DNSSEC and NextDNS
-
By NextDNS instructions should put in custom options of DNS resolver :
server:
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: XXXXX
forward-addr: XXXXXBut in this case should be DNSSEC to OFF in DNS resolver or keep it default?
-
AFAIK, you don't need DNSSEC if you're forwarding queries to a service like NextDNS, Quad9, etc. Since the resolver you're choosing to use should already be doing DNSSEC tasks, you'd only be attempting to confirm DNSSEC between you and your chosen resolver which is unnecessary.
-
@juanzelli Ok, thanks'
-
@juanzelli One more question, what about Harden DNSSEC Data in advanced settings, should as well to OFF?
-
@antibiotic Yes, I would leave it off too. I believe you'd only concern yourself with that if you were not forwarding and, instead, were allowing Unbound to resolve on its own. If that were the case, it would be best to enable DNSSEC and (possibly) the hardening setting. But, best to leave them off if you're forwarding to NextDNS.
-
@juanzelli
Actually prefer default settings , but in my country some news sites are blocking if using ISP DNS. When do DNS forwarding to external DNS , its possible to enter blocking sites! -
@juanzelli said in DNSSEC and NextDNS:
don't need DNSSEC if you're forwarding queries
I'd go a step farther...per Quad9 forwarding with DNSSEC may cause failures. And in pfSense 23.01 it seems way more problematic than older versions where I saw no failures.
@Antibiotic If those instructions are generically how to enable forwarding, which it seems, pfSense has a checkbox for that:
ref: Quad9 doc saying to uncheck DNSSEC: https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
thread about Quad9 and several others, where DNSSEC and/or DNS over TLS is causing problems in 23.01: https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl/
