Netgate Discussion Forum

    DNSSEC on pfSense

    2.0-RC Snapshot Feedback and Problems - RETIRED
_igor_

      Are there any plans to implement DNSSEC in a near/far future or would it be a big problem to implement/activate that feature?

sullrich

Our built-in resolver (dnsmasq) already follows the guidelines for proxying DNSSEC. Please see http://comments.gmane.org/gmane.network.dns.dnsmasq.general/4221

        PS: we are looking at replacing dnsmasq in 2.1 with something else.  Stay tuned.

kronso

          pfSense doesn't have a full-fledged DNS server. I don't think there are plans to add one.

_igor_

Oh, I was thinking of something like what is explained here: http://lacnic.net/documentos/lacnicxiii/presentaciones/tutorial-DNSSEC-en-32.pdf
and in this howto: http://www.isc.org/files/DNSSEC_in_6_minutes.pdf.
I didn't think about dnsmasq.

lyserge

              My ISP uses DNSSEC and Firefox DNSSEC Validator add-on http://www.dnssec-validator.cz/ works well through dnsmasq on pfSense :)

              http://test.dnssec-or-not.org/ :D


              pfSense 2.0.3 nanoBSD (i386) on Soekris net5501

_igor_

                Sounds good, but my intention was/is to have DNSSEC at router-side, not at client-side.

sullrich

                  @_igor_:

                  Sounds good, but my intention was/is to have DNSSEC at router-side, not at client-side.

We are looking at adding the Unbound DNS resolver, which supports this. It might end up as a package before it makes its way into 2.1.

_igor_

Oh, thanks very much for your answer. I'll stay tuned! That's great news.

sullrich

                      Unbound package is in testing.  Stay tuned!  Borat is happy at least with it :)

sullrich

                        Unbound package has been added.  Currently working on fixing a bug when you have host overrides / domain overrides in Services -> DNS Forwarder.

                        Our Unbound package written by Warren Baker is designed to drop right in and replace DNSmasq so you will find that it uses the defined entries in the DNS Forwarder screen.

If you are not using host/domain overrides, go ahead and install the package and try it out if you're running 2.0-Beta4. You'll want to visit Services -> Unbound, enable DNSSEC and click Save after package installation.

sullrich

                          All known issues in the unbound package are fixed!  Give it a try!

danswartz

Hmmm, this looks interesting. Will this be capable of serving up zone changes to a secondary? I have pfSense running as a virtual machine under VirtualBox, but a downside of that is that if pfSense is down, nothing (including the main server) can access any hosts on the LAN by name, which sucks. I would like to run a secondary on the main server that would pull from the primary (Unbound on pfSense). Am I out to lunch, or would this work?

sullrich

                              Yes, this would work fine if you define the servers under services -> dns forwarder.

danswartz

Sweet! I'm going to take a shot at this tonight :)

jlepthien

Package installed fine on my ALIX box. I have set up DNS with the Google servers 8.8.8.8 and 8.8.4.4. How can I check if this is running OK? Also, now my local DNS is not resolving anymore. See the screenshot for the DNS configuration. The DNS Forwarder under Services was automatically disabled, btw…

                                  Edit: Well, I disabled forwarding mode, because it is said so when enabling DNSSEC...


                                  | apple fanboy | music lover | network and security specialist | in love with cisco systems |

_igor_

Installed fine here too, but name resolution of my PCs on the LAN doesn't work either. I tested with "Enable forwarding mode" both enabled and disabled.

                                    Here are the respective log-entries:

                                    Nov 19 13:07:17	unbound: [42280:0] info: start of service (unbound 1.4.7).
                                    Nov 19 13:07:17	unbound: [42280:0] notice: init module 1: iterator
                                    Nov 19 13:07:17	unbound: [42280:0] notice: init module 1: iterator
                                    Nov 19 13:07:17	unbound: [42280:0] notice: init module 0: validator
                                    Nov 19 13:07:17	unbound: [42280:0] notice: init module 0: validator
                                    Nov 19 13:07:17	unbound: [42280:0] notice: Restart of unbound 1.4.7.
                                    Nov 19 13:07:17	unbound: [42280:0] notice: Restart of unbound 1.4.7.
                                    Nov 19 13:07:17	unbound: [42280:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
                                    Nov 19 13:07:17	unbound: [42280:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
                                    Nov 19 13:07:17	unbound: [42280:0] info: service stopped (unbound 1.4.7).
                                    Nov 19 13:07:16	unbound: [42280:0] info: start of service (unbound 1.4.7).
                                    Nov 19 13:07:16	unbound: [42280:0] notice: init module 1: iterator
                                    Nov 19 13:07:16	unbound: [42280:0] notice: init module 1: iterator
                                    Nov 19 13:07:16	unbound: [42280:0] notice: init module 0: validator
                                    Nov 19 13:07:16	unbound: [42280:0] notice: init module 0: validator
                                    Nov 19 13:07:16	check_reload_status: syncing firewall
                                    Nov 19 13:07:16	unbound: [7052:0] info: 0.131072 0.262144 1
                                    Nov 19 13:07:16	unbound: [7052:0] info: lower(secs) upper(secs) recursions
                                    Nov 19 13:07:16	unbound: [7052:0] info: [25%]=0 median[50%]=0 [75%]=0
                                    Nov 19 13:07:16	unbound: [7052:0] info: histogram of recursion processing times
                                    Nov 19 13:07:16	unbound: [7052:0] info: average recursion processing time 0.139544 sec
                                    Nov 19 13:07:16	unbound: [7052:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
                                    Nov 19 13:07:16	unbound: [7052:0] info: server stats for thread 0: 1 queries, 0 answers from cache, 1 recursions, 0 prefetch
                                    Nov 19 13:07:16	unbound: [7052:0] info: service stopped (unbound 1.4.7).
                                    Nov 19 13:06:26	unbound: [7052:0] info: start of service (unbound 1.4.7).
                                    Nov 19 13:06:26	unbound: [7052:0] notice: init module 1: iterator
                                    Nov 19 13:06:26	unbound: [7052:0] notice: init module 1: iterator
                                    Nov 19 13:06:26	unbound: [7052:0] notice: init module 0: validator
                                    Nov 19 13:06:26	unbound: [7052:0] notice: init module 0: validator
                                    Nov 19 13:06:26	unbound: [7052:0] notice: Restart of unbound 1.4.7.
                                    Nov 19 13:06:26	unbound: [7052:0] notice: Restart of unbound 1.4.7.
                                    Nov 19 13:06:26	unbound: [7052:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
                                    Nov 19 13:06:26	unbound: [7052:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
                                    Nov 19 13:06:26	unbound: [7052:0] info: service stopped (unbound 1.4.7).
                                    Nov 19 13:06:25	unbound: [7052:0] info: start of service (unbound 1.4.7).
                                    Nov 19 13:06:25	unbound: [7052:0] notice: init module 1: iterator
                                    Nov 19 13:06:25	unbound: [7052:0] notice: init module 1: iterator
                                    Nov 19 13:06:25	unbound: [7052:0] notice: init module 0: validator
                                    Nov 19 13:06:25	unbound: [7052:0] notice: init module 0: validator
                                    Nov 19 13:06:24	check_reload_status: syncing firewall
                                    Nov 19 13:06:24	unbound: [57813:0] info: 1.000000 2.000000 2
                                    Nov 19 13:06:24	unbound: [57813:0] info: 0.524288 1.000000 1
                                    Nov 19 13:06:24	unbound: [57813:0] info: lower(secs) upper(secs) recursions
                                    Nov 19 13:06:24	unbound: [57813:0] info: [25%]=0 median[50%]=0 [75%]=0
                                    Nov 19 13:06:24	unbound: [57813:0] info: histogram of recursion processing times
                                    Nov 19 13:06:24	unbound: [57813:0] info: average recursion processing time 1.129489 sec
                                    Nov 19 13:06:24	unbound: [57813:0] info: server stats for thread 0: requestlist max 2 avg 0.666667 exceeded 0
                                    Nov 19 13:06:24	unbound: [57813:0] info: server stats for thread 0: 3 queries, 0 answers from cache, 3 recursions, 0 prefetch
                                    Nov 19 13:06:24	unbound: [57813:0] info: service stopped (unbound 1.4.7).
                                    Nov 19 13:06:04	unbound: [57813:0] info: start of service (unbound 1.4.7).
                                    Nov 19 13:06:03	unbound: [57813:0] notice: init module 1: iterator
                                    Nov 19 13:06:03	unbound: [57813:0] notice: init module 1: iterator
                                    Nov 19 13:06:03	unbound: [57813:0] notice: init module 0: validator
                                    Nov 19 13:06:03	unbound: [57813:0] notice: init module 0: validator
                                    Nov 19 13:06:03	check_reload_status: syncing firewall
                                    Nov 19 13:06:03	unbound: [35917:0] info: 0.524288 1.000000 1
                                    Nov 19 13:06:03	unbound: [35917:0] info: 0.262144 0.524288 1
                                    Nov 19 13:06:03	unbound: [35917:0] info: 0.131072 0.262144 2
                                    Nov 19 13:06:03	unbound: [35917:0] info: 0.065536 0.131072 1
                                    Nov 19 13:06:03	unbound: [35917:0] info: 0.032768 0.065536 1
                                    Nov 19 13:06:03	unbound: [35917:0] info: lower(secs) upper(secs) recursions
                                    Nov 19 13:06:03	unbound: [35917:0] info: [25%]=0.032768 median[50%]=0.065536 [75%]=0.131072
                                    Nov 19 13:06:03	unbound: [35917:0] info: histogram of recursion processing times
                                    Nov 19 13:06:03	unbound: [35917:0] info: average recursion processing time 0.325781 sec
                                    Nov 19 13:06:03	unbound: [35917:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
                                    Nov 19 13:06:03	unbound: [35917:0] info: server stats for thread 0: 10 queries, 4 answers from cache, 6 recursions, 2 prefetch
                                    Nov 19 13:06:03	unbound: [35917:0] info: service stopped (unbound 1.4.7).
                                    Nov 19 13:04:46	php: /pkg_mgr_install.php: Successful login for user 'admin' from: 10.112.35.2
                                    Nov 19 13:02:17	check_reload_status: reloading filter
                                    Nov 19 13:02:12	unbound: [35917:0] info: start of service (unbound 1.4.7).
                                    Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
                                    Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
                                    Nov 19 13:02:12	unbound: [35917:0] notice: init module 0: iterator
                                    Nov 19 13:02:12	unbound: [35917:0] notice: init module 0: iterator
                                    Nov 19 13:02:00	unbound: [29695:0] info: 0.524288 1.000000 1
                                    Nov 19 13:02:00	unbound: [29695:0] info: 0.016384 0.032768 1
                                    Nov 19 13:02:00	unbound: [29695:0] info: lower(secs) upper(secs) recursions
                                    Nov 19 13:02:00	unbound: [29695:0] info: [25%]=0 median[50%]=0 [75%]=0
                                    Nov 19 13:02:00	unbound: [29695:0] info: histogram of recursion processing times
                                    Nov 19 13:02:00	unbound: [29695:0] info: average recursion processing time 0.279019 sec
                                    Nov 19 13:02:00	unbound: [29695:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
                                    Nov 19 13:02:00	unbound: [29695:0] info: server stats for thread 0: 4 queries, 2 answers from cache, 2 recursions, 0 prefetch
                                    Nov 19 13:02:00	unbound: [29695:0] info: service stopped (unbound 1.4.7).
                                    Nov 19 13:01:59	check_reload_status: syncing firewall
                                    Nov 19 13:01:47	unbound: [29695:0] info: start of service (unbound 1.4.7).
                                    Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content
                                    Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content
                                    Nov 19 13:01:47	unbound: [29695:0] notice: init module 0: iterator
                                    Nov 19 13:01:47	unbound: [29695:0] notice: init module 0: iterator
                                    Nov 19 13:01:47	dnsmasq[50197]: exiting on receipt of SIGTERM
                                    
danswartz

                                      Hmmm, I had other things going on last night, so I didn't get a chance to install and test this.  Looks like that was a good thing, as there seem to still be issues.

wagonza

@_igor_:

Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content
Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content

Looks like the default root.hints file was not downloaded correctly. You can see if it has data in it with ls -l /usr/local/etc/unbound/
Unbound should still use its internal hints for resolving, although it's slightly slower. When saving/restarting Unbound, it will check that file and download it again if need be.

With regard to your PCs not resolving, try installing the pkg again. I have fixed both host and domain overrides.
Let me know if you have any other problems, please.

                                        Follow me on twitter http://twitter.com/wagonza
                                        http://www.thepackethub.co.za
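The warning quoted above means Unbound could not find any NS records for the root zone in its hints file and fell back to its compiled-in list. The following check is an added example, not code from the thread or from the pfSense Unbound package: it tests the file the post names (/usr/local/etc/unbound/root.hints, overridable through ROOT_HINTS) for exactly the condition Unbound complains about, so it can be run after a save/restart to confirm the re-download worked. The sample hints content in the test is constructed, with a documentation-range address instead of a real root server.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an Unbound root.hints file
# is usable, i.e. non-empty and carrying NS records owned by the root zone.
# "root hints root.hints: no NS content" in the Unbound log means exactly
# this check would fail.

ROOT_HINTS="${ROOT_HINTS:-/usr/local/etc/unbound/root.hints}"

# check_root_hints FILE
# Return 0 if FILE exists, is non-empty and lists at least one NS record
# for "."; return 1 otherwise, printing the reason.
check_root_hints() {
    file="$1"
    if [ ! -s "$file" ]; then
        echo "root.hints missing or empty: $file"
        return 1
    fi
    # A hints file holds lines such as
    #   .   3600000   NS   A.ROOT-SERVERS.NET.
    # (some copies insert an "IN" class column). Comments start with ';'.
    # Count records whose owner is "." and whose type is NS.
    ns_count=$(grep -v '^;' "$file" \
        | awk '$1 == "." && ($3 == "NS" || $4 == "NS") { n++ } END { print n + 0 }')
    if [ "$ns_count" -eq 0 ]; then
        echo "root.hints has no NS records for the root zone: $file"
        return 1
    fi
    echo "root.hints OK: $ns_count root NS records in $file"
    return 0
}

# Run the check against the real file only when explicitly asked, e.g.
#   RUN_ROOT_HINTS_CHECK=1 sh check-root-hints.sh
if [ -n "${RUN_ROOT_HINTS_CHECK:-}" ]; then
    check_root_hints "$ROOT_HINTS"
fi
```

An empty file and a file that contains only comments both fail, matching the two ways a broken download tends to show up (zero bytes, or an HTML error page that happens to contain no zone data either way).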

wagonza

Oh, and I fixed an XML problem which would have caused some other problems :)


jlepthien

                                            Will try it…

                                            And how can I check if the DNSSEC is working correctly?

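The thread leaves this question open. As an added example, not from the thread or from the pfSense package, the script below shows what to look at: a resolver that validates DNSSEC (Unbound with DNSSEC enabled) sets the AD flag on answers it verified, whereas dnsmasq, which only proxies DNSSEC as sullrich described earlier, passes the signatures through without setting AD. The classifier reads the header lines of `dig +dnssec` output; the three sample outputs are constructed, and `check_resolver` with its 192.0.2.1 / example.com arguments is a hypothetical live wrapper that is only run on request.

```shell
#!/bin/sh
# Added example (not from the thread): classify the answer a resolver gave to
# `dig +dnssec NAME` by reading the response header.
#   AD flag set            -> the resolver validated the chain of trust
#   NOERROR without AD     -> answered but not validated (forwarding/proxying
#                             resolver, or the zone is not signed)
#   SERVFAIL               -> typical symptom of a validation failure (bad
#                             signatures or trust anchor) or a broken upstream

# classify_dig_output "<dig output>"  -> prints validated|not-validated|failed|unknown
classify_dig_output() {
    # rcode from ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ..."
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # flag list from ";; flags: qr rd ra ad; QUERY: 1, ..."
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL)          echo failed;  return 0 ;;
        NOERROR|NXDOMAIN)  ;;
        *)                 echo unknown; return 0 ;;
    esac
    for f in $flags; do
        if [ "$f" = "ad" ]; then
            echo validated
            return 0
        fi
    done
    echo not-validated
}

# check_resolver RESOLVER NAME  (hypothetical helper; needs dig and network access)
check_resolver() {
    classify_dig_output "$(dig +dnssec "@$1" "$2" 2>/dev/null)"
}

# Constructed sample outputs, cut down to the two header lines the classifier reads.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PROXIED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live query only when asked, e.g. RUN_DNSSEC_CHECK=1 sh dnssec-check.sh
# (192.0.2.1 and example.com are placeholders for your pfSense LAN address and a name to test).
if [ -n "${RUN_DNSSEC_CHECK:-}" ]; then
    check_resolver 192.0.2.1 example.com
fi
```

A "validated" result for a name you know is signed is the positive test; a "not-validated" result on the same name means the resolver in front of you is forwarding rather than validating, which is the difference between the dnsmasq and Unbound setups discussed in this thread. SERVFAIL alone cannot tell a validation failure from an upstream outage, so compare with a query that bypasses the validating resolver before drawing a conclusion.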

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.