DNS Resolver security implications
-
Hi,
How safe is it to use the pfSense DNS Resolver in forward mode to the Cloudflare DNS servers?
Are there any DNS CVEs in 2.6.0-RELEASE? What are the best practices to implement it well?
That's my config, is it good enough?
Best regards.
-
@luquinhasdainfra said in DNS Resolver security implications:
How safe is it to use the pfSense DNS Resolver in forward mode to the Cloudflare DNS servers?
I'm curious why you would limit yourself to their servers only -- if they are offline you lose all DNS service.
-
@luquinhasdainfra said in DNS Resolver security implications:
I'm actually using Cloudflare AND OpenDNS servers
So, again, when they do not work (overloaded, etc) you lose your DNS.
You don't need to forward. It's some kind of 'plan B' solution. pfSense, out of the box, has a working DNS, and it doesn't forward.
'Plan A' is as the internet was designed way back in around 1970: resolve.
Btw: when you forward, disable DNSSEC.
-
@luquinhasdainfra said in DNS Resolver security implications:
I'm actually using Cloudflare AND OpenDNS servers
This is not a good idea. One filters, the other doesn't, so you have no idea which one you're going to ask. So something might be filtered, or it might not. Even when they both filter, they sure will not filter exactly the same.
If you're going to forward, you want to make sure that all of the servers you're going to forward to are using the same filtering list, or do not filter at all, etc.
-
Hi,
Thanks for your answer.
I found out that Cloudflare has some filters and I removed it.
Now I'm using servers that do not do validation, but I'm using pfBlocker to block malicious domains.
-
@luquinhasdainfra said in DNS Resolver security implications:
Now I'm using servers that do not do validation
Most DNS services do DNSSEC on their own; there is no reason to set it in unbound if you're forwarding. DNSSEC is for a resolver. If you forward and you want DNSSEC, then make sure where you forward to is doing it.
https://support.quad9.net/hc/en-us/articles/4409274993677-DNS-Forwarders-Best-Practices
- Disable DNSSEC Validation
Since Quad9 already performs DNSSEC validation, DNSSEC being enabled in the forwarder will cause a duplication of the DNSSEC process, significantly reducing performance and potentially causing false BOGUS responses.
What DNS are you forwarding to? Some of them have special IPs that don't do DNSSEC, but you still shouldn't turn it on if forwarding. DNSSEC, again, is for a resolver.
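To make the "validation belongs to the resolver, not the forwarder" point concrete, here is a hand-written unbound.conf fragment added to this thread as an illustration (it is not pfSense's generated /var/unbound/unbound.conf; on pfSense you get the same effect by unticking "Enable DNSSEC Support" and entering the upstream servers in the GUI). The DNS-over-TLS hostname cloudflare-dns.com and the CA bundle path /etc/ssl/cert.pem are assumptions for the example, not values from the thread.

```conf
server:
    # Forwarding setup. The validator module is NOT loaded, so unbound does not
    # repeat the DNSSEC work the upstream already does (the duplicated work and
    # spurious BOGUS/SERVFAIL answers johnpoz and the Quad9 page describe).
    module-config: "iterator"
    # When unbound resolves on its own instead of forwarding, use the default:
    # module-config: "validator iterator"
    # together with auto-trust-anchor-file for the root key.

    # Assumed CA bundle path (FreeBSD/pfSense layout); needed to verify the
    # upstream certificate when forward-tls-upstream is enabled.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    # Every server listed here must apply the same filtering policy (or none),
    # because unbound chooses among them per query and you cannot predict
    # which one answers.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # TLS to the upstream: the AD (validated) bit you receive is only as
    # trustworthy as the path it travelled over.
    forward-tls-upstream: yes
```

The `@853#hostname` form pins both the port and the name unbound verifies in the upstream certificate; without `forward-tls-upstream` the forwarder's "this answer validated" assertion arrives in plaintext UDP and can be altered on the path.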
-
@luquinhasdainfra said in DNS Resolver security implications:
But why do i have to disable DNSSEC when forwarding?
A clean, short and precise answer exists already on this forum, here in the DNS forum.
The shortest answer (more a declaration) is: when you forward, DNSSEC is not for you.
DNSSEC needs the resolver (the function you outsourced) to resolve from top to bottom.
A bit longer:
Consider a DNSSEC enabled domain: https://dnsviz.net/d/test-domaine.fr/dnssec/ (I 'own' that domain name, as well as the used domain name servers).
At the top is the current DNSSEC root key, the one with the id=20326.
This root certificate signs the root servers.
The root servers will give you the TLD, '.fr.' in this case. The TLDs are signed by the root servers.
The TLD will give you the two (my own) domain name servers. These have records signed by the TLD server.
In parallel with the classic record A (or AAAA) resolving, the DS key info is also resolved. The certificate chain has to match all the way. If it works out, a flag indicates that the DNS answer is 'rock solid'.
dig test-domaine.fr +trace +dnssec
Btw : 1.1.1.1 does DNSSEC checking.
You 'only' have to trust that they didn't 'lie' to you when they answered you.
Doing your own DNSSEC tests in parallel yourself (by unbound) removes completely the one and only advantage they offer : an answer a bit faster.
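The flag Gertjan mentions is the AD (Authenticated Data) bit in the DNS header, and the "you only have to trust them" remark is exactly about that bit: a forwarder sets it to assert that it validated the chain, and a forwarding client has no way to check the assertion itself. The following Python script is an added example for this thread, not code from pfSense, unbound or any poster. It builds a DO=1 query the way `dig +dnssec` does, parses the header of a response, and classifies a forwarded answer as validated-by-upstream, unvalidated, or SERVFAIL (what a validating upstream returns for a BOGUS zone). The responses it checks are constructed in the script; `query_flags` sends a real query and is there for the reader to run against a forwarder such as 1.1.1.1.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, AD/CD from RFC 4035)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authenticated Data: the answering resolver claims it validated DNSSEC
FLAG_CD = 0x0010   # Checking Disabled
RCODE_SERVFAIL = 2  # what a validating resolver returns for a BOGUS answer


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, ident=0x1234, dnssec_ok=True):
    """Build an A query; with dnssec_ok an EDNS0 OPT record carries the DO bit."""
    header = struct.pack("!HHHHHH", ident, FLAG_RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # OPT pseudo-RR: root name, type 41, CLASS = UDP payload size,
        # TTL field = ext-rcode(8) version(8) flags(16) with DO = 0x8000, no RDATA
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def build_response(name, ipv4, ad, rcode=0, ident=0x1234):
    """Constructed response to a forwarded A query (test fixture, not captured traffic)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode
    if ad:
        flags |= FLAG_AD
    ancount = 0 if rcode else 1
    header = struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b""
    if ancount:
        # compressed pointer to the question name, type A, class IN, TTL 300, 4-byte RDATA
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ipv4)
    return header + question + answer


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields that matter for validation status."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify_forwarded_answer(msg):
    """What a forwarding client can learn from a forwarder's reply, and nothing more."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"               # upstream refused: validation failed or it is down
    if h["ad"]:
        return "validated-by-upstream"  # an assertion you have to trust, not a proof
    return "unvalidated"                # upstream does not validate (or the zone is unsigned)


def query_flags(server, name, timeout=3.0):
    """Send a DO=1 query over UDP and return the parsed header (live network; not used by tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


if __name__ == "__main__":
    # Constructed sample replies standing in for three kinds of upstream behaviour.
    samples = {
        "validating upstream, signed zone": build_response("example.com", "192.0.2.1", ad=True),
        "non-validating upstream":          build_response("example.com", "192.0.2.1", ad=False),
        "validating upstream, bogus zone":  build_response("example.com", "192.0.2.1", ad=False, rcode=2),
    }
    for label, reply in samples.items():
        print(f"{label:36s} -> {classify_forwarded_answer(reply)}")
    # Live check against a forwarder, e.g.: print(query_flags("1.1.1.1", "test-domaine.fr"))
```

The three constructed replies map onto the thread's advice: with a non-validating upstream you get plain answers and no AD bit, so enabling DNSSEC in unbound cannot add anything; with a validating upstream you get AD, but only as that upstream's word, which is why the path to it (DNS over TLS) matters more than re-validating locally.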