DNSSEC Validation with Unbound on a Raspberry

[Category: System (Linux) | Posted by 店小二03 | 2016 | Author 红领巾]

To overcome the chicken-or-egg problem of DNSSEC ("I don't need a DNSSEC validating resolver if there are no signed zones"), let's install the DNS server Unbound on a Raspberry Pi for home usage. From then on, domain names are DNSSEC validated. I am listing the commands to install Unbound on a Raspberry Pi as well as some further commands to test and troubleshoot it. Finally I am showing a few Wireshark screenshots from a sample iterative DNS capture. Here we go:

It is really simple to operate an Unbound DNS resolver locally on a Raspberry Pi: merely an installation and some config changes. That's it. The Unbound package shipped with Raspbian validates DNSSEC by default. Great!

Installation

I am using an "old" Raspberry Pi 1 Model B with Raspbian GNU/Linux 7 (wheezy) and kernel 4.1.13+. The version of Unbound that comes with this OS is not the newest one (1.4.17-3+deb7u2), but it fits. The installation is really simple:

sudo apt-get update
sudo apt-get install unbound

The Unbound server starts automatically. Have a look at the listening ports with:

$ sudo netstat -tulpen | grep unbound
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      0          7312680    27897/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      0          7312684    27897/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      0          7312676    27897/unbound
tcp6       0      0 ::1:8953                :::*                    LISTEN      0          7312682    27897/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           0          7312678    27897/unbound
udp6       0      0 ::1:53                  :::*                                0          7312674    27897/unbound

Unbound works out of the box for queries from the localhost: as the netstat output shows, it listens on 127.0.0.1 and ::1 only (port 8953 is the unbound-control interface, not DNS). In order to allow queries from other hosts, the configuration file must be edited. It is stored at /etc/unbound/unbound.conf. Note that the config already has DNSSEC validation enabled!

$ cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Now, to allow queries from other hosts, add the following lines within the "server:" paragraph. Be aware that "access-control: 0.0.0.0/0 allow" turns Unbound into an open resolver for every address that can reach it. On a home LAN behind NAT this is fine, but if the Pi is reachable from the Internet, restrict access-control to your own LAN prefix instead, because open resolvers get abused for DNS amplification attacks:

interface: 0.0.0.0
interface: ::0
access-control: 0.0.0.0/0 allow
access-control: ::0/0 allow
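A LAN-restricted variant of the same block, added here as an example and not part of the original post: the 192.168.7.0/24 prefix is assumed from the Pi's address 192.168.7.5 used later on this page, and the IPv6 prefix is a placeholder to replace with your own. Anything not listed is refused by Unbound's default, so no Internet host can use the resolver even if the Pi is exposed.

```conf
server:
    interface: 0.0.0.0
    interface: ::0
    # Localhost stays allowed, the home LAN is allowed, everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.7.0/24 allow     # assumed LAN prefix
    access-control: 2001:db8::/64 allow      # placeholder, use your own IPv6 prefix
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
```

After editing, run unbound-checkconf and restart Unbound exactly as shown below; a query from an address outside the allowed prefixes then gets a REFUSED answer instead of being recursed.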

Check the config:

$ unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

and restart the server:

$ sudo service unbound restart
[ ok ] Restarting recursive DNS server: unbound.

That's it! All configuration options are described in the unbound.conf(5) man page. If you only wanted to install Unbound you're already done!

-> The following information is only for further analysis etc.

Root Hints & Root Key

Unbound uses a list of the root servers (the root hints; a built-in copy is compiled into Unbound) as well as the root DNSKEY (the trust anchor) for its DNSSEC validation. Both should be updated regularly to avoid DNS problems in case of real root server or root key changes. To use an up-to-date root-hints file (the list of root servers), download the official list:

sudo curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.root

and use it within the unbound.conf configuration file:

root-hints: "/etc/unbound/root.hints"

To update the root.key, use the simple "unbound-anchor" program, which downloads the root.key file into /etc/unbound/. Note that with auto-trust-anchor-file Unbound itself tracks root key rollovers (RFC 5011) and rewrites that file, so it must be writable by the user Unbound runs as (unbound on Debian); after creating it as root, make the file writable by that user (for example by chowning it to unbound), otherwise Unbound logs a warning that it cannot write the autotrust file. unbound-anchor is mainly needed for the initial bootstrap or when the key in the file has become stale:

sudo unbound-anchor

And change the auto-trust-anchor-file within the unbound.conf from the default to:

auto-trust-anchor-file: "/etc/unbound/root.key"

Restart Unbound: sudo service unbound restart .

Done.

Tests & Status

Here's a basic test from another Linux machine that queries the Unbound server. Note the ad (authenticated data) flag in line 8, which indicates that the answer was DNSSEC validated:

$ dig @192.168.7.5 weberdns.de +noadditional +noauthority

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> @192.168.7.5 weberdns.de +noadditional +noauthority
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43402
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;weberdns.de.			IN	A

;; ANSWER SECTION:
weberdns.de.		3600	IN	A	80.154.108.230

;; Query time: 19 msec
;; SERVER: 192.168.7.5#53(192.168.7.5)
;; WHEN: Thu Jun 09 17:23:21 CEST 2016
;; MSG SIZE  rcvd: 186

Of course, a failure in DNSSEC validation leads to a SERVFAIL (line 7) without any answer:

$ dig @192.168.7.5 fail03.dnssec.works

; <<>> DiG 9.9.5-9+deb8u6-Raspbian <<>> @192.168.7.5 fail03.dnssec.works
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42531
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fail03.dnssec.works.		IN	A

;; Query time: 111 msec
;; SERVER: 192.168.7.5#53(192.168.7.5)
;; WHEN: Thu Jun 09 17:24:25 CEST 2016
;; MSG SIZE  rcvd: 48

Good. To confirm that such a SERVFAIL really comes from validation and not from an unreachable upstream server, repeat the query with dig's +cd option (checking disabled): Unbound then hands out the unvalidated answer, so if the data comes back with +cd, it was the signature check that failed.
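The two dig captures above and the +cd re-query can be turned into a small checker that tells "secure", "insecure", "bogus" and "unreachable" apart. The following Python 3 script is an added example, not code from the original post: the sample headers are constructed from the captures on this page (the +cd reply is an assumed one, since the page does not show it), the function and file names are my own, and the live path needs dig on PATH.

```python
"""Classify the DNSSEC state of an answer, as seen from a stub client.

Parses the header lines of dig output (the same lines the two captures above
show) and maps status + flags to one of: secure, insecure, bogus, unreachable.
"""
import re
import subprocess

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def parse_header(dig_output):
    """Return (status, flags) from dig's header, e.g. ('NOERROR', {'qr','rd','ra','ad'})."""
    header = HEADER_RE.search(dig_output)
    if header is None:
        return None, set()
    flags = FLAGS_RE.search(dig_output)
    flag_set = set(flags.group(1).split()) if flags else set()
    return header.group(2), flag_set


def classify(answer, cd_answer=None):
    """Map one dig answer (plus, for SERVFAIL, the +cd re-query) to a DNSSEC state.

    secure      NOERROR/NXDOMAIN with the ad flag: validated by the resolver
    insecure    NOERROR/NXDOMAIN without ad: unsigned zone or non-validating resolver
    bogus       SERVFAIL that turns into an answer with +cd: validation failed
    unreachable SERVFAIL even with +cd: the resolver could not fetch the data at all
    servfail    SERVFAIL without a +cd re-query to disambiguate
    """
    status, flags = parse_header(answer)
    if status is None:
        return "no-response"
    if status in ("NOERROR", "NXDOMAIN"):
        return "secure" if "ad" in flags else "insecure"
    if status != "SERVFAIL":
        return status.lower()
    if cd_answer is None:
        return "servfail"
    cd_status, _ = parse_header(cd_answer)
    # With CD set the resolver returns data without validating it, so an answer
    # here means the earlier SERVFAIL was a validation failure, i.e. bogus data.
    return "bogus" if cd_status in ("NOERROR", "NXDOMAIN") else "unreachable"


def run_dig(resolver, name, checking_disabled=False):
    """Run dig against `resolver` and return its raw text output (needs dig on PATH)."""
    cmd = ["dig", "@" + resolver, name, "+noadditional", "+noauthority"]
    if checking_disabled:
        cmd.append("+cd")
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_name(resolver, name):
    """Live check: query normally, then with +cd only if the first answer is SERVFAIL."""
    answer = run_dig(resolver, name)
    cd_answer = None
    if parse_header(answer)[0] == "SERVFAIL":
        cd_answer = run_dig(resolver, name, checking_disabled=True)
    return classify(answer, cd_answer)


# Constructed samples: the header lines of the two captures above, plus an
# assumed +cd reply for the failing name (not shown on the page).
SECURE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43402
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5
"""
SERVFAIL_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42531
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CD_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42532
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(classify(SECURE_ANSWER))               # secure
    print(classify(SERVFAIL_ANSWER, CD_ANSWER))  # bogus
    # live use against the Pi from this page: check_name("192.168.7.5", "weberdns.de")
```

The "insecure" outcome is the one worth watching on a home network: a NOERROR answer without ad for a zone you know is signed means the client is not talking to the validating Unbound at all (for example because DHCP handed out a different resolver).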

In order to view the status of Unbound, use the following commands: unbound-control status and unbound-control stats_noreset (unlike unbound-control stats, stats_noreset does not zero the counters after printing them):

$ sudo unbound-control status
version: 1.4.17
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 11744 seconds
unbound (pid 28021) is running...

$ sudo unbound-control stats_noreset
thread0.num.queries=120
thread0.num.cachehits=18
thread0.num.cachemiss=102
thread0.num.prefetch=0
thread0.num.recursivereplies=102
thread0.requestlist.avg=0.54902
thread0.requestlist.max=18
thread0.requestlist.overwritten=0
thread0.requestlist.exceeded=0
thread0.requestlist.current.all=0
thread0.requestlist.current.user=0
thread0.recursion.time.avg=0.201798
thread0.recursion.time.median=0.17367
total.num.queries=120
total.num.cachehits=18
total.num.cachemiss=102
total.num.prefetch=0
total.num.recursivereplies=102
total.requestlist.avg=0.54902
total.requestlist.max=18
total.requestlist.overwritten=0
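Those key=value counters are easy to feed into a monitoring job. The Python 3 script below is an added example and not part of the original post: the sample is constructed from the totals above (the recursion time is taken from thread0, which on this single-threaded Pi equals the total), and the num.answer.secure / num.answer.bogus counters it looks for only appear when Unbound runs with "extended-statistics: yes", which the 1.4.17 output on this page does not have.

```python
"""Summarise `unbound-control stats_noreset` output for monitoring.

Turns the key=value lines into numbers and derives what an operator wants to
watch: query volume, cache hit ratio, recursion latency and, when Unbound runs
with extended-statistics: yes, how many answers failed validation (bogus).
"""


def parse_stats(text):
    """Parse key=value lines into a dict of floats; lines without '=' or a number are ignored."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep:
            continue
        try:
            stats[key] = float(value)
        except ValueError:
            continue
    return stats


def summarise(stats):
    """Derive the monitoring figures from the parsed counters."""
    queries = stats.get("total.num.queries", 0.0)
    hits = stats.get("total.num.cachehits", 0.0)
    # num.answer.* only exists with extended-statistics: yes (assumed for newer
    # setups; absent from the 1.4.17 output on this page, so they default to 0).
    bogus = stats.get("num.answer.bogus", 0.0)
    secure = stats.get("num.answer.secure", 0.0)
    return {
        "queries": int(queries),
        "cache_hit_ratio": round(hits / queries, 3) if queries else 0.0,
        "recursion_avg_ms": round(stats.get("total.recursion.time.avg", 0.0) * 1000),
        "answers_secure": int(secure),
        "answers_bogus": int(bogus),
        "bogus_ratio": round(bogus / queries, 4) if queries else 0.0,
    }


def alerts(summary, max_bogus_ratio=0.01, max_recursion_ms=1000):
    """Return the alert strings a monitoring job would raise for one sample.

    A rising bogus ratio means either broken zones or someone tampering with
    answers on the path between the Pi and the authoritative servers.
    """
    found = []
    if summary["bogus_ratio"] > max_bogus_ratio:
        found.append("bogus answers above %.2f%% of queries" % (100 * max_bogus_ratio))
    if summary["recursion_avg_ms"] > max_recursion_ms:
        found.append("average recursion time above %d ms" % max_recursion_ms)
    return found


# Constructed sample: the totals from the stats_noreset output above
SAMPLE_STATS = """\
total.num.queries=120
total.num.cachehits=18
total.num.cachemiss=102
total.num.prefetch=0
total.num.recursivereplies=102
total.requestlist.avg=0.54902
total.requestlist.max=18
total.recursion.time.avg=0.201798
total.recursion.time.median=0.17367
"""

if __name__ == "__main__":
    # Live use: sudo unbound-control stats_noreset | python3 unbound_stats.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATS
    summary = summarise(parse_stats(text))
    print(summary)
    for line in alerts(summary):
        print("ALERT:", line)
```

On the sample above this reports 120 queries, a cache hit ratio of 0.15 and about 202 ms average recursion time, which is what you expect from a freshly started resolver on a slow Pi; the hit ratio climbs as the cache warms up.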

Please credit the source when reposting.
Source: http://www.codesec.net/view/484468.html