Maintained by: NLnet Labs

[Unbound-users] DNSSEC and traffic encryption questions

Beeblebrox
Thu Mar 6 12:20:13 CET 2014


It seems I finally figured out using dnscrypt + unbound + DNSSEC:
* Stop Unbound and specify the dnscrypt-proxy IP:port as "forward-addr" in
unbound.conf
* Start dnscrypt-proxy with below, where provider-key / provider-name is
whatever you choose from http://dnscrypt.org. For example:
dnscrypt_proxy_flags="-d -a <listen-ip>:port --provider-key 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --resolver-address=176.56.237.171:443"
* Now re-run: # unbound-anchor -a "/var/unbound/root.key", which will
refresh/reset the root.key to signature of forward-addr, which in turn is
the dnscrypt-proxy signature given when we started dnscrypt.
* Start Unbound and try your DNSSEC validation: drill -k
/var/unbound/root.key -TD com. SOA => comes back all "[T] trusted"
* One question: Should "unbound-anchor" be re-run periodically or on
unbound startup, or is the root.key self-refreshed by Unbound internals?
* Final bonus: I have all of this running in a FreeBSD jail, and pf
redirects to the dns-jail all port 53 traffic from internal LAN(s) and
other jails. Awesome!

Bright Star: Very interesting information. Thank you.

For Tor, I did not realize what port 9053 setting was until I got some IRC
help from the #tor channel. Apparently, 9053 listener just passes a regular
DNS lookup to the Tor exit node and uses whatever that exit node has
defined as DNS forward server. This is exactly the DNS leak problem
(non-encrypted traffic) and should be completely avoided, not to mention
the possibility of "malicious exit node" employing its own poisoned DNS
server - Avoid Completely.

However I have since become hesitant to use Tor-encryption for DNS, since
as you stated there currently is no DNSSEC structure inside Tor. DNSSEC is
not mandatory of course, but for non-dnssec, we at least know who the
counter party is (google, opendns or whomever), whereas inside a Tor layer,
you have absolutely no idea regarding the trust level of the DNS on the
exit node. Considering that Tor was designed for relaying (not
authenticating), Tor-encrypted DNS opens the user to a wide possibility of
DNS compromise IMHO. The sanest article I have come across re setup of
Tor-encrypted DNS lookups describes using dsocks (rather than socks):
https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor

Thanks to everyone for their help & Regards.
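
The forwarding setup described in the message above, written out as an unbound.conf fragment. This is an added example, not part of the original post or of the Unbound distribution; the loopback listener 127.0.0.1 port 5353 is an assumed value standing in for the post's <listen-ip>:port.

```conf
# unbound.conf fragment (added example; addresses and port are assumptions)
server:
    # Listen for clients on the jail/LAN side as appropriate; loopback shown here.
    interface: 127.0.0.1

    # Root zone trust anchor used for DNSSEC validation. With the "auto-"
    # variant Unbound tracks the root key itself using RFC 5011 probes and
    # rewrites this file, so the file must be writable by the unbound user.
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Treat answers that arrive without the expected DNSSEC records as bogus
    # instead of silently falling back to insecure.
    harden-dnssec-stripped: yes

    # By default Unbound refuses to send queries to localhost addresses.
    # This must be "no" when the forwarder (dnscrypt-proxy) listens on 127.0.0.0/8.
    do-not-query-localhost: no

forward-zone:
    # Forward every query to the local dnscrypt-proxy listener.
    name: "."
    # Unbound writes the port with "@", not ":" (assumed listener 127.0.0.1, port 5353).
    forward-addr: 127.0.0.1@5353
```

Validation still happens inside Unbound: the upstream resolver behind dnscrypt-proxy has to return DNSSEC records (RRSIG, DNSKEY, DS) for the validator to build a chain from the root anchor.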