Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enabled DNSSec #10

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Enabled DNSSec #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0778b79
Switching to dnsmasq-dnssec
bassrock Jan 7, 2019
50321e8
Adding DNSSec conf
bassrock Jan 7, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ ENV WEBPROC_VERSION 0.2.2
ENV WEBPROC_URL https://github.com/jpillora/webproc/releases/download/$WEBPROC_VERSION/webproc_linux_amd64.gz
# fetch dnsmasq and webproc binary
RUN apk update \
&& apk --no-cache add dnsmasq \
&& apk --no-cache add dnsmasq-dnssec \
&& apk add --no-cache --virtual .build-deps curl \
&& curl -sL $WEBPROC_URL | gzip -d - > /usr/local/bin/webproc \
&& chmod +x /usr/local/bin/webproc \
Expand Down
5 changes: 5 additions & 0 deletions dnsmasq.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,11 @@
log-queries
#dont use hosts nameservers
no-resolv
# DNSSEC setup
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec-check-unsigned
Comment on lines +7 to +11
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should provide context about such configuration values, they should not be trusted otherwise.

The trust-anchors seem legitimate(Gentoo wiki offers the exact same snippet), but rather than adding them inlined here, you should be doing it like this:

conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

dnssec-check-unsigned also looks useful.

Now some replies are not DNSSEC signed but may still be may be legitimate, because the domain is unsigned, or may be forgeries. This setting will have dnsmasq do some various checks to see if it’s still looks valid. Now this will take a few more dns lookups, but it’s good for security. - Source

As a default, dnsmasq does not check that unsigned DNS replies are legitimate: they are assumed to be valid and passed on (without the “authentic data” bit set, of course). This does not protect against an attacker forging unsigned replies for signed DNS zones, but it is fast. If this flag is set, dnsmasq will check the zones of unsigned replies, to ensure that unsigned replies are allowed in those zones. The cost of this is more upstream queries and slower performance. - Source

#use cloudflare as default nameservers, prefer 1^4
server=1.0.0.1
server=1.1.1.1
Expand Down