Insecure notation re: dns


Expected Behaviour:

Pi-hole to show secure

Actual Behaviour:

Pi-hole showing insecure for sites that have DNSSEC set up.

What does it mean "insecure" when a user has ticked on Use DNSSEC?

I'm noticing log entries that state "insecure" when I'm going to sites that I would figure would have DNSSEC set up, like Google, Microsoft, etc.



There is an entry in the FAQ

That's a good question and I'm also interested in feedback.


@jeffschips There are multiple possibilities, but to answer accurately, I need to get some more info:

  • which version of dnsmasq do you use (or do you use FTLDNS?)?
  • which upstream resolvers do you use?
  • does the DNSSEC test on the settings page give a positive result for you (I guess yes)?

Having said that, I just put pop.gmail.com into the DNSSEC validator and found out that they don't have it set up properly! If you have more specific domains, I'd be happy to analyze them with you as well.


Visit https://posteo.de and have a look at the Query Log, they have DNSSEC enabled. Or https://mailbox.org.

I was just about to suggest trying verisignlabs.com, but posteo.de is fine as well.

@mibere Excellent choice for the mail provider, they host my private mail as well :wink:

Yes, it replies as secure. Now what? I guess that means DNSSEC is working on my end and the reason places like Google and Microsoft show insecure is because they haven't tweaked their settings?

When I visit dns.watch, the Pi shows insecure.

Most companies, even the big ones, don't use DNSSEC.
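To see for yourself what the Query Log's "secure" and "insecure" labels mean, you can ask a validating resolver directly and read its response header. The added example below is not from the Pi-hole project or from anyone in this thread; it assumes dig is installed and that the resolver it talks to validates DNSSEC (for instance a Pi-hole with "Use DNSSEC" ticked). The resolver sets the AD (authenticated data) flag only when the chain of trust from the root down to the zone checks out; an unsigned zone gives a normal answer without AD (what Pi-hole shows as insecure), and a zone whose signatures fail to validate comes back as SERVFAIL (bogus). The sample dig headers are constructed for the test, not captured from any real domain.

```bash
#!/bin/sh
# Added example (not Pi-hole code): map a resolver's response header to the
# three DNSSEC states a validating resolver can report.
#   SECURE   - the AD flag is set: the answer was validated
#   INSECURE - NOERROR/NXDOMAIN without AD: the zone is simply not signed
#   BOGUS    - SERVFAIL: validation failed, or the upstream is broken
# Assumes a DNSSEC-validating resolver is configured for dig (assumption).

# classify_dig_header reads dig output on stdin and prints one of the words above.
classify_dig_header() {
    out=$(cat)
    # ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711'
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ...'
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)

    case "$status" in
        SERVFAIL) echo BOGUS; return 0 ;;
    esac
    for f in $flags; do
        [ "$f" = "ad" ] && { echo SECURE; return 0; }
    done
    echo INSECURE
}

# dnssec_status queries the configured resolver for an A record.
# +dnssec sets the DO bit so DNSSEC records are requested; +adflag asks the
# resolver to report AD in its reply.
dnssec_status() {
    dig +dnssec +adflag "$1" A | classify_dig_header
}

# Constructed sample headers (not captured from real domains) for offline use.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage against a live resolver: dnssec_status posteo.de
```

Run dnssec_status against a domain from the thread, such as posteo.de, and compare with the Pi-hole Query Log; the two should agree, because Pi-hole's label is derived from exactly this validation result. If a signed domain comes back INSECURE rather than SECURE, the resolver dig is talking to is not validating, which is a separate problem from the domain's own setup.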

Thank you for your quick response.

How do I find out which version of dnsmasq I'm using (even if I'm using it) and if I'm using FTLDNS instead?

The DNSSEC resolver test shows secure for the http://dnssec.vs.uni-due.de/ check.

The systems settings page in the admin console says I'm using FTL Version 3.0

You should be able to query the version of your current DNS resolver using

dig chaos txt version.bind +short
