Linux: Domain Name System Security Extensions (DNSSEC)
DNSSEC is an extension to the DNS protocol that lets a resolver securely retrieve information from the domain name system. The extension validates the responses received from DNS servers (their authenticity and integrity) and so provides a higher level of security. I'll focus here only on resolver configuration and testing. If you are interested and would like more details, try the Debian article on DNSSEC.
I am using BIND v9 as resolver because most of the time the DNS provided by the ISP is not configured well or it is injecting additional records (custom error pages with advertisements).
Use the package manager provided with your Linux distribution and install the "bind" package:
emerge net-dns/bind net-dns/bind-tools
apt-get install bind9 bind9utils
Configuration is simple. In /etc/bind/named.conf set the following in the options section:
dnssec-enable yes; dnssec-validation auto; dnssec-lookaside auto;
If you would like to use a custom location for keys, then also set managed-keys-directory. By default BIND listens on loop-back only. If necessary, adjust that as well.
Set the system resolver to use BIND: edit /etc/resolv.conf and set nameserver to the loop-back IP or the IP of the server hosting BIND.
Note: of course, if you are using more than one DNS server, then each one should support DNSSEC.
Now it is time to check whether the configuration works well.
Test in console
Use host or dig to get the "test.dnssec-or-not.net" DNS record of type "TXT":
host -t TXT test.dnssec-or-not.net
dig test.dnssec-or-not.net TXT
Note: there are two types of response: "Yes, you are using DNSSEC" or "No, you are not using DNSSEC".
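Besides the TXT text returned by the test domain, the resolver's own answer header tells you whether validation happened: a validating resolver such as BIND sets the AD (Authenticated Data) flag only when the answer was validated, and returns SERVFAIL when the signed data fails validation. The following is an added example, not part of the original post and not a BIND or dig feature; the function names are my own and the sample header lines are constructed, not captured from a real resolver.

```shell
#!/bin/sh
# Added example (not from the original post): classify a dig response from
# its header lines. A validating resolver sets the AD flag only after
# successful DNSSEC validation and answers SERVFAIL for data that fails
# validation ("bogus"). The function names below are my own.

# Read dig output on stdin and print one of: validated, bogus, unvalidated.
# Caveat: SERVFAIL also has non-DNSSEC causes (unreachable authoritative
# servers, etc.), so "bogus" means "failed, possibly because of DNSSEC".
dig_dnssec_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
        echo bogus
    # The flags line looks like: ";; flags: qr rd ra ad; QUERY: 1, ..."
    # Match " ad" inside the flags list only (before the first ';').
    elif printf '%s\n' "$out" | grep -Eq '^;; flags:[^;]* ad[ ;]'; then
        echo validated
    else
        echo unvalidated
    fi
}

# Constructed sample headers (not captured from a real resolver).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33333
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Convenience wrapper: classify a string of dig output.
status_of() { printf '%s\n' "$1" | dig_dnssec_status; }

# Against the live resolver configured in the post:
#   dig test.dnssec-or-not.net TXT | dig_dnssec_status
```

If you want to see the signatures themselves, run dig with +dnssec so the RRSIG records are included in the answer section; the AD flag is still the indicator that your resolver, not just the zone, actually did the validation.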