DNSSEC – Going All-In on DNS Security Extensions

digdnsdnscryptresolv.confsystemd-resolved

I have been doing an effort to go full on DNSSEC on my system with the following setup:

dnscrypt-proxy installed, up and running on 127.0.0.1 with require_dnssec = true
systemd-resolved running, with DNSSEC=yes and DNS=127.0.0.1
only nameserver 127.0.0.1 in /etc/resolv.conf
connected through NetworkManager to a WiFi network about which I know DHCP configuration sets 8.8.8.8 and 8.8.8.4 as DNS servers

/run/systemd/resolve/resolv.conf lists 8.8.8.8 and 8.8.8.4 below 127.0.0.1.

resolvectl status shows

DNSSEC setting: yes
DNSSEC supported: yes
Current DNS Server: 127.0.0.1
DNS Servers: 127.0.0.1

in the Global section, but

 DNSSEC setting: yes
 DNSSEC supported: yes
 Current DNS Server: 8.8.8.8
 DNS Servers: 8.8.8.8
                           8.8.8.4

in my interface's section (why?).

tcpdump shows no activity at all on udp:53 when using a web browser, dig, or other normal usage. This I take to mean that my local dnscrypt-proxy is dealing with all DNS requests on my system. I also assume that because of the configuration settings mentioned above, I am going DNSSEC all the way.

However, from time to time the journal contains lines like:

Nov 30 09:10:41 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question bolt.v.dropbox.com IN DS: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question bolt.v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:41 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question bolt.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question v.dropbox.com IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question d.v.dropbox.com IN A: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN SOA: failed-auxiliary
Nov 30 09:10:43 tuxifaif systemd-resolved[179937]: DNSSEC validation failed for question d2e801s7grwbqs.cloudfront.net IN A: failed-auxiliary

resolvectl query v.dropbox.com results in the same DNSSEC validation error
dig v.dropbox.com works just fine
dig v.dropbox.com @8.8.8.8 also works just fine (of course resulting in two lines of output for tcpdump)

I also checked https://dnsleaktest.com, which tells me that a lot of 172.253.x.x servers are receiving a request to resolve domain names I enter into my webbrowser. These IPs seem to be owned by Google.

So, what does this mean? Is there any (non DNSSEC) querying going on on this system?

Any insights are appreciated!

Best Answer

If both dnscrypt-proxy and systemd-resolved are using 127.0.0.1:53, this should not be the case. You need to disable systemd-resolved as recommended by dnscrypt-proxy wiki, and also lock /etc/resolv.conf for possible changes made by your Network Manager. So, here are the steps:

Disable systemd-resolved:

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved

Check if there is anything else using the same address:port pair as dnscrypt-proxy: sudo ss -lp 'sport = :domain'. If there are, disable them.
If dnscrypt-proxy is listening on 127.0.0.1:53 and resolv.conf has nameserver 127.0.0.1, add options edns0(required to enable DNS Security Extensions) below the nameserver entry in resolv.conf so that it looks like:

nameserver 127.0.0.1
options edns0

Lock /etc/resolv.conf file for changes: sudo chattr +i /etc/resolv.conf.
You might want to restart dnscrypt-proxy.

Overall, the point is to make sure that:

Only dnscrypt-proxy is using 127.0.0.1:53
resolv.conf has the same address used by dnscrypt-proxy
resolv.conf is protected from changes made by other software such as your Network Manager.

Also, just because the dnsleak test shows Google IPs does not mean that the dns resolver service is operated by Google. It could be that the servers are owned by Google but operated by another entity. If you dont' want it, you can choose a different resolver from dnscrypt-proxy public resolvers list. Make sure that dnssec support is present for the selected resolver. I personally use dnscrypt.eu resolvers, which are no-log, no-filter, non-google and dnssec-enabled.

References:

Related Solutions

BIND9: DNS resolves sometimes (!) take very long or don’t work at all

After more research, the problem appears to be the following:

The initial setup contained both forwarders that were DNSSEC-capable (GoogleDNS 8.8.8.8, 8.8.4.4) and some that weren't (OpenDNS 208.67.222.222, 208.67.220.220). I had BIND9 running with DNSSEC fully enabled, as per the following configuration:

dnssec-enable      yes;
dnssec-validation  yes;
dnssec-lookaside   auto;

a) Whenever a request (A?) was forwarded to the GoogleDNS servers, my_server got a reply (A), sent a DNSSEC-query (DS?) and got a proper answer. Resolution done, signature confirmed, all working like a charm, case closed (see above, the normal case).

b) Whenever a request (A?) was forwarded to the OpenDNS servers, my_server got a reply (A), sent a DNSSEC-query (DS?) which OpenDNS failed to answer properly as it does not support DNSSEC. So BIND9 threw an error in syslog, stating that it got insecure response and tried to get it's DNSSEC-validation elsewhere (see above, the problematic case).

I still don't fully understand what happened then, but obviously that's when the hiccups started. Now I don't know if the GoogleDNS-servers didn't like giving out DS?-answers without having served the corresponding A?-query first. But in both of the problematic cases (sueddeutsche.net, dasoertliche.de) it seems that the entries were also not properly signed so DNSSEC didn't produce correct validation. So DNSSEC-lookaside validation (DLV) was started (Type32769?) and again it all went south. No idea why.

c) Solution: After all this, I have done the following and have not yet run into any problem (so it seems the question is solved):

First, I switched forwarders to only

forwarders         { 8.8.8.8; 8.8.4.4; };

so that there's no longer a mixup of DNSSEC support. Second, I commented out

//dnssec-lookaside   auto;

because after digging through lots of tcpdumps, it appears that whenever resolution is slow, the delays are either caused by GoogleDNS taking some time to give back an answer (very rarely happens) or - regularly - happen during DLV. Since DLV is currently being phased out anyway with entries no longer available in 2017

https://www.isc.org/blogs/dlv/

I believe that's acceptable from a security-standpoint.

Now an alternative solution would be to ditch the GoogleDNS servers and only use OpenDNS as forwarders. But then I'd have to comment out all dnssec-entries mentioned above completely disabling DNSSEC, because OpenDNS does not support it. That would leave my dns queries open to attacks which would require adding an alternative layer of security like dnscrypt (as mentioned by Rui F Ribeiro). While that looks like a worthwile project (as it completely encrypts dns traffic, therefore not only keeping it unaltered but also unreadable by attackers), it's a little over my current time budget.

Any DNS experts out there who want to chime in if the explanations above make sense?

Systemd-Resolved – Why Doesn’t It Use My Local DNS Server?

So, changing my wired eth0 interface to be managed solved this issue for me.

Changing ifupdown to managed=true in /etc/NetworkManager/NetworkManager.conf

[ifupdown]
managed=true

Then restart NetworkManager

sudo systemctl restart NetworkManager

After this it works flawlessly..

This was not 100%. I also applied theses changes to try and kill resolver

sudo service resolvconf disable-updates
sudo update-rc.d resolvconf disable
sudo service resolvconf stop

Big thanks to this blog post regarding the subject: https://ohthehugemanatee.org/blog/2018/01/25/my-war-on-systemd-resolved/

Lets pray this works.. This whole systemd-resolve business is just so ugly.

Best Answer

Related Solutions

BIND9: DNS resolves sometimes (!) take very long or don’t work at all

Systemd-Resolved – Why Doesn’t It Use My Local DNS Server?

Related Question