DNSSEC on pfSense

danswartz

sweet! i'm going to take a shot at this tonight :)

jlepthien

Package installed fine on my Alix box. I have set up DNS with google servers 8.8.8.8 and 8.8.4.4. How can I check if this is running ok? Also now my local DNS is not resolving anymore. See screenshot for the DNS configuration. The DNS forwarder under services was automatically disabled btw…

Edit: Well, I disabled forwarding mode, because it is said so when enabling DNSSEC...

![Bildschirmfoto 2010-11-19 um 00.35.40.png](/public/imported_attachments/1/Bildschirmfoto 2010-11-19 um 00.35.40.png)
![Bildschirmfoto 2010-11-19 um 00.35.40.png_thumb](/public/imported_attachments/1/Bildschirmfoto 2010-11-19 um 00.35.40.png_thumb)

_igor_

Installed fine here too, but Name-resolving of my PCs on LAN doesn't work too. I tested with "Enable forwarding mode" enabled and disabled.

Here are the respective log-entries:

Nov 19 13:07:17	unbound: [42280:0] info: start of service (unbound 1.4.7).
Nov 19 13:07:17	unbound: [42280:0] notice: init module 1: iterator
Nov 19 13:07:17	unbound: [42280:0] notice: init module 1: iterator
Nov 19 13:07:17	unbound: [42280:0] notice: init module 0: validator
Nov 19 13:07:17	unbound: [42280:0] notice: init module 0: validator
Nov 19 13:07:17	unbound: [42280:0] notice: Restart of unbound 1.4.7.
Nov 19 13:07:17	unbound: [42280:0] notice: Restart of unbound 1.4.7.
Nov 19 13:07:17	unbound: [42280:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 19 13:07:17	unbound: [42280:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 19 13:07:17	unbound: [42280:0] info: service stopped (unbound 1.4.7).
Nov 19 13:07:16	unbound: [42280:0] info: start of service (unbound 1.4.7).
Nov 19 13:07:16	unbound: [42280:0] notice: init module 1: iterator
Nov 19 13:07:16	unbound: [42280:0] notice: init module 1: iterator
Nov 19 13:07:16	unbound: [42280:0] notice: init module 0: validator
Nov 19 13:07:16	unbound: [42280:0] notice: init module 0: validator
Nov 19 13:07:16	check_reload_status: syncing firewall
Nov 19 13:07:16	unbound: [7052:0] info: 0.131072 0.262144 1
Nov 19 13:07:16	unbound: [7052:0] info: lower(secs) upper(secs) recursions
Nov 19 13:07:16	unbound: [7052:0] info: [25%]=0 median[50%]=0 [75%]=0
Nov 19 13:07:16	unbound: [7052:0] info: histogram of recursion processing times
Nov 19 13:07:16	unbound: [7052:0] info: average recursion processing time 0.139544 sec
Nov 19 13:07:16	unbound: [7052:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 19 13:07:16	unbound: [7052:0] info: server stats for thread 0: 1 queries, 0 answers from cache, 1 recursions, 0 prefetch
Nov 19 13:07:16	unbound: [7052:0] info: service stopped (unbound 1.4.7).
Nov 19 13:06:26	unbound: [7052:0] info: start of service (unbound 1.4.7).
Nov 19 13:06:26	unbound: [7052:0] notice: init module 1: iterator
Nov 19 13:06:26	unbound: [7052:0] notice: init module 1: iterator
Nov 19 13:06:26	unbound: [7052:0] notice: init module 0: validator
Nov 19 13:06:26	unbound: [7052:0] notice: init module 0: validator
Nov 19 13:06:26	unbound: [7052:0] notice: Restart of unbound 1.4.7.
Nov 19 13:06:26	unbound: [7052:0] notice: Restart of unbound 1.4.7.
Nov 19 13:06:26	unbound: [7052:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 19 13:06:26	unbound: [7052:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 19 13:06:26	unbound: [7052:0] info: service stopped (unbound 1.4.7).
Nov 19 13:06:25	unbound: [7052:0] info: start of service (unbound 1.4.7).
Nov 19 13:06:25	unbound: [7052:0] notice: init module 1: iterator
Nov 19 13:06:25	unbound: [7052:0] notice: init module 1: iterator
Nov 19 13:06:25	unbound: [7052:0] notice: init module 0: validator
Nov 19 13:06:25	unbound: [7052:0] notice: init module 0: validator
