Domain Name Service (DNS) Unbound

  • Published on 29 Sep 2024
  • Today I want to explore DNS over TLS using the unbound package for Linux to see if I can get 1) DNSSEC working and 2) DNS over TLS working. I will be using Ubuntu 20.10 Server for this. I go over some of the problems DNS (Bind9) left in its wake and some of the solutions we tried to get DNS queries to work encrypted. There are a couple of choices today for this: DNS over TLS, DNS over HTTPS and DNSCurve. I am trying to avoid some of the discussion around which of these is the best, because quite frankly none of them are. It's a question of privacy and a question of trust, is what it boils down to. So for me today I want to see if I can begin moving my DNS service from Bind9 to something like unbound (if that is even possible). So let's get started, dive in and see if we can get this working.
    I don't mean to beat up on VLANs; they are absolutely great tools for network management, but they are not useful to protect two different network segments which are at different security levels.
    Root Hints file:
    sudo wget www.internic.n... -O /etc/unbound/root.hints

Comments • 38

  • @abobader 3 years ago +3

    Great video as always, please keep making these and well done!

    • @CyberGizmo 3 years ago +2

      Thanks abobader, I am slowly moving servers over to using it so far so good

  • @viniciusgoncalves528 2 years ago

    Great channel, nice video. Your background knowledge is amazing, I really liked to know that the fact that DNS is not encrypted was a worry in the past.

  • @igihara2662 a year ago +1

    Hello
    Would you like to make a docker pihole with unbound with one or two containers for full newbies?
    Thanks

  • @bwillz2230 3 years ago

    2021: CNS

  • @YuriShevchouk 3 years ago +3

    Great vid. Was thinking of making a Pi-hole. But you are pushing me to do DIY.

    • @CyberGizmo 3 years ago +1

      Awesome Yuri, let us know how it turns out please

  • @PetritK10 3 years ago +3

    Ooo, that's what I needed, especially for the LFCS exam. Thanks, DJ Ware, you are the best, but I don't like your new intro music

    • @CyberGizmo 3 years ago

      Thanks Titi glad it was timely, might work on a different music track for the intro soon

  • @kellysmith7357 2 years ago +1

    Could you elaborate about VLAN security?

  • @biu-e1y 3 years ago +2

    Nice video. The tips about handling the SSL handshake error at the end enlightened me a lot. Thank you, DJ!

    • @CyberGizmo 3 years ago

      Welcome glad you enjoyed it!

  • @Bang2Highlights 8 months ago

    Damn good video. Keep producing content, I was looking for someone to explain in simple terms how to customize my unbound and what all these options are...this helped a lot with ground level knowledge.

  • @wolterelst7252 3 years ago +1

    Are there any other public DNS servers other than the known ones like Cloudflare and others, taking privacy into consideration?

    • @CyberGizmo 3 years ago

      Hi Wolter, yes, here is a site with listings and information whether they reportedly log or not dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

  • @ganeshputtige 2 years ago +1

    Your presentation skills are fantastic. The contents were top notch. It is a pleasure to view your video. Thank you.

    • @CyberGizmo 2 years ago

      Thank you gans glad you enjoy the videos

  • @kawker 3 years ago +1

    good vid DJ, I always learn something new from you :) - keep up the good work

    • @CyberGizmo 3 years ago

      Thanks Sam H appreciate that

  • @turbokev3772 3 years ago

    lol. I like the intro, shows you're a hip cat! Unbound is great, I use it at home with pfsense. The way pfsense has it integrated is just so dead simple and makes everything so easy, I love it. Also running Unbound you don't have to hammer your ISP till they black hole you.
    With pfsense you can automatically register dhcp leases into dns, and automatically set nameservers over dhcp. Also you can do host based as well as domain based overrides, for instance for devices with static ips, or to avoid needing to proxy or loop back somehow to access locally services run on the WAN, or to segment entire domains over to another nameserver.

    • @CyberGizmo 3 years ago

      I am trying it out not on hardware running a limited number of systems through it for now, if it goes ok will switch them all over, and thanks for the kind words

  • @snives7166 3 years ago

    Great video DJ! One thing I'd disagree with, you don't just have to trust the DNS forwarder. Some are legally bound to hold to their privacy agreement. Quad9 having a strict policy + Swiss law gives them no ability to collect user data without serious lawsuits.

    • @elijah2863 2 years ago

      May want to read their privacy policy, and all the hyperlinks related to the privacy article on their website

  • @eduardmart1237 2 years ago

    How do I set up the size of the cache?

  • @tomgrey3046 3 years ago

    Hi DJ, greetings from PL. This really helped me a lot. I know this was not the purpose of this movie, however, would it be possible that you guide us through unbound DNSSEC settings? I tried it several times on my machine, but every time the auto-trust-anchor-file: "path to root.key" line is enabled in .conf, unbound fails at the start. I don't know whether this is a permission issue or maybe the certificate updating process. I drilled down the YT and did not find a guide on unbound+dnssec (only built-in pfsense).

    • @mouduge 11 months ago +1

      I know this is 2 years old, but in case you're still looking for an answer or someone else is interested, my guess is that the problem is that the `unbound` user cannot access the root.key. You could try `sudo chown unbound:unbound /path/to/root.key` to make unbound the owner of the file, so it can access it. Also make sure that the directory containing root.key is accessible by user unbound.

    • @tomgrey3046 11 months ago

      @@mouduge Thanks for the advice. I already solved that issue, and you’re right, it was a permission issue, as well as other tweaks in the conf file.
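
The ownership fix suggested in the replies above, turned into a pre-flight check for the file given to `auto-trust-anchor-file` (an added example, not from the video or the commenters). It assumes access is granted through file ownership and that GNU `stat` is available; the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example: checks that the account unbound runs as can use a trust
# anchor file set with auto-trust-anchor-file. unbound rewrites that file when
# the anchor is updated and creates a temporary file next to it, so the file
# AND its directory must be writable by that account.
# Assumption: access comes from ownership (as with the chown suggested above);
# group/other permission bits and ACLs are not evaluated. Needs GNU stat.

# resolve_uid USER_OR_UID -> prints the numeric uid, fails on an unknown user
resolve_uid() {
    case "$1" in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# owner_has UID PATH MASK -> 0 if PATH is owned by UID and has all MASK bits
owner_has() {
    [ "$(stat -c %u "$2")" = "$1" ] || return 1
    mode=$(stat -c %a "$2")
    [ $(( 0$mode & $3 )) -eq $(( $3 )) ]
}

# check_anchor_access FILE USER_OR_UID
# returns 0 = ok, 1 = file problem, 2 = directory problem, 3 = unknown user
check_anchor_access() {
    file=$1
    uid=$(resolve_uid "$2") || { echo "unknown user: $2" >&2; return 3; }
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    dir=$(dirname "$file")
    if ! owner_has "$uid" "$file" 0600; then
        echo "$file: not owned by uid $uid with rw (chown, chmod u+rw)" >&2
        return 1
    fi
    if ! owner_has "$uid" "$dir" 0700; then
        echo "$dir: not owned by uid $uid with rwx" >&2
        return 2
    fi
    return 0
}

# Run as: sh check_anchor.sh /path/to/root.key unbound
if [ "$#" -eq 2 ]; then check_anchor_access "$1" "$2"; fi
```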

  • @fairalbion 3 years ago

    Since your Unbound server already has the root hints information, couldn't you have it do its own recursive lookups instead of using forwarders?

    • @CyberGizmo 3 years ago +1

      Hi fairalbion, sure, I do not do that, because I have unpublished private hosts on my LAN that I want DNS services for.

    • @fairalbion 3 years ago

      @@CyberGizmo Understood, watched it back & got it. I've been running Unbound for a few months & love it. Good video & nice channel BTW.

  • @willypeters5937 3 years ago

    whuzza Doman???

    • @CyberGizmo 3 years ago +3

      A Domain in the world of the internet is a group of computers or even network equipment, so for instance www.google.com has a host name "www", then a period starts one of Google's domain names "google", then another period, then comes the top level domain "com". Just a way to keep from having to memorize IP addresses

    • @willypeters5937 3 years ago +1

      @@CyberGizmo yeah but your vid title says DOMAN. Doman is a value:
      Chaldean Numerology
      The numerical value of Doman in Chaldean Numerology is: 3
      Pythagorean Numerology
      The numerical value of Doman in Pythagorean Numerology is: 2
      Or are you doman-down DNS theory for us plain-folk?

    • @CyberGizmo 3 years ago +1

      @@willypeters5937 ahh fixed and thanks

    • @willypeters5937 3 years ago

      @@CyberGizmo lol just yankin yer chain dude. call it...digital privilege...

  • @UpcycleElectronics 3 years ago

    34:20
    $ sudo systemctl stop systemd-resolved
    ..."I wouldn't disable it because if unbound doesn't come up, you have no DNS."
    later...
    '...you need to disable it'
    Why can't I disable/enable systemd-resolved just as easily as start/stop?

    • @CyberGizmo 3 years ago

      I dunno but there have been several times if I had a bazooka it would have stopped. :)

    • @CyberGizmo 3 years ago +1

      True, that's how I did it, the right way would have been to edit the resolv.conf file and change the DNS name to the unbound host, but I was in a hurry