DNS Resolver, DNSSEC, and Harden DNSSEC Data
-
If I understand what DNS Resolver does correctly, if it's in its default, non-Forwarding mode, it queries the root DNS Servers:
https://www.iana.org/domains/root/servers
directly and works its way down to whatever lower-level DNS Server it needs until it finds the address it's looking for. Does that traversal use only DNSSEC-enabled DNS Servers? Since I don't know anything about the particular traversal route, if I turn on the "DNSSEC" and "Harden DNSSEC Data" options under Server / DNS Resolver will that break things? Are those options only supposed to be used in Forwarding mode when we know that the DNS Server we assign and all its parents are DNSSEC-enabled?
-
What it would break is if the dnssec for a domain is broken. Then it would not return an answer. For domain that are not using dnssec there is no concern.
Only if their dnssec is broken would unbound fail to return something to the client.. This is the whole point of dnssec ;)
You can use this site to test a domains dnssec.
http://dnsviz.net/
attached is test for a dnssec signed domain I run for testing, etc.
But pretty sure dnssec and harden is the default..
-
attached is test for a dnssec signed domain I run for testing, etc.
You ever Wireshark the DNS server for AREA (Amplification Reflection Exploit Attacks)?
My new site was being exploited (attempted that is) for a while. Think DNSEC makes for attractive exploit due to the records size.
-
No I have not.. But it is only authoritative for the 1 zone.. And for sure not open to recursive queries
If they are using it for any sort of amplification/reflection attack - they are doing a really shitty job of it ;)
It doesn't get much traffic at all..
-
Hello, if upstream DNS provider support DNSSEC. Can be set
DNSSEC, and Harden DNSSEC Data in Unbound resolver in forward mode than? -
@Antibiotic This comes up all the time - if you forward, dnssec should not be enabled.. There is zero point to it, where you forward either does dnssec or they don't... Any settings about dnssec on your forwarder isn't going to accomplish anything.. But it more than likely will at some point cause you a problem..
quad9 even has in their faq if you forward not to set dnssec..
https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/
Disable DNSSEC Validation
Since Quad9 already performs DNSSEC validation, DNSSEC being enabled in the forwarder will cause a duplication of the DNSSEC process, significantly reducing performance and potentially causing false BOGUS responses.
here is there info on setting up dot with pfsense
https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/
There are lots and lots of thread with this question.. Most of them I have gone over what you can query to see if your server is doing dnssec validate.. So once again here is a simple test..
Here this open to the public dns doesn't do dnssec - see how you get back an IP..
But asking someone that does do dnssec like googledns - you get a failure and no IPs returned
-
@johnpoz The reason of asking, because use pfBlockerNG unbound python mode. If follow netgate docs, there explain that if dnssec unticked python modul will not working. So, actually DNSSEC support not important for me , but in doubt will Python Module Script for pfBlockerNG in DNS unbound resolver work in this case?
-
@johnpoz The link you provided for Quad9 have this:
Caching
It is imperative that your DNS forwarders are configured to cache response data in order to avoid excessive recursive queries to Quad9 and to provide significantly faster DNS resolution for devices on the network.Ensure that your DNS forwarders have enough memory or disk space allocated to the cache to avoid the cache filling up.
The amount of memory that should be dedicated to DNS caching varies greatly from megabytes to gigabytes based on the amount of DNS requests originating from your network endpoints.
How can be checked in pfSense the amount of memory dedicated to DNS caching?
-
@Antibiotic way to hone in what is a non-sequitur for sure...
But did you click the unbound tab in that section?
Unless your running pfsense in some enterprise with 1000s and 1000s of clients I doubt you would have to touch from the defaults.
Default in unbound is 10k hosts.. Are you anywhere close to that? This is how many host records it will cache... If you hit that limit it will start purging older records from the cache, maybe before their ttl has expired.. But I would find it surprising if you were anywhere close to that.. You can bump it up in the advanced section
-
@johnpoz Ok, thanks but what about than pfBlockerNg python script?
-
@Antibiotic what about it? Are not the stuff unbound loads local records? Those would not be cached items, ie something unbound looked up from say quad9 servers and then cached for the life of the ttl, etc.
-
@johnpoz I mean from docs;
Python Module Order
:
Controls the position of the Python module in the DNS resolution process. If DNSSEC is disabled, this option has no effect.If DNSSEC disabled will python SCRIPT module than work?
Do not asking about Pre Validator or Post Validator.
: -
@Antibiotic What part do you not understand if you forward to something that does dnssec, there is ZERO to do on your end.. Trying to do anything with dnssec if you forward is wheel spinning for zero benefit..
Yeah there is zero point to your local anything trying to do validation of dnssec, if where you forward is doing it already!!!
What part is unclear with " If DNSSEC is disabled, this option has no effect."
Well yeah what would any sort of local validation have do do anything... That is for when your actually resolving and doing your own validation of the dnssec info..
-
@johnpoz
Im trying to understand not regarding DNSSEC , will in this case to work pfBlockerNg unbound python script. If DNSSEC disabled, than pfBlockerng SHOULD set than in old Unboud mode ? -
@Antibiotic that has zero to do with dnssec, zero.. You do not need dnssec at all for that to function. Be it your doing it local via your actually resolving in unbound, or where you forward does dnssec for you, or it doesn't
But yeah you need to be using unbound, either in resolver mode, forwarder mode, forwarder TLS mode, etc.
-
@johnpoz So, finally to be clear. At this case better to use pfBlockerNG DNSBL mode in Unbound mode not Unbound python mode ?
Python Module Order and Python Module Script , two different functions? They are not depend from each other?
-
@Antibiotic did you not click the little info i ?
Not sure what your not grasping??
No the module order has to do if using dnssec, the script you use would have nothing to do with that.. If you want to use the pfblocker script, then yes you would need to have python modules enabled.
-
@johnpoz Ok, thanks. Are you using Unbound mode not Unbound python mode. Can me asking why? Why do you prefer first and not Unbound python mode?
-
@Antibiotic I am not using pfblocker for dnsbl - I only use it to create aliases that I use in my firewall rules myself. So I have no use for it.