Nov 19 13:06:24	check_reload_status: syncing firewall
Nov 19 13:06:24	unbound: [57813:0] info: 1.000000 2.000000 2
Nov 19 13:06:24	unbound: [57813:0] info: 0.524288 1.000000 1
Nov 19 13:06:24	unbound: [57813:0] info: lower(secs) upper(secs) recursions
Nov 19 13:06:24	unbound: [57813:0] info: [25%]=0 median[50%]=0 [75%]=0
Nov 19 13:06:24	unbound: [57813:0] info: histogram of recursion processing times
Nov 19 13:06:24	unbound: [57813:0] info: average recursion processing time 1.129489 sec
Nov 19 13:06:24	unbound: [57813:0] info: server stats for thread 0: requestlist max 2 avg 0.666667 exceeded 0
Nov 19 13:06:24	unbound: [57813:0] info: server stats for thread 0: 3 queries, 0 answers from cache, 3 recursions, 0 prefetch
Nov 19 13:06:24	unbound: [57813:0] info: service stopped (unbound 1.4.7).
Nov 19 13:06:04	unbound: [57813:0] info: start of service (unbound 1.4.7).
Nov 19 13:06:03	unbound: [57813:0] notice: init module 1: iterator
Nov 19 13:06:03	unbound: [57813:0] notice: init module 1: iterator
Nov 19 13:06:03	unbound: [57813:0] notice: init module 0: validator
Nov 19 13:06:03	unbound: [57813:0] notice: init module 0: validator
Nov 19 13:06:03	check_reload_status: syncing firewall
Nov 19 13:06:03	unbound: [35917:0] info: 0.524288 1.000000 1
Nov 19 13:06:03	unbound: [35917:0] info: 0.262144 0.524288 1
Nov 19 13:06:03	unbound: [35917:0] info: 0.131072 0.262144 2
Nov 19 13:06:03	unbound: [35917:0] info: 0.065536 0.131072 1
Nov 19 13:06:03	unbound: [35917:0] info: 0.032768 0.065536 1
Nov 19 13:06:03	unbound: [35917:0] info: lower(secs) upper(secs) recursions
Nov 19 13:06:03	unbound: [35917:0] info: [25%]=0.032768 median[50%]=0.065536 [75%]=0.131072
Nov 19 13:06:03	unbound: [35917:0] info: histogram of recursion processing times
Nov 19 13:06:03	unbound: [35917:0] info: average recursion processing time 0.325781 sec
Nov 19 13:06:03	unbound: [35917:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 19 13:06:03	unbound: [35917:0] info: server stats for thread 0: 10 queries, 4 answers from cache, 6 recursions, 2 prefetch
Nov 19 13:06:03	unbound: [35917:0] info: service stopped (unbound 1.4.7).
Nov 19 13:04:46	php: /pkg_mgr_install.php: Successful login for user 'admin' from: 10.112.35.2
Nov 19 13:02:17	check_reload_status: reloading filter
Nov 19 13:02:12	unbound: [35917:0] info: start of service (unbound 1.4.7).
Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
Nov 19 13:02:12	unbound: [35917:0] notice: init module 0: iterator
Nov 19 13:02:12	unbound: [35917:0] notice: init module 0: iterator
Nov 19 13:02:00	unbound: [29695:0] info: 0.524288 1.000000 1
Nov 19 13:02:00	unbound: [29695:0] info: 0.016384 0.032768 1
Nov 19 13:02:00	unbound: [29695:0] info: lower(secs) upper(secs) recursions
Nov 19 13:02:00	unbound: [29695:0] info: [25%]=0 median[50%]=0 [75%]=0
Nov 19 13:02:00	unbound: [29695:0] info: histogram of recursion processing times
Nov 19 13:02:00	unbound: [29695:0] info: average recursion processing time 0.279019 sec
Nov 19 13:02:00	unbound: [29695:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 19 13:02:00	unbound: [29695:0] info: server stats for thread 0: 4 queries, 2 answers from cache, 2 recursions, 0 prefetch
Nov 19 13:02:00	unbound: [29695:0] info: service stopped (unbound 1.4.7).
Nov 19 13:01:59	check_reload_status: syncing firewall
Nov 19 13:01:47	unbound: [29695:0] info: start of service (unbound 1.4.7).
Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content
Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content
Nov 19 13:01:47	unbound: [29695:0] notice: init module 0: iterator
Nov 19 13:01:47	unbound: [29695:0] notice: init module 0: iterator
Nov 19 13:01:47	dnsmasq[50197]: exiting on receipt of SIGTERM

