Have Pihole/Unbound running well. Checking DNS security here shows 2 failures. If familiar with this, can you suggest configuration changes to correct? Or is it not necessary to correct?
site is: https://dnscheck.tools/
Hmm... There was an issue checking your DNS security:
correct P-256 signature... fail*
invalid P-256 signature... pass
expired P-256 signature... pass
correct P-384 signature... pass
invalid P-384 signature... pass
expired P-384 signature... pass
correct Ed25519 signature... fail*
invalid Ed25519 signature... pass
expired Ed25519 signature... pass
unsigned domain... pass
jfb
May 9, 2023, 12:15am
2
There is an unbound option that controls how the various DS algorithms are handled:
harden-algo-downgrade: <yes or no>
Harden against algorithm downgrade when multiple algorithms are advertised in the DS record. If no, allows the weakest algorithm to validate the zone. Default is no. Zone signers must produce zones that allow this feature to work, but sometimes they do not, and turning this option off avoids that validation failure.
Different versions of unbound may handle this differently. I know that for the version that ships with Bullseye or Stretch, this defaults to no.
The results of the same check you ran from your linked URL for these versions are:
Great! Your DNS responses are authenticated with DNSSEC:
correct P-256 signature... pass
invalid P-256 signature... pass
expired P-256 signature... pass
correct P-384 signature... pass
invalid P-384 signature... pass
expired P-384 signature... pass
correct Ed25519 signature... pass
invalid Ed25519 signature... pass
expired Ed25519 signature... pass
unsigned domain... pass
What are the outputs of the following commands from the Pi terminal:
unbound -V | grep Version
sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
Thank you for reply. Here is output requested:
root@pi4d:/home/pi4d# unbound -V | grep Version
Version 1.13.1
root@pi4d:/home/pi4d# grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-large-queries: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:rrset-roundrobin: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:cache-min-ttl: 300
/etc/unbound/unbound.conf.d/pi-hole.conf:cache-max-ttl: 86400
/etc/unbound/unbound.conf.d/pi-hole.conf:serve-expired: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-algo-downgrade: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-short-bufsize: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:hide-identity: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:identity: "Server"
/etc/unbound/unbound.conf.d/pi-hole.conf:hide-version: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:do-daemonize: no
/etc/unbound/unbound.conf.d/pi-hole.conf:neg-cache-size: 4m
/etc/unbound/unbound.conf.d/pi-hole.conf:qname-minimisation: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:deny-any: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:minimal-responses: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:prefetch-key: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:msg-cache-size: 50m
/etc/unbound/unbound.conf.d/pi-hole.conf:rrset-cache-size: 100m
/etc/unbound/unbound.conf.d/pi-hole.conf:so-reuseport: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:so-rcvbuf: 4m
/etc/unbound/unbound.conf.d/pi-hole.conf:so-sndbuf: 4m
/etc/unbound/unbound.conf.d/pi-hole.conf:unwanted-reply-threshold: 100000
/etc/unbound/unbound.conf.d/pi-hole.conf:log-queries: no
/etc/unbound/unbound.conf.d/pi-hole.conf:log-replies: no
/etc/unbound/unbound.conf.d/pi-hole.conf:log-servfail: no
/etc/unbound/unbound.conf.d/pi-hole.conf:log-local-actions: no
/etc/unbound/unbound.conf.d/pi-hole.conf:logfile: /dev/null
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: fe80::/10
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf: auto-trust-anchor-file: "/var/lib/unbound/root.key"
root@pi4d:/home/pi4d#
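The change jfb suggests is a one-line edit to pi-hole.conf, but on a tree that uses include-toplevel it is worth checking which file actually defines the option before and after editing. The script below is an added example, not code from this thread or from the Pi-hole or Unbound projects: it reports the effective value of any server: option across a directory laid out like the one above, rewrites the option in place, and demonstrates the harden-algo-downgrade change on a constructed copy of the posted config rather than on /etc/unbound. The function names, the temporary directory and the excerpt of pi-hole.conf it builds are all assumptions of the example. Keep the quoted man page text in mind when applying it: with the option set to no, the weakest algorithm advertised in a DS record is allowed to validate the zone, so the setting trades that downgrade protection for compatibility with signers that do not sign with every algorithm they advertise.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Pi-hole/Unbound projects.
# Audits and rewrites a single "server:" option across an Unbound tree laid out
# like the one above (unbound.conf with include-toplevel pulling in
# unbound.conf.d/*.conf). The directory is a parameter so the demo at the
# bottom runs against a constructed copy instead of /etc/unbound.
set -eu

# Print the effective value of an option, or "unset" if nothing defines it.
# Like the grep used in the thread, this scans every file under the directory
# rather than following include directives; when an option is defined more
# than once, the last definition found is the one reported.
unbound_option_value() {
    dir=$1; key=$2
    val=$(grep -rh "^[[:space:]]*$key:" "$dir" 2>/dev/null \
          | sed -e 's/#.*//' \
                -e "s/^[[:space:]]*$key:[[:space:]]*//" \
                -e 's/[[:space:]]*$//' \
          | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Set an option in one config file: rewrite an existing definition in place
# (keeping its indentation), otherwise append one. Appending assumes the file
# ends inside its "server:" clause, which is true of the pi-hole.conf above.
unbound_set_option() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key:" "$file"; then
        tmp=$(mktemp)
        sed "s|^\([[:space:]]*\)$key:.*|\1$key: $value|" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf '    %s: %s\n' "$key" "$value" >> "$file"
    fi
}

# --- demo on a constructed copy of the layout from the thread ---
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/unbound.conf.d"
cat > "$demo_dir/unbound.conf" <<EOF
include-toplevel: "$demo_dir/unbound.conf.d/*.conf"
EOF
cat > "$demo_dir/unbound.conf.d/pi-hole.conf" <<'EOF'
server:
    # constructed excerpt of the pi-hole.conf posted above
    interface: 127.0.0.1
    port: 5335
    harden-dnssec-stripped: yes
    harden-algo-downgrade: yes
    private-address: fd00::/8
EOF

echo "before: harden-algo-downgrade = $(unbound_option_value "$demo_dir" harden-algo-downgrade)"
unbound_set_option "$demo_dir/unbound.conf.d/pi-hole.conf" harden-algo-downgrade no
echo "after:  harden-algo-downgrade = $(unbound_option_value "$demo_dir" harden-algo-downgrade)"
rm -rf "$demo_dir"
```

On the Pi itself, point the audit at the real tree (`unbound_option_value /etc/unbound harden-algo-downgrade`), make the edit to /etc/unbound/unbound.conf.d/pi-hole.conf with sudo, then run `sudo unbound-checkconf` and `sudo systemctl restart unbound` before repeating the dnscheck.tools run.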
Hello! Changed that to 'no'.
That made all the tests a green pass. Thank you!
Hi again. When using Pihole-Unbound in this configuration, who is handling the upstream DNS, our ISP or ?
jfb
May 9, 2023, 6:34pm
6
Authoritative DNS servers. Starting at the top level with the root servers, then working downward to lower level nameservers.
system
Closed
May 16, 2023, 6:34pm
7
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.