.67.220.220 or dst 208.67.222.222' -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
04:39:56.827824 IP 192.168.0.4.53763 > 208.67.220.220.443: UDP, length 512
^C
1 packet captured
63 packets received by filter
0 packets dropped by kernel

Thus all that appears here is an encrypted packet to Cisco OpenDNS over UDP port 443.
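The two captures above are the manual version of a DNS leak check: with the stub on loopback, port 53 traffic should never leave the host in clear text. The following is an added example, not code from the original post, that applies that rule to tcpdump text output. The sample capture is constructed from the lines shown above plus one made-up line in which a query goes straight to 8.8.8.8, which is exactly the case the check should catch.

```python
"""Check a tcpdump text capture for DNS queries escaping in clear text (added
example, not from the original post). With a DNSCrypt stub on loopback, the
only port-53 traffic should go to 127.0.0.0/8; any port-53 packet to a
non-loopback address means a query bypassed the stub."""
import ipaddress
import re
import sys

# tcpdump -n line format: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample: the two loopback queries and the encrypted packet from
# the post, plus one made-up line where a query goes directly to 8.8.8.8.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
04:36:04.429212 IP 127.0.0.54.50966 > 127.0.0.54.53: 31576+ A? prd.col.aria.browser.skypedata.akadns.net. (59)
04:36:04.532015 IP 127.0.0.54.54914 > 127.0.0.54.53: 623+ [1au] A? google.com. (39)
04:39:56.827824 IP 192.168.0.4.53763 > 208.67.220.220.443: UDP, length 512
04:40:10.000000 IP 192.168.0.4.60001 > 8.8.8.8.53: 1234+ A? example.com. (40)
^C
"""


def parse_line(line):
    """Return a dict for a tcpdump IP packet line, or None for other output."""
    m = _LINE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt


def find_plaintext_dns_leaks(capture_text):
    """Return the packets sent to port 53 on any non-loopback destination."""
    leaks = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dport"] != 53:
            continue
        if not ipaddress.ip_address(pkt["dst"]).is_loopback:
            leaks.append(pkt)
    return leaks


def summarize(capture_text):
    """Count loopback DNS, leaked DNS and other packets in a capture."""
    counts = {"dns_to_loopback": 0, "dns_leaked": 0, "other": 0}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["dport"] != 53:
            counts["other"] += 1
        elif ipaddress.ip_address(pkt["dst"]).is_loopback:
            counts["dns_to_loopback"] += 1
        else:
            counts["dns_leaked"] += 1
    return counts


if __name__ == "__main__":
    # Read a live capture from a pipe, or fall back to the constructed sample.
    text = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(text))
    for pkt in find_plaintext_dns_leaks(text):
        print(f"LEAK {pkt['ts']} {pkt['src']} -> {pkt['dst']}:53 {pkt['rest']}")
```

To use it against a running system, pipe a line-buffered capture of all interfaces into it, for example `sudo tcpdump -l -n -i any 'dst port 53' | python3 dnsleak.py`; any LEAK line means some application or the system resolver is sending queries around the encrypting stub.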

I ran another query and saved it in a pcap file. Here’s how it looks in Wireshark:


That’s all for now. I am going to keep DNS encryption enabled, especially when travelling, from now on. Time to get some sleep. 🙂


Useful Links:

  1. dnscrypt-osxclient – https://github.com/alterstep/dnscrypt-osxclient
  2. DNSCrypt Wikipedia – https://en.wikipedia.org/wiki/DNSCrypt
  3. DNS Over HTTPS (Google Public DNS) – https://developers.google.com/speed/public-dns/docs/dns-over-https
  4. DNS over TLS (Quad9) – https://quad9.net/faq/#Does_Quad9_support_DNS_over_TLS

24 Feb

APNIC Hackathon at APRICOT 2018

APNIC and RIPE NCC are doing a hackathon at APRICOT 2018. It just started today, after some light interaction with various participating members yesterday.

https://2018.apricot.net/program/hackathon/

The theme of the hackathon is IPv6. Many cool projects were suggested yesterday and teams started working today on the shortlisted projects, including:

  1. A tool for ranking CDNs – A tool based on RIPE Atlas data to rank CDNs by latency across different regions.
  2. An IPv6 fun word game – Where anyone with a member account can suggest a word and compete with other members who share more IPv6 addresses. It may include things like showcasing creative use of hexadecimal strings in an IPv6 address, as Facebook popularly does with face:b00c in their IPv6 pools.
  3. IPv4 and IPv6 network security – Study of attacks and overall security in IPv6. It would involve study and possibly a report on various attack vectors in the IPv6 domain.
  4. A countrywide report on IPv6 deployment – I have yet to see how it differs from other existing reports.
  5. IPv6 tunnel detection – Figuring out where tunnels are used and the IPv4 address of those endpoints via a JavaScript plugin, and possibly comparing IPv4 vs IPv6 performance.

Let’s see how things go in the next 12 hours. Super fun. Things should show up on GitHub in the next few hours. 🙂

Disclaimer and misc points:

  1. It’s a hackathon and the final result may vary greatly from the original idea. Let’s see how things evolve.
  2. The final tool which uses such an idea/code may be awesome, but for the next 12 hours it will be more of a proof of concept and small demo than a full-fledged tool in certain cases.
  3. I am part of the jury for the hackathon.


01 Apr

India’s digital slum problem

India has a slum problem, as many of us know. Slums are a serious problem and there’s no easy way to fix them. One cannot just push thousands and thousands of people out, while at the same time quality of life in slums is terrible. One thing which happens a lot in India is that the Govt. does nothing while slums are getting established, and once they are established the situation gets out of control.


Coming to digital slums

This exact problem applies to digital India as well. Optical fibre is one of the key and extremely important components of “Digital India”. While Digital India may sound like a fancy marketing phrase, one cannot expect much unless connectivity is there, and by connectivity I mean affordable, reliable, super-fast connectivity with low latency. Most wireless technologies cannot deliver it or simply cannot scale up. So we need more and more fibre. Just like everywhere else, we need to push fibre closer to the end user. Our approach in that design needs to be far different from the Western world, especially the US, UK, etc. They lag behind considerably in last-mile fibre deployment, and the conditions for deployments over there are far different from those in India.

Say for instance:

  1. Fixed-line infra using twisted-pair copper & coax is well built and present in most parts of the Western world. In India, it’s almost missing.
  2. The cost of replacing existing infra is high in the Western world due to the expectation of a certain quality, compliance etc., and that makes the per-user cost of delivering FTTH extremely high. I have read a number of estimates where it can cost $2000 – $3000 per household in an urban FTTH deployment. Even if it’s half of this, it’s still on the quite high side. In India, it’s a fraction of the cost.
  3. “Fibre to the node and something else beyond” can give high bandwidth. It may not be able to give 1Gbps but can easily do 50-100Mbps. Technologies like VDSL, DOCSIS 3.0 (and the upcoming 3.1), and the use of cat5e / cat6 wiring inside buildings can give high bandwidth for a fraction of the cost. In India, that’s not an option (at large scale) due to a number of issues ranging from the location/real estate cost of a mini-PoP, cooling requirements, reliable & backup power requirements & ensuring no one steals the stuff! All that makes FTT(n) harder than FTTH in India.


So is the picture rosy and everything fantastic? Can we expect lots of FTTH deployment now, and for a really low price? Before I come to that, let me post some of the pictures I took recently of Salt Lake Electronic Complex, Kolkata.


It’s ugly, unscalable, will soon have reliability issues and of course is very likely illegal. It’s not just about Kolkata. Pick any commercial area in any large Indian city and it would be similar. These are what we can call “digital slums”. The Govt. isn’t focusing on them; they are coming up, getting established, and serving gigs of capacity to various high-revenue companies around them. The same is true not just for India but for most developing countries around us.


Some pictures from streets in Dhaka


Some pictures from Kathmandu


and some pictures from last month’s travel to Ho Chi Minh, Vietnam:


Here’s a quick video showing what it feels like over there…


That’s about Vietnam. Things would be scary if we tried to replicate such a model in a country like India. Thus one can clearly establish that this is going to be a major problem and needs to be addressed. At this point, one may ask why fibre gets deployed in this way. I asked this of a number of Indian networks and here is a summary of why:

  1. Rights of way are terribly expensive. Right of way, or RoW, refers to the charge network operators need to pay to local municipal bodies for the disruption caused when fibre is deployed. The cost depends a lot on the area, but in key areas in Delhi it can be as high as 80 lakhs – 1 crore per KM ($1.54k). Remember, we are not talking about the cost of fibre (which is very low), or even hardware, or anything else. This is a one-off cost that goes to municipal bodies. In my own city, I have 3 telco pits within 400m of my house and one of the telcos gave me an unofficial quote of 15 lakhs ($23000!) for extending their fibre 400m.
  2. Because of the above, there’s a huge market of so-called LCOs (Local Cable Operators) and they lay the fibre. LCOs have (mostly) unofficial contracts with other LCOs, and a considerable amount of last-mile infra does not belong to any telco or ISP; it belongs to the LCOs.
  3. The above model does not scale up, since multiple LCOs put in multiple fibre cables & a large part of it is illegal and undocumented, and hence not worth much money on paper, resulting in a “hard to prove asset” for any private funding for expansion.

Illegal but ethical?

While a lot of that is purely illegal, I cannot say it should not be allowed at all and that the Govt. should remove all of it right away. I know many smaller ISPs operating in tier 2 and tier 3 cities, and they provide excellent service, great competition and very good networks built on fibre, mostly with GPON / GEPON etc. Almost all of them offer excellent competition to the state-run BSNL, which is poor in most aspects, from service deployment to technology, from sales to customer support. In other words, we very much need smaller private players to lay networks, and they can do really well. This makes the whole problem similar to “slums”, and hence we can call it “India’s Digital Slum” problem. We can’t just get rid of them, while we ignored, and are still very much ignoring, the problem as it builds up.


Possible solution?

So what can be a solution to this problem? Cheap RoW is not a solution. Indian cities already struggle with basic infrastructure, and cheap RoW will result in excessive digging, more broken roads, and more outages in utility services. While there has been a lot of innovation in the application layer, layer 3 and even the transport layer, there is not much in optical fibre. What I am trying to point out, essentially, is that fibre optic cables are more of a commodity now and single-mode cables are cheap. Whether one does active Ethernet or passive PON, the cost of the technology is very low. A design of 100% underground cables is needed and would be the ideal setup, with the flexibility of adding more networks. If the optical fibre is laid by one or a few players, it can lead to a dangerous non-competitive condition. Meanwhile, the Govt’s efforts to do FTTH via BSNL & MTNL are nothing but a terrible waste of taxpayers’ money on the inefficiencies of those organisations. Interestingly, other Govt. players who are doing fibre on long haul are doing much better. Take the case of RailTel or Powergrid Telecom. Both very much compete with their private counterparts for IP transit as well as high-capacity circuits on long haul (we refer to those as NLD in India).

Here’s a possible solution for last-mile deployment without ugly cables, which can work:

  1. A cabinet on each and every street in the city, rolled out in a phased manner across the country. One can have a single cabinet at an intersection. (This already exists at large scale for BSNL’s & MTNL’s copper infra, btw!)
  2. The cabinet has to be active (with power!) so that one can put in a switch or GPON OLT. The logic has to be to aggregate the traffic of all homes in the neighbourhood.
  3. It should be the Govt. which lays cables from each of these street cabinets to at least one of 4-5 neutral exchanges across a city (whichever is nearby). The number of exchanges very much depends on the size of the city; so, for instance, Delhi or Kolkata would need a lot more. As long as 288-strand fibre is available from the core exchange area to the street, one can have as many as 100+ ISPs (each taking two strands up to the cabinet). ISPs can then decide which last-mile technology to use. One can do with a lower strand count depending on the city; even a 48-core cable can give over 20 ISPs per area, which is a fair amount of competition. Ideally, each cabinet would be connected to two exchanges so ISPs can create their own “rings” for redundancy reasons.
  4. From cabinets to each home, the ideal would be underground fibre laid by the Govt., but doing that would be terribly expensive. It makes a lot more sense to have (well-planned) overhead cables from the cabinet to each home. This won’t look as ugly as one may think and reduces cost significantly. Overhead at such a short scale gives the option of “connecting homes as demand comes”, while an entirely underground approach has to cover everyone, which doesn’t work well with very low internet penetration.
  5. Connectivity beyond the central exchanges can very well be done with 100% underground fibre under the existing expensive RoW, since fibre beyond this point will belong to telcos and, by logical design, would be used by lots of players with DWDM, so cost won’t be a challenge. It’s similar to the existing significant underground fibre reaching BTS sites across the country.


So under such a design, a number of larger networks can build their own fibre or simply buy waves from existing fibre players to reach exchanges in the city, and a number of smaller ISPs can colocate their routers in neutral exchanges and take 2 strands of fibre to any of the streets via a cross-connect, and put in a switch or OLT or any other technology which comes later, or even a direct patch all the way from one central exchange in the city to the end user. I cannot imagine any other solution which can possibly work without either making it more expensive or continuing the existing illegal way. Such a model can have very little dependency on the Govt., as the Govt. can do the basic pipes and neutral passive infra while leaving service deployment, plans & packages, marketing and various other aspects of a connection to private players. Such infra can very well be used for small cell sites which service that neighbourhood, and hence makes it possible to reduce strain on larger sites. Models like the Stokab project in Stockholm are impressive. It shows how it can be done by the Govt. / municipality without burning taxpayers’ money and in fact generating revenue out of it. The current Indian approach of overhead cables works and is fine for a short time but will be a massive “digital slum problem” in the near future as more and more people are connected.