danswartz

Hmmm, I had other things going on last night, so I didn't get a chance to install and test this. Looks like that was a good thing, as there seem to still be issues.

wagonza

@_igor_:


Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
Nov 19 13:02:12	unbound: [35917:0] warning: root hints root.hints: no NS content
Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content
Nov 19 13:01:47	unbound: [29695:0] warning: root hints root.hints: no NS content

Looks like the default root.hints file was not downloaded correctly. You can see if it has data in it by ls -l /usr/local/etc/unbound/
Unbound should still use internal hints for resolving - although its slightly slower. When saving/restarting unbound it will check that file and download it again if needs be.

With regards to your non PC resolving - try install the pkg again. I have fixed both host and domain overrides.
Let me know if you have any other problems please.

wagonza

Oh and I fixed some XML problem which would have caused some other problems:)

jlepthien

Will try it…

And how can I check if the DNSSEC is working correctly?

wagonza

Go to http://test.dnssec-or-not.org/ and Borat should give you the thumbs up or

dig @ <ip>edu +dnssec

Look for the flags section which should contain 'ad' in them. For example:

; <<>> DiG 9.6.2-P2 <<>> @192.168.1.14 edu +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60486
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;edu. IN A

;; AUTHORITY SECTION:
edu. 900 IN SOA a.edu-servers.net. nstld.verisign-grs.com. 1290192544 1800 900 604800 86400
edu. 900 IN RRSIG SOA 7 1 900 20101126184904 20101119183904 44056 edu. tj/QsEt14ht17PeaydNQvSlsYt/vs9vj4y6OOICt1TcctDEwwNZ/1S+C mXpUZtYAyiIT8XUtFoSRhdMD0gpsLh6Qw+cBnBC4R//5khW9GJ+jHhU6 YA6aEPaQdmWt5i2TqLdxV8ebGQj3EP+rxe/GmFONoV4crT5aw+s5PTvZ QLc=
9DHS4EP5G85PF9NUFK06HEK0O48QGK77.edu. 86400 IN NSEC3 1 1 0 - 9F7PCDK9UL86ESUV8TM11L35AKSI4MB4 NS SOA RRSIG DNSKEY NSEC3PARAM
9DHS4EP5G85PF9NUFK06HEK0O48QGK77.edu. 86400 IN RRSIG NSEC3 7 2 86400 20101126182049 20101119181049 44056 edu. mLNYbHkzpQK3uJAZxkbhDHb1ZpPuhoVU3hBwAzUdCq41KWFyv8FL6CEA mshyGLs91asDcOtYatdC+EL6XB6tGOP4u1pio+rPH5NiMF3JDrGpBwiz qEcCglxeWArA3KZd1HYwoeDZ1fv8aODVgm9/ANPoyl+GWEPwKNn07V44 qiI=

;; Query time: 2614 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Fri Nov 19 20:49:35 2010
;; MSG SIZE rcvd: 513</ip>

jlepthien

Hey wagonza,

thanks for the answer. I now get Borat, so this looks good. Still, I can't resolve my local hostnames as before with dnsmasq.
What kind of info do you need? It is working with dnsmasq…

Thanks for your help!

wagonza

Plz PM me the contents of your unbound.conf file (/usr/local/etc/unbound/unbound.conf) also the output of unbound-checkconf

serangku

thanks for unbound package …

theres alternative with unbound or dnsmasq

_igor_

Here it does NOT run. Say, at http://test.dnssec-or-not.org/ i don't see Borat. I reinstalled unbound, no change.
Nor local hosts resolve.

unbound-checkconf shows this:
unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf

Logs here:

