DNS Resolver, DNSSEC, and Harden DNSSEC Data
-
If I understand what DNS Resolver does correctly, if it's in its default, non-Forwarding mode, it queries the root DNS Servers:
https://www.iana.org/domains/root/servers
directly and works its way down to whatever lower-level DNS Server it needs until it finds the address it's looking for. Does that traversal use only DNSSEC-enabled DNS Servers? Since I don't know anything about the particular traversal route, if I turn on the "DNSSEC" and "Harden DNSSEC Data" options under Server / DNS Resolver will that break things? Are those options only supposed to be used in Forwarding mode when we know that the DNS Server we assign and all its parents are DNSSEC-enabled?
-
What it would break is if the dnssec for a domain is broken. Then it would not return an answer. For domains that are not using dnssec there is no concern.
Only if their dnssec is broken would unbound fail to return something to the client. This is the whole point of dnssec ;)
You can use this site to test a domain's dnssec.
http://dnsviz.net/
Attached is a test for a dnssec signed domain I run for testing, etc.
But pretty sure dnssec and harden is the default.
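The outcomes described in this reply (an unsigned domain is answered normally, a signed domain with broken or missing signatures gets no answer), as an added Python example that is not from the original post: it constructs a sample reply, parses the answer section for RRSIG records, and mirrors how a validator with "Harden DNSSEC Data" (assumed here to be unbound's harden-dnssec-stripped option) treats a signed zone whose reply carries no signatures. The parent_has_ds flag and the all-zero signature are constructed inputs, and no cryptographic verification is performed.

```python
import struct

RRSIG_TYPE = 46  # RRSIG record type code (RFC 4034)

def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def build_response(qname, signed):
    """Construct a sample authoritative reply: one A record, plus an RRSIG if 'signed'."""
    # Flags 0x8180: QR, RD, RA set; ID and data are constructed sample values
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2 if signed else 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # \xc0\x0c is a compression pointer to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if signed:
        # RRSIG RDATA: 18 fixed bytes, signer name, then a placeholder (all-zero) signature
        rdata = b"\x00" * 18 + encode_name(qname) + b"\x00" * 8
        answer += b"\xc0\x0c" + struct.pack("!HHIH", RRSIG_TYPE, 1, 300, len(rdata)) + rdata
    return header + question + answer

def skip_name(msg, off):
    # Return the offset just past a wire-format name (handles compression pointers)
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += ln + 1

def answer_types(msg):
    """Parse the header and question, then return the RR types in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # name + QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return types

def classify(msg, parent_has_ds, harden_dnssec_stripped=True):
    """Decide how a validating resolver treats the reply (signature presence only, no crypto)."""
    if not parent_has_ds:
        return "insecure"  # unsigned domain: the answer is returned as-is
    if RRSIG_TYPE in answer_types(msg):
        return "secure"    # signatures present; a real validator now verifies them
    # The parent's DS says the zone is signed, but the reply carries no RRSIGs
    return "bogus" if harden_dnssec_stripped else "insecure"
```

A "bogus" result is what the client sees as SERVFAIL; with hardening off the same stripped reply would be handed back as if the zone were unsigned.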
-
Attached is a test for a dnssec signed domain I run for testing, etc.
You ever Wireshark the DNS server for AREA (Amplification Reflection Exploit Attacks)?
My new site was being exploited (attempted, that is) for a while. Think DNSSEC makes for an attractive exploit due to the record size.
-
No I have not. But it is only authoritative for the 1 zone. And for sure not open to recursive queries.
If they are using it for any sort of amplification/reflection attack - they are doing a really shitty job of it ;)
It doesn't get much traffic at all.