The officially official Devuan Forum!

#1 2019-12-23 21:51:44

Micronaut
Member
Registered: 2019-07-04
Posts: 55  

Implementing DNSSEC and DNS-over-TLS with Unbound

Is anyone using unbound just for their personal system? I don't need to set up a DNS server for anyone, I'm just thinking of getting better security on my own DNS usage. Is the version in the repositories relatively up to date? Is it difficult to set up? Or is there some obvious, simpler solution for getting DNSSEC and DNS-over-TLS on a personal system?

#2 2019-12-23 22:00:32

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 425  

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

I think the dnssec-trigger package will get things set up for you, just adjust the forward nameservers (I use Quad9, they should support DoT).


SJW for hire, usual rates apply

#3 2019-12-24 13:16:34

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 425  

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Additionally the stubby package in beowulf/ceres is designed for DoT and getdns-utils allows access to the API directly via getdns_query().

#4 2020-01-19 21:35:44

Micronaut
Member
Registered: 2019-07-04
Posts: 55  

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

After fiddling with dnssec-trigger in Linux and the unbound installer for Windows, all I can say is both seem to install OK and do whatever their default setting tells them to. But I can't tell if they are doing DNS-over-TLS and don't see any information about how to configure either to use it.

#5 2020-01-19 22:08:32

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 425  

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Micronaut wrote:

I can't tell if they are doing DNS-over-TLS

Use wireshark & dig to test: https://www.linuxbabe.com/ubuntu/ubuntu … s-over-tls ← see the section "How to Check if Your DNS Traffic is Encrypted" at the end of the article.

#6 2020-01-19 23:57:38

Micronaut
Member
Registered: 2019-07-04
Posts: 55  

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Where are the config files when you use dnssec-trigger to install unbound? I can find descriptions of how to get unbound to use dns-over-tls but the config files are not where these instructions say they should be. Some sort of strange redirection with symbolic links is used.

#7 2020-01-20 11:58:00

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 425  

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Micronaut wrote:

Where are the config files when you use dnssec-trigger to install unbound?

The dnssec-trigger package is just a configuration wrapper used to ensure that unbound is the local nameserver and that it performs DNSSEC validation. DoT is not part of dnssec-trigger's remit but I am presuming that if requests are forwarded to a DoT-capable resolver then it will be used; this may not in fact be the case. Use wireshark & dig to confirm.

OTOH the stubby package is expressly designed to offer DoT validation so using that should ensure it. But you should probably still check.

Micronaut wrote:

I can find descriptions of how to get unbound to use dns-over-tls but the config files are not where these instructions say they should be. Some sort of strange redirection with symbolic links is used.

When requesting help it is always better to provide actual command output rather than vague descriptions.

#8 2020-01-20 17:51:42

Micronaut
Member
Registered: 2019-07-04
Posts: 55  

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Well, this is annoying. Stubby is apparently only in Ceres/Beowulf, not the current Ascii release. And of course not in Windows at all. I was hoping to learn something useful on both Linux and Windows by using unbound in both systems. Looks like I might need to find independent solutions. At least the unbound package from nlnet labs does implement DNSSEC validation in Windows, which is better than the default of accepting the packet but not really checking it.

What I really need, though, is DNS-over-TLS for Linux laptops that does not use DHCP supplied servers. The dnssec-trigger package uses DHCP to get the servers, which is OK for desktops at home but not laptops in public places. I think it can be done with unbound, but I'm going to have to read a lot of documentation. Or maybe I'll just have to wait until Beowulf is officially released and stable.
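
The three things the thread circles around (post #7: forwarding to a DoT-capable resolver does not by itself give you DoT, and you should confirm with dig and a packet capture as in post #5; post #8: a laptop setup that does not follow DHCP-supplied servers) can be put into one script. This is an added example and not code from the posts or from the unbound / dnssec-trigger projects. It assumes unbound 1.7.x or newer (the `tls-cert-bundle` and `forward-addr ...@853#name` syntax; as far as I know the 1.6.0 in ascii predates both, while beowulf's unbound has them), Quad9 as the upstream, Debian/Devuan paths (`/etc/unbound/unbound.conf.d`, `/var/lib/unbound/root.key`, `/etc/dhcp/dhclient.conf`), dhclient as the DHCP client and plain unbound without dnssec-trigger driving it. The `dig` and `tcpdump` lines the parser functions are exercised with are constructed, not real captures.

```shell
#!/bin/sh
# Added example for the thread above, not code from the forum posts or from
# the unbound / dnssec-trigger projects.
# Assumptions: unbound 1.7.x or newer (tls-cert-bundle and the
# forward-addr ...@853#name syntax), Quad9 as the upstream, Debian/Devuan
# paths, dhclient as the DHCP client. The dig and tcpdump lines fed to the
# parsers below are constructed test input, not real captures.

# unbound.conf.d fragment: validate DNSSEC locally and forward everything to
# Quad9 over TLS. Forwarding to 9.9.9.9 on port 53 would still be plaintext;
# forward-tls-upstream plus @853 is what actually turns DoT on.
unbound_dot_fragment() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # root trust anchor, kept current by unbound-anchor
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # CA bundle used to verify the upstream certificate against its name
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    qname-minimisation: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
EOF
}

# dhclient.conf fragment: ignore DHCP-supplied nameservers so a laptop on a
# public network keeps using the local unbound instead of the hotspot's DNS.
dhclient_pin_resolver() {
    cat <<'EOF'
supersede domain-name-servers 127.0.0.1;
EOF
}

# Read `dig +dnssec` output on stdin; succeed only if the answer carries the
# AD (authenticated data) flag, i.e. the local resolver validated it.
has_ad_flag() {
    grep -Eq '^;; flags:.* ad[;, ]'
}

# Read `tcpdump -n -l -i any 'port 53 or port 853'` output on stdin. Print
# every packet going to port 53 on a non-loopback address (a plaintext DNS
# leak) and fail if there was one. Port 853 traffic is the expected DoT.
plaintext_dns_leaks() {
    awk '
        {
            dst = ""
            for (i = 1; i < NF; i++) if ($i == ">") { dst = $(i + 1); break }
            if (dst == "") next
            sub(/:$/, "", dst)                 # "9.9.9.9.53:" -> "9.9.9.9.53"
            n = split(dst, p, ".")
            port = p[n]
            if (port == "53" && dst !~ /^127\./ && dst !~ /^::1\./) {
                print
                leaks++
            }
        }
        END { exit (leaks ? 1 : 0) }
    '
}

# Live check: needs root for tcpdump and a running unbound on 127.0.0.1.
# Query a name that is not cached yet (or flush it with unbound-control),
# otherwise nothing goes upstream and the capture is trivially clean.
live_check() {
    name="${1:-devuan.org}"
    cap=$(mktemp)
    timeout 5 tcpdump -n -l -i any 'port 53 or port 853' > "$cap" 2>/dev/null &
    sleep 1
    if dig @127.0.0.1 +dnssec "$name" | has_ad_flag; then
        echo "DNSSEC: validated (ad flag set)"
    else
        echo "DNSSEC: no ad flag"
    fi
    wait
    if plaintext_dns_leaks < "$cap"; then
        echo "DoT: no plaintext port-53 queries left the host"
    else
        echo "DoT: plaintext port-53 queries above, TLS forwarding is not in effect"
    fi
    rm -f "$cap"
}

# Only touch the live system when asked: ./dot-check.sh --live [name]
if [ "${1:-}" = "--live" ]; then
    live_check "${2:-}"
fi
```

To use it: `unbound_dot_fragment > /etc/unbound/unbound.conf.d/dot.conf`, run `unbound-checkconf`, restart unbound, append the dhclient fragment to `/etc/dhcp/dhclient.conf`, make sure `/etc/resolv.conf` says `nameserver 127.0.0.1`, then run the script with `--live`. The point of the parser is that a clean result means every upstream packet went to port 853; if you see port 53 lines to 9.9.9.9 the forward-zone is being used but the TLS options are not taking effect (wrong unbound version or a config error), which is exactly the ambiguity post #7 warns about.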