Nov 20 17:35:49	unbound: [63765:0] info: start of service (unbound 1.4.7).
Nov 20 17:35:49	unbound: [63765:0] notice: init module 1: iterator
Nov 20 17:35:49	unbound: [63765:0] notice: init module 1: iterator
Nov 20 17:35:49	unbound: [63765:0] notice: init module 0: validator
Nov 20 17:35:49	unbound: [63765:0] notice: init module 0: validator
Nov 20 17:35:49	check_reload_status: syncing firewall
Nov 20 17:35:49	unbound: [53712:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 20 17:35:49	unbound: [53712:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 20 17:35:49	unbound: [53712:0] info: service stopped (unbound 1.4.7).
Nov 20 17:35:40	unbound: [53712:0] info: start of service (unbound 1.4.7).
Nov 20 17:35:40	unbound: [53712:0] notice: init module 1: iterator
Nov 20 17:35:40	unbound: [53712:0] notice: init module 1: iterator
Nov 20 17:35:40	unbound: [53712:0] notice: init module 0: validator
Nov 20 17:35:40	unbound: [53712:0] notice: init module 0: validator
Nov 20 17:35:39	check_reload_status: syncing firewall
Nov 20 17:35:39	unbound: [37568:0] info: 1.000000 2.000000 1
Nov 20 17:35:39	unbound: [37568:0] info: lower(secs) upper(secs) recursions
Nov 20 17:35:39	unbound: [37568:0] info: [25%]=0 median[50%]=0 [75%]=0
Nov 20 17:35:39	unbound: [37568:0] info: histogram of recursion processing times
Nov 20 17:35:39	unbound: [37568:0] info: average recursion processing time 1.647413 sec
Nov 20 17:35:39	unbound: [37568:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 20 17:35:39	unbound: [37568:0] info: server stats for thread 0: 2 queries, 1 answers from cache, 1 recursions, 0 prefetch
Nov 20 17:35:39	unbound: [37568:0] info: service stopped (unbound 1.4.7).
Nov 20 17:34:38	check_reload_status: reloading filter
Nov 20 17:34:37	php: /pkg_edit.php: Reloading Squid for configuration sync
Nov 20 17:33:04	check_reload_status: syncing firewall
Nov 20 17:33:10	unbound: [37568:0] info: server stats for thread 0: requestlist max 1 avg 0.5 exceeded 0
Nov 20 17:33:10	unbound: [37568:0] info: server stats for thread 0: 5 queries, 5 answers from cache, 0 recursions, 2 prefetch
Nov 20 17:33:03	check_reload_status: syncing firewall
Nov 20 17:29:08	kernel: xl0: tx underrun, increasing tx start threshold to 180 bytes
Nov 20 17:29:08	kernel: xl0: transmission error: 90
Nov 20 17:28:10	unbound: [37568:0] info: 1.000000 2.000000 1
Nov 20 17:28:10	unbound: [37568:0] info: 0.524288 1.000000 1
Nov 20 17:28:10	unbound: [37568:0] info: lower(secs) upper(secs) recursions
Nov 20 17:28:10	unbound: [37568:0] info: [25%]=0 median[50%]=0 [75%]=0
Nov 20 17:28:10	unbound: [37568:0] info: histogram of recursion processing times
Nov 20 17:28:10	unbound: [37568:0] info: average recursion processing time 1.237340 sec
Nov 20 17:28:10	unbound: [37568:0] info: server stats for thread 0: requestlist max 1 avg 0.5 exceeded 0
Nov 20 17:28:10	unbound: [37568:0] info: server stats for thread 0: 3 queries, 1 answers from cache, 2 recursions, 0 prefetch

jlepthien

Had another problem with the package. Sometimes after the dhcp lease is over, the client doesn't get my pfSense box as a DNS server, but the DNS servers I provided in general settings. Then my clients can't connect to the internet, because dns is not allowed for them, only to the pfSense box. Why do these servers sometimes get pushed to the clients?

jlepthien

Updated to version 1.2.2 and still my clients do not get the pfSense LAN ip address as the dns server but the ones configured in general dns settings. Why is that? dnsmasq correctly pushes my pfSense LAN IP to the clients…

wagonza

Sorry im currently on vacation until Sunday so will try do as much as I can while away. @jlepthien - will investigate.

