DNSSEC on pfSense

serangku

@wagonza …

here my pfsense date

2.0-BETA5 (i386)
built on Mon Jan 10 13:14:45 EST 2011

i use unbound for simple replace of dnsmasq without any feature, not yet …
i have reinstall unbound package
here my syslog :

Jan 13 08:56:28 login: login on ttyv0 as root
Jan 13 08:56:51 php: : The command '/usr/local/sbin/unbound-control start' returned exit code '1', the output was '[1294883811] unbound[29089:0] error: bind: address already in use [1294883811] unbound[29089:0] fatal error: could not open ports'
Jan 13 08:57:30 sshd[28148]: Accepted keyboard-interactive/pam for root from 192.168.110.188 port 39425 ssh2
Jan 13 08:57:30 sshd[28148]: subsystem request for sftp
Jan 13 09:03:21 check_reload_status: syncing firewall

then manually save on gui unbound

Jan 13 09:03:22 unbound: [26869:0] info: service stopped (unbound 1.4.7).
Jan 13 09:03:22 unbound: [26869:0] info: server stats for thread 0: 53 queries, 4 answers from cache, 49 recursions, 1 prefetch
Jan 13 09:03:22 unbound: [26869:0] info: server stats for thread 0: requestlist max 5 avg 1.34 exceeded 0
Jan 13 09:03:22 unbound: [26869:0] info: average recursion processing time 1.122806 sec
Jan 13 09:03:22 unbound: [26869:0] info: histogram of recursion processing times
Jan 13 09:03:22 unbound: [26869:0] info: [25%]=0.118928 median[50%]=0.104167 [75%]=0.614583
Jan 13 09:03:22 unbound: [26869:0] info: lower(secs) upper(secs) recursions
Jan 13 09:03:22 unbound: [26869:0] info: 0.131072 0.262144 4
Jan 13 09:03:22 unbound: [26869:0] info: 0.262144 0.524288 5
Jan 13 09:03:22 unbound: [26869:0] info: 0.524288 1.000000 13
Jan 13 09:03:22 unbound: [26869:0] info: 1.000000 2.000000 24
Jan 13 09:03:22 unbound: [26869:0] info: 2.000000 4.000000 2
Jan 13 09:03:22 unbound: [26869:0] info: 4.000000 8.000000 1
Jan 13 09:03:22 unbound: [26869:0] info: server stats for thread 1: 4 queries, 0 answers from cache, 4 recursions, 0 prefetch
Jan 13 09:03:22 unbound: [26869:0] info: server stats for thread 1: requestlist max 4 avg 1 exceeded 0
Jan 13 09:03:22 unbound: [26869:0] info: average recursion processing time 1.503178 sec
Jan 13 09:03:22 unbound: [26869:0] info: histogram of recursion processing times
Jan 13 09:03:22 unbound: [26869:0] info: [25%]=0.475712 median[50%]=0.5 [75%]=1
Jan 13 09:03:22 unbound: [26869:0] info: lower(secs) upper(secs) recursions
Jan 13 09:03:22 unbound: [26869:0] info: 0.524288 1.000000 1
Jan 13 09:03:22 unbound: [26869:0] info: 1.000000 2.000000 2
Jan 13 09:03:22 unbound: [26869:0] info: 2.000000 4.000000 1
Jan 13 09:03:22 unbound: [4452:0] notice: init module 0: validator
Jan 13 09:03:22 unbound: [4452:0] notice: init module 0: validator
Jan 13 09:03:22 unbound: [4452:0] notice: init module 1: iterator
Jan 13 09:03:22 unbound: [4452:0] notice: init module 1: iterator
Jan 13 09:03:22 unbound: [4452:0] info: start of service (unbound 1.4.7).

and from dmesg

Syncing packages:
Unbound

Warning: Invalid argument supplied for foreach() in /usr/local/pkg/unbound.inc on line 258

Syncing packages:
done.
Executing rc.d items…
Starting /usr/local/etc/rc.d/proxy_monitor.sh...
done.
Starting /usr/local/etc/rc.d/squid.sh...
done.
Starting /usr/local/etc/rc.d/unbound.sh...
done.
Bootup complete

i think that warning because on acl there's im not use any acl, am i right ?

so far running well with that syslog
and back gain to use unbound
really appreciate

ToxIcon

@wagonza I am having the strangest issue

with Unbound enable

dhcp clients can't browse any webpages

but clients with Static IP can

jlepthien

@ToxIcon:

@wagonza I am having the strangest issue

with Unbound enable

dhcp clients can't browse any webpages

but clients with Static IP can

Have you set the pfSense box as a DNS server on your dhcp tab? Otherwise you will get your DNS Servers from General Setup to your clients via dhcp and there might be a rule blocking DNS outgoing traffic. I can't see more in my crystal circle here, you need to give us more info on what your setup is like…

wagonza

@serangku:

Syncing packages:
Unbound

Warning: Invalid argument supplied for foreach() in /usr/local/pkg/unbound.inc on line 258

Syncing packages:
done.

i think that warning because on acl there's im not use any acl, am i right ?

