DNSSEC on Cloudflare TLS

  • Howdy folks,
    I was exploring the new TLS DNS servers from Quad9 and Cloudflare. I did some testing with Gibson Research's DNS spoofability test. I found that DNSSEC was missing from Cloudflare but present with Quad9. I was unable to find another site to test DNSSEC with Cloudflare to confirm.
    Does anyone know how to confirm DNSSEC other than Gibson Research? I don't even know if DNSSEC is necessary if you are using TLS. The quick skimming that I have done reading about these protocols indicates that both complement each other.
    I do have DNSSEC enabled on the resolver, and all custom options in the resolver came directly from Netgate.
    So is DNSSEC necessary with TLS?

  • Two different things to solve two different potential issues.

    DNS over TLS hides your DNS traffic from snoopers such as your ISP.

    DNSSEC validates that the replies to your DNS lookups have not been altered from the authoritative server for the request.

    It is a common misconception that DNSSEC encrypts your DNS traffic; that is not true.

  • LAYER 8 Global Moderator

    Forwarding to anywhere really defeats the whole point of asking for DNSSEC. It's pointless to enable DNSSEC if you're going to forward. It's just extra traffic that gets you nothing, unless you're specifically going to be looking at the DNSSEC RRSIG info returned in your queries.

    DNSSEC makes sense at the resolver; if you're not resolving, then there is little point to DNSSEC. At some point up your forwarding tree there will have to be a resolver. They should have DNSSEC enabled, and if you ask for www.domain.com and it fails DNSSEC validation, then you should not get an answer.

    Your forwarder has nothing to do with the resolver DNSSEC feature. Query www.dnssec-failed.org: does it fail, or do you get back an IP?

    If you're forwarding and it fails, then the upstream resolver is using DNSSEC; if you get back IPs, then your upstream resolver is not using DNSSEC. Either way, it doesn't matter what you do at your forwarder.

    If you're resolving and you don't have DNSSEC enabled, then you would get an answer; if you have DNSSEC enabled, that will fail.
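The check John describes, scripted: query a known-signed control domain and www.dnssec-failed.org against one resolver and read the two replies together. This is an added example, not code from the thread or from Netgate; it assumes `dig` is installed and that the control domain (example.com by default) is DNSSEC-signed.

```shell
#!/bin/sh
# Two-probe DNSSEC check, written for this thread as an added example (not from the thread or Netgate).
# Probe 1 (control): a domain assumed to be DNSSEC-signed, which should answer with the AD flag.
# Probe 2: www.dnssec-failed.org, which a validating resolver must answer with SERVFAIL.
# Assumes `dig` (dnsutils / bind-utils) is installed where the script runs.

# Read one `dig` reply on stdin and classify it from its header lines:
#   validating      status NOERROR with the AD (authenticated data) flag set
#   not-validating  status NOERROR without AD (the answer came back unvalidated)
#   servfail        status SERVFAIL
#   no-reply        no header at all (timeout, wrong address, dig missing)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo servfail ;;
        NOERROR)  case " $flags " in
                      *" ad "*) echo validating ;;
                      *)        echo not-validating ;;
                  esac ;;
        "")       echo no-reply ;;
        *)        echo "other:$status" ;;
    esac
}

# Combine the two probes. $1 = control result, $2 = www.dnssec-failed.org result.
# A SERVFAIL on the broken domain only proves validation when the control query
# came back validated; otherwise the resolver may just be down or unreachable.
interpret_probes() {
    case "$1/$2" in
        validating/servfail)           echo validating ;;
        not-validating/not-validating) echo not-validating ;;
        servfail/*|no-reply/*)         echo "inconclusive (control query failed: $1)" ;;
        *)                             echo "inconclusive ($1 / $2)" ;;
    esac
}

# $1 = resolver address to test (the pfSense box itself, or its upstream forwarder),
# $2 = control domain assumed to be signed (default example.com).
check_resolver() {
    ctl=$(dig @"$1" +dnssec +time=3 +tries=1 "${2:-example.com}" A 2>/dev/null | classify_dig_output)
    bad=$(dig @"$1" +dnssec +time=3 +tries=1 www.dnssec-failed.org A 2>/dev/null | classify_dig_output)
    echo "$1: $(interpret_probes "$ctl" "$bad")  [control=$ctl, dnssec-failed=$bad]"
}

# Usage: sh dnssec-check.sh 192.168.1.1   (does nothing when run without an argument)
if [ "$#" -gt 0 ]; then check_resolver "$1"; fi
```

Run it once against your pfSense LAN address and once against the upstream forwarder; "validating" on the box but "not-validating" upstream is exactly the forwarding situation John warns about.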

  • Thank you, jwj and John, for your answers and time.
    John, your insight on the inner workings was incredibly useful.
