"Enable DNSSEC Support" and OpenDNS

rebytr · Sep 9, 2017, 2:14 PM

So I know OpenDNS doesn't support DNSSEC…

I currently am using OpenDNS with my pfSense setup and any guides I find say to always uncheck the "Enable DNSSEC Support" option within the DNS Resolver settings. I thought these two guides below were pretty straightforward and consistent and after reading through them I had two questions:

https://everyjuans.blogspot.com/2017/02/how-to-configure-pfsense-with-opendns.html
https://disloops.com/opendns-on-pfsense/

So my first question is this, I've been running with OpenDNS with the DNSSEC support option enabled, and other than some errors in the log (like below), everything seems to be working on the surface. So with it enabled, what breaks when using OpenDNS? Should I even be able to resolve addresses at all? The way I understood it, is that Opendns would just not work with that option enabled, which then got me thinking is something wrong with my setup??

info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN

All three OpenDNS test sites work fine with DNSSEC enabled:
http://welcome.opendns.com/
http://www.internetbadguys.com/
http://www.exampleadultsite.com/

Also, ipleak.net shows all Opendns servers and a "nslookup youporn.com 8.8.8.8" resolves to a OpenDNS block page, so appears pfSense is properly forcing all resolutions to use OpenDNS.

My second question is both guides say to check the "Disable DNS Forwarder" option under the General Setup. I've currently been running with it unchecked and everything seems ok. Any burning reason I need to check it? What are the implications by not checking it?

johnpoz · Sep 9, 2017, 2:22 PM

But your not actually getting dnssec support if where you forwarding to does not support dnssec.. That is the point.. Its completely pointless to have dnssec enabled in unbound if your just going to use it as a forwarder and where you forward does not support dnssec..

Derelict · Sep 10, 2017, 12:56 AM

I have seen it actually break things - this was forwarding to google DNS. In general if you are using unbound in forwarding mode, disable DNSSEC.

doktornotor · Sep 11, 2017, 5:34 PM

OpenDNS does NOT support DNSSEC.

LucaTo · Sep 14, 2017, 8:36 AM

Definitely, opendns doesn't support dnssec,
they strip out RRSIG records, so dnssec local validation is not possible.

Kryptos1 · Oct 20, 2017, 6:05 AM

Hello All,

I switched from OPENDNS to Google's DNS because Google is supposed to support DNSSEC. I had some issues with Google and then switched to verisign. Then I wanted to add an extra layer of security and pushed my DNS traffic through a VPN to avoid my ISP messing with it. This website shows all the DNS servers that are supposedly running DNSSEC (http://wiki.ipfire.org/en/dns/public-servers). I chose verisign's from this list.

After pushing my DNS through a VPN and pointing towards servers supporting DNSSEC is the only thing left to do is to enable it in Pfense? To pfsense automagically take it from there or are there other configs necessary to be able to benift from DNSSEC?

johnpoz · Oct 20, 2017, 6:52 AM

Why do you not just resolve? What do you think you gain by forwarding?

Kryptos1 · Oct 20, 2017, 6:57 AM

@johnpoz:

Why do you not just resolve? What do you think you gain by forwarding?

It is "resolving" (i.e. not forwarding) by asking verisign's DNS server and only verisign's DNS server. Forwarding is not checked in my config. My question was is there anything left to do after enabling DNSSEC support options in pfsense after pointing to a DNS server that uses DNSSEC.

johnpoz · Oct 20, 2017, 7:00 AM

If your only asking verisign dns servers then your FORWARDING to them.. Not resolving..

Resolving walks down the tree from roots to get to actual authoritative name server for the domain your looking for… It doesn't just forward to specific dns asking them hey whats www.domain.com... It looks up the NS for domain.com and goes and asks them directly.. Hey what is IP of www...

Out of the box pfsense resolves - you do not need to setup any dns... It resolves on its own..

Kryptos1 · Oct 21, 2017, 11:49 PM

@johnpoz:

If your only asking verisign dns servers then your FORWARDING to them.. Not resolving..

Resolving walks down the tree from roots to get to actual authoritative name server for the domain your looking for… It doesn't just forward to specific dns asking them hey whats www.domain.com... It looks up the NS for domain.com and goes and asks them directly.. Hey what is IP of www...

Out of the box pfsense resolves - you do not need to setup any dns... It resolves on its own..

Interesting, then my understanding of what pfense is doing has been wrong for awhile now with the options were are talking about. Not sure.. Under Settings - General Setup, pfsense cites: "Enter IP addresses to be used by the system for DNS resolution [Verisign]. These are also used for the DHCP service (manually overridden in my case), DNS Forwarder (not enabled) and DNS Resolver (enabled) when it has DNS Query Forwarding enabled (NOT enabled in my case).