Ahhh long standing bug fixed. Thx for that!

Still investigating that darn unbound start error of yours…

_igor_

Today after updating pfsense i got the same error stating "Adress already in use". Ticking "save" at the unbound-page solved the problem. I didn't have this now long time. Only at the beginning of deployment of the unbound-package, say last year.

clarknova

Looks like Borat is no longer with us :(
http://www.downforeveryoneorjustme.com/dnssec-or-not.org

Here's another site, although a lot less satisfying to use, and not just because there's no Borat. A lookup failure is really a lame way to confirm that DNSSEC is working, considering many other factors could cause this, leading to an illusion of security. Bravo, Comcast. Anybody know of a better test site? Google results look sparse.

http://www.dnssec-failed.org

ToxIcon

Have you set the pfSense box as a DNS server on your dhcp tab? Otherwise you will get your DNS Servers from General Setup to your clients via dhcp and there might be a rule blocking DNS outgoing traffic. I can't see more in my crystal circle here, you need to give us more info on what your setup is like…

Thanks jlepthien :)

jlepthien

@ToxIcon:

Thanks jlepthien :)

So that was the problem? You could have easily found out by looking at the logs ;-)

clarknova

@wagonza:

Ahhh long standing bug fixed. Thx for that!

Interesting. I updated to 1.2.9 from 1.2.8 and my config was preserved except for listening interfaces. Where I had selected 4 interfaces previously, only LAN was selected after the upgrade.

jlepthien

Also did that update now. Config stays the same, except the interface problem I also have. Just one of my normally three selected interfaces (LAN) was active for the usage of Unbound…

ToxIcon

@jlepthien:

@ToxIcon:

Thanks jlepthien :)

So that was the problem? You could have easily found out by looking at the logs ;-)

yes that was the problem

I know I know that is what I get for rushing and the bad part is that I have a sticky posted on the box
to always check the logs when trying to fix connection error.

Unbound taste great less filling  works great :=)

mromero

http://tjeb.nl/Projects/DNSSEC/index.html

http://bogussig.dnssec.tjeb.nl/Projects/DNSSEC/index.html

First One Yes

Second One No.

Is there a script to do this? I could set up a page but maybe it is beyond me….

@clarknova:

Looks like Borat is no longer with us :(
http://www.downforeveryoneorjustme.com/dnssec-or-not.org

Here's another site, although a lot less satisfying to use, and not just because there's no Borat. A lookup failure is really a lame way to confirm that DNSSEC is working, considering many other factors could cause this, leading to an illusion of security. Bravo, Comcast. Anybody know of a better test site? Google results look sparse.

http://www.dnssec-failed.org

ToxIcon

Unbound 1.2.9 updated broke

php: : The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954557]
unbound[37313:0] fatal error: user 'unbound' does not exist.'

php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954577] unbound[60423:0]
fatal error: user 'unbound' does not exist.'

php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954608] unbound[37078:0]
fatal error: user 'unbound' does not exist.'

jlepthien

@ToxIcon:

Unbound 1.2.9 updated broke

php: : The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954557]
unbound[37313:0] fatal error: user 'unbound' does not exist.'

php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954577] unbound[60423:0]
fatal error: user 'unbound' does not exist.'

php: /pkg_edit.php: The command '/usr/local/sbin/unbound-control start'
returned exit code '1', the output was '[1294954608] unbound[37078:0]
fatal error: user 'unbound' does not exist.'

Try removing and reinstalling the package. Also watch the system.log while installing - you should see that the unbound user is added…

ToxIcon

Beginning package installation for Unbound…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading Unbound and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/8/All/unbound-1.4.7.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/unbound-1.4.7.tbz.
of unbound-1.4.7 failed!

Installation aborted.Backing up libraries...
Removing package...
Starting package deletion for unbound-1.4.7...done.
Starting package deletion for expat-2.0.1_1...done.
Starting package deletion for libevent-1.4.14b_1...done.
Removing Unbound components...
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Include file unbound.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.

Installation halted.

mromero

Oh boy. Looks like the PFSENSE 2.0 Beta package installation is broken again.

We had this a few weeks ago with the Squid package - holding off on updating until someone confirms it is fixed.

