The officially official Devuan Forum!


#1 2019-12-23 21:51:44

Micronaut

Implementing DNSSEC and DNS-over-TLS with Unbound

Is anyone using unbound just for their personal system? I don't need to set up a DNS server for anyone, I'm just thinking of getting better security on my own DNS usage. Is the version in the repositories relatively up to date? Is it difficult to set up? Or is there some obvious, simpler solution for getting DNSSEC and DNS-over-TLS on a personal system?


#2 2019-12-23 22:00:32

Head_on_a_Stick

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

I think the dnssec-trigger package will get things set up for you, just adjust the forward nameservers (I use Quad9, they should support DoT).


"Il semble que la perfection soit atteinte non quand il n'y a plus rien à ajouter, mais quand il n'y a plus rien à retrancher." — Antoine de Saint-Exupéry


#3 2019-12-24 13:16:34

Head_on_a_Stick

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Additionally the stubby package in beowulf/ceres is designed for DoT and getdns-utils allows access to the API directly via getdns_query().




#4 2020-01-19 21:35:44

Micronaut

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

After fiddling with dnssec-trigger in Linux and the unbound installer for Windows, all I can say is both seem to install OK and do whatever their default setting tells them to. But I can't tell if they are doing DNS-over-TLS and don't see any information about how to configure either to use it.


#5 2020-01-19 22:08:32

Head_on_a_Stick

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Micronaut wrote:

I can't tell if they are doing DNS-over-TLS

Use wireshark & dig to test: https://www.linuxbabe.com/ubuntu/ubuntu … s-over-tls ← see the section "How to Check if Your DNS Traffic is Encrypted" at the end of the article.




#6 2020-01-19 23:57:38

Micronaut

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Where are the config files when you use dnssec-trigger to install unbound? I can find descriptions of how to get unbound to use dns-over-tls but the config files are not where these instructions say they should be. Some sort of strange redirection with symbolic links is used.


#7 2020-01-20 11:58:00

Head_on_a_Stick

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Micronaut wrote:

Where are the config files when you use dnssec-trigger to install unbound?

The dnssec-trigger package is just a configuration wrapper used to ensure that unbound is the local nameserver and that it ensures DNSSEC validation. DoT is not part of dnssec-trigger's remit but I am presuming that if requests are forwarded to a DoT-capable resolver then it will be used, this may not in fact be the case. Use wireshark & dig to confirm.

OTOH the stubby package is expressly designed to offer DoT validation so using that should ensure it. But you should probably still check.

Micronaut wrote:

I can find descriptions of how to get unbound to use dns-over-tls but the config files are not where these instructions say they should be. Some sort of strange redirection with symbolic links is used.

When requesting help it is always better to provide actual command output rather than vague descriptions.




#8 2020-01-20 17:51:42

Micronaut

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

Well, this is annoying. Stubby is apparently only in Ceres/Beowulf, not the current Ascii release. And of course not in Windows at all. I was hoping to learn something useful on both Linux and Windows by using unbound in both systems. Looks like I might need to find independent solutions. At least the unbound package from nlnet labs does implement DNSSEC validation in Windows, which is better than the default of accepting the packet but not really checking it.

What I really need, though, is DNS-over-TLS for Linux laptops that does not use DHCP supplied servers. The dnssec-trigger package uses DHCP to get the servers, which is OK for desktops at home but not laptops in public places. I think it can be done with unbound, but I'm going to have to read a lot of documentation. Or maybe I'll just have to wait until Beowulf is officially released and stable.


#9 2020-02-07 23:45:14

Micronaut

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

The adventure continues. Unbelievably, I've got DNS-over-TLS working on Windows before Linux. But, there are nice example configs posted to the Unbound support mailing list... And *ix stuff is always more difficult to figure out.

But I got a surprise when I installed dnssec-trigger on one of my Linux test systems and then tried to test it. It seems that nslookup and dig are not installed by default anymore? If they are associated with bind (as part of bind-tools) could installing unbound have removed them? Would it possibly interfere with unbound to (re)install these bind-utils? Or will they work the same with unbound as they do with bind?


#10 2020-02-08 21:00:54

xinomilo

Re: Implementing DNSSEC and DNS-over-TLS with Unbound

using unbound and DoT with libredns.gr for some time now:

   forward-zone:
       name: "."
       forward-tls-upstream: yes
       forward-addr: 116.203.115.192@853   # libredns.gr

dnscrypt-proxy / tor-resolve also work with unbound.

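As an added example that is not from this thread, a stdlib-only Python probe that does by hand what the "check your DNS traffic is encrypted" advice earlier in the thread and the forward-zone above are about: it sends one query over TLS on port 853 (RFC 7858 framing), verifies the resolver's certificate and hostname, sets the EDNS DO bit, and reports whether the resolver returned the AD flag (its own DNSSEC validation). Note that unbound's forward-tls-upstream alone encrypts the upstream connection but only authenticates it when a tls-cert-bundle and an auth name after "#" in forward-addr are also configured. The script name dot_probe.py is assumed; the resolver IP and TLS name are supplied on the command line.

```python
import socket
import ssl
import struct

TXID = 0x1234  # fixed transaction id so responses can be matched deterministically

def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Wire-format query: RD=1, one question, plus an EDNS0 OPT record with the DO bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, UDP size 4096, ext-rcode 0, version 0, DO flag, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_flags(resp: bytes, txid: int = TXID) -> dict:
    """Decode the response header: rcode, answer count and the AD (authenticated data) bit."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": ancount}

def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full message arrived")
        buf += chunk
    return buf

def dot_query(name: str, server_ip: str, server_name: str, port: int = 853) -> dict:
    """One query over TLS on port 853 (RFC 7858), framed with the 2-byte length prefix of DNS over TCP."""
    ctx = ssl.create_default_context()  # verifies the chain against the system CA store and checks server_name
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_flags(_recv_exact(tls, length))

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: dot_probe.py NAME RESOLVER_IP RESOLVER_TLS_NAME")
    print(dot_query(sys.argv[1], sys.argv[2], sys.argv[3]))
```

A TLS handshake failure means the name or certificate did not check out; "ad": False on a name that is signed means the upstream is not validating, which is the case dnssec-trigger is meant to rule out.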

