
List:       unbound-users
Subject:    Trusting a dnsmasq stub
From:       Markus Gutschke (顧孟勤) via Unbound-users <unbound-user
Date:       2017-04-12 19:10:26
Message-ID: CALGCz1py-v8wtBqoiHoYt5YgkP1MbUbet=wKfamY6CqPJpgvUQ () mail ! gmail ! com

I have configured "unbound" with a stub resolver pointing to my "dnsmasq"
DHCP server and a forward resolver pointing to Google's DNS servers. A
simplified version of my configuration file looks something like this:

server:
  do-not-query-localhost: no
  local-zone:             "168.192.in-addr.arpa." nodefault

  private-address:        10.0.0.0/8
  private-address:        169.254.0.0/16
  private-address:        172.16.0.0/12
  private-address:        192.168.0.0/16
  private-address:        fd00::/8
  private-address:        fe80::/10
  private-address:        ::ffff:0:0/96

  private-domain:         "dnsmasq.example.com"
  domain-insecure:        "dnsmasq.example.com"
  domain-insecure:        "168.192.in-addr.arpa"

stub-zone:
  name:                   "dnsmasq.example.com."
  stub-addr:              192.168.x.y

stub-zone:
  name:                   "168.192.in-addr.arpa."
  stub-addr:              192.168.x.y

forward-zone:
  name:                   "."
  forward-addr:           8.8.8.8
  forward-addr:           8.8.4.4


In general, this works beautifully and does exactly what it should do.
"Unbound" returns validated results for the internet at large, and it also
provides dynamically updated results as hosts appear and disappear from the
DHCP-managed local area network.

The only wrinkle in this picture is that while "dnsmasq" happily sets the
AD flag, "unbound" immediately strips it again. At the root of it, this is
of course a limitation in "dnsmasq", which doesn't know how to sign results
with DNSSEC. To make matters worse, I have a similarly configured stub
resolver that returns the hosts in my "LXD" cluster, and thanks to some
additional unfortunate limitations in "dnsmasq", for that particular
instance, I can't even configure "dnsmasq" to set the AD flag on results
that it is authoritative for.

I have looked for proxies that can take the results from "dnsmasq" and sign
them with DNSSEC. But as far as I can tell, no such thing exists. So, that
brings me to my question for "unbound". As all the servers run on the same
physical machine and use trusted internal communication, I know I can trust
the results received from "dnsmasq". Is there a way that I can teach
"unbound" to set the AD flag (and possibly even the AA flag) for any of the
stub resolvers?

Would that be something I could do in a module? Or could I patch my
instance of "unbound" to have this additional feature? I realize that it
probably goes a little bit against the philosophy of "unbound". So, if
there is another solution that would be considered kosher and that provides
the same ultimate result, then please do enlighten me.

I searched the mailing list archives, and while I occasionally see people
asking about similar features, I have not been able to find an answer to my
question.


Markus
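The question turns on two header bits, AA and AD, which are plain unsigned metadata in the first four bytes of every DNS message. The following worked example is added here and is not part of Markus's post, nor code from Unbound or dnsmasq. It builds a constructed reply of the kind an authoritative dnsmasq stub would hand back (the host name `host.dnsmasq.example.com`, the address `192.168.0.10` and the ID `0x1234` are placeholders), decodes the flag bits, and shows what "stripping the AD flag" means on the wire: the answer section is byte-for-byte identical, only the flags word changes. `trusts_answer` is a hypothetical client-side check that illustrates why a validating resolver clears AD for a `domain-insecure` zone: a downstream client cannot tell an AD bit set by a validator from one copied out of an unsigned upstream reply, so the bit is only meaningful to a client that already trusts the resolver and the path to it (RFC 4035, section 4.9.3).

```python
"""Inspect and rewrite the AA/AD bits of a DNS message header.

Added example, not from the original post or from Unbound/dnsmasq.
All sample values below are constructed placeholders.
"""
import struct

# Bit positions inside the 16-bit flags word (RFC 1035 header; AD/CD from RFC 4035).
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_reply(ident: int, flags: int, name: str, ipv4: str, ttl: int = 60) -> bytes:
    """Build a minimal response: one A question plus one A answer.

    The answer owner name is a compression pointer (0xC00C) to the question name at offset 12.
    """
    header = struct.pack("!HHHHHH", ident, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def parse_header(msg: bytes) -> dict:
    """Return the header counts and the decoded flag bits of a DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    fields = {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}
    fields.update(id=ident, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
                  qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return fields


def set_flag(msg: bytes, flag: str, value: bool) -> bytes:
    """Return a copy of msg with one header flag bit set or cleared; every other byte is untouched."""
    bit = FLAG_BITS[flag]
    flags = struct.unpack("!H", msg[2:4])[0]
    flags = flags | (1 << bit) if value else flags & ~(1 << bit)
    return msg[:2] + struct.pack("!H", flags & 0xFFFF) + msg[4:]


def trusts_answer(msg: bytes) -> bool:
    """Hypothetical client check: rely on the data only if the resolver asserted AD with NOERROR."""
    h = parse_header(msg)
    return h["QR"] and h["AD"] and h["rcode"] == 0


# Constructed sample: what an authoritative dnsmasq stub might return for a DHCP host.
# QR, AA, RD, RA and AD are all set (flags word 0x85A0).
QR, AA, RD, RA, AD = (1 << FLAG_BITS[f] for f in ("QR", "AA", "RD", "RA", "AD"))
DNSMASQ_REPLY = build_a_reply(0x1234, QR | AA | RD | RA | AD,
                              "host.dnsmasq.example.com", "192.168.0.10")

# The same answer after a validating recursive resolver relays it for an insecure zone:
# AD is cleared because nothing was validated, and AA is normally clear as well because
# the recursive resolver is not itself authoritative for the name.
UNBOUND_REPLY = set_flag(set_flag(DNSMASQ_REPLY, "AD", False), "AA", False)


if __name__ == "__main__":
    for label, m in (("dnsmasq", DNSMASQ_REPLY), ("unbound", UNBOUND_REPLY)):
        h = parse_header(m)
        print(f"{label}: AA={h['AA']} AD={h['AD']} rcode={h['rcode']} "
              f"ancount={h['ancount']} trusted={trusts_answer(m)}")
```

Running it prints the two flag sets side by side; the payload after byte 4 is identical for both, which is exactly why AD on its own proves nothing to a client that did not validate the chain itself.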
