Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unbound and Experimental Bit 0x20 Support

    Scheduled Pinned Locked Moved DHCP and DNS
    7 Posts 5 Posters 2.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tman222
      last edited by

      Hi all,

      I have been reading up a little bit on the "Experimental Bit 0x20 Support" option in Unbound as a means to improve security.

      https://developers.google.com/speed/public-dns/docs/security#randomizing_choice_of_name_servers
      https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00

      Would you guys generally recommend that this be enabled?  Or is there a possibility that things might break?  Thanks in advance for your insight, I really appreciate it.

      1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan
        last edited by

        Hi,
        @tman222:

        …
        Would you guys generally recommend that this be enabled?

        I guess the pfSense isn't actually  "recommending" it, as in that case it would be activated by default.
        @tman222:

        …
        Or is there a possibility that things might break?

        As the Google page said : some name servers do not react well and send back NXDOMAIN responses when queried with dOmain.tld instead of domain.tld. They have the possibility to build huge lists with name servers that handle the situation correctly, and others that don't (See what Google said : 70 % does, so 30 % doesn't).
        pfSense couldn't maintain such a list.

        My point of view : if this "bit 6" (0xc20) trick was that great, it would have been enabled by the unbound authors by default.

        From what I made of this : https://serverfault.com/questions/759934/can-dns-response-answers-be-in-a-different-case-than-the-query
        When you are asking for google.com and you (your resolver) got back a reply like
        google.coM (and the IP of course)
        the reply would be rejected.
        Or, google.coM and google.com should be considered as the same thing.

        What would you do ?
        Btw, I guess you would find a discussion here https://www.unbound.net/ and here https://www.isc.org/downloads/bind/ - these two cover the vast majority off all name resolving on the net.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          I have it set and have not run into anything that doesn't resolve..

          But doesn't mean that half of the domains you visit will won't be broken if you turn it on, etc. There was a thread awhile back about enabling another option where you only send the portion looking for when resolving… ie setting qname-minimisation

          That broke a ton of shit right out of the gate..

          If your curious turn it on - does stuff not resolve?  If you are unclear on how to troubleshoot dns is vs another sort of issue causing you a problem then you prob should not enable such a feature.  But if your familiar enough with troubleshooting why something doesn't work and how to test if your problem is related to that feature or not then sure turn it on and give it a go..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • juanzelliJ
            juanzelli
            last edited by juanzelli

            I know I'm replying to a 5-year-old post :)

            I just read an article on The Register about 0x20. It makes a lot of sense. I never really paid much attention to the option in the DNS Resolver settings. Now, I've just enabled it (on 23.01-BETA) and am curious if it will have any impact or not. Time will tell.

            Netgate 4100 and HPE InstantOn network at home

            H GertjanG 2 Replies Last reply Reply Quote 0
            • H
              hwinthe6 @juanzelli
              last edited by

              @juanzelli What was your take away?

              juanzelliJ 1 Reply Last reply Reply Quote 0
              • juanzelliJ
                juanzelli @hwinthe6
                last edited by

                @hwinthe6 While troubleshooting an issue not too long after enabling it, I had disabled it and haven't thought to try it again. It seemed to work as expected. I don't believe it was the cause of the issue I was investigating though.

                Netgate 4100 and HPE InstantOn network at home

                1 Reply Last reply Reply Quote 1
                • GertjanG
                  Gertjan @juanzelli
                  last edited by

                  @juanzelli

                  For what it's worth, I've activated 0x20 support since the day it became available :

                  29582690-ecdf-4948-b623-99b1b3300c64-image.png

                  Btw : I'm resolving, and doing DNSSEC when available, I'm not using any commercial DNS solutions.

                  Never had any DNS issues.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  1 Reply Last reply Reply Quote 2
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.