    DNSSEC on Cloudflare TLS

    4 Posts 3 Posters 948 Views
      Uglybrian

      Howdy folks,
      I was exploring the new TLS DNS servers from Quad9 and Cloudflare. I did some testing with Gibson Research's DNS spoofability test. I found that DNSSEC was missing from Cloudflare but present with Quad9. I was unable to find another site to test DNSSEC with Cloudflare to confirm.
      Does anyone know how to confirm DNSSEC other than Gibson Research? I don’t even know if DNSSEC is even necessary if you are using TLS. The quick skimming that I have done reading about these protocols indicates that both complement each other.
      I do have DNSSEC enabled on the resolver, and all custom options in the resolver came directly from Netgate.
      So is DNSSEC necessary with TLS?

        A Former User

        Two different things to solve two different potential issues.

        DNS over TLS hides your DNS traffic from snoopers such as your ISP.

        DNSSEC validates that the reply to your DNS lookups has not been altered from the authoritative server for the request.

        It is a common misconception that DNSSEC encrypts your DNS traffic, that is not true.

          johnpoz LAYER 8 Global Moderator

          Forwarding to anywhere really defeats the whole point of asking for DNSSEC. It's pointless to enable DNSSEC if you're going to forward. It's just extra traffic that gets you nothing, unless you're specifically going to be looking at the DNSSEC RRSIG info returned in your queries.

          DNSSEC makes sense at the resolver; if you're not resolving, then there is little point to DNSSEC. At some point up your forwarding tree there will have to be a resolver. They should have DNSSEC enabled, and if you ask for www.domain.com and it fails DNSSEC validation, then you should not get an answer.

          Your forwarder has nothing to do with the resolver's DNSSEC feature. Query www.dnssec-failed.org: does it fail, or do you get back an IP?

          If you're forwarding and it fails, then the upstream resolver is using DNSSEC; if you get back IPs, then your upstream resolver is not using DNSSEC. Either way, it doesn't matter what you do at your forwarder.

          If you're resolving and you don't have DNSSEC enabled, then you would get an answer; if you have DNSSEC enabled, that will fail.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

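The two-probe check johnpoz describes (a correctly signed name versus www.dnssec-failed.org, whose signatures are deliberately broken) is also the answer to the original question of how to confirm DNSSEC without the Gibson Research page. The following is an added example, not code from this thread or from Netgate/pfSense: it decodes the DNS response header, reads the RCODE and the AD (Authenticated Data) bit that dig prints as `status:` and `flags:`, and applies the rule from the post. The responses are constructed in the script itself (function names, query IDs and the 192.0.2.x addresses are all made up) so it runs offline; against a real resolver you would feed it the raw bytes of the two replies instead.

```python
import struct
from typing import Dict, Optional, Tuple

# Wire-format DNS header (RFC 1035 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the header flags, including the DNSSEC-related AD and CD bits (RFC 4035)."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,   # 1 = response
        "rd": (flags >> 8) & 1,    # recursion desired
        "ra": (flags >> 7) & 1,    # recursion available
        "ad": (flags >> 5) & 1,    # Authenticated Data: the answering resolver validated it
        "cd": (flags >> 4) & 1,    # Checking Disabled: client asked for no validation
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def describe(msg: bytes) -> str:
    """One-line summary in the style of dig's 'status:' / 'flags:' output."""
    h = parse_header(msg)
    flags = " ".join(f for f in ("qr", "rd", "ra", "ad", "cd") if h[f])
    return f"status: {RCODE_NAMES.get(h['rcode'], h['rcode'])}, flags: {flags}; ANSWER: {h['ancount']}"


def judge_validation(good_reply: bytes, failed_reply: bytes) -> str:
    """Apply the two-probe test from the thread.

    good_reply   - reply for a correctly signed name (example.com)
    failed_reply - reply for www.dnssec-failed.org, whose signatures are deliberately broken
    """
    good = parse_header(good_reply)
    bad = parse_header(failed_reply)
    if good["rcode"] == 0 and good["ad"] == 1 and bad["rcode"] == 2 and bad["ancount"] == 0:
        return "validating"        # signed name validated (AD set), broken name refused with SERVFAIL
    if bad["rcode"] == 0 and bad["ancount"] > 0:
        return "not validating"    # the resolver handed back an address it could not have validated
    return "inconclusive"          # e.g. upstream unreachable: both probes SERVFAIL


# --- constructed sample replies (not captured from any real resolver) -------------------

def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_reply(ident: int, qname: str, rcode: int, ad: int, answer_ip: Optional[str]) -> bytes:
    """Assemble a minimal response: header, one question, optionally one A record."""
    ancount = 1 if answer_ip else 0
    flags = (1 << 15) | (1 << 8) | (1 << 7) | (ad << 5) | rcode  # QR, RD, RA, AD, RCODE
    msg = DNS_HEADER.pack(ident, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    if answer_ip:
        rdata = bytes(int(octet) for octet in answer_ip.split("."))
        # 0xC00C = compression pointer to the question name at offset 12; TTL 300, RDLENGTH 4
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg


SAMPLES: Dict[str, Tuple[bytes, bytes]] = {
    # Validating resolver: signed name comes back with AD=1, broken name gets SERVFAIL.
    "validating": (build_reply(0x1A2B, "example.com", 0, 1, "192.0.2.10"),
                   build_reply(0x1A2C, "www.dnssec-failed.org", 2, 0, None)),
    # Non-validating resolver: never sets AD and returns an address for the broken name.
    "not_validating": (build_reply(0x1A2D, "example.com", 0, 0, "192.0.2.10"),
                       build_reply(0x1A2E, "www.dnssec-failed.org", 0, 0, "192.0.2.20")),
    # Upstream that fails everything: tells you nothing about DNSSEC.
    "broken_upstream": (build_reply(0x1A2F, "example.com", 2, 0, None),
                        build_reply(0x1A30, "www.dnssec-failed.org", 2, 0, None)),
}

if __name__ == "__main__":
    for label, (good, bad) in SAMPLES.items():
        print(f"{label:16s} example.com -> {describe(good)}")
        print(f"{'':16s} dnssec-failed -> {describe(bad)}")
        print(f"{'':16s} verdict: {judge_validation(good, bad)}")
```

From a shell the same check against the pfSense resolver is `dig +dnssec www.dnssec-failed.org @<resolver-ip>` next to `dig +dnssec example.com @<resolver-ip>`: a validating path shows `status: SERVFAIL` for the first and `flags: ... ad` for the second, which is exactly what `describe()` prints for the constructed samples. Note that the AD bit only says that the resolver which answered you validated; it does not tell you anything about hops further up a forwarding chain.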
            Uglybrian

            Thank you, jwj and John, for your answers and time.
            John, your insight on the inner workings was incredibly useful.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.