Table of Contents
- Never Forget
- DNS transport security
- apt transport security
- apt transport privacy
- apt transport privacy - scripted
Never Forget
Never Forget DSA-3733 (CVE-2016-1252): a flaw in how apt handled errors while validating InRelease signatures let an attacker who could man-in-the-middle plain-HTTP repository traffic bypass the signature check and get arbitrary code execution. Validating Signatures > MitM > RCE. Signatures are only as good as the code that checks them, and plaintext transport hands the attacker the input.
The Debian developer community refused to implement transport cryptography for updates because “signing packages is secure enough”. Incompetence. This post is about "the how". If you want to read about "the why", please read my earlier post: https://yawnbox.is/blog/privacy-proposal-for-debian/
This guide will significantly improve the privacy and security of your Ubuntu server's package updates. It requires apt-transport-tor, which lets apt fetch over Tor. HTTPS transport needs no extra package: it has been built into apt itself since apt 1.5 (Ubuntu 18.04 and later), and apt-transport-https survives only as an empty transitional package.
The Wikimedia Ubuntu repo has a good TLS configuration, IPv6 and IPv4 support, and they don't block Tor. See their Qualys SSL Labs grade: https://www.ssllabs.com/ssltest/analyze.html?d=mirrors.wikimedia.org&latest
First, secure the transport of the DNS request itself. The following steps enable DNS over TLS (DoT) for outbound queries using systemd-resolved, which Ubuntu ships and runs by default, so no extra software is needed.
Note: If you are reading this and know of a way to push DoT or DoH traffic out Tor (like with a SOCKS5 proxy pointing to 127.0.0.1:9050 or something), please send me a message!
DNS transport security
Works on Ubuntu 22.04 - 24.04.
Edit resolved.conf by
- enabling Quad9's IPs with their corresponding DoT hostnames (the part after #, used for SNI and certificate validation)
- enabling Cloudflare's IPs with their corresponding DoT hostnames as fallback
- enabling strict DNSSEC validation
- enabling strict DoT
sudo vim /etc/systemd/resolved.conf
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
FallbackDNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
DNSSEC=yes
DNSOverTLS=yes
If strict DNSSEC or DNSOverTLS breaks resolution on your network, these are the weaker fallbacks. Be aware of what you give up: opportunistic mode uses TLS when the server offers it but silently falls back to plaintext, so an active attacker can downgrade it, and allow-downgrade does the same for DNSSEC validation.
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
I also enable these settings:
MulticastDNS=no
LLMNR=no
Cache=no-negative
DNSStubListener=yes
Restart systemd-resolved:
sudo systemctl restart systemd-resolved
Edit Netplan (there should be one *.yaml file in /etc/netplan by default; its name varies by image, so edit whichever one is there):
sudo vim /etc/netplan/01-netcfg.yaml
Under nameservers, list only the local stub listener, so that no plaintext upstream resolver is attached to the link. If the interface gets its address from DHCP, also set dhcp4-overrides: use-dns: false (and dhcp6-overrides for IPv6), otherwise DHCP-supplied resolvers are added to the link alongside it:
nameservers:
addresses:
- 127.0.0.53
Apply the netplan changes:
sudo netplan apply
DoT Validation
You can validate that only DoT is used with ufw. If, like me, you deny all outbound (ufw default deny outgoing), delete the rule that allows 53/udp out (and any 53/tcp rule: plain DNS falls back to TCP for large answers, so both must be closed), then allow 853/tcp out. Otherwise, add explicit deny rules for port 53 and test.
sudo ufw delete allow out 53/udp
sudo ufw allow out 853/tcp
sudo ufw reload
or
sudo ufw deny out 53/udp
sudo ufw deny out 53/tcp
sudo ufw allow out 853/tcp
sudo ufw reload
You can also check the status of resolvectl:
resolvectl status
This should say something like:
Global
Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: stub
Current DNS Server: 2620:fe::9#dns.quad9.net
DNS Servers: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net 127.0.0.53
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
2606:4700:4700::1111#cloudflare-dns.com
2606:4700:4700::1001#cloudflare-dns.com
Link 2 (eth0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 127.0.0.53
DNS Servers: 127.0.0.53
Watch for legacy plaintext DNS leaving the host (there should be none once port 53 is blocked):
sudo tcpdump -i any -n port 53
Watch local DoT queries, if any:
sudo tcpdump -i any -n port 853
Try an outbound request, like sudo apt update. With port 53 blocked, a successful run means the name was resolved over port 853, i.e. TLS to Quad9, and the tcpdump on port 853 should light up while port 53 stays silent. Pinging domains is also a sound check:
ping4 google.com
If you have IPv6 configured on your system:
ping6 google.com
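As an added check (an example script written for this edit, not from the original post), the following POSIX sh audit reads a resolved.conf fragment and confirms the three properties the settings above rely on: DNSOverTLS=yes (strict, not opportunistic), DNSSEC=yes (not allow-downgrade), and a #hostname on every DNS= and FallbackDNS= entry, which resolved uses for SNI and, in strict mode, for certificate name validation. The two sample fragments are constructed inline; on a real host point audit_resolved at /etc/systemd/resolved.conf.

```sh
#!/bin/sh
# Added example, not from the original post: audit a systemd-resolved
# configuration fragment for the strict-DoT settings used in this guide.

# Print the value of KEY from a KEY=VALUE file (last assignment wins;
# commented-out "#KEY=" lines are ignored because "#KEY" != KEY).
resolved_get() {
    awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}

# Succeed only if every whitespace-separated server carries "#hostname".
# resolved uses that name for SNI and, with DNSOverTLS=yes, to validate
# the server certificate; a bare IP gets no name check.
servers_have_sni() {
    for s in $1; do
        case "$s" in
            *'#'?*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Audit one file. Prints findings, returns 0 only when all checks pass.
audit_resolved() {
    f="$1"; rc=0
    [ "$(resolved_get DNSOverTLS "$f")" = "yes" ] ||
        { echo "FAIL: DNSOverTLS is not 'yes' (opportunistic can be downgraded)"; rc=1; }
    [ "$(resolved_get DNSSEC "$f")" = "yes" ] ||
        { echo "FAIL: DNSSEC is not 'yes' (allow-downgrade can be downgraded)"; rc=1; }
    dns="$(resolved_get DNS "$f")"
    [ -n "$dns" ] || { echo "FAIL: no DNS= servers set"; rc=1; }
    servers_have_sni "$dns" ||
        { echo "FAIL: a DNS= server lacks #hostname for SNI/cert validation"; rc=1; }
    fb="$(resolved_get FallbackDNS "$f")"
    [ -z "$fb" ] || servers_have_sni "$fb" ||
        { echo "FAIL: a FallbackDNS= server lacks #hostname"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $f enforces DoT + DNSSEC with named servers"
    return "$rc"
}

# Constructed sample fragments (not copied from any real host).
GOOD=$(mktemp); cat >"$GOOD" <<'EOF'
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
FallbackDNS=1.1.1.1#cloudflare-dns.com
DNSSEC=yes
DNSOverTLS=yes
EOF
WEAK=$(mktemp); cat >"$WEAK" <<'EOF'
[Resolve]
DNS=9.9.9.9 149.112.112.112#dns.quad9.net
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic
EOF

# Usage on a real host: audit_resolved /etc/systemd/resolved.conf
audit_resolved "$GOOD"
audit_resolved "$WEAK" || true
```

The audit only looks at what is configured, not at what is on the wire; pair it with the ufw and tcpdump checks above, which catch a resolver that was configured correctly but is being bypassed by DHCP-supplied servers or a stray /etc/resolv.conf.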
apt transport security
If you only want increased apt transport security (TLS to the mirror, no Tor), this is what your apt sources should look like. The Noble deb822 format's Signed-By line pins the archive keyring that may sign these suites; keep it.
Ubuntu 22.04 Jammy
sudo vim /etc/apt/sources.list
deb https://mirrors.wikimedia.org/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ jammy-updates main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ jammy-backports main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ jammy-security main restricted universe multiverse
Ubuntu 24.04 Noble
sudo vim /etc/apt/sources.list.d/ubuntu.sources
Types: deb
URIs: https://mirrors.wikimedia.org/ubuntu/
Suites: noble noble-updates noble-security noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
apt transport privacy
If you want security and privacy, fetch over Tor via apt-transport-tor. It hands each request to the local Tor SOCKS port (127.0.0.1:9050 by default), so the tor service must be running whenever apt runs.
sudo apt install tor apt-transport-tor
Ubuntu 22.04 Jammy
sudo vim /etc/apt/sources.list
deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-updates main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-backports main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-security main restricted universe multiverse
Ubuntu 24.04 Noble
sudo vim /etc/apt/sources.list.d/ubuntu.sources
Types: deb
URIs: tor+https://mirrors.wikimedia.org/ubuntu/
Suites: noble noble-updates noble-security noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
Validate with the command below. The Hit/Get lines should show the tor+https URLs, and if the tor service is not running apt fails to connect to the SOCKS port rather than silently falling back to a direct connection:
sudo apt update
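For both the apt transport security and apt transport privacy configurations above, this added audit (written for this edit, not from the original post) walks apt source files and reports the transport scheme of every URI. It understands the one-line sources.list format, including a bracketed options field such as [arch=amd64 signed-by=...], and the deb822 *.sources format. Plaintext http:// sources fail the audit; tor+http is flagged as weak because the Tor exit relay still sees the request in the clear. The sample files are constructed inline.

```sh
#!/bin/sh
# Added example, not from the original post: audit apt source files for
# their transport scheme (sources.list one-line format and deb822 *.sources).

# Print every source URI found in the given files, one per line.
apt_source_uris() {
    for f in "$@"; do
        awk '
            /^[[:space:]]*#/ { next }
            $1 == "deb" || $1 == "deb-src" {
                i = 2
                # skip an optional [opt1 opt2 ...] field, which may span words
                if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
                if (i <= NF) print $i
                next
            }
            $1 == "URIs:" { for (i = 2; i <= NF; i++) print $i }
        ' "$f"
    done
}

# Classify one URI by scheme.
classify_uri() {
    case "$1" in
        tor+https://*)  echo "OK   tor+https  $1" ;;
        https://*)      echo "OK   https      $1" ;;
        file:*|cdrom:*) echo "OK   local      $1" ;;
        tor+http://*)   echo "WEAK tor+http   $1 (origin hidden, exit relay sees plaintext)" ;;
        *)              echo "FAIL plaintext  $1" ;;
    esac
}

# Print a classification for each URI; return 0 only if nothing is FAIL.
audit_apt_sources() {
    fails=0
    for u in $(apt_source_uris "$@"); do
        line=$(classify_uri "$u")
        echo "$line"
        case "$line" in FAIL*) fails=$((fails + 1)) ;; esac
    done
    [ "$fails" -eq 0 ]
}

# Constructed sample files (not copied from any real host).
LIST=$(mktemp); cat >"$LIST" <<'EOF'
# mixed transports in one-line format
deb http://archive.ubuntu.com/ubuntu/ jammy main restricted universe multiverse
deb [arch=amd64 signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] tor+https://deb.torproject.org/torproject.org jammy main
deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-security main restricted universe multiverse
EOF
DEB822=$(mktemp); cat >"$DEB822" <<'EOF'
Types: deb
URIs: https://mirrors.wikimedia.org/ubuntu/
Suites: noble noble-updates noble-security noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
EOF

# Usage on a real host (globs that match nothing are reported by awk and skipped):
#   audit_apt_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources
audit_apt_sources "$LIST" "$DEB822" || echo "at least one plaintext source found"
```

Run it after any change to /etc/apt, and before the first apt update on a freshly installed image: the Ubuntu default sources are plain http:// and will show up as FAIL.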
apt transport privacy - scripted
This is a shell script I made for Jammy that also installs the Tor Project's signing key and the current Tor release from the Tor Project's own repository, then switches every source to tor+https.
Ubuntu 22.04 Jammy
sudo vim jammy_apt_upgrade.sh
Cut and paste this in there:
#!/bin/bash
# Stage 1: switch to Wikimedia's HTTPS mirror and add the Tor Project repo
# (key pinned with signed-by) so apt-transport-tor can be installed over TLS.
# Stage 2: rewrite every source as tor+https and upgrade through Tor.
set -euo pipefail
[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }

KEYRING=/usr/share/keyrings/deb.torproject.org-keyring.gpg
FPR=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

mv /etc/apt/sources.list /etc/apt/sources.list.backup1
cat > /etc/apt/sources.list <<EOF
deb https://mirrors.wikimedia.org/ubuntu/ jammy main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ jammy-updates main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ jammy-backports main restricted universe multiverse
deb https://mirrors.wikimedia.org/ubuntu/ jammy-security main restricted universe multiverse
deb [arch=amd64 signed-by=$KEYRING] https://deb.torproject.org/torproject.org jammy main
EOF

# Fetch the Tor Project signing key over HTTPS into its own keyring and
# confirm the fingerprint before apt ever sees the repo. apt-key is
# deprecated; signed-by limits this key to the Tor repo alone.
wget -qO- "https://deb.torproject.org/torproject.org/$FPR.asc" | gpg --dearmor > "$KEYRING"
gpg --show-keys --with-colons "$KEYRING" | grep -q "$FPR" || { echo "unexpected key fingerprint" >&2; exit 1; }

apt update
apt install -y tor deb.torproject.org-keyring apt-transport-tor

mv /etc/apt/sources.list /etc/apt/sources.list.backup2
cat > /etc/apt/sources.list <<EOF
deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-updates main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-backports main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ jammy-security main restricted universe multiverse
deb [arch=amd64 signed-by=$KEYRING] tor+https://deb.torproject.org/torproject.org jammy main
EOF

apt update && apt dist-upgrade -V
sudo chmod +x jammy_apt_upgrade.sh
Run:
sudo ./jammy_apt_upgrade.sh
Or, if you trust me, fetch it from my site (for Jammy). Better: download it, read it, then run it, since piping a remote script straight into a root shell is exactly the pattern this whole post argues against.
curl -s https://yawnbox.is/scripts/jammy_apt_upgrade.sh | sudo bash