I keep two boxes so when the snapshot is broken I go to the other box until a fix issued.  :(

@ToxIcon:

Beginning package installation for Unbound…
Downloading package configuration file... done.
Saving updated package information... done.
Downloading Unbound and its dependencies...
Checking for package installation...
Downloading http://files.pfsense.org/packages/8/All/unbound-1.4.7.tbz ...  could not download from there or http://ftp2.FreeBSD.org/pub/FreeBSD/ports/i386/packages-8.1-release/All/unbound-1.4.7.tbz.
of unbound-1.4.7 failed!

Installation aborted.Backing up libraries...
Removing package...
Starting package deletion for unbound-1.4.7...done.
Starting package deletion for expat-2.0.1_1...done.
Starting package deletion for libevent-1.4.14b_1...done.
Removing Unbound components...
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Include file unbound.inc could not be found for inclusion.
Deinstall commands...
Not executing custom deinstall hook because an include is missing.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Cleaning up... Failed to install package.

Installation halted.

johnpoz

I did not have any issues updating to 1.2.9

Where you could run into issues with download is if your pfsense box is using itself as dns.. Have run into this with even just updates of snaps all the packages fail to reinstall.

I just changed mine in general to use 4.2.2.2 and then clicked update from 1.2.8 to 1.2.9 and went smooth as silk..

Now looking at the new acl tab, I could create an allow acl – but allow snoop get this error

"allow_snoop is not a valid ACL Action. Please select one of the four actions defined in the list."

I picked it from the list ;) hehehe

edit: btw borat is back with us http://test.dnssec-or-not.org/ is working from here.

iFloris

Hey guys,

Just saw a pretty interesting piece on the actual safety of DNSSEC as opposed to it's actual safety.
Since this thread resolves around the usage and implementation of DNSSEC, this might be relevant to your interests.

From 10-devious-new-ways-that-computer-hackers-can-control-your-machines-or-fix-them

The greatest DOS attack of all time, and how to stop it forever
Among hackers, University of Chicago computer scientist and crypto expert Dan Bernstein (often known by his handle DJB) is a legend. He's written some of the most secure code known to humanity (just try to fuck with qmail - you can't), and has lobbied ceaselessly - and snarkily - for the eradication of broken security systems online. He gave a mad genius presentation where he revealed that the oft-touted network security system DNSSEC is actually so badly-designed that it would make the perfect denial-of-service attack tool. And then he proposed a mindblowing, futuristic system of sending data over the Web that would make it nearly impossible to launch a DOS attack - and would prevent bad guys from sending your secure data to mobsters instead of your bank. The cool part about DJB's new system, based on encryption tools he calls DNSCurve and CurveCP, is that it could be implemented now, on top of the Web as we know it. And the best part? It's lightning fast. Listening to DJB's talk gave me hope for the future of the Web - and his devastating takedown of DNSSEC was the best example of smartypants trolling you'll hear this year.

Note - to watch the video, just skip past the first several minutes, where the organizers were setting up the talk and getting everybody seated.

And the video.

wagonza

@johnpoz:

"allow_snoop is not a valid ACL Action. Please select one of the four actions defined in the list."

I picked it from the list ;) hehehe

tut tut - I must have missed that one. Thanks johnpoz, will sort that out.

wagonza

@iFloris:

Hey guys,

Just saw a pretty interesting piece on the actual safety of DNSSEC as opposed to it's actual safety.
Since this thread resolves around the usage and implementation of DNSSEC, this might be relevant to your interests.

From 10-devious-new-ways-that-computer-hackers-can-control-your-machines-or-fix-them

The greatest DOS attack of all time, and how to stop it forever
Among hackers, University of Chicago computer scientist and crypto expert Dan Bernstein (often known by his handle DJB) is a legend. He's written some of the most secure code known to humanity (just try to fuck with qmail - you can't), and has lobbied ceaselessly - and snarkily - for the eradication of broken security systems online. He gave a mad genius presentation where he revealed that the oft-touted network security system DNSSEC is actually so badly-designed that it would make the perfect denial-of-service attack tool. And then he proposed a mindblowing, futuristic system of sending data over the Web that would make it nearly impossible to launch a DOS attack - and would prevent bad guys from sending your secure data to mobsters instead of your bank. The cool part about DJB's new system, based on encryption tools he calls DNSCurve and CurveCP, is that it could be implemented now, on top of the Web as we know it. And the best part? It's lightning fast. Listening to DJB's talk gave me hope for the future of the Web - and his devastating takedown of DNSSEC was the best example of smartypants trolling you'll hear this year.

Note - to watch the video, just skip past the first several minutes, where the organizers were setting up the talk and getting everybody seated.

And the video.

There are so many different conflicting views scattered around the web. Have a look at http://www.isc.org/community/blog/201002/whither-dnscurve for Paul Vixie's take and then various other opinions here http://www.dnssec.net/why-deploy-dnssec