Since my config does NOT have DNS Query Forwarding Enabled under Services - DNS Resolver - General Settings, it seemed logical that my DNS is "resolving" through Verisign DNS server. If my setup is considered to be "forwarding" DNS still, because it doesn't walk DNS like you described, then it seems misleading in to even have an option to enable "DNS Query Forwarding", and/or "DNS Server Override" under System - General Setup, because one would still be "forwarding" even with all "forwarding" options disabled; including the DNS Forwarder itself.

So I stand corrected, maybe: That specifying Verisign IP addresses in Settings - General Setup, while having both "DNS Query Forwarding" disabled as well as "DNS Server Override" under System - General Setup disabled, my DNS is still "forwarding".

Whatever the case, it still didnt answer my question which was is there anything else one has to do to make sure signed DNSSEC records are being returned after pointing my DNS to Verisign and enabling the DNSSEC options in the "DNS Resolver" settings? Or, are you saying that I have screwed up my config all together because in order to get DNSSEC to work, the "resolver" must "resolve" by walking name servers the way you described which cant be accomplished by "forwarding" to Verisign?

johnpoz · Oct 22, 2017, 11:06 AM

"my DNS is "resolving" through Verisign DNS server."

Again NO… you do not resolve through forwarders..

You can put dns servers all day long, or let you isp override them if you like... This has ZERO to do with what happens when a client asks pfsense running unbound for a record.. Your NOT forwarding to anything if unbound is not in forwarding mode... Ie that check box checked... If so then it would forward to what you have in general or what your isp hands you.. But if it is not in forwarding mode then it RESOLVES... versign, open, google, isp - does not matter what you put in there.

To be honest using dnssec in forwarder mode kind of pointless anyway.. If the resolver they are using is using dnssec then why do you want/need to double check it. You clearly already trust this dns your forwarding too.. And they are using dnssec to validate what they resolve is signed by the owner of the records, etc. You as the client getting or checking this dnssec info again is kind of pointless.

A forwarder has really zero to do with resolving records... It just forwards the question.. At some point it has to hit a resolver to find that record. Sure a forwarder can hand info back to you it has in its cache. But it had zero to do with looking those up or checking the dnssec.. Only time would be if you have a specific entry in the forwarder to a authoritative NS.. called a domain override in pfsense.. If you point that to the actual authoritative NS of the domain your overriding.. But you could also just be overriding to either a resolver or a forwarder..

If the resolver at the end of the chain is is using dnssec, and you trust the forwarder between you and the resolver than there is little point for your resolver in forwarding mode to do anything with dnssec..

Roots and Authoritative NS for domains (internet) --- resolver –- forwarder? (isp) –- pfsense (forwarder) --- client.

Maybe your isp is a resolver.. Or maybe it forwards to 1? Maybe there are multiple forwarders in the path between you and the resolver? Problem is when you forward you have no idea where they get their info from, and or if its been tampered with or bad.. If they say they support dnssec - you would assume they are actually using it and should be validating what they resolve is good, etc.. So if you trust them enough to forward to them, then why would you need to worry about the dnssec stuff on your forwarder?

If you have had dnssec enabled - which it is out of the box.. You have been using dnssec since you turned on pfsense.. There is nothing more to do other than understand that you don't need to put anything in general.. The only one that will use them is pfsense itself... Your clients wont be..

Velcro · Oct 22, 2017, 8:45 PM

I think I trust OpenDNS more then my cable company, I think OpenDNS has better security then my cable company…but I don't trust OpenDNS with my email which uses DNSSEC for added verification.

My questions:

How would I go about setting up rules so that I use DNSSEC and not OpenDNS for my email, BUT use OpenDNS for any general web surfing and general phishing/malware protection? from the same client on 1 network?
How could I make all these DNS queries travel thru a VPN?

johnpoz · Oct 23, 2017, 2:42 AM

"my email which uses DNSSEC for added verification"

You don't seem to even understand what dnssec is.. How exactly do you think dnssec is used with email for added verification.. I am curious to how you think that works.. Really!!!

dnssec is validation that the a record in a domain has been signed by the owner of the domain.
https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en

Who said anything about your cable company? When using the resolver? You don't seem to get what a resolver is vs a forwarder.. Out of the box pfsense doesn't do anything with your cable companies dns.. Unless it was looking up a record in a domain owned by your cable company.. Then yeah it would go talk to its authoritative NS it has listed for the domain.

To let the resolver use your vpn - change its outbound interface to your vpn interface.

Velcro · Oct 23, 2017, 1:10 PM

Thanks for the response Johnpoz…

The concern with my email is that I log onto my emails website securely...I want to make sure the website is in fact my email providers and not a fake site trying to steal my login info. My email provider touts DNSSEC and DANE as ways to verify their site...I feel this is important for security.

