Why does Unbound stop working if I enable DNSSEC?
-
Hi everyone,
I started using pfSense again after quite a long time, and I installed it as a VM in my VMware Workstation. I set up a WAN port (in bridge mode) and a LAN port in Custom mode so that I can connect a client to it and practice with pfSense.
I noticed that the client can ping IP addresses but can't browse the internet if DNSSEC Support is enabled.
For the record, in DNS Resolver->General Settings I set LAN and Localhost for the Network Interfaces, and ALL for Outgoing Network Interfaces.
Could anyone please help me figure out why it doesn't work if DNSSEC is enabled?
Thanks
-
Is the system time correct in your pfSense virtual machine? DNSSEC requires accurate time between the source and destination in order for the key exchange to work.
Many times in a virtual environment folks forget to configure a proper time.
-
Yes, the system time is correct.
I also enabled Forwarding Mode and DoT. It works now. Anyway, it already started working when I made a couple of changes in Network Interfaces (only LAN and localhost are checked now).
I have another problem with the Host Overrides but I am going to open another thread for it.
Thank you for your answer
-
Note that when you enable Forwarding Mode in the DNS Resolver, there is no need to check the DNSSEC box as it is meaningless in that mode. When forwarding, either the DNS server you are forwarding your queries to does DNSSEC on its own, automatically, or it does not. It does not take any cue from the querying client about DNSSEC. So enabling DNSSEC when forwarding just adds some needless overhead in your pfSense box to DNS query processing, but it does not "make" the forwarding server use DNSSEC. That forwarding server either already is doing it anyway, or not. And if not, nothing from your client end can make it do DNSSEC.
And just to be clear, in case there is a misconception: DNSSEC is a way of authenticating an authoritative name server. It is not for encrypting queries so they are hidden. Here is a description of DNSSEC, how it works, and what it is for: https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en. You may already be aware of this, but I posted it in case others with questions read through this thread in the future.
-
@bmeeks completely agree, but I have been doing some testing of this of late.. With 9.9.9.10, which does not do dnssec, enabling dnssec does still seem to do some checks.
The problem is, you are at the mercy of where you forward. You have no idea what they are doing with their caching - did you get an old record for something related to dnssec? They could, if they wanted, send you anything they wanted in return to your queries. Or send late, or not at all, something asking about dnssec, etc.
You could have something that should really fail a dnssec check pass, or you could have something fail because something didn't get returned correctly or in time, etc.
Pretty much every major dns service on the planet is doing dnssec, unless you use a special IP of theirs that says it doesn't do it.
So you trust this dns enough to forward all your queries to them - they are already doing dnssec. So what is the point of setting unbound to do dnssec if where you're forwarding is already doing it? It's just extra queries you're going to perform for no real reason.
If you're using some dns service that doesn't do dnssec, asking for it could be problematic and you could have issues getting proper answers to your queries. So now you're doing extra queries that may or may not function as you think they should function. And could cause slower response.
If you're going to forward and you want dnssec - just use a dns service that does it. They really all do from what I have seen - can someone name a major dns provider that doesn't do dnssec? If you're using something that doesn't do it, you may or may not get some sort of validation when asking for dnssec - is it good, is it bad, does it cause you problems with some sites? I think you're just asking for problems with such a setup.
dnssec is meant to be done from a resolver (unbound default) where you're actually talking to the authoritative ns for whatever it is you're asking about. Using a forwarder and asking for dnssec is not a good setup.
Side note - I am like 99.9% sure that when you set unbound to forward and do dnssec, the DS query is done only after the A query has gotten a response.. A simple sniff while doing this could validate this.. This is going to cause slower resolution time for everything you ask for - whether the domain you're asking about is using dnssec or not.. So let's say it always works and there are never any issues getting answers to what you query for - you just added extra latency to your dns for what reason, if where you're forwarding to is already doing dnssec? And you trust them explicitly - or why would you be forwarding your dns to them in the first place ;)
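An added example (not code from anyone in this thread) showing at the wire level what "asking for DNSSEC" from a forwarder amounts to: the client can only set the EDNS0 DO bit on its query, and the only signal it gets back about whether the upstream validated is the AD flag in the reply header (or a SERVFAIL). The sample replies are constructed so the script runs offline, and the helper names are my own.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225)
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080
FLAG_AD, FLAG_CD = 0x0020, 0x0010
EDNS_DO = 0x8000  # lives in the low 16 bits of the OPT pseudo-RR TTL field

def build_query(name: str, qtype: int = 1, qid: int = 0x1234, do: bool = True) -> bytes:
    """Minimal UDP DNS query. With do=True an OPT RR carrying the DO bit is
    appended; that is everything a client can do to 'ask for DNSSEC'. It does
    not make the upstream validate anything, it only asks for RRSIGs back."""
    header = struct.pack(">HHHHHH", qid, FLAG_RD, 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)  # class IN
    if not do:
        return header + question
    # OPT RR: root name, type 41, UDP payload 4096, TTL word carrying DO, no RDATA
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt

def parse_flags(msg: bytes) -> dict:
    """Decode the header a forwarder sends back. AD is set only when the
    responding server validated the answer itself."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "ra": bool(flags & FLAG_RA), "ancount": an}

def classify(resp: bytes) -> str:
    """What the client can actually learn about upstream DNSSEC from one reply."""
    f = parse_flags(resp)
    if f["rcode"] == 2:
        return "servfail"      # upstream validation failed, or a record never came back
    if f["ad"]:
        return "validated"     # the forwarder validated on its own
    return "unvalidated"       # forwarder does no DNSSEC, whatever the client asked for

def fake_response(qid: int, flags: int) -> bytes:
    """Constructed header-only reply so the demo runs without network access."""
    return struct.pack(">HHHHHH", qid, flags, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print(f"query is {len(q)} bytes, DO bit requested: {q[36] == 0x80}")
    for label, flags in [("validating forwarder", FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD),
                         ("non-validating forwarder", FLAG_QR | FLAG_RD | FLAG_RA),
                         ("broken validation", FLAG_QR | FLAG_RD | FLAG_RA | 2)]:
        print(f"{label:26s} -> {classify(fake_response(0x1234, flags))}")
```

Pointing `build_query` at a real forwarder over UDP and feeding the reply to `classify` tells you which of the three cases johnpoz describes you are actually in; unbound's own validation only adds to that, it never changes what the upstream does.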
-
@bmeeks
@johnpoz
Yes, I know that DNSSEC is not for encrypting queries. Thank you for the link. I'll read it anyway.
I disabled it, and I also unchecked Prefetch DNS Key Support and Harden DNSSEC Data in the Advanced Settings; I guess they are not of any use since DNSSEC is disabled now, aren't they? I enabled Unbound because I want to use DoT and pfBlocker as well.
As I already said above, I started using pfSense again after quite a long time. For the record, I had a bad experience with OPNsense and I switched back to pfSense as my main alternative to my Mikrotik device as a firewall/router.
Anyway, I remember that I had some issues with pfSense's Unbound a long time ago. It just didn't work with one ISP as upstream gateway, while it worked flawlessly if I switched to another ISP (via LTE). It seemed that the first ISP blocked access to the root DNS servers... maybe. Never figured it out for sure.
Thanks again