Unbound dns (6/8/2023)

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31328
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

Make a DNS request with dig -p 5300 while capturing the traffic with sudo tcpdump host 2a05:fc84::42 -w tls.pcap. All DNS traffic is now wrapped in a TLS connection.

To protect the DNS responses against modification, we will use DNSSEC. Unbound checks DNS responses against known public keys. These keys MUST be updated initially and kept up to date regularly. The initial update must be done manually, whereas Unbound updates them regularly while running.

Make sure that the key file is part of your configuration: cat /etc/unbound//nf

# The following line will configure unbound to perform cryptographic
# DNSSEC validation using the root trust anchor.
auto-trust-anchor-file: "/var/lib/unbound/root.key"

Update the keys with sudo -u unbound unbound-anchor and restart Unbound with sudo systemctl restart unbound.

Testing with a valid DNSSEC enabled domain: dig -p 5300 +dnssec

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24444
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

Status is SERVFAIL and no address was resolved.

The final config with 4 upstream resolvers incl. some minor tweaks for speed/privacy:

server:
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
# performance optimizations (costs more traffic and/or CPU)

The only thing left is to set the local Unbound instance as upstream resolver:

Encrypting DNS traffic with DNS-over-TLS can NOT completely protect your privacy. The DNS requests and responses will be encrypted and are authenticated with DNSSEC.

This article is about how to set up recursive DNS servers; DNSSEC will be covered in a follow-up article.

Turning off recursion in authoritative DNS servers

In the options section of the BIND DNS configuration, make sure you have the following line in /etc/nf: allow-recursion

If you are using a different DNS server software, check the vendor manual. After a restart, check if it is working:

~]$ dig
; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>>
;; global options: +cmd
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58272
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

Unbound is a very secure, lightweight and high-performance DNS server for validating, recursion and caching of queries. It's astonishing how easy it is to configure Unbound.

Installation on RHEL7, Fedora and probably other Linux and BSD distributions is easy:

recursor1:~# yum -y install unbound

For this example, all configuration is made in /etc/unbound/nf

First you must define on which IPs Unbound should listen. The next default that needs to be changed is the access control. In this example you will allow access from two of your RFC 1918 subnets and the RFC 3849 IPv6 range.

access-control: 0.0.0.0/0 refuse

Forward PTR queries to your RFC 1918 zones

Unbound has a nice default setting: it ignores any PTR queries for the RFC 1918 ranges to avoid sending queries to the blackhole servers. In this example, we need to change this behavior to allow queries for our internal networks 192.168.1.0 and 192.168.2.0.

Next up: forward these queries to our internal DNS server infrastructure (i.e. IPA or MS-DNS or simply BIND):

forward-zone:

This will forward queries at random to the DNS servers ipa1, ipa2 and.

The final step is to (re)configure your clients to use the newly set up recursive DNS servers.
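As an added example (not the author's own configuration), here is a complete Unbound config that applies the changes from the recursive-resolver article in one file, together with the root trust anchor from the DNSSEC follow-up. The listen addresses, the internal zone name corp.example. and the ipa1/ipa2 addresses are constructed placeholders; the domain-insecure and private-domain lines are my assumption, added so that a validating Unbound does not try to validate the unsigned internal zones or strip the RFC 1918 addresses they return.

```conf
server:
    # Listen on the internal addresses only (constructed example addresses)
    interface: 192.168.1.53
    interface: 2001:db8::53

    # Refuse everything, then allow the two RFC 1918 subnets, loopback and
    # the RFC 3849 documentation prefix
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.2.0/24 allow
    access-control: 2001:db8::/32 allow

    # Unbound answers 168.192.in-addr.arpa itself by default so the AS112
    # blackhole servers are never asked; switch that off so the two reverse
    # zones below can be forwarded to the internal servers instead
    local-zone: "168.192.in-addr.arpa." nodefault

    # Assumption: the internal zones are not DNSSEC-signed, so exclude them
    # from the chain of trust instead of letting validation fail on them
    domain-insecure: "168.192.in-addr.arpa."
    domain-insecure: "corp.example."

    # If private-address is set (as in many distro configs), RFC 1918
    # addresses in answers are dropped as rebinding; allow them for the
    # internal forward zone (corp.example. is a constructed name)
    private-domain: "corp.example."

    # DNSSEC validation with the root trust anchor; initialise the key file
    # once with "sudo -u unbound unbound-anchor" before the first start
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# ipa1 / ipa2 stand for the internal servers; the addresses are constructed.
# Unbound picks one of the listed forwarders per query.
forward-zone:
    name: "1.168.192.in-addr.arpa."
    forward-addr: 192.168.1.10
    forward-addr: 192.168.1.11

forward-zone:
    name: "2.168.192.in-addr.arpa."
    forward-addr: 192.168.1.10
    forward-addr: 192.168.1.11

forward-zone:
    name: "corp.example."
    forward-addr: 192.168.1.10
    forward-addr: 192.168.1.11
```

Run unbound-checkconf on the file before restarting; it reports any unknown directive or malformed netblock.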