Netgate Discussion Forum
    Unbound not using DNSSEC for ROOT

4o4rh @Gertjan
last edited by 4o4rh

@Gertjan So how do I know, or how can I confirm, that DNSSEC is being used?

This brings me back to my original problem. With unbound (not in forwarding mode), the DNS leak test shows my IP.
If I put it in forwarding mode, my ISP is not shown.

How can I have it in cache mode without my ISP? Can I block 53 over the WAN interface?

kiokoman LAYER 8
last edited by kiokoman

        @Gertjan said in Unbound not using DNSSEC for ROOT:

        DNSSEC

I think you're confusing things.
DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System to prevent MITM.
It's only useful for authoritative DNS.
It has nothing to do with DoT, which listens on port 853.

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

4o4rh @kiokoman
last edited by 4o4rh

@kiokoman OK, so there are two issues as I see it.

1. Using unbound in cache mode is exposing my WAN ISP.
2. dig com. SOA +dnssec does not return the AD flag as the unbound manual describes.

I would like to solve both of these issues, with the first one the priority.

My rules operate correctly, i.e. everything goes over VPN excluding China GEO IPs and VPNBYPASS hosts.
They all go over the WAN directly. traceroute shows the correct path for each class, as does ICMP.

kiokoman LAYER 8
last edited by kiokoman

            https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
            https://forum.netgate.com/topic/139771/setup-dns-over-tls-on-pfsense-2-4-4-p2-guide
            https://www.reddit.com/r/PFSENSE/comments/bywvxr/dns_over_tls_cloudflare/


Gertjan @kiokoman
last edited by Gertjan

              @kiokoman said in Unbound not using DNSSEC for ROOT:

              DNSSEC (short for DNS Security Extensions) adds security to the Domain Name System to prevent MITM

              Yep.
              I'm using it on all my domains since day 1.
              All my domains are on my own authoritative name servers.

              @kiokoman said in Unbound not using DNSSEC for ROOT:

              I think you're doing some confusion
              it has nothing to do with DOT that listen on port 853

@gwaitsi wanted to use / force "DNS over TLS" (or for short: DoT) and related it to DNSSEC .... at least, I guess he was.
These two are distinct technologies, having only the word DNS in common.

edit: again: https://serverfault.com/questions/912948/are-dns-queries-encrypted removes all the confusion ....

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

4o4rh @Gertjan

@Gertjan OK, so the problem:

1. I had WAN enabled as an outgoing interface, to allow the OpenVPN client to look up the client address. I have switched to hard-coded IPs and disabled the WAN interface, so the DNS leak issue is solved.

That leaves me with the remaining problem: DNSSEC appears not to be used for the root zone servers.
According to the docs below, if I run dig com. SOA +dnssec
https://nlnetlabs.nl/documentation/unbound/howto-anchor/

I get the below from the pfSense box.

                ; <<>> DiG 9.12.2-P1 <<>> com. SOA +dnssec
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7140
                ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags: do; udp: 4096
                ;; QUESTION SECTION:
                ;com.				IN	SOA
                
                ;; ANSWER SECTION:
                com.			900	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1568973101 1800 900 604800 86400
                com.			900	IN	RRSIG	SOA 8 1 900 20190927095141 20190920084141 17708 com. nmkAwVvNUofbMMHMSogTNY2G3sUPJFKR7z+tLNS+KksACn41n0/WLMOg ZDbry+2LXMtCw0dRel0gS5/X+isD2wgNjQtKbAQRLLbBYHHpqmJWC2Yj kTw4CIr1wQUKQh63a3NN19kDTDk8uFHyyw3AFWDZcnZ7y9sd7f+vUx7o AYs=
                
                ;; Query time: 27 msec
                ;; SERVER: 127.0.0.1#53(127.0.0.1)
                ;; WHEN: Fri Sep 20 11:52:06 CEST 2019
                ;; MSG SIZE  rcvd: 268
                
johnpoz LAYER 8 Global Moderator

And you see the ad flag set there, right?

                  ad.png

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

4o4rh @johnpoz
last edited by 4o4rh

@johnpoz But if I run
unbound-host -C /var/unbound/unbound.conf www.nic.cz.

I get the following error:

                    [1568973734] libunbound[79092:0] notice: init module 0: validator
                    [1568973734] libunbound[79092:0] error: unable to open /root.key for reading: No such file or directory
                    [1568973734] libunbound[79092:0] error: error reading auto-trust-anchor-file: /var/unbound/root.key
                    [1568973734] libunbound[79092:0] error: validator: error in trustanchors config
                    [1568973734] libunbound[79092:0] error: validator: could not apply configuration settings.
                    [1568973734] libunbound[79092:0] error: module init for module validator failed
                    resolve error: initialization failure
                    
johnpoz LAYER 8 Global Moderator

If DNSSEC validation failed, you would not get a response..

Do a simple test..

                      $ dig sigfail.verteiltesysteme.net
                      
                      ; <<>> DiG 9.14.4 <<>> sigfail.verteiltesysteme.net
                      ;; global options: +cmd
                      ;; Got answer:
                      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16658
                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
                      
                      ;; OPT PSEUDOSECTION:
                      ; EDNS: version: 0, flags:; udp: 4096
                      ;; QUESTION SECTION:
                      ;sigfail.verteiltesysteme.net.  IN      A
                      
                      ;; Query time: 4908 msec
                      ;; SERVER: 192.168.3.10#53(192.168.3.10)
                      ;; WHEN: Fri Sep 20 05:05:50 Central Daylight Time 2019
                      ;; MSG SIZE  rcvd: 57
                      

Does it FAIL with SERVFAIL? Then DNSSEC is being used and working.

Does this one come back OK?

                      ; <<>> DiG 9.14.4 <<>> sigok.verteiltesysteme.net
                      ;; global options: +cmd
                      ;; Got answer:
                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17311
                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                      
                      ;; OPT PSEUDOSECTION:
                      ; EDNS: version: 0, flags:; udp: 4096
                      ;; QUESTION SECTION:
                      ;sigok.verteiltesysteme.net.    IN      A
                      
                      ;; ANSWER SECTION:
                      sigok.verteiltesysteme.net. 3599 IN     A       134.91.78.139
                      
                      ;; Query time: 648 msec
                      ;; SERVER: 192.168.3.10#53(192.168.3.10)
                      ;; WHEN: Fri Sep 20 05:07:09 Central Daylight Time 2019
                      ;; MSG SIZE  rcvd: 71
                      


4o4rh @johnpoz

@johnpoz Confirmed. Both results, same as yours. Thx m8

johnpoz LAYER 8 Global Moderator

Also, just go here with your browser pointing to pfSense for DNS:

                          https://dnssec.vs.uni-due.de/

Start the test. Do you get the thumbs up?

                          thumbsup.png


kiokoman LAYER 8
last edited by kiokoman

I don't know if it's because unbound is chrooted; anyway, you are not supposed to launch unbound-host from the terminal.
As you can see, it's unable to open /root.key for reading: No such file or directory .. I should look for why, but I don't care as I'm not using unbound. In any case, if you try with..

                            unbound-anchor
                            unbound-host www.nic.cz.
                            www.nic.cz. has address 217.31.205.50
                            www.nic.cz. has IPv6 address 2001:1488:0:3::2
                            

                            or

                            [2.4.4-RELEASE][root@pfSense.localdomain]/var/unbound: cp root.key /
                            [2.4.4-RELEASE][root@pfSense.localdomain]/var/unbound: unbound-host -C /var/unbound/unbound.conf www.nic.cz.
                            [1568975549] libunbound[50915:0] notice: init module 0: validator
                            [1568975549] libunbound[50915:0] notice: init module 1: iterator
                            [1568975549] libunbound[50915:0] info: generate keytag query _ta-4f66. NULL IN
                            www.nic.cz. has address 217.31.205.50
                            www.nic.cz. has IPv6 address 2001:1488:0:3::2
                            


johnpoz LAYER 8 Global Moderator

Good follow through @kiokoman, thanks.. There are many ways to validate that DNSSEC is actually working; looking for the ad flag when doing dig +dnssec is probably the easiest.. Or just doing a query to a test FQDN that is set to fail..


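The two checks the thread settles on (the ad flag on a dig +dnssec answer, and SERVFAIL for sigfail.verteiltesysteme.net next to NOERROR for sigok.verteiltesysteme.net) can be scripted against dig's text output. The following is an added example, not code from the thread or from pfSense/unbound; the dig header fragments in SAMPLES are constructed to mirror the captures posted above, and in practice you would feed it the real output of the three dig commands.

```python
import re

# Constructed dig header fragments modelled on the thread's captures (not real output).
SAMPLES = {
    "com. SOA +dnssec": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7140\n"
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
        "; EDNS: version: 0, flags: do; udp: 4096\n"),
    "sigfail": (
        ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16658\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
        "; EDNS: version: 0, flags:; udp: 4096\n"),
    "sigok": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17311\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        "; EDNS: version: 0, flags:; udp: 4096\n"),
}

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
EDNS_RE = re.compile(r"^; EDNS: .*?flags: ?([^;]*);", re.M)

def parse_dig(output):
    """Pull rcode, header flags and EDNS flags (the DO bit) out of dig's text output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    edns = EDNS_RE.search(output)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "do": bool(edns and "do" in edns.group(1).split()),
    }

def check_validation(dnssec_out, sigfail_out, sigok_out):
    """Apply the thread's three checks; returns (is_validating, findings)."""
    ad, fail, ok = (parse_dig(o) for o in (dnssec_out, sigfail_out, sigok_out))
    findings = []
    # 1. A validating resolver sets AD on the answer to a DO=1 (+dnssec) query.
    ad_ok = ad["do"] and "ad" in ad["flags"]
    findings.append("AD flag on +dnssec answer: %s" % ("yes" if ad_ok else "NO"))
    # 2. A deliberately bogus zone must be refused with SERVFAIL, not handed back.
    fail_ok = fail["status"] == "SERVFAIL"
    findings.append("sigfail rcode %s: %s" % (fail["status"], "rejected" if fail_ok else "ACCEPTED"))
    # 3. The correctly signed sibling must still resolve, or the resolver is broken rather than strict.
    ok_ok = ok["status"] == "NOERROR"
    findings.append("sigok rcode %s: %s" % (ok["status"], "resolved" if ok_ok else "FAILED"))
    return bool(ad_ok and fail_ok and ok_ok), findings

if __name__ == "__main__":
    print(check_validation(SAMPLES["com. SOA +dnssec"], SAMPLES["sigfail"], SAMPLES["sigok"]))
```

Note that AD is only set when the query carried the DO (or AD) bit, which is why the plain sigok query in the thread shows no ad flag even though the resolver validates.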
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.