security settings

Hello

Using the setup below, how to configure unbound for strict security or not.

Config 1: strict security, do not allow “insecure and unsigned” resolves to the downstream client?

Config 2: less secure, allow resolves that are not signed to the downstream client?

The resolv.conf will contain the “nameserver IP address” for the local host. This is the IP address that the unbound daemon uses to monitor DNS client queries.

(attachments)

image002.emz (1.63 KB)
image003.emz (1.47 KB)
image004.png


Subject: security settings

Using the setup below, how to configure unbound for strict security or not.

I'm a little confused about the "setup below". You list some software
and APIs.

Config 1: strict security, do not allow “insecure and unsigned” resolves to the downstream client?

In general, there is no such setting for DNS because it is normal for
DNS zones to be unsigned and not use DNSSEC. Those that do use DNSSEC
are automatically protected against "DNSSEC stripping", so receiving
unsigned answers will never compromise signed domains.

Config 2: less secure, allow resolves that are not signed to the downstream client?

As I said, this is the normal mode of operation.

The resolv.conf will contain the “nameserver IP address” for the local host. This is the IP address that
the unbound daemon uses to monitor DNS client queries.

strongswan curl plugin gethostbyname()

I don't know what you mean here. strongswan is an IKE daemon, and I do
believe it has some DNSSEC support but I'm not aware that resolving
hosts with it required DNSSEC.

I am more familiar with libreswan, another IKE daemon, which does use
libunbound and DNSSEC and will always validate the DNSSEC answers even
if the local server listed in resolv.conf supports DNSSEC. It does
provide for an enable-dnssec=no override.

I don't know if curl/libcurl supports DNSSEC. A quick check with ldd
does not show a known DNSSEC-capable resolver being linked.

gethostbyname() simply does not support DNSSEC. Its API predates DNSSEC
by 20+ years.

Paul

Hello Paul

I thought unbound supports downstream clients.

If that is the case any DNS capable app can point to "unbound daemon" and have it resolve or forward DNSSEC requests.

The "unbound daemon" would monitor for client DNS quires on 127.0.0.1 "what the typical resolv.conf nameserver is set for".

Is this true?

Yes. unbound is a recursive DNS server.

Paul

Hello Paul

Experimenting using "unbound daemon" as a recursive DNS server.

I created a test-gethostbyname app that resolves www.msn.com.
The resolve was successful and looking at the log file (wqar-unbound.log) DNSSEC was used.

Am I missing something?

Method 3c, unbound daemon listening for local DNS queries
Note:
  same setup as: Method 3a, Authentication Servers (how unbound tries to contact)
  except resolv.conf is set to "nameserver 127.0.0.1"
  use test app to send local DNS to "unbound daemon" using gethostbyname()
  /etc/hosts
    empty file
  /var/run/resolv.conf
    cat /var/run/resolv.conf
    nameserver 127.0.0.1
    this file is linked to /etc/resolv.conf (this is already done at boot)
  /var/lib/unbound/root.key
    cp /usr/local/etc/unbound/root.key /var/lib/unbound/
  /usr/local/etc/unbound/unbound.conf
    ip addr show ppp0
    outgoing-interface: x.x.x.x

update unbound.conf for outgoing-interface: x.x.x.x to point to ppp0
/usr/sbin/unbound -d -vvvvv -c /usr/local/etc/unbound/unbound.conf &
test-gethostbyname
Results
  note: takes a few attempts before returning data (may want to increase timeouts)
  test-gethostbyname
  main start.
  main h_name a-0003.a-msedge.net
  main h_aliases[0] www.msn.com
  main h_aliases[1] www-msn-com.a-0003.a-msedge.net
  main h_addrtype 2
  main h_length 4
  main h_addr_list[0] 204.79.197.203
  main finished.

(attachments)

wqar-unbound.log (558 KB)
resolv.conf (21 Bytes)
test-gethostbyname.c (2.9 KB)
unbound.conf (40.9 KB)
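An added example, not the thread's test-gethostbyname.c: gethostbyname() only hands back addresses, so the only way a downstream client can learn whether unbound validated an answer is to speak DNS itself, send the EDNS0 DO bit, and read the AD bit in the reply header (meaningful only over a path to the resolver the client trusts, such as 127.0.0.1). The sample headers below are constructed, not taken from wqar-unbound.log.

```c
#include <string.h>

/* DNS header flag bits (RFC 1035; AD defined in RFC 4035 section 3.2.3). */
#define DNS_FLAG_AD 0x0020u   /* Authentic Data: the resolver validated this answer */

/* Return 1 if the AD bit is set in a raw DNS response, 0 if not, -1 if too short. */
int dns_ad_bit(const unsigned char *resp, size_t len) {
    if (len < 12) return -1;                       /* a DNS header is 12 bytes */
    unsigned flags = ((unsigned)resp[2] << 8) | resp[3];
    return (flags & DNS_FLAG_AD) ? 1 : 0;
}

/* Build an A query for `name` carrying an EDNS0 OPT record with the DO bit
   (RFC 6891): without DO the resolver will not return DNSSEC records or set AD.
   Returns the query length, or -1 if the name is invalid or does not fit. */
int build_dnssec_query(const char *name, unsigned char *buf, size_t cap) {
    size_t pos = 12, i = 0;
    if (cap < 12 + strlen(name) + 2 + 4 + 11) return -1;
    memset(buf, 0, 12);
    buf[0] = 0x12; buf[1] = 0x34;        /* transaction id: fixed here, random in real use */
    buf[2] = 0x01;                       /* flags: RD=1, nothing else */
    buf[5] = 1;                          /* QDCOUNT = 1 */
    buf[11] = 1;                         /* ARCOUNT = 1, the OPT pseudo-RR */
    while (name[i]) {                    /* QNAME as length-prefixed labels */
        size_t start = i;
        while (name[i] && name[i] != '.') i++;
        size_t lablen = i - start;
        if (lablen == 0 || lablen > 63) return -1;
        buf[pos++] = (unsigned char)lablen;
        memcpy(buf + pos, name + start, lablen);
        pos += lablen;
        if (name[i] == '.') i++;
    }
    buf[pos++] = 0;                      /* root label terminates QNAME */
    buf[pos++] = 0; buf[pos++] = 1;      /* QTYPE  = A */
    buf[pos++] = 0; buf[pos++] = 1;      /* QCLASS = IN */
    buf[pos++] = 0;                      /* OPT: owner name is root */
    buf[pos++] = 0; buf[pos++] = 41;     /* OPT: TYPE 41 */
    buf[pos++] = 0x10; buf[pos++] = 0;   /* OPT: UDP payload size 4096 */
    buf[pos++] = 0; buf[pos++] = 0;      /* OPT: extended RCODE 0, version 0 */
    buf[pos++] = 0x80; buf[pos++] = 0;   /* OPT: flags, DO bit set */
    buf[pos++] = 0; buf[pos++] = 0;      /* OPT: RDLENGTH 0 */
    return (int)pos;
}

/* Constructed sample headers (not from the thread's log): id 0x1234, QR+RD+RA
   set, one question and one answer; only the AD bit differs between them. */
const unsigned char sample_validated_hdr[12] = {0x12,0x34,0x81,0xa0,0,1,0,1,0,0,0,0};
const unsigned char sample_unsigned_hdr[12]  = {0x12,0x34,0x81,0x80,0,1,0,1,0,0,0,0};
```

Send the query over UDP to 127.0.0.1:53 and run dns_ad_bit() on the reply; AD=0 for an unsigned zone is the normal case Paul describes, not a failure.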