DNS security question re: Pihole/Unbound

Have Pihole/Unbound running well. Checking DNS security here shows 2 failures. If familiar with this, can you suggest configuration changes to correct? Or, not necessary to correct?

site is: https://dnscheck.tools/
Hmm... There was an issue checking your DNS security:

  • correct P-256 signature... fail*
  • invalid P-256 signature... pass
  • expired P-256 signature... pass
  • correct P-384 signature... pass
  • invalid P-384 signature... pass
  • expired P-384 signature... pass
  • correct Ed25519 signature... fail*
  • invalid Ed25519 signature... pass
  • expired Ed25519 signature... pass
  • unsigned domain... pass

There is an unbound option that controls how the various DS algorithms are handled:

harden-algo-downgrade: <yes or no>
              Harden against algorithm downgrade when multiple algorithms are advertised in the DS record. If no, allows the weakest algorithm to validate the zone. Default is no. Zone signers must produce zones that allow this feature to work, but sometimes they do not, and turning this option off avoids that validation failure.

Different versions of unbound may handle this differently. I know that for the version that ships with Bullseye or Stretch, this defaults to no.

The results of the same check you ran from your linked URL for these versions are:

Great! Your DNS responses are authenticated with DNSSEC:
correct P-256 signature... pass
invalid P-256 signature... pass
expired P-256 signature... pass
correct P-384 signature... pass
invalid P-384 signature... pass
expired P-384 signature... pass
correct Ed25519 signature... pass
invalid Ed25519 signature... pass
expired Ed25519 signature... pass
unsigned domain... pass

What are the outputs of the following commands from the Pi terminal:

unbound -V | grep Version

sudo grep -v '#\|^$' -R /etc/unbound/unbound.conf*
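As an added illustration of the policy the man page text above describes (my own example, not unbound's code and not from this thread), the following Python models the two ways a validator can treat a delegation whose DS RRset advertises more than one algorithm. The Zone class and the sample zones are constructed; the algorithm numbers are the IANA registry values.

```python
"""Model of how a DNSSEC validator treats a delegation whose DS RRset
advertises more than one signing algorithm, in the two modes that
unbound's harden-algo-downgrade option selects.  Added illustration
of the policy, not unbound's code; the zone data below is constructed."""
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA registry
ECDSAP256SHA256 = 13
ECDSAP384SHA384 = 14
ED25519 = 15
ED448 = 16

@dataclass
class Zone:
    """Constructed view of a child zone: the algorithms listed in the
    parent's DS RRset, and those for which a valid RRSIG exists."""
    ds_algorithms: set
    valid_signature_algorithms: set

def validate(zone, supported, harden_algo_downgrade):
    """Return 'secure', 'bogus' or 'insecure'.

    harden-algo-downgrade: no  -> one valid signature under any advertised,
      supported algorithm suffices (RFC 6840 section 5.11), so the zone may
      validate with the weakest algorithm it advertises.
    harden-algo-downgrade: yes -> every advertised algorithm the validator
      supports must have a valid signature; a missing one makes it bogus.
    A DS set with no supported algorithm is treated as insecure in both
    modes (RFC 4035 section 5.2).
    """
    usable = zone.ds_algorithms & supported
    if not usable:
        return "insecure"
    valid = usable & zone.valid_signature_algorithms
    if harden_algo_downgrade:
        return "secure" if valid == usable else "bogus"
    return "secure" if valid else "bogus"

SUPPORTED = {ECDSAP256SHA256, ECDSAP384SHA384, ED25519, ED448}

# Constructed zones: DS advertises two algorithms but only one signs;
# both advertised algorithms sign; the advertised algorithm never signs.
P256_ONLY = Zone({ECDSAP256SHA256, ED25519}, {ECDSAP256SHA256})
FULLY_SIGNED = Zone({ECDSAP256SHA256, ED25519}, {ECDSAP256SHA256, ED25519})
NEVER_SIGNED = Zone({ECDSAP256SHA256}, set())

def report(zone):
    """Outcome under (harden-algo-downgrade: yes, harden-algo-downgrade: no)."""
    return (validate(zone, SUPPORTED, True), validate(zone, SUPPORTED, False))
```

P256_ONLY is the shape that turns a "correct signature" check into a failure only when the option is set to yes: the zone is correctly signed, but not with every algorithm its DS records promise.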

Thank you for the reply. Here is the output requested:

root@pi4d:/home/pi4d# unbound -V | grep Version
Version 1.13.1
root@pi4d:/home/pi4d# grep -v '#\|^$' -R /etc/unbound/unbound.conf*
/etc/unbound/unbound.conf:include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
/etc/unbound/unbound.conf.d/pi-hole.conf:server:
/etc/unbound/unbound.conf.d/pi-hole.conf:verbosity: 0
/etc/unbound/unbound.conf.d/pi-hole.conf:interface: 127.0.0.1
/etc/unbound/unbound.conf.d/pi-hole.conf:port: 5335
/etc/unbound/unbound.conf.d/pi-hole.conf:do-ip4: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:do-udp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:do-tcp: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:do-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:prefer-ip6: no
/etc/unbound/unbound.conf.d/pi-hole.conf:root-hints: "/var/lib/unbound/root.hints"
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-glue: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-large-queries: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-dnssec-stripped: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:edns-buffer-size: 1232
/etc/unbound/unbound.conf.d/pi-hole.conf:rrset-roundrobin: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:cache-min-ttl: 300
/etc/unbound/unbound.conf.d/pi-hole.conf:cache-max-ttl: 86400
/etc/unbound/unbound.conf.d/pi-hole.conf:serve-expired: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-algo-downgrade: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:harden-short-bufsize: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:hide-identity: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:identity: "Server"
/etc/unbound/unbound.conf.d/pi-hole.conf:hide-version: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:do-daemonize: no
/etc/unbound/unbound.conf.d/pi-hole.conf:neg-cache-size: 4m
/etc/unbound/unbound.conf.d/pi-hole.conf:qname-minimisation: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:deny-any: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:minimal-responses: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:prefetch: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:prefetch-key: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:num-threads: 1
/etc/unbound/unbound.conf.d/pi-hole.conf:msg-cache-size: 50m
/etc/unbound/unbound.conf.d/pi-hole.conf:rrset-cache-size: 100m
/etc/unbound/unbound.conf.d/pi-hole.conf:so-reuseport: yes
/etc/unbound/unbound.conf.d/pi-hole.conf:so-rcvbuf: 4m
/etc/unbound/unbound.conf.d/pi-hole.conf:so-sndbuf: 4m
/etc/unbound/unbound.conf.d/pi-hole.conf:unwanted-reply-threshold: 100000
/etc/unbound/unbound.conf.d/pi-hole.conf:log-queries: no
/etc/unbound/unbound.conf.d/pi-hole.conf:log-replies: no
/etc/unbound/unbound.conf.d/pi-hole.conf:log-servfail: no
/etc/unbound/unbound.conf.d/pi-hole.conf:log-local-actions: no
/etc/unbound/unbound.conf.d/pi-hole.conf:logfile: /dev/null
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: 192.168.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: 169.254.0.0/16
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: 172.16.0.0/12
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: 10.0.0.0/8
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: fd00::/8
/etc/unbound/unbound.conf.d/pi-hole.conf:private-address: fe80::/10
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf:server:
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf: auto-trust-anchor-file: "/var/lib/unbound/root.key"
root@pi4d:/home/pi4d#

Hello! Changed that to 'no'.
That made all the tests a green pass. Thank you!

Hi again. When using Pihole-Unbound in this configuration, who is handling the upstream DNS, our ISP or ?

Authoritative DNS servers. Starting at the top level with the root servers, then working downward to lower level nameservers.

https://docs.pi-hole.net/guides/dns/unbound/#what-is-a-recursive-dns-server
