DNSSEC resolver using BIND or Unbound

In fact I am an ISC fanboy, so I have been using BIND for as long as I can remember and never looked at other nameservers until a few weeks ago, when I set up Unbound as a resolver to see how it performs and how easy it is to configure. This post, however, is only about how to set both up and make sure they actually do DNSSEC validation.

BIND

/etc/bind/named.conf.acl

I use this file to define the hosts and networks that are allowed to use my DNS server as a resolver. network1, network2, ip1 and ip6 stand for your own prefixes and addresses.

acl mynetworks {
    network1/26;
    network2/27;
    ip1/32;
    ip6/128;
    localhost;
    localnets;
};

/etc/bind/named.conf.keys

This file holds the root zone's key-signing key as a managed key, so BIND tracks root key rollovers automatically per RFC 5011. The key below is the 2010 root KSK (key tag 19036). The root KSK was rolled over to a new key (key tag 20326) in October 2018: a resolver that was running with managed-keys during the rollover picked the new key up on its own, but a fresh install must start from the current anchor (published at https://data.iana.org/root-anchors/) or use dnssec-validation auto, which ships the current root key with BIND.

managed-keys {
   "." initial-key 257 3 8
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
     FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
     bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
     X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
     W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
     Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
     QxA+Uk1ihz0=";
};

Hint: managed-keys requires BIND 9.7 or newer; see: Using the root DNSSEC key in BIND 9 resolvers

/etc/bind/named.conf.options

In this file I set the working directory and enable DNSSEC validation. Recursion is disabled globally because it is enabled only for a specific view later. Note that dnssec-validation yes validates against the configured trust anchor (the managed-keys above) and does nothing useful without one; on BIND 9.8 and newer, dnssec-validation auto uses the root key built into BIND instead, and on 9.16 and newer dnssec-enable is obsolete and can be dropped.

options {
        directory "/var/cache/bind";
        dnssec-enable yes;
        dnssec-validation yes;
        recursion no;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

/etc/bind/named.conf.views

This file shows how I use views to split the resolver into internal clients (those in mynetworks, which are allowed to use it as a resolver) and external ones (which are not). I believe there was a reason why I set additional-from-auth and additional-from-cache to yes, but I don't remember it, so you might want to remove those two. Both are yes by default anyway, so dropping them changes nothing. One caveat: once a view statement exists, BIND requires every zone to be defined inside a view and refuses to load a configuration with zones at top level, so any zones in named.conf.local (which named.conf includes before the views) have to move into the internal view.

view "internal" in {
  match-clients { mynetworks; };
  recursion yes;
  additional-from-auth yes;
  additional-from-cache yes;
  allow-query-cache { any; };
  allow-query { any; };
  include "/etc/bind/named.conf.default-zones";
};
 
view "external" in {
  match-clients { any; };
  recursion no;
  allow-recursion { none; };
};

/etc/bind/named.conf

The named.conf just puts everything together by loading the configuration files above.

include "/etc/bind/named.conf.keys";
include "/etc/bind/named.conf.acl";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.views";

Unbound

/etc/unbound/unbound.conf

The configuration for Unbound is pretty simple. You might remove everything below "# use all cpus" and take a proper look at tuning Unbound instead; the documentation is good in that regard (num-threads should match the number of CPU cores, and so-reuseport needs Linux 3.9 or newer). Listening on all interfaces is safe with respect to open-resolver abuse only because of the access-control lines: Unbound's default for any client not listed is to refuse, with only localhost allowed.

server:
    interface: 0.0.0.0
    interface: ::0
    access-control: network1/27 allow
    access-control: network2/26 allow
    access-control: ip1/32 allow
    access-control: ip6/128 allow
    verbosity: 1
    # use all cpus
    num-threads: 2
    # faster udp with multithreading
    so-reuseport: yes
    # libevent
    outgoing-range: 8192
    num-queries-per-thread: 4096
    # statistics
    statistics-interval: 3600
    extended-statistics: yes

/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf

The part that makes it DNSSEC-aware is the root trust anchor. Debian's unbound package already ships this snippet and runs unbound-anchor, which fetches /var/lib/unbound/root.key and then keeps it current per RFC 5011, so the anchor survives a root KSK rollover without manual intervention. With an anchor configured, Unbound validates by default; just make sure val-permissive-mode stays at its default of no, otherwise bogus answers are handed to clients instead of SERVFAIL.

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Verification

I've just added DNSSEC to my blog domain, so let's check.

Unbound

root@dns-de2:~# dig @127.0.0.1 jeanbruenn.info. A +dnssec +multiline
 
; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> @127.0.0.1 jeanbruenn.info. A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36082
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jeanbruenn.info.	IN A
 
;; ANSWER SECTION:
jeanbruenn.info.	1200 IN	A 84.201.38.2
jeanbruenn.info.	1200 IN	RRSIG A 13 2 1200 (
				20170516223345 20170416220032 21415 jeanbruenn.info.
				vYKRPbv82/OS3Z4BGRuS73Pmt4/ZYFw5/u1hby5l1bPL
				nJhOQ0qguelqV+QfSliCdMeuup/yfT5WqJ3Xy37Cjg== )
 
;; Query time: 1174 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 17 12:21:08 CEST 2017
;; MSG SIZE  rcvd: 331

(The authority section was removed from the output above.) The important bits are:

  • The Authenticated Data flag in the header: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1. This is the one that proves validation: a validating resolver sets ad only after it has verified the chain of trust from the root down to the answer.
  • The DNSSEC OK (do) flag: ; EDNS: version: 0, flags: do; udp: 4096. This only echoes the +dnssec in the query; it asks the resolver to include signatures and says nothing about whether it validated them.
  • An RRSIG record with the same owner name as the A record, covering type A. The signature alone is not proof either: a non-validating resolver passes RRSIGs through untouched when do is set.

BIND

Let’s check if the BIND-resolver gets the same results

root@resolver1:~# dig @127.0.0.1 jeanbruenn.info. A +dnssec +multiline
 
; <<>> DiG 9.9.5-9+deb8u8-Debian <<>> @127.0.0.1 jeanbruenn.info. A +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59494
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;jeanbruenn.info.	IN A
 
;; ANSWER SECTION:
jeanbruenn.info.	227 IN A 84.201.38.2
jeanbruenn.info.	227 IN RRSIG A 13 2 1200 (
				20170516223345 20170416220032 21415 jeanbruenn.info.
				vYKRPbv82/OS3Z4BGRuS73Pmt4/ZYFw5/u1hby5l1bPL
				nJhOQ0qguelqV+QfSliCdMeuup/yfT5WqJ3Xy37Cjg== )
 
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 17 06:28:04 EDT 2017
;; MSG SIZE  rcvd: 171

  • AD flag (the proof of validation): ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
  • DO flag (only echoes the +dnssec in the query): ; EDNS: version: 0, flags: do; udp: 4096
  • RRSIG: jeanbruenn.info. 227 IN RRSIG A 13 2 1200 (
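As an added example (not part of the original post), the three checks above turned into a small POSIX shell script. It parses dig output, so the classifier runs offline against constructed samples; the live mode assumes dig is installed and a resolver on 127.0.0.1, and adds a negative test the post does not do, using dnssec-failed.org, a public zone with deliberately invalid signatures.

```shell
#!/bin/sh
# Added example, not from the original post: turn the manual AD/DO/RRSIG
# inspection into something scriptable. Parsing needs only sed and grep;
# the live part assumes dig (bind9-dnsutils / bind-utils) and uses
# dnssec-failed.org, a public zone with broken signatures, as the
# negative test.

# Header flags of a dig answer, e.g. "qr rd ra ad".
header_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# RCODE of a dig answer, e.g. NOERROR or SERVFAIL.
rcode() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# Number of RRSIG records in the answer (0 for an unsigned zone, or when
# the query was sent without +dnssec and the resolver left them out).
rrsig_count() {
    printf '%s\n' "$1" | grep -Ec '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' || true
}

# classify DIG_OUTPUT -> SECURE | INSECURE | BOGUS | other RCODE
#   SECURE   NOERROR with the ad flag and an RRSIG: the resolver validated.
#   INSECURE NOERROR without ad: unsigned zone, or a resolver that does
#            not validate. The do flag only echoes what dig asked for.
#   BOGUS    SERVFAIL: validation failed, or the resolver is just broken;
#            check_live tells the two apart with +cd.
classify() {
    _rc=$(rcode "$1")
    case "$_rc" in
        NOERROR)
            case " $(header_flags "$1") " in
                *" ad "*) [ "$(rrsig_count "$1")" -gt 0 ] && echo SECURE || echo INSECURE ;;
                *)        echo INSECURE ;;
            esac ;;
        SERVFAIL) echo BOGUS ;;
        *)        echo "${_rc:-UNKNOWN}" ;;
    esac
}

# Constructed samples (trimmed dig output, modelled on the answers above)
# so the classifier can be exercised without a resolver.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36082
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
jeanbruenn.info.  1200 IN A 84.201.38.2
jeanbruenn.info.  1200 IN RRSIG A 13 2 1200 ( 20170516223345 20170416220032 21415 jeanbruenn.info. vYKRPbv82/OS3Z4BGRuS73Pmt4/ZYFw5/u1hby5l1bPL nJhOQ0qguelqV+QfSliCdMeuup/yfT5WqJ3Xy37Cjg== )'

# Same name from a resolver that does not validate: no ad flag.
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
jeanbruenn.info.  1200 IN A 84.201.38.2'

# What a validating resolver returns for a zone whose signatures are bad.
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live check: a signed name must be SECURE; the broken test zone must be
# BOGUS with validation on but answer (NOERROR) with +cd, which proves
# the SERVFAIL came from validation and not from a dead resolver.
check_live() {
    _srv=$1
    echo "signed zone:     $(classify "$(dig @"$_srv" jeanbruenn.info. A +dnssec)") (expect SECURE)"
    echo "broken zone:     $(classify "$(dig @"$_srv" dnssec-failed.org. A +dnssec)") (expect BOGUS)"
    echo "broken zone +cd: $(rcode "$(dig @"$_srv" dnssec-failed.org. A +dnssec +cd)") (expect NOERROR)"
}

# Usage: sh dnssec-check.sh                  # classify the built-in samples
#        sh dnssec-check.sh --live 127.0.0.1 # query a real resolver
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-127.0.0.1}"
else
    echo "sample SECURE   -> $(classify "$SAMPLE_SECURE")"
    echo "sample INSECURE -> $(classify "$SAMPLE_INSECURE")"
    echo "sample BOGUS    -> $(classify "$SAMPLE_BOGUS")"
fi
```

The negative test is the part worth keeping: a resolver that does not validate at all answers the broken zone with NOERROR exactly like the good one, and only the missing ad flag gives it away, whereas a SERVFAIL that turns into an answer with +cd is the signature of validation actually happening.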

So it works. Make sure that only validating resolvers are listed in /etc/resolv.conf: the stub resolver falls back to the next nameserver in the list when one fails, and a non-validating one silently hands out unvalidated answers. Also remember that the ad bit is only as trustworthy as the path between client and resolver; it is fine over localhost, but over an untrusted network it can be stripped or forged unless the client validates itself.
