DNSSEC, OpenDNS and www.cdc.gov

Greg Choules greg at isc.org
Wed Oct 16 14:09:41 UTC 2024 

Hi Bob.
See if this article helps any first, before we get into configs: https://kb.isc.org/docs/the-umbrella-feature-in-detail

Cheers, Greg

> On 16 Oct 2024, at 14:55, Robert Mankowski <robert.mankowski at hotmail.com> wrote:
> 
> I recently implemented a forward only BIND server for home. I was forwarding to OpenDNS FamilyShield using TLS and DNSSEC at first, but I was getting a noticeable amount of SERVFAIL responses. I believe it is related to DNSSEC (see delv tests below), but I don’t believe it is my configuration because when I forward to Cloudflare’s Family service, or to Google DNS, I don’t have any problems with the same domains (e.g. www.cdc.gov <http://www.cdc.gov/>).
>  
> I contacted Cisco Umbrella support because I was thinking it’s an issue with their servers, but they didn’t really help, so I thought I would try this list for advice.
>  
> Would appreciate it if someone could review my configuration and/or reproduce my results to see if I’m doing something wrong.
>  
> Thanks,
>  
> Bob
>  
> Here are some tests I ran:
>  
> admin at router1:~$ apt-cache policy bind9
> bind9:
>   Installed: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7
>   Candidate: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7
>   Version table:
> *** 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 500
>         500 https://packages.sury.org/bind-dev bookworm/main amd64 Packages
>         100 /var/lib/dpkg/status
>      1:9.18.28-1~deb12u2 500
>         500 http://deb.debian.org/debian bookworm/main amd64 Packages
>         500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
>  
>  
> admin at router1:~$ delv -v
> delv 9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7-Debian
>  
> admin at router1:~$ delv -4 @208.67.220.123 www.cdc.gov <http://www.cdc.gov/>. A
> ;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN': <http://cdc.gov/DNSKEY/IN':> 208.67.220.123#53
> ;; broken trust chain resolving 'www.cdc.gov/A/IN': <http://www.cdc.gov/A/IN':> 208.67.220.123#53
> ;; resolution failed: broken trust chain
>  
> admin at router1:~$ delv -4 @208.67.222.123 www.cdc.gov <http://www.cdc.gov/>. A
> ;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN': <http://cdc.gov/DNSKEY/IN':> 208.67.222.123#53
> ;; broken trust chain resolving 'www.cdc.gov/A/IN': <http://www.cdc.gov/A/IN':> 208.67.222.123#53
> ;; resolution failed: broken trust chain
>  
> admin at router1:~$ delv -4 @1.1.1.3 www.cdc.gov <http://www.cdc.gov/>. A
> ; fully validated
> www.cdc.gov <http://www.cdc.gov/>.            248     IN      CNAME   www.akam.cdc.gov <http://www.akam.cdc.gov/>.
> www.cdc.gov <http://www.cdc.gov/>.            248     IN      RRSIG   CNAME 8 3 300 20241019153420 20241009150230 1503 cdc.gov <http://cdc.gov/>. b99UIGmCOTJj+C7JFXORmtUXQEIIGdF0q3Z5u6HfAbKcJhjfFjJrkRE6 yntzr0pSksCp1Uwi146xvKz7ImCqkYK67/WlOujyquOGSfgOwO1DvUyj TfvXJWvjSRLTx30lwU6RV80RrC596A16anTpLc7Zi4VEAVncRHeUl1y1 /MG/CSCtE/Ef6tPD1FtGZjhXszVAgrk3fhISCsImRHuGAoIBnIKCKx2M YMhxirfV0z9Qq46PnW9zTzh+EbVKZkN0C+Xl3j2+4sqyHlubhrtgklG/ g0u+99/g/jdfex+Vh7dtcAXFcTZ1XGuPQXgsn6GrznecB8PaXmCxXfft GaDOdQ==
> www.akam.cdc.gov <http://www.akam.cdc.gov/>.       20      IN      A       23.51.224.222
> www.akam.cdc.gov <http://www.akam.cdc.gov/>.       20      IN      RRSIG   A 10 4 20 20241018102927 20241015092927 16701 akam.cdc.gov <http://akam.cdc.gov/>. Lcd7WthqqU+A7UwQkBHZsT0nqxztJkn9cx57wXr4eHHCvJR0cCxZFkwl eIbSffPIu364terXJlcEvuWbWTLrCX7bo0c6B9bA5EPi2DsbegTfkG5u cqrZP9RTzXbfbs5l5w6CQ9DfSPcYx9BIYkusErQu5qQnGhoQ5bXI1VxT Otc=
>  
> The relevant portion of my named configuration is:
>  
> tls opendns-tls {
>     remote-hostname "dns.opendns.com <http://dns.opendns.com/>";
> };
>  
> tls cloudflare_family-tls {
>     remote-hostname "one.one.one.one";
> };
>  
> tls google-tls {
> };
>  
> tls router1-tls {
>     key-file "/var/cache/bind/privkey.pem";
>     cert-file "/var/cache/bind/fullchain.pem";
>     dhparam-file "/var/cache/bind/dhparam.pem";
>     ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
>     prefer-server-ciphers yes;
>     session-tickets no;
> };
>  
> options {
>     directory "/var/cache/bind";
>     recursion yes;
>     allow-query { trusted_nets; };
>     version "none";
>  
>     forwarders {
> #        1.1.1.3 port 853 tls cloudflare_family-tls;
> #        1.0.0.3 port 853 tls cloudflare_family-tls;
>         208.67.222.123 port 853 tls opendns-tls;
>         208.67.220.123 port 853 tls opendns-tls;
> #       8.8.8.8 port 853 tls google-tls;
> #       8.8.4.4 port 853 tls google-tls;
>     };
>  
>     forward only;
>  
>     allow-transfer { none; };
>  
>     dnssec-validation auto;
>  
>     listen-on port 443 tls router1-tls http default { trusted_interfaces; };
>     listen-on port 853 tls router1-tls { trusted_interfaces; };
>     listen-on { trusted_interfaces; };
>     listen-on-v6 { none; };
>  
>     zone-statistics yes ;
> };
>  
>  
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org <mailto:bind-users at lists.isc.org>
> https://lists.isc.org/mailman/listinfo/bind-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20241016/d812c140/attachment-0001.htm>

More information about the bind-users mailing list