Netgate Discussion Forum

    DNSSEC on pfSense

    Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
    178 Posts 18 Posters 73.0k Views
    serangku

      Yup ... give it a try for now ...
      It resolves faster than before.

      @igor ...
      Can I see your syslog from the first boot?

      thanks

      wagonza

        @jlepthien:

        Yeah, nothing changed in my config. How should I actually use these static dns mappings? Before it was done by dnsmasq and now with Unbound it says that I shouldn't activate the forwarder when using DNSSEC. So how should I configure this?

        You can use the static DNS mappings; it's just the upstream DNS servers (forwarders) that it says you should ideally not use unless you are certain that they handle DNSSEC correctly. These static DNS mappings will be created as a local-zone in Unbound, and the relevant A and PTR records will be configured, including a TXT record if you supplied a description.

        So a simple dig zone @pfsense_ip will return the A record and a dig -x IP @pfsense_ip will return the PTR record. Likewise can be done for a TXT record.

        Hope that answers your question.

        Follow me on twitter http://twitter.com/wagonza
        http://www.thepackethub.co.za

        lyserge
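As an added illustration of what the post above describes (example code written for this page, not the pfSense Unbound package's own generator): a small Python script that turns static DNS mappings into the local-zone / local-data lines Unbound needs, producing the forward A or AAAA record, the matching PTR record in the reverse zone, and a TXT record only when a description exists. The sample mappings and the exact line layout are constructed assumptions; the record types and the `dig` / `dig -x` checks they satisfy are as the post states.

```python
import ipaddress

# Constructed sample mappings (host, domain, IP, optional description).
# These are not taken from any real pfSense configuration.
MAPPINGS = [
    {"host": "nas", "domain": "example.lan", "ip": "192.168.1.10", "descr": "File server"},
    {"host": "printer", "domain": "example.lan", "ip": "192.168.1.20", "descr": ""},
    {"host": "gw6", "domain": "example.lan", "ip": "2001:db8::1", "descr": "v6 gateway"},
]


def safe_txt(text):
    """Drop characters that would break the quoting of a TXT rdata string.
    Conservative by design: a description is informational only."""
    return "".join(c for c in text if c not in "\"'\\")


def local_data_for(mapping):
    """Return the Unbound local-data lines for one static mapping:
    an A/AAAA record, a PTR record in the matching in-addr.arpa or
    ip6.arpa zone, and a TXT record only if a description was supplied."""
    fqdn = f"{mapping['host']}.{mapping['domain']}."
    addr = ipaddress.ip_address(mapping["ip"])
    rrtype = "AAAA" if addr.version == 6 else "A"
    lines = [
        f'local-data: "{fqdn} IN {rrtype} {addr}"',
        # reverse_pointer yields e.g. 10.1.168.192.in-addr.arpa (no trailing dot),
        # which is what 'dig -x 192.168.1.10' asks for.
        f'local-data: "{addr.reverse_pointer}. IN PTR {fqdn}"',
    ]
    if mapping.get("descr"):
        # Single-quoted Unbound string so the TXT rdata can carry double quotes.
        lines.append(f"local-data: '{fqdn} IN TXT \"{safe_txt(mapping['descr'])}\"'")
    return lines


def build_local_zones(mappings):
    """Emit one 'static' local-zone per forward domain plus its records.
    'static' answers only from this data and never recurses for the zone;
    the reverse records need no explicit zone because Unbound creates a
    transparent local-zone for local-data outside any declared zone."""
    out = []
    for domain in sorted({m["domain"] for m in mappings}):
        out.append(f'local-zone: "{domain}." static')
        for m in mappings:
            if m["domain"] == domain:
                out.extend(local_data_for(m))
    return out


if __name__ == "__main__":
    print("\n".join(build_local_zones(MAPPINGS)))
```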

          Are you using forwarders or letting Unbound do all the name resolution? Also, is it slow just the 1st time or all the time?

          If someone is interested in measuring DNS performance: http://code.google.com/p/namebench/

          Just uncheck the other servers that are included by default, then do the test on your pfSense IP :)

          It should give some numbers to compare the overall performance…

          pfSense 2.0.3 nanoBSD (i386) on Soekris net5501

          _igor_

            @serangku:

            Dec 11 00:56:43	unbound: [32918:0] info: start of service (unbound 1.4.7).
            Dec 11 00:56:43	unbound: [32918:0] notice: init module 1: iterator
            Dec 11 00:56:43	unbound: [32918:0] notice: init module 0: validator
            Dec 11 00:56:43	unbound: [37916:0] info: 2.000000 4.000000 1
            Dec 11 00:56:43	unbound: [37916:0] info: 1.000000 2.000000 1
            Dec 11 00:56:43	unbound: [37916:0] info: 0.524288 1.000000 2
            Dec 11 00:56:43	unbound: [37916:0] info: 0.262144 0.524288 2
            Dec 11 00:56:43	unbound: [37916:0] info: 0.131072 0.262144 3
            Dec 11 00:56:43	unbound: [37916:0] info: 0.065536 0.131072 4
            Dec 11 00:56:43	unbound: [37916:0] info: 0.016384 0.032768 1
            Dec 11 00:56:43	unbound: [37916:0] info: lower(secs) upper(secs) recursions
            Dec 11 00:56:43	unbound: [37916:0] info: [25%]=0.04096 median[50%]=0.0873813 [75%]=0.118928
            Dec 11 00:56:43	unbound: [37916:0] info: histogram of recursion processing times
            Dec 11 00:56:43	unbound: [37916:0] info: average recursion processing time 0.507960 sec
            Dec 11 00:56:43	unbound: [37916:0] info: server stats for thread 0: requestlist max 1 avg 0.142857 exceeded 0
            Dec 11 00:56:43	unbound: [37916:0] info: server stats for thread 0: 14 queries, 0 answers from cache, 14 recursions, 0 prefetch
            
            wagonza

              Who else here has multiple interfaces and has Unbound listening on them all?
              Also anyone here with domain overrides (Services->DNS Forwarder) specified? If so are they working?


              wagonza

                Ok domain overrides are working. I still need to add an option for DNS Rebinding (enabling/disabling) as that was affecting domain overrides.
                Currently it is enabled by default.

                Besides @jlepthien's problem of multiple interfaces being selected and for some unknown reason not being saved - any other requests/problems?


                _igor_

                  Hi wagonza, on my side it's running fine and stress-free. Really a good piece of software you created! Thanks a lot!!!
                  I don't have multiple gateways here to test those special functions.

                  jlepthien

                    Now it is working for me. I found the problem why it wasn't saving all my interfaces to the conf…

                    When I looked at the logfile I saw the following:

                    Dec 15 11:59:58 voldemort unbound: [9464:0] error: Could not open autotrust file for writing, /usr/local/etc/unbound/root-trust-anchor: Read-only file system
                    

                    I am on embedded so I just mounted / rw and then clicked save. I guess you just have to implement the mounting rw on embedded with the Unbound package and everything should be fine then…

                    | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                    jlepthien

                      Oh, but wait. My OpenDNS is not working anymore… I have configured 208.67.222.222 and 208.67.220.220 as my global DNS servers but when Unbound is running, no urls get blocked anymore. Which DNS servers does Unbound contact for resolving?


                      sullrich

                        @jlepthien:

                        Oh, but wait. My OpenDNS is not working anymore… I have configured 208.67.222.222 and 208.67.220.220 as my global DNS servers but when Unbound is running, no urls get blocked anymore. Which DNS servers does Unbound contact for resolving?

                        Did you check "Enable forwarding mode" in the unbound configuration screen?

                        jlepthien

                          No. If you enable DNSSEC one should disable this I read…


                          sullrich

                            @jlepthien:

                            No. If you enable DNSSEC one should disable this I read…

                            In that case I think it's one or the other. Not really sure to be honest with you. Try enabling the option and test it using the test DNSSEC page and let us know if it works.

                            On the other side of the coin, I am not sure if OpenDNS supports DNSSEC?  I thought they adopted DNSCurve.

                            jlepthien

                              Even with the option enabled, I still can access all forbidden websites. Also the DNSSEC test gives me Borat so that is working as well…


                              danswartz

                                Unbound up and running here.  When I get a chance, I'm going to set up a secondary on another server and have that pull from the pfsense…

                                danswartz

                                  @sullrich:

                                  Yes, this would work fine if you define the servers under services -> dns forwarder.

                                  Hi, Scott.  I am now trying to figure out how to do the zone transfer juju.  I am a little confused, since I found an info page about Unbound that states specifically that it does NOT support zone transfers.  I have seen this elsewhere too…  Can someone shed light on this?

                                  wagonza

                                    @jlepthien:

                                    Even with the option enabled, I still can access all forbidden websites. Also the DNSSEC test gives me Borat so that is working as well…

                                    Go to the Unbound Status page and check the forwards option. It should display the current OpenDNS servers that you are using. From the cmd line you simply issue unbound-control forward - which will display the same info.


                                    wagonza

                                      @danswartz:

                                      Hi, Scott.  I am now trying to figure out how to do the zone transfer juju.  I am a little confused, since I found an info page about Unbound that states specifically that it does NOT support zone transfers.  I have seen this elsewhere too…  Can someone shed light on this?

                                      Correct - it is essentially a caching name server. There are ways to get it to return certain records for zones, but it is not BIND, DJBDNS, NSD or any of the others. Are you looking for an alternative to the DNS Package?


                                      jlepthien

                                        @wagonza:

                                        Go to the Unbound Status page and check the forwards option. It should display the current OpenDNS servers that you are using. From the cmd line you simply issue unbound-control forward - which will display the same info.

                                        With both ways I see nothing. On console output it says off (using root hints).
                                        I also tried mounting rw before but that doesn't change anything.


                                        danswartz

                                          I would like an authoritative primary server which can do the 'accept registrations for dhcp clients' juju and serve up zone updates to a secondary elsewhere on my LAN.

                                          wagonza

                                            @jlepthien:

                                            With both ways I see nothing. On console output it says off (using root hints).
                                            I also tried mounting rw before but that doesn't change anything.

                                            Hmm, try this from the cmd line: unbound-control forward 208.67.222.222 208.67.220.220

                                            Let me know what that returns. unbound-control forward should then list these 2 IP addresses as forwarders as your access control should work.

                                            If that all works then I think I know what the problem is.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.