Table of Contents

Originally written April 2016, updated August 2024

Never Forget

Never Forget DSA-3733: Validating Signatures > MitM > RCE.

The Debian developer community refused to implement transport cryptography for updates because “signing packages is secure enough”. Fuck that incompetence. This post is about "the how". If you want to read about "the why", please read my earlier post: https://yawnbox.is/blog/privacy-proposal-for-debian/

This guide will help significantly improve the privacy and security of your Ubuntu server. It requires the installation of apt-transport-tor, an application that will allow apt transfers to occur over Tor. There is also an application called apt-transport-https that is already installed in Ubuntu 22.04.

The Wikimedia Ubuntu repo has a good TLS configuration, IPv6 and IPv4 support, and they don't block Tor: mirrors.wikimedia.org

Qualys SSL Labs grade: https://www.ssllabs.com/ssltest/analyze.html?d=mirrors.wikimedia.org&latest

The following is written for Ubuntu 22.04 LTS Jammy and should also work with 20.04 Focal. The apt configs need futher updates in Ubuntu 24.04 Noble, that is not documented here.

First, secure the transport of the DNS request.

DNS transport security

Note: If you are reading this and know of a way to push DoT or DoH traffic out Tor (like with a SOCKS5 proxy pointing to 127.0.0.1:9050 or something), please send me a message!

This guide enables DNS over TLS (DoT) for outbound DNS queries with built-in functions.

Edit Netplan:

sudo vim /etc/netplan/01-netcfg.yaml 

Add Quad9 nameservers:

      nameservers:
              addresses:
                      - 9.9.9.9
                      - 149.112.112.112
                      - 2620:fe::fe
                      - 2620:fe::9

Apply netplan changes:

sudo netplan apply

Edit resolved.conf by enabling DoT, DNSSEC, and enabling Quad9's IPs with coresponding DoT FQDNs:

sudo cp /etc/systemd/resolved.conf /etc/systemd/resolved.backup1

sudo sed -i 's/#DNSOverTLS=no/DNSOverTLS=yes/g' /etc/systemd/resolved.conf

sudo sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf

sudo sed -i 's/#DNS=.*/DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net/g' /etc/systemd/resolved.conf

sudo cat /etc/systemd/resolved.conf

Output should look like (with some other lines that we didn't change):

[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
DNSSEC=yes
DNSOverTLS=yes

Restart systemd-resolved:

sudo systemctl restart systemd-resolved

You can validate thse exclusive use of DoT by using ufw. If, like me, you are denying all outbound (ufw default deny outgoing), all you have to do is delete the allow out 53/udp rule, and add an allow out 853/tcp rule. Otherwise, add a deny out 53/udp rule and test.

sudo ufw delete 53/udp
sudo ufw allow out 853/tcp
sudo ufw reload

or

sudo ufw deny out 53/udp
sudo ufw allow out 853/tcp
sudo ufw reload

You can also check the status of resolvectl:

resolvectl status

This should say:

Global
        Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
        resolv.conf mode: stub
        Current DNS Server: 9.9.9.9#dns.quad9.net
        DNS Servers: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net

Then simply try an outbound web request, like with sudo apt update! If it works, then your DNS queries are TLS encrypted to Quad9!

apt transport security

If you only want increased apt transport security, this is what your /etc/apt/sources.list should look like for Ubuntu 22.04:

deb https://mirrors.wikimedia.org/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ jammy-updates main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ jammy-backports main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ jammy-security main restricted universe multiverse

If you want security and privacy, use tor, via apt-transport-tor.

apt transport privacy - scripted

#!/bin/bash

mv /etc/apt/sources.list /etc/apt.sources.backup1

touch /etc/apt/sources.list

echo 'deb https://mirrors.wikimedia.org/ubuntu/ jammy main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ jammy-updates main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ jammy-backports main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb https://mirrors.wikimedia.org/ubuntu/ jammy-security main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb [arch=amd64] https://deb.torproject.org/torproject.org jammy main' >> /etc/apt/sources.list

wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import

gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

apt update

apt install tor deb.torproject.org-keyring apt-transport-tor -y

mv /etc/apt/sources.list /etc/apt.sources.backup2

touch /etc/apt/sources.list

echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-updates main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-backports main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-security main restricted universe multiverse' >> /etc/apt/sources.list
echo 'deb [arch=amd64] tor+https://deb.torproject.org/torproject.org jammy main' >> /etc/apt/sources.list

apt update && apt dist-upgrade -V

Or, if you trust me, run this script:

curl -s https://yawnbox.is/scripts/jammy_apt_upgrade.sh | sudo sh

yawnbox