2024: Secure DNS on Pearlstone WiFi

City of Refuge

Background

Pearlstone's network uses a Fortinet appliance to inspect traffic, and it does so by handing out misdirected DNS answers. When a web client (Safari, or Calendar on iOS, say) tries to reach a Google site such as https://google.com, the answer it gets back points it at a different machine, which presents a fake certificate for google.com to the client. A client that validates certificates properly will notice that the certificate does not check out and complain. When it complains, it shows a (justifiably!) scary dialog trying to explain the danger and asking what you want to do.

This happens on all three of Pearlstone's open WiFi networks (pearl, pearl-2.4, and pearl-5ghz-MAX-speed). According to staff, it would happen on their password-protected networks as well.

This kind of monkey business is called a man-in-the-middle (MITM) attack: a device on the network path puts itself between you and the site you asked for.

Avoiding the man in the middle (MITM)

Thankfully, modern web technology has a solution: DoH (DNS over HTTPS). Think of how you'd make a phone call: first you look up a number in a phone book, then you dial it. A browser works the same way: it first looks up a computer's IP address in a directory (DNS) and then connects to that address. Browsers have used HTTPS to protect the second step, the connection, for decades. DoH lets a client use the same HTTPS protection for the first step, the address lookup, so the network can neither read nor rewrite the answer, and the lookup goes to a resolver you choose (for example Cloudflare's, at https://cloudflare-dns.com/dns-query) rather than to whatever the WiFi network hands out. Two caveats: DoH protects only the lookup, so the certificate check on the connection itself still matters; and a network that wants to can block the DoH resolver, in which case, depending on the client, it may either fail to resolve anything or silently fall back to ordinary DNS. If the scary dialogs come back after you've set this up, that is the likely reason.
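The following script is an added example, not code from the original post. It puts the two previous sections together: it builds an RFC 8484 DNS-over-HTTPS query for an A record, sends it to Cloudflare's public resolver (https://cloudflare-dns.com/dns-query, the same resolver the profile below uses), compares the answer with what the WiFi network's own resolver says, and finally attempts a certificate-verified TLS handshake, which is exactly the step a properly behaving client fails on when it is handed a forged certificate. The host name google.com and the verdict labels are choices made here; the sample response bytes in the usage note are constructed.

```python
"""Check a network for DNS misdirection and forged certificates (added example)."""
import base64
import socket
import ssl
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"   # Cloudflare's public DoH endpoint


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a minimal DNS query message (RFC 1035) for NAME / QTYPE.
    RFC 8484 recommends ID 0 so the encoded query is cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)     # class IN


def encode_doh_get(query: bytes) -> str:
    """Base64url without padding, as RFC 8484 requires for GET ?dns=..."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def _skip_name(msg: bytes, off: int) -> int:
    """Skip a (possibly compressed) domain name; return the following offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_a_records(msg: bytes) -> list[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:             # RCODE other than NOERROR
        return []
    off = 12
    for _ in range(qd):                 # skip the question section
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def doh_lookup(name: str) -> list[str]:
    """Resolve NAME over DoH using the wire-format GET form."""
    req = urllib.request.Request(
        f"{DOH_URL}?dns={encode_doh_get(build_query(name))}",
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_a_records(resp.read())


def system_lookup(name: str) -> list[str]:
    """Resolve NAME with whatever resolver the WiFi network handed out."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, 443, socket.AF_INET)})


def verdict(system_ips, doh_ips) -> str:
    """Compare the two answer sets. Big sites rotate addresses, so a disjoint
    pair is a warning sign to investigate, not proof of tampering."""
    if not doh_ips:
        return "doh-blocked"            # network is blocking or breaking DoH
    if set(system_ips) & set(doh_ips):
        return "consistent"
    return "dns-mismatch"


def tls_verifies(name: str) -> bool:
    """True if a certificate-verified TLS handshake to NAME succeeds.
    A forged certificate fails here with CERTIFICATE_VERIFY_FAILED."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((name, 443), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=name):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    host = "google.com"
    sys_ips, doh_ips = system_lookup(host), doh_lookup(host)
    print("system resolver:", sys_ips)
    print("DoH (Cloudflare):", doh_ips)
    print("verdict:", verdict(sys_ips, doh_ips))
    print("TLS certificate verifies:", tls_verifies(host))
```

Run it on the suspect WiFi and again on a trusted network; a "dns-mismatch" verdict together with a failed certificate check is the pattern described in the Background. "doh-blocked" means the network is also interfering with the resolver the profile below relies on.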

Install DoH profile on iOS

  1. Load the cloudflare-https mobile config profile
  2. Tap the "Allow" button
  3. Go to Settings => General => VPN, DNS & Device Management
  4. Select the downloaded profile and tap the "Install" button
  5. Confirm a couple of times (this is intentionally scary, since you're letting a specific entity control your address lookups; the entity we're suggesting is well known and less evil than the one Pearlstone is providing)

Install DoH profile on macOS

  1. Load the cloudflare-https mobile config profile
  2. Open the downloaded file
  3. Choose Apple menu > System Settings, click Privacy & Security in the sidebar, then click Profiles on the right (you may need to scroll down). You may be asked for your password or other information during installation.
  4. In the Downloaded section, double-click the profile
  5. Review the profile contents, then click Continue, Install or Enroll to install the profile
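What the iOS and macOS steps above install is an Apple configuration profile carrying a DNS Settings payload. The script below is an added example, not the profile the post links to: it generates an equivalent .mobileconfig that points the whole device at Cloudflare's DoH resolver, and re-parses it so you can see exactly what you are about to trust before tapping Install. The identifier prefix org.example.doh and the display name are placeholders chosen here.

```python
"""Generate and inspect a DNS-over-HTTPS .mobileconfig profile (added example)."""
import plistlib
import uuid

CLOUDFLARE_DOH_URL = "https://cloudflare-dns.com/dns-query"
# Bootstrap addresses, so resolving the DoH server's own hostname does not
# depend on the network's (untrusted) resolver.
CLOUDFLARE_ADDRESSES = ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"]


def build_doh_profile(server_url, server_addresses,
                      identifier="org.example.doh",          # placeholder reverse-DNS name
                      display_name="Cloudflare DNS over HTTPS"):
    """Return the profile as a dict in Apple's configuration-profile schema."""
    if not server_url.startswith("https://"):
        raise ValueError("a DoH ServerURL must be an https:// URL")
    dns_payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadIdentifier": f"{identifier}.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "DNSSettings": {
            "DNSProtocol": "HTTPS",                 # "TLS" would give DNS over TLS instead
            "ServerURL": server_url,
            "ServerAddresses": list(server_addresses),
        },
        # ProhibitDisablement is left absent so the user can still switch the
        # resolver off in Settings; set it True on a locked-down managed device.
    }
    return {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadDescription": f"Routes all DNS lookups on this device through {server_url}",
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [dns_payload],
    }


def profile_to_mobileconfig(profile: dict) -> bytes:
    """Serialise as an XML plist, which is what Settings expects in a .mobileconfig."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(data: bytes) -> dict:
    """Re-parse a .mobileconfig and return the DNS settings it would install.
    Reviewing this is the point of the scary confirmation dialogs: whoever
    wrote the profile controls every address lookup on the device."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile["PayloadContent"]
                if p["PayloadType"] == "com.apple.dnsSettings.managed"]
    if len(payloads) != 1:
        raise ValueError("expected exactly one DNS settings payload")
    return payloads[0]["DNSSettings"]


if __name__ == "__main__":
    data = profile_to_mobileconfig(build_doh_profile(CLOUDFLARE_DOH_URL, CLOUDFLARE_ADDRESSES))
    with open("cloudflare-doh.mobileconfig", "wb") as f:
        f.write(data)
    print(check_profile(data))
```

Running it writes cloudflare-doh.mobileconfig, which installs through the same Settings screens as the steps above. The check_profile step is also useful on any profile someone else hands you: if the ServerURL is not a resolver you recognise, do not install it.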

Use DoH in browsers

Follow the Cloudflare instructions for various web browsers. If you installed the profile above, the whole device already uses DoH, browsers included; the per-browser settings matter on other platforms, or if you prefer the browser's own DoH setting.
