Hi everyone. I'm having some problems properly configuring unbound to use DNSSEC.
unbound is currently configured as the DNS resolver for my desktop following the steps in https://wiki.archlinux.org/title/Unbound - 2 Configuration - 2.1 Local DNS server - 2.2 Root hints.
I managed to make 2.3 DNSSEC validation work on a wifi network at my parents but now that I'm at home I'm getting the following error message when running "systemctl status unbound":
"failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN"
I disabled DNSSEC via commenting the trust-anchor-file entry in /etc/unbound/unbound.conf and unbound seems to be working as I can resolve DNS queries.
I have checked that my clock is synchronized with "timedatectl status" and I have regenerated the trusted-key.key file using unbound-anchor without success.
My resolv.conf and unbound.conf are really simple:
/etc/resolv.conf
# Generated by resolvconf
nameserver ::1
nameserver 127.0.0.1
options trust-ad
/etc/unbound/unbound.conf
server:
verbosity: 1
root-hints: "/etc/unbound/root.hints"
No forwarding, nothing else: this same setup with the trust-anchor-file was working perfectly on another wifi network and now it's not working. Any ideas?
Last edited by archjohn (2022-01-10 17:05:31)
Please use code tags for file contents.
Do you have the optional dependency "expat" installed? (https://wiki.archlinux.org/title/Unboun … stallation)
Does /etc/unbound contain the file trusted-key.key?
Last edited by Xyne (2022-01-03 02:17:46)
Yes to both. I'll try to learn how to use code tags in the future.
I've been trying to get it working by trying different trusted-key.key files, namely the one that comes with the unbound package and the one generated by unbound-anchor (they are substantially different, btw), and also by enabling the auto-trust-anchor-file entry in /etc/unbound/unbound.conf, without success: I'm still getting the same error message from systemctl, and a ping gives me the "Temporary failure in name resolution" error message.
Last edited by archjohn (2022-01-03 02:42:18)
Interesting finding:
I'm currently connected to an open wifi without any kind of security (I'm on a train) and DNSSEC validation with unbound works flawlessly with the original trusted-key.key file (I haven't tested the one generated with unbound-anchor). This is the same configuration I was using successfully at my parents' house.
I'm starting to think there might be a problem with my home connection: I'm using a low cost internet access provider who is renting the infrastructure of a bigger internet access provider. Could that in any way affect unbound's ability to successfully resolve DNSSEC queries?
Additional considerations:
- At my parents, I was using a fixed IP configured within a netctl profile, managed with netctl-auto --> DNSSEC functional
- At home, I was using a fixed IP configured within a netctl profile, managed with netctl-auto --> DNSSEC failed
- on the train, I'm using a dhcp provided IP within a netctl profile, managed with netctl-auto --> DNSSEC functional
Have you checked that your low-cost provider does not hijack DNS and always responds with their own resolver?
Have you checked that your low-cost provider does not hijack DNS and always responds with their own resolver?
Maybe I should have included that in my first post:
I ran https://www.dnsleaktest.com/ on my home connection (without DNSSEC enabled obviously) and I was getting results for 6 DNS servers belonging to the bigger internet access provider, not results corresponding to my IP (which would have indicated unbound with DNSSEC working correctly), and none belonging to my low cost internet access provider.
That's actually one of the first things that popped into my mind and I forgot to include it in my OP...
Are there any checks I could perform to see if my provider hijacks DNS?
Would there be any way to circumvent said hijacking?
You can try to connect to the Google DNS and use its hijacking detection:
https://developers.google.com/speed/pub … ng#windows
There were some other special names to do something similar, but I don't remember them.
You can also check if you can get dnssec records: https://www.cyberciti.biz/faq/unix-linu … mand-line/
Edit: Here are the other resolver/ip check tools I meant.
dig ANY whoami.akamai.net +short
# vs
dig @ns1-1.akamaitech.net ANY whoami.akamai.net +short
dig +short myip.opendns.com @resolver1.opendns.com -4
# vs
dig +short myip.opendns.com -4
dig @ns1.google.com TXT o-o.myaddr.l.google.com +short
#vs
dig TXT o-o.myaddr.l.google.com +short
# https://github.com/jedisct1/whatsmyresolver
dig TXT resolver.dnscrypt.info +short
# vs
dig +trace TXT resolver.dnscrypt.info +short
Last edited by progandy (2022-01-03 10:48:28)
Update: I just tried it on a new wifi and unbound DNSSEC works perfectly. I won't be back home until the 10th of January, so I won't post any update until then.
Alright update time:
I finally got home and here are the results of my investigation (I made sure to check there are no IP address conflicts on my network):
1- I set unbound as my dns resolver WITH DNSSEC -> same as before, cannot resolve DNS queries, error message "failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN" when running "systemctl status unbound"
2- I set unbound as my dns resolver WITHOUT DNSSEC (trust-anchor-file entry in unbound.conf is commented out) -> DNS queries resolve ok but obviously without DNSSEC
a- dnsleaktest.com lists five IPs belonging to my "bigger" internet access provider
b- I ran the following commands:
/usr/sbin/traceroute -n -w 2 -m 30 dns.google
traceroute to dns.google (8.8.4.4), 30 hops max, 60 byte packets
 1  192.168.0.1  7.957 ms  7.919 ms  8.016 ms
 2  * * *
 3  * * *
 4  212.166.147.46  13.422 ms  13.450 ms  13.808 ms
 5  * * *
 6  8.8.4.4  15.808 ms  9.177 ms  9.102 ms

dig ANY whoami.akamai.net +short
212.166.132.193 (one of the IPs listed by dnsleaktest.com)

dig @ns1-1.akamaitech.net ANY whoami.akamai.net +short
my ip (not pasting it for privacy reasons)

dig @ns1.google.com TXT o-o.myaddr.l.google.com +short
"212.166.132.193"

dig TXT o-o.myaddr.l.google.com +short
"212.166.132.193"
All of this makes me think my ISP is indeed hijacking my DNS queries. Again, this same unbound configuration I'm using has worked on basically every other network I've tried it on.
Is there any way I could prevent or circumvent my ISP hijacking?
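The failing step in the thread, priming the trust anchor by fetching the root DNSKEY RRset, and the whoami-style interception checks above can both be probed with one packet. The script below is an added example, not code from this thread or from unbound: it builds the same kind of query a validating resolver sends (root DNSKEY with an EDNS0 OPT record and the DO bit), parses the reply with a minimal wire-format parser, and reports whether DNSSEC records came back intact. When the packet was addressed directly to a root server, it also flags a reply with RA set and AA clear, which means a recursive resolver answered in the root server's place, i.e. port 53 was intercepted on the path. The two sample replies embedded in it are constructed (the key and signature bytes are fake), the filename and server addresses in the usage note are assumptions, and it speaks only IPv4/UDP.

```python
"""Probe a DNS server for the root DNSKEY RRset with the DO bit set and report
whether the DNSSEC records survived the path. Standard library only, IPv4/UDP."""
import random
import socket
import struct
import sys

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
# EDNS0 OPT RR: root owner, type 41, "class" = 4096-byte UDP size, "ttl" = ext-rcode/version/flags (DO)
OPT_DO = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, 0x8000, 0)

def encode_name(name):
    """Wire-encode a dotted name; "." (the root) becomes a single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype, txid, do_bit=True):
    """One question, RD set, plus the OPT RR in the additional section like a validator sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do_bit else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + (OPT_DO if do_bit else b"")

def skip_name(msg, off):
    """Advance past a (possibly compressed) owner name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg, expected_txid=None):
    """Return the header flags we care about plus a per-type record count over all sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    counts, do_echoed = {}, False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        counts[rtype] = counts.get(rtype, 0) + 1
        if rtype == TYPE_OPT:  # for OPT the "ttl" field carries ext-rcode/version/flags
            do_echoed = bool(ttl & 0x8000)
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "do": do_echoed, "counts": counts}

def assess(parsed, sent_to_root_server):
    """Classify a root DNSKEY reply. A root server answers with AA set and RA clear;
    a reply with RA set came from a recursive resolver, i.e. the packet was intercepted."""
    if parsed["rcode"] != 0:
        return "rcode %d: no usable answer" % parsed["rcode"]
    if parsed["tc"]:
        return "truncated: full DNSKEY answer does not fit over UDP on this path"
    if sent_to_root_server and (parsed["ra"] or not parsed["aa"]):
        return "RA set / AA clear: a recursive resolver answered in place of the root server"
    if not parsed["counts"].get(TYPE_DNSKEY):
        return "no DNSKEY records in the answer"
    if not parsed["counts"].get(TYPE_RRSIG):
        return "DNSKEY without RRSIG: DNSSEC records were stripped on this path"
    if not parsed["do"]:
        return "RRSIG present but DO not echoed: EDNS handling on the path is suspect"
    return "ok: DNSKEY and RRSIG returned, trust anchor can be primed"

def probe(server, sent_to_root_server, timeout=3.0):
    """Send the root DNSKEY query over UDP to one server and classify the reply."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(".", TYPE_DNSKEY, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return assess(parse_response(data, txid), sent_to_root_server)

def _rr(rtype, rdata, ttl=172800):  # one record owned by the root, class IN, opaque rdata
    return b"\x00" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed sample replies for offline demonstration; the key and signature bytes are fake.
QUESTION = encode_name(".") + struct.pack("!HH", TYPE_DNSKEY, 1)
SAMPLE_INTACT = (struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 2, 0, 1) + QUESTION  # flags QR|AA|RD
                 + _rr(TYPE_DNSKEY, b"\x01\x01\x03\x08" + b"\xaa" * 8)
                 + _rr(TYPE_RRSIG, b"\x00\x30\x08\x00" + b"\xbb" * 14) + OPT_DO)
SAMPLE_HIJACKED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION  # flags QR|RD|RA
                   + _rr(TYPE_DNSKEY, b"\x01\x01\x03\x08" + b"\xaa" * 8))

if __name__ == "__main__":
    print("constructed intact reply:   ", assess(parse_response(SAMPLE_INTACT), True))
    print("constructed hijacked reply: ", assess(parse_response(SAMPLE_HIJACKED), True))
    # Live probes: "root:IP" marks a root server taken from root.hints, a bare IP a recursive resolver.
    for arg in sys.argv[1:]:
        is_root, server = arg.startswith("root:"), arg.split(":", 1)[-1]
        try:
            print(server, "->", probe(server, is_root))
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError subclass
            print(server, "-> no usable reply:", exc)
```

Run it without arguments for the offline demonstration; something like `python3 dnskey_probe.py root:198.41.0.4 8.8.8.8` (filename and addresses are assumptions; take the root server address from your own root.hints) sends the live queries. On a path where port 53 is intercepted, the packet addressed to the root server comes back with RA set; whether the interceptor also drops the RRSIGs or mishandles EDNS is what decides if unbound can prime its trust anchor.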
dig @ns1-1.akamaitech.net ANY whoami.akamai.net +short
my ip (not pasting it for privacy reasons)
dig @ns1.google.com TXT o-o.myaddr.l.google.com +short
"212.166.132.193"
That is a bit strange. One query seems to have been sent unmodified, the other was hijacked...
Is there any way I could prevent or circumvent my ISP hijacking?
Use encrypted DNS like dnscrypt, DoT, or DoH, but then you'll lose the ability to directly talk to authoritative servers. If that is important you could run your own encrypted DNS server on a vhost/cloud VM and use that as the upstream.
Last edited by progandy (2022-01-09 17:58:45)
Hey there.
I just got done configuring dnscrypt on my machine and it works fine I guess, but from a privacy point of view I really think the ability to directly query the authoritative servers is the best feature and I'm sorely missing it. The way I see it, with unbound and direct authoritative server queries, none of my DNS history is maintained by a public DNS server, I have control of the resolver (nothing is filtered or blocked), it's very fast and it's secure. Even though it doesn't encrypt DNS, that's not a privacy problem because even with encrypted DNS, my ISP will immediately see my plain-text query for the IP and know exactly where I am going anyway.
It is really bumming me out that I can't configure unbound to work properly on my network. Do you have any other idea of how I could prevent my ISP from hijacking my DNS queries? It really sucks because it was working perfectly on every other network I've tried and I can't figure out what's different with my home network.
Update: I got it to work.
2 things:
- On my home router there is an option to activate "Secure DNS". I guess this conflicts with unbound and in some way blocks unbound DNSSEC queries. Deactivating the option made unbound work as it should.
- There were some redirection rules on my home router regarding ports for http (80), https (443) and dns (53). I deleted them all. Maybe they weren't the cause of the conflict, but since I have no idea what they were doing there, I removed them.
Topic marked as solved, thanks for the help.