I think you describe the resolver vs forwarder function very well below...as I see it, the choice I have is to either forward the resolving to another provider(e.g. OpenDNS) or have pfsense do the job(unbound). What I am struggling with is who can do the job better(more secure and private). I know having my own pfsense do the job is more private but surely OpenDNS can do this more securely?

Could I ask you how exactly to "change its outbound interface to your vpn interface."?

Thank you Johnpoz...I am humbly grateful!

johnpoz · Oct 23, 2017, 3:50 PM

"surely OpenDNS can do this more securely?"

How is that? If you ask opendns for something. Your just trusting them that what they hand you is correct.

When you run a resolver your going to talk direct the authoritative name server for the domain your looking up the record in. And if signed then using dnssec verify that info. You can ask openvpn for dnssec all you want. But in "theory" all they would have to do is not hand back the dnssec info and your client would would just take it that dnssec is not enabled for this domain.. Even if it was and just trust what got sent to it as valid. This is a bit far fetched to be sure - but if your tinfoil hat is tight its tight ;)

Normally when a dns service states they support dnssec, its them saying that their resolver is using it.. You loose the end to end validation, since you do not independently talk to each NS server in the chain down from roots to get to the authoritative server. You have put a man in the middle - it is possible for this man in the middle to manipulate the data they send back.. I am no way suggesting that openvpn is doing this.. I am just saying that such a thing would be possible.

On the unbound gui just change the outbound interface to the interface you assigned to your openvpn client vpn connection in pfsense. You would of created this interface if you want to be able todo policy based routing with your vpn interface vs just grabbing default route from them. Normally this how you would do it since there are times when vpn is blocked for specific stuff and you may need to just use your internet connection to access some resources, etc. Allowing for policy routing even if you just route everything to the vpn allows for more control.

Velcro · Oct 23, 2017, 8:41 PM

Awsome!!!

Score:
Johnpoz: "1"
Privacy thieves: "0"

That is good stuff!! Nice tweak….

I went to Services -> DNS Resolver -> General Settings tab -> Outgoing Network Interfaces -> Selected only my VPN interface (vs WAN and VPN Interface). Nothing broke yet but will give it time…I have some devices that use WAN only. If anything breaks I'll update.

Thanks for your thoughts on DNSSEC...their is a add-on for firefox add-on that is supposed to validate DNSSEC but it is marked as "experimental" : https://addons.mozilla.org/en-US/firefox/user/cznic-labs/

You rock...Thanks again!

V

ThatGuy · Jan 19, 2018, 1:48 PM

johnpoz. Thank you! Thank you! Thank you!

I have been searching for a couple of days on why OpenDNS wasn't working with the DNS resolver. I've been using the Forwarder for years. Your explanation was perfect.

Every time I'm wanting to know something about pfSense and hit this forum I immediately look for your posts. I know you're a pfSense Jedi Master.

Thanks so much!

Gertjan · Jan 19, 2018, 5:46 PM

@V3lcr0:

their is a add-on for firefox add-on that is supposed to validate DNSSEC but it is marked as "experimental" : https://addons.mozilla.org/en-US/firefox/user/cznic-labs/

That's the one that that worked ….. before Firefox launched version 57 (Quantum).
Right now, just use : http://dnssec-debugger.verisignlabs.com/ and the huge http://dnsviz.net/ (example : http://dnsviz.net/d/test-domaine.fr/dnssec/ ) I love the diagram. Took me several years before I could finally say : "I guess I understand some how DNS works" and now ... well ... back to university again ...

Btw: I'm using this one https://addons.mozilla.org/fr/firefox/addon/dnssec/?src=api - it does the job.

Before you start implementing DNSSEC, be sure that your coffee machine is locked and loaded - and that you have a pharmacy nearby with flexible opening hours.
After DNSSEC is done, and you became a real "key roller guy" **, you'll be having access to DANE.

** Mix DNSSEC and Certifcates from letsencrypt and enter the DANE world. You'll get the picture very fast.

johnpoz · Jan 20, 2018, 2:49 PM

"Before you start implementing DNSSEC"

You mean on your own domain? Yeah there is a bit of learning curve there - there is a easy to follow write up on digital ocean.. to get you started
https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server–2

The hardest part said to say is actually finding a registrar for your domains that supports it.. I had fired this up on a test domain of mine years ago - and hopefully now more registrars support it.. But I found dynadot supported it.. https://www.dynadot.com

If I recall there was a bit of snafu back in early 2015 but they corrected it with a couple emails to their support. Ah looked up the email thread... Yeah back in 2015 they had some issues to work through..

" It seems to be an issue/bug at the central registry. We have asked them to create the records for your domain in their system"
"This should be an isolated issue. Not many of our customers have actually used DNSSEC yet, but this was the only issue thus far."

And yes the links for testing dns for dnssec are great - but looks like dnsviz is currently offine
"Sorry, we are currently working on some improvements, and DNSViz is currently unavailable. Please check back soon. Thanks! "