jlepthien

Take your time m8…

_igor_

I updated today pfSense 2.0-BETA4 (i386) built on Mon Nov 22 02:54:15 EST 2010 and unbound to v 1.22. But no luck:

Nov 22 19:50:52 php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1290451852] unbound[33548:0] err```
or: bind: address already in use [1290451852] unbound[33548:0] fatal error: could not open ports'
Nov 22 19:50:52 unbound: [56312:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 22 19:50:52 unbound: [56312:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 22 19:50:52 unbound: [56312:0] info: service stopped (unbound 1.4.7).
Nov 22 19:50:52 check_reload_status: syncing firewall
Nov 22 19:50:16 unbound: [56312:0] info: start of service (unbound 1.4.7).
Nov 22 19:50:16 unbound: [56312:0] notice: init module 1: iterator
Nov 22 19:50:16 unbound: [56312:0] notice: init module 1: iterator
Nov 22 19:50:16 unbound: [56312:0] notice: init module 0: validator
Nov 22 19:50:16 unbound: [56312:0] notice: init module 0: validator
Nov 22 19:50:15 check_reload_status: reloading filter
Nov 22 19:50:14 unbound: [53850:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0
Nov 22 19:50:14 unbound: [53850:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch
Nov 22 19:50:14 unbound: [53850:0] info: service stopped (unbound 1.4.7).
Nov 22 19:50:13 check_reload_status: syncing firewall
Nov 22 19:49:58 unbound: [53850:0] info: start of service (unbound 1.4.7).
Nov 22 19:49:58 unbound: [53850:0] warning: root hints root.hints: no NS content
Nov 22 19:49:58 unbound: [53850:0] warning: root hints root.hints: no NS content
Nov 22 19:49:58 unbound: [53850:0] notice: init module 1: iterator
Nov 22 19:49:58 unbound: [53850:0] notice: init module 1: iterator
Nov 22 19:49:58 unbound: [53850:0] notice: init module 0: validator
Nov 22 19:49:58 unbound: [53850:0] notice: init module 0: validator
Nov 22 19:49:58 check_reload_status: syncing firewall
Nov 22 19:48:27 check_reload_status: reloading filter
Nov 22 19:48:26 php: : Reloading Squid for configuration sync
Nov 22 19:48:14 check_reload_status: syncing firewall
Nov 22 19:48:14 php: /pkg_mgr_install.php: Beginning package installation for Unbound.


After starting unbound manually (via console didn't work: unbound-control start, stop or status resulted in nothing. No output nor the program exited. Had to kill it via ctrl-c.
But starting via Webif worked:

Nov 22 20:00:04 unbound: [22972:0] info: start of service (unbound 1.4.7).
Nov 22 20:00:04 unbound: [22972:0] notice: init module 1: iterator
Nov 22 20:00:04 unbound: [22972:0] notice: init module 1: iterator
Nov 22 20:00:04 unbound: [22972:0] notice: init module 0: validator
Nov 22 20:00:04 unbound: [22972:0] notice: init module 0: validator


But i still don't get Borat, only Picard on the dnssec-test-site. :(

wagonza

@jlepthien:

Take your time m8…

heh :) thx. I figured out the dhcp DNS problem. Its a directly related to DNSmasq been disabled in the xml config. Will think about how we can adjust this and let you know the status over the course of the week.

wagonza

@_igor_:


Nov 22 19:50:52	php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1290451852] unbound[33548:0] err[code]or: bind: address already in use [1290451852] unbound[33548:0] fatal error: could not open ports'
[/code]

Looks like DNSMasq wasnt shutdown - will have to add some additional safety belts.

[quote]
But i still don't get Borat, only Picard on the dnssec-test-site. :(
[/quote]

What does dig @ <ip>edu +dnssec return? Have a look at the flags section in the returned output it should contain a 'ad' flag.
Piccard could be cached.</ip>

jlepthien

@wagonza:

@jlepthien:

Take your time m8…

heh :) thx. I figured out the dhcp DNS problem. Its a directly related to DNSmasq been disabled in the xml config. Will think about how we can adjust this and let you know the status over the course of the week.

Cool! Waiting for an update then. Until then I'll just use dnsmasq as before…