Linux: Domain Name System Security Extensions (DNSSEC)

From Luky-Wiki
Jump to: navigation, search

DNSSEC is extension to DNS protocol to securely retrieve information from the domain name system. This extension validate response from DNS server and provide higher level of security. I'll focus here only on configuration (resolver) and testing. If you are interested and would like to get more details then try this Debian article DNSSEC.

Resolver

I am using BIND v9 as resolver because most of the time DNS provided by ISP is not configured well or it is injecting additional records (custom error pages with advertisements).

Installation

Use your package manager provided with Linux distribution and install "bind" package.

  • Gentoo:
emerge net-dns/bind net-dns/bind-tools
  • Ubuntu:
apt-get install bind9 bind9utils

Configuration

Configuration is simple. In /etc/bind/named.conf set following in options section:

dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

If you would like to use custom location for keys then set also managed-keys-directory. By default BIND listen on loop-back only. If necessary then modify also listen-on or listen-on-v6 directive.

Set system resolver to use BIND

Edit /etc/resolv.conf and set nameserver to loop-back IP or IP of server hosting BIND:

nameserver 127.0.0.1

Note: of course if you are using more that one DNS server then each one should support DNSSEC.

Testing

Now is time to try if configuration work well:

Test in console

Issue host or dig to get "test.dnssec-or-not.net" DNS record of type "TXT":

  • host:
host -t TXT test.dnssec-or-not.net
  • dig:
dig test.dnssec-or-not.net TXT

Note: There are two types of response Yes, you are using DNSSEC or No, you are not using DNSSEC.

Test via web page