Trusting a dnsmasq stub

Markus Gutschke (顧孟勤)
Wed Apr 12 21:10:26 CEST 2017


I have configured "unbound" with a stub resolver pointing to my "dnsmasq"
DHCP server and a forward resolver pointing to Google's DNS servers. A
simplified version of my configuration file looks something like this:

server:
  do-not-query-localhost: no
  local-zone:             "168.192.in-addr.arpa." nodefault

  private-address:        10.0.0.0/8
  private-address:        169.254.0.0/16
  private-address:        172.16.0.0/12
  private-address:        192.168.0.0/16
  private-address:        fd00::/8
  private-address:        fe80::/10
  private-address:        ::ffff:0:0/96

  private-domain:         "dnsmasq.example.com"
  domain-insecure:        "dnsmasq.example.com"
  domain-insecure:        "168.192.in-addr.arpa"

stub-zone:
  name:                   "dnsmasq.example.com."
  stub-addr:              192.168.x.y

stub-zone:
  name:                   "168.192.in-addr.arpa."
  stub-addr:              192.168.x.y

forward-zone:
  name:                   "."
  forward-addr:           8.8.8.8
  forward-addr:           8.8.4.4


In general, this works beautifully and does exactly what it should do.
"Unbound" returns validated results for the internet at large, and it also
provides dynamically updated results as hosts appear and disappear from the
DHCP-managed local area network.

The only wrinkle in this picture is that while "dnsmasq" happily sets the
AD flag, "unbound" immediately strips it again. At the root of it, this is
of course a limitation in "dnsmasq", which doesn't know how to sign results
with DNSSEC. To make matters worse, I have a similarly configured stub
resolver that returns the hosts in my "LXD" cluster, and thanks to some
additional unfortunate limitations in "dnsmasq", for that particular
instance, I can't even configure "dnsmasq" to set the AD flag on results
that it is authoritative for.

I have looked for proxies that can take the results from "dnsmasq" and sign
them with DNSSEC. But as far as I can tell, no such thing exists. So, that
brings me to my question for "unbound". As all the servers run on the same
physical machine and use trusted internal communication, I know I can trust
the results received from "dnsmasq". Is there a way that I can teach
"unbound" to set the AD flag (and possibly even the AA flag) for any of the
stub resolvers?

Would that be something I could do in a module? Or could I patch my
instance of "unbound" to have this additional feature? I realize that it
probably goes a little bit against the philosophy of "unbound". So, if
there is another solution that would be considered kosher and that provides
the same ultimate result, then please do enlighten me.

I searched the mailing list archives, and while I occasionally see people
asking about similar features, I have not been able to find an answer to my
question.


Markus
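A setup like the one in the post only works when several server-level options line up with each stub-zone, and a missing one fails quietly (empty or SERVFAIL answers rather than a config error). The script below is an added example, not code from the post or from the Unbound project: it parses the subset of unbound.conf syntax used above and reports the omissions that would break this arrangement. It assumes unbound's documented behaviour for these options (private-address answers are dropped unless the zone is a private-domain, the built-in local zones for RFC 1918 reverse space must be switched off with nodefault, do-not-query-localhost defaults to yes), it assumes every stub needs domain-insecure because dnsmasq serves unsigned data, and it uses 192.168.1.1 as a constructed stand-in for the poster's 192.168.x.y. It says nothing about the AD flag question itself.

```python
"""Sanity-check an unbound.conf fragment mixing private-LAN stub zones with a
validating forwarder. Added example, not code from the post or from Unbound.
check() returns (zone, code) pairs; codes: private-domain, domain-insecure,
nodefault, query-localhost, forward-root (see the comments in check()).
"""
import ipaddress
import shlex
from collections import defaultdict


def parse_unbound_conf(text):
    """Return (server, stubs, forwards): option -> list of token lists."""
    server, stubs, forwards, current = defaultdict(list), [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # strip comments
        if not line:
            continue
        key, _, rest = line.partition(":")
        tokens = shlex.split(rest)                          # handles quotes
        if tokens and current is not None:                  # "key: value"
            current[key].append(tokens)
        elif tokens or key not in ("server", "stub-zone", "forward-zone"):
            raise ValueError(f"unexpected line: {raw!r}")
        elif key == "server":
            current = server
        else:                                               # new zone clause
            current = defaultdict(list)
            (stubs if key == "stub-zone" else forwards).append(current)
    return server, stubs, forwards

def norm(zone):
    """Canonical zone name: lower case, no trailing dot ("." becomes "")."""
    return zone.lower().rstrip(".")

def ip_of(addr):
    """unbound accepts "addr@port"; the port is irrelevant here."""
    return ipaddress.ip_address(addr.split("@", 1)[0])

def private_reverse_zone(zone, ranges):
    """True for an in-addr.arpa zone inside a private IPv4 range (ip6.arpa
    is not handled in this example)."""
    z, suffix = norm(zone), ".in-addr.arpa"
    if not z.endswith(suffix):
        return False
    octets = z[:-len(suffix)].split(".")
    if not (1 <= len(octets) <= 3 and all(o.isdigit() for o in octets)):
        return False
    prefix = ".".join(reversed(octets)) + ".0" * (4 - len(octets))
    net = ipaddress.ip_network(f"{prefix}/{8 * len(octets)}")
    return any(net.subnet_of(r) for r in ranges if r.version == 4)

def check(text):
    server, stubs, forwards = parse_unbound_conf(text)
    ranges = [ipaddress.ip_network(t[0]) for t in server["private-address"]]
    private_domains = {norm(t[0]) for t in server["private-domain"]}
    insecure = {norm(t[0]) for t in server["domain-insecure"]}
    nodefault = {norm(t[0]) for t in server["local-zone"]
                 if len(t) > 1 and t[1] == "nodefault"}
    problems = []
    for zone in stubs:
        name = norm(zone["name"][0][0])
        addrs = [t[0] for t in zone["stub-addr"]]
        # stub answers carrying private IPs are dropped unless private-domain
        if (not name.endswith(".arpa") and name not in private_domains
                and any(ip_of(a) in r for a in addrs for r in ranges)):
            problems.append((name, "private-domain"))
        # assumed: dnsmasq data is unsigned, so validation must be disabled
        if name not in insecure:
            problems.append((name, "domain-insecure"))
        # unbound's built-in AS112-style local zone would answer first
        if private_reverse_zone(name, ranges) and name not in nodefault:
            problems.append((name, "nodefault"))
    upstreams = [t[0] for z in stubs + forwards
                 for t in z["stub-addr"] + z["forward-addr"]]
    if (server["do-not-query-localhost"] != [["no"]]
            and any(ip_of(a).is_loopback for a in upstreams)):
        problems.append(("*", "query-localhost"))   # default refuses loopback
    if not any(norm(z["name"][0][0]) == "" for z in forwards):
        problems.append((".", "forward-root"))
    return problems

# Constructed from the post, with 192.168.1.1 standing in for 192.168.x.y.
GOOD_CONF = """\
server:
  do-not-query-localhost: no
  local-zone:       "168.192.in-addr.arpa." nodefault
  private-address:  192.168.0.0/16
  private-address:  fd00::/8
  private-domain:   "dnsmasq.example.com"
  domain-insecure:  "dnsmasq.example.com"
  domain-insecure:  "168.192.in-addr.arpa"
stub-zone:
  name:             "dnsmasq.example.com."
  stub-addr:        192.168.1.1   # dnsmasq on the LAN
stub-zone:
  name:             "168.192.in-addr.arpa."
  stub-addr:        192.168.1.1
forward-zone:
  name:             "."
  forward-addr:     8.8.8.8
  forward-addr:     8.8.4.4
"""

def without(text, needle):
    """Drop every line containing needle, to build weakened variants."""
    return "\n".join(l for l in text.splitlines() if needle not in l)
```

Running check(GOOD_CONF) on the configuration as posted returns an empty list; deleting the private-domain line, the nodefault line, or the domain-insecure lines each produces the corresponding code, and pointing the stubs at 127.0.0.1 without do-not-query-localhost: no produces query-localhost. The checks are deliberately conservative: a stub that serves signed data would not need domain-insecure, and ip6.arpa reverse zones are not inspected.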