I have been doing an effort to go full on DNSSEC on my system with the following setup:
dnscrypt-proxy
installed, up and running on 127.0.0.1 withrequire_dnssec = true
- systemd-resolved running, with
DNSSEC=yes
andDNS=127.0.0.1
- only
nameserver 127.0.0.1
in/etc/resolv.conf
- connected through NetworkManager to a WiFi network about which I know DHCP configuration sets 8.8.8.8 and 8.8.8.4 as DNS servers
/run/systemd/resolve/resolv.conf
lists 8.8.8.8 and 8.8.8.4 below 127.0.0.1.
resolvectl status
shows
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 127.0.0.1
DNS Servers: 127.0.0.1
in the Global section, but
DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 8.8.8.8
DNS Servers: 8.8.8.8
8.8.8.4
in my interface's section (why?).
tcpdump
shows no activity at all on udp:53 when using a web browser, dig, or other normal usage. This I take to mean that my local dnscrypt-proxy is dealing with all DNS requests on my system. I also assume that because of the configuration settings mentioned above, I am going DNSSEC all the way.
However, from time to time the journal contains lines like:
Nov 30 09:10:41 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question bolt.v.dropbox.com IN DS: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question bolt.v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question bolt.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN A: failed-auxiliary
resolvectl query v.dropbox.com
results in the same DNSSEC validation errordig v.dropbox.com
works just finedig v.dropbox.com @8.8.8.8
also works just fine (of course resulting in two lines of output fortcpdump
)
I also checked https://dnsleaktest.com, which tells me that a lot of 172.253.x.x servers are receiving a request to resolve domain names I enter into my webbrowser. These IPs seem to be owned by Google.
So, what does this mean? Is there any (non DNSSEC) querying going on on this system?
Any insights are appreciated!
Best Answer
If both
dnscrypt-proxy
andsystemd-resolved
are using127.0.0.1:53
, this should not be the case. You need to disablesystemd-resolved
as recommended by dnscrypt-proxy wiki, and also lock/etc/resolv.conf
for possible changes made by your Network Manager. So, here are the steps:systemd-resolved
:Check if there is anything else using the same
address:port
pair asdnscrypt-proxy
:sudo ss -lp 'sport = :domain'
. If there are, disable them.If
dnscrypt-proxy
is listening on127.0.0.1:53
andresolv.conf
hasnameserver 127.0.0.1
, addoptions edns0
(required to enable DNS Security Extensions) below thenameserver
entry inresolv.conf
so that it looks like:/etc/resolv.conf
file for changes:sudo chattr +i /etc/resolv.conf
.dnscrypt-proxy
.Overall, the point is to make sure that:
dnscrypt-proxy
is using127.0.0.1:53
resolv.conf
has the same address used bydnscrypt-proxy
resolv.conf
is protected from changes made by other software such as your Network Manager.Also, just because the dnsleak test shows Google IPs does not mean that the dns resolver service is operated by Google. It could be that the servers are owned by Google but operated by another entity. If you dont' want it, you can choose a different resolver from dnscrypt-proxy public resolvers list. Make sure that
dnssec
support is present for the selected resolver. I personally use dnscrypt.eu resolvers, which are no-log, no-filter, non-google and dnssec-enabled.References: