Unbound and Experimental Bit 0x20 Support
-
Hi all,
I have been reading up a little bit on the "Experimental Bit 0x20 Support" option in Unbound as a means to improve security.
https://developers.google.com/speed/public-dns/docs/security#randomizing_choice_of_name_servers
https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00Would you guys generally recommend that this be enabled? Or is there a possibility that things might break? Thanks in advance for your insight, I really appreciate it.
-
Hi,
@tman222:…
Would you guys generally recommend that this be enabled?I guess the pfSense isn't actually "recommending" it, as in that case it would be activated by default.
@tman222:…
Or is there a possibility that things might break?As the Google page said : some name servers do not react well and send back NXDOMAIN responses when queried with dOmain.tld instead of domain.tld. They have the possibility to build huge lists with name servers that handle the situation correctly, and others that don't (See what Google said : 70 % does, so 30 % doesn't).
pfSense couldn't maintain such a list.My point of view : if this "bit 6" (0xc20) trick was that great, it would have been enabled by the unbound authors by default.
From what I made of this : https://serverfault.com/questions/759934/can-dns-response-answers-be-in-a-different-case-than-the-query
When you are asking for google.com and you (your resolver) got back a reply like
google.coM (and the IP of course)
the reply would be rejected.
Or, google.coM and google.com should be considered as the same thing.What would you do ?
Btw, I guess you would find a discussion here https://www.unbound.net/ and here https://www.isc.org/downloads/bind/ - these two cover the vast majority off all name resolving on the net. -
I have it set and have not run into anything that doesn't resolve..
But doesn't mean that half of the domains you visit will won't be broken if you turn it on, etc. There was a thread awhile back about enabling another option where you only send the portion looking for when resolving… ie setting qname-minimisation
That broke a ton of shit right out of the gate..
If your curious turn it on - does stuff not resolve? If you are unclear on how to troubleshoot dns is vs another sort of issue causing you a problem then you prob should not enable such a feature. But if your familiar enough with troubleshooting why something doesn't work and how to test if your problem is related to that feature or not then sure turn it on and give it a go..
-
I know I'm replying to a 5-year-old post :)
I just read an article on The Register about 0x20. It makes a lot of sense. I never really paid much attention to the option in the DNS Resolver settings. Now, I've just enabled it (on 23.01-BETA) and am curious if it will have any impact or not. Time will tell.
Netgate 4100 and HPE InstantOn network at home
-
@juanzelli What was your take away?
-
@hwinthe6 While troubleshooting an issue not too long after enabling it, I had disabled it and haven't thought to try it again. It seemed to work as expected. I don't believe it was the cause of the issue I was investigating though.
-
For what it's worth, I've activated 0x20 support since the day it became available :
Btw : I'm resolving, and doing DNSSEC when available, I'm not using any commercial DNS solutions.
Never had any DNS issues.
