Unbound Android port

Hi,

Is there any available Unbound port for ARM/x86 Android devices?
I’d really like to have my DNS under control on my handy.

Best
Marek

Marek Sebera writes:

Is there any available Unbound port for ARM/x86 Android devices?
I’d really like to have my DNS under control on my handy.

I like this idea as well. I assume the device would need to be rooted to take advantage of it, however.

I think it could be done in two ways:
1) Library (native possibly) to integrate with applications (not requiring root, obviously)
2) System daemon with full Unbound configuration (important for various private networks, requires root device access)

Also could help us with sneaky ISPs :)

Hello list,

I’d like to continue the discussion I started here more than 1 year ago.

I was finally able to give it some time, and successfully cross-compiled Unbound DNS in version, and I’ve documented and automated the process a bit; you can see it here:
https://github.com/smarek/android-unbound-dns

So now the real question is: is there still demand for securing Android using the Unbound DNS resolver, or did I make this for no one?

The final idea is to have an Unbound Android application which will start the DNS service on an unprivileged port (such as 5353) and will be used as an optional DNS resolver for the masses.
Or, as an installer package, it will replace the default Android resolver, either through iptables (re-routing all port 53 traffic through Unbound on 5353) or by modifying the actual ROM.

Which effectively means we won’t have to have a rooted device to run the resolver, and optionally we’ll be able to set it in the WiFi/Cell-APN/Proxy/VPN settings.

Best Regards
Marek Sebera

Hello list,

Hi,

I’d like to continue the discussion I started here more than 1 year ago.

I was finally able to give it some time, and successfully cross-compiled
Unbound DNS in version, and I’ve documented and automated the process a
bit; you can see it here: https://github.com/smarek/android-unbound-dns

Absolutely incredible! Thanks for working on this.

So now the real question is: is there still demand for securing Android
using the Unbound DNS resolver, or did I make this for no one?

Including myself, I can think of a few groups & other individuals that do
have a need for this; please keep up the terrific work. Unfortunately, I am
unsure when I will have the time to deploy something.

The final idea is to have an Unbound Android application which will start the DNS
service on an unprivileged port (such as 5353) and will be used as an optional
DNS resolver for the masses. Or, as an installer package, it will replace the
default Android resolver, either through iptables (re-routing all port 53
traffic through Unbound on 5353) or by modifying the actual ROM.

Which effectively means we won’t have to have a rooted device to run the
resolver, and optionally we’ll be able to set it in the WiFi/Cell-APN/Proxy/VPN
settings.

All great ideas, any chance of seeing the package available via f-droid.org?

Hi,

I'm glad at least somebody finds this project useful.

I'm sincerely not currently in a state where I'd have the wrapper / control application ready,
but that should be a matter of 1-2 weeks, if I can gather enough time.
I'll follow up in this mailing list as soon as it is available.

For sure, sources will be available under the Apache 2.0 (or similar) license,
and I've worked with the F-Droid team before (i.e. my app Simple Dilbert), so I'll let them know of this project.

Also, if anybody is willing to contribute, I could really use some help, as my free-time situation
is not very good right now.

Best Regards
Marek Sebera

Quoting Marek Sebera via Unbound-users <unbound-users@unbound.net>:

Hi,

I'm glad at least somebody finds this project useful.

I also find it very useful because DNSSEC should be integrated per device to be useful/secure IMHO. I hope that someday (soon) a validating resolver will be the default for Android, at least in the more technically driven projects like CyanogenMod.

Regards

Andreas

I also find it very useful because DNSSEC should be integrated per device to be useful/secure IMHO.

I must say I disagree with the statement, because it sounds as if the usefulness of DNSSEC is black and white, yes or no, and that it is useless today as no validation is happening locally.

In reality, you already today must trust various pieces of the zeroconf tussle, and one of them is the recursive resolver of your choice (or rather, the one your [trusted] DHCP server is giving to you).

There are a multitude of attack vectors in the local network, but because of that, creating mechanisms for those to do a better job will make things better. And I am specifically thinking of the ability for a recursive resolver to do validation.

So, I definitely think DNSSEC is useful even if validation is not happening in the local device.

In Sweden, more than 95% of resolvers do validate DNSSEC-signed responses (I think it was, according to Geoff's measurements), and that is A Good Thing. More ISPs and cellphone providers etc. should immediately turn on validation!

Unfortunately statements like the one above I hear as arguments for not doing so.

That said, I completely agree that the goal must be to have validation happen locally, although in some cases (various mixed IPv6/IPv4 environments, for example) that will not work. But in those you are doomed anyway if you do not trust the local environment.

I hope that someday (soon) a validating resolver will be the default for Android, at least in the more technically driven projects like CyanogenMod.

Completely agree with this!

Patrik

Quoting Patrik Fältström <paf@frobbit.se>:

I also find it very useful because DNSSEC should be integrated per device to be useful/secure IMHO.

I must say I disagree with the statement, because it sounds as if the usefulness of DNSSEC is black and white, yes or no, and that it is useless today as no validation is happening locally.

In reality, you already today must trust various pieces of the zeroconf tussle, and one of them is the recursive resolver of your choice (or rather, the one your [trusted] DHCP server is giving to you).

At least for mobile devices the user has no real way to decide if the DNS provided is really secure or not. Because of this it is preferable to do DNSSEC per device and ignore the resolver provided by DHCP if possible.

There are a multitude of attack vectors in the local network, but because of that, creating mechanisms for those to do a better job will make things better. And I am specifically thinking of the ability for a recursive resolver to do validation.

So, I definitely think DNSSEC is useful even if validation is not happening in the local device.

There are networks where it indeed is no problem to do central DNSSEC validation, but mostly if the network is separated from the internet and is some form of managed network like in company environments. We do it that way since .de is signed.

In Sweden, more than 95% of resolvers do validate DNSSEC-signed responses (I think it was, according to Geoff's measurements), and that is A Good Thing. More ISPs and cellphone providers etc. should immediately turn on validation!

It doesn't harm, but for devices using random untrusted networks it is best to do DNSSEC on the device, so you will always be sure that the DNS replies are as safe as possible.

Unfortunately statements like the one above I hear as arguments for not doing so.

The possibility of doing better should never be an excuse for doing nothing. My only point was that Unbound or something similar should be on stock Android soon, so the ones who care about secure DNS can simply activate it.

That said, I completely agree that the goal must be to have validation happen locally, although in some cases (various mixed IPv6/IPv4 environments, for example) that will not work. But in those you are doomed anyway if you do not trust the local environment.

The only cases where I have seen DNSSEC completely fail are when unfiltered UDP *and* TCP port 53 are not possible. There are some stupid SOHO routers which always direct all port 53 traffic to themselves, but fail to handle DNSSEC in a useful way.

Regards

Andreas
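A check that bears on the point above that a user on an untrusted network has no real way to tell whether the DHCP-supplied resolver validates, and on the SOHO-router failure mode described: a stub probe that sends a query with the EDNS DO bit set and classifies the reply from its AD flag, RCODE and TC bit. This is an added example, not code from the thread or from the android-unbound-dns project; the resolver address, the fixed transaction id and the sample reply headers are constructed assumptions, and the probe is only meaningful against a name in a zone known to be signed, since an unsigned zone never earns AD.

```python
import socket
import struct

# DNS header flag bits (RFC 1035; AD/CD from RFC 4035 section 3.2)
FLAG_TC, FLAG_RA, FLAG_AD, FLAG_CD = 0x0200, 0x0080, 0x0020, 0x0010
DO_BIT = 0x8000  # EDNS "DNSSEC OK", high bit of the OPT RR TTL field (RFC 3225)
TXID = 0x1234    # fixed for the offline samples; use a random id for live queries

def build_query(qname, qtype=1, txid=TXID):
    """Recursive query for qname with an OPT RR asking for DNSSEC records."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QD=1, AR=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
    return header + question + opt

def classify(response, txid=TXID):
    """Judge the resolver from the header flags of its reply to a query for a
    name in a signed zone (an unsigned zone never yields AD, so proves nothing)."""
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid:
        return "ignored: transaction id mismatch (stale or spoofed reply)"
    rcode = flags & 0x000F
    if flags & FLAG_TC:
        return "truncated: retry over TCP (a middlebox may choke on large DNSSEC answers)"
    if rcode == 2:
        return "SERVFAIL: bogus data or broken DNSSEC path; re-query with CD=1 to tell apart"
    if rcode == 0 and flags & FLAG_AD:
        return "validating: resolver set AD on a signed answer"
    if rcode == 0:
        return "not validating: signed zone answered without AD"
    return f"rcode {rcode}: no DNSSEC conclusion"

def probe(resolver, qname, port=53, timeout=3.0):
    """Live probe (needs network): send the query to the resolver the network handed out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (resolver, port))
        data, _ = s.recvfrom(4096)
    return classify(data)

def sample_reply(flags):
    """Constructed 12-byte reply header; classify() reads only the header."""
    return struct.pack("!HHHHHH", TXID, flags, 1, 1, 0, 1)

SAMPLE_VALIDATED = sample_reply(0x8180 | FLAG_AD)  # QR|RD|RA|AD, NOERROR
SAMPLE_PLAIN = sample_reply(0x8180)                # QR|RD|RA, NOERROR, no AD
SAMPLE_SERVFAIL = sample_reply(0x8182)             # QR|RD|RA, SERVFAIL
```

A SERVFAIL on its own does not distinguish a validating resolver rejecting bogus data from a router that mangles DNSSEC traffic; repeating the query with CD set (and over TCP) separates the two.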

Quoting Patrik Fältström <paf@frobbit.se>:

I also find it very useful because DNSSEC should be integrated per device to be useful/secure IMHO.

I must say I disagree with the statement, because it sounds as if the usefulness of DNSSEC is black and white, yes or no, and that it is useless today as no validation is happening locally.

In reality, you already today must trust various pieces of the zeroconf tussle, and one of them is the recursive resolver of your choice (or rather, the one your [trusted] DHCP server is giving to you).

At least for mobile devices the user has no real way to decide if the DNS provided is really secure or not. Because of this it is preferable to do DNSSEC per device and ignore the resolver provided by DHCP if possible.

It is always preferable to do DNSSEC in the device. Do not misunderstand me. :)

I was just against wording that could be interpreted as if DNSSEC was useless if that was not the case.

Unfortunately statements like the one above I hear as arguments for not doing so.

The possibility of doing better should never be an excuse for doing nothing. My only point was that Unbound or something similar should be on stock Android soon, so the ones who care about secure DNS can simply activate it.

Agree. We should always have as a goal to Do The Right Thing.

That said, I completely agree that the goal must be to have validation happen locally, although in some cases (various mixed IPv6/IPv4 environments, for example) that will not work. But in those you are doomed anyway if you do not trust the local environment.

The only cases where I have seen DNSSEC completely fail are when unfiltered UDP *and* TCP port 53 are not possible. There are some stupid SOHO routers which always direct all port 53 traffic to themselves, but fail to handle DNSSEC in a useful way.

In 6to4 environments, you also have to trust the gateway that synthesises the IPv6 addresses for the IPv4 addresses you want to access. But that is to some degree the environment you talk about, as the device does not have IPv4 at all (i.e. UDP:53 and TCP:53 are blocked on IPv4, as the device does not have IPv4).

Patrik

Hopefully we will get something like validation on each device + workarounds
like dnssec-trigger and
https://fedoraproject.org/wiki/Networking/NameResolution/DNSSEC/UnboundMixedMode
installed by default.

That would allow us to have a reliable DNSSEC validator everywhere.

Let's see how this goes on Fedora (which is quite often used on mobile
devices, too) and then we can port it to Android.

Hello guys,

I'd like to follow up on Android Unbound DNS porting status.

- We have working binaries for the ARM platform, statically linked and all.
- We have an Android application, which provides a UI to configure and control the Unbound DNS service

!! State of Things report (Android screenshots included) can be found here: https://github.com/smarek/android-unbound-dns/issues/6

! Binaries and Android application can be downloaded here: https://github.com/smarek/android-unbound-dns/releases

I'd like to have your opinion on where the project should go next and whether anybody is interested in taking part in development.

Thank you
Best Regards
Marek Sebera

Hello,

The Fedora project, and namely Tomas Hozza <thozza@redhat.com>, is working on a
module for Unbound which should help with working around local broken DNS
proxies while still maintaining the ability to DNSSEC-validate signed domains &
use a local DNS view/split-DNS configuration.

It was targeted to laptops/roaming users so Android sounds like a very good
target, too. The module is not part of upstream Unbound yet, but there was a
plan to submit it one day.

Contact Tomas if you are interested!

Petr^2 Spacek