Is dnssec working?

drewski · November 2, 2019, 12:02pm

sudo apt update
sudo apt upgrade -y

sudo apt install -y libev4 libevent-core-2.0.5 libuv1 libidn11 libyaml dns-root-data libunbound2
sudo apt install -y build-essential libssl-dev libtool m4 autoconf libyaml-dev

git clone https://github.com/getdnsapi/getdns.git
cd getdns
git checkout master
sed -i 's#git://#https://#g' .gitmodules # fix for git checkout
git submodule update --init
libtoolize -ci
autoreconf -fi
mkdir -v build && cd build
../configure --prefix=/usr/local --without-libidn --without-libidn2 --enable-stub-only --with-ssl --with-stubby
make
sudo make install
sudo /sbin/ldconfig -v

cd ../stubby
sudo useradd stubby
sudo /usr/bin/install -Dm644 stubby.yml.example /etc/stubby.yml

sudo nano /lib/systemd/system/stubby.service

[Unit]
Description=stubby DNS resolver
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/bin/stubby -C /etc/stubby.yml
Restart=on-abort
User=stubby

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable stubby
sudo systemctl start stubby

sudo /sbin/ldconfig -v

drewski · November 2, 2019, 12:29pm

^
This should get stubby installed.
The code after sudo nano goes inside the stubby.service you just created.
Follow this guide I just typed. The one I linked doesn't build stubby with SSL from some reason. That's a big problem. Just let me know if you get stuck. Once the above is completed. Run sudo nano /etc/stubby.yml I recommended turning off round robin in there. You may have to enable DNSSEC cannot remember the default. You can change the other configurations to your liking. The last thing you have to do is add the stubby IP and port to the DNS section in http://pi.hole/ this is configured in the above stubby.yml

Lastly I'm on mobile rn sorry if formatting is crap

Be careful with .yml files they do not like whitespace

drewski · November 2, 2019, 1:18pm

One more thing you might have trouble with the dependencies. You might have to search for the equivalent libs etc. sudo apt search

Example: I think libuv1 might actually be libuv10

Valiceemo · November 2, 2019, 2:16pm

Yes I have the hash in my config:

pi@pi-hole:~ $ cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.

include: "/etc/unbound/unbound.conf.d/*.conf"

#use ca-certificate
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes

pi@pi-hole:~ $ unbound-checkconf
/etc/unbound/unbound.conf:15: error: unknown keyword 'tls-cert-bundle'
/etc/unbound/unbound.conf:15: error: stray ':'
/etc/unbound/unbound.conf:15: error: stray '"'
/etc/unbound/unbound.conf:15: error: unknown keyword '/etc/ssl/certs/ca-certificates'
/etc/unbound/unbound.conf:15: error: stray '"'
read /etc/unbound/unbound.conf failed: 5 errors in configuration file

Get the same error with ssl-cert-bundle

Valiceemo · November 2, 2019, 2:20pm

Thanks @drewski for the detailed guide!
I'll give this a shot when I get a bit of spare time.

drewski · November 2, 2019, 2:21pm

You're welcome!
I'm just trying to piece it together it's been so long.

Valiceemo · November 2, 2019, 3:59pm

Yes you're right.
But even with

#use ca-certificate
ssl-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

In /etc/unbound/unbound.conf.d/pi-hole.conf I still get the same error

Valiceemo · November 2, 2019, 4:16pm

I am giving the answers.
My unbound pihole.conf contains server: at the top with the SSL cert entry underneath.
I removed ssl-cert-bundle from the main unbound config
The certificate file is located at /etc/ssl/certs/ca-certificate.crt
Hence me declaring it there.

drewski · November 2, 2019, 4:33pm

Can confirm the above works if you are interested. I just rebuilt stubby.

Valiceemo · November 2, 2019, 4:41pm

Definitely interested.
Just not able to try just yet. Will report back when I've got it going

Valiceemo · November 2, 2019, 7:02pm

I can make these changes, worth a try.
But the guys at the unbound git said the forward zones should be in the main unbound config

drewski · November 3, 2019, 10:37am

If i forward my request in TLS and my upstream is using dnssec how could tampering occur? No one can pretend to be my upstream and my upstream cannot spoof the test. So where is the danger?

drewski · November 3, 2019, 11:44am

I'm just making sure i have my head on straight.

Valiceemo · November 3, 2019, 7:24pm

Thought I'd give this a bash....failed at the first step.

pi@pi-hole:~ $ sudo apt install libev4 libevent-core-2.0.5 libuv1 libidn11 libyaml dns-root-data libunbound2
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'libevent-core-2.0-5' for regex 'libevent-core-2.0.5'
E: Unable to locate package libyaml

Searching for libyaml brings a few results, but I'm not sure on how to determine the best one to install

drewski · November 3, 2019, 7:32pm

I won't be able to ssh in for a bit but I can search for what I have installed. Sometime tonight
In the meantime if you're willing you can post the options it might spark a memory

drewski · November 3, 2019, 7:36pm

Is libyaml-dev or something similar an option?

Valiceemo · November 3, 2019, 7:51pm

Bingo.
Tried this one and it installed.
Just finishing of stubby install....
Expect more questions

drewski · November 3, 2019, 7:53pm

I can send you my stubby.yml if you want. The DNS server i use is in Germany and does DNSSEC

Valiceemo · November 3, 2019, 7:54pm

Thanks, might help me learn.

drewski · November 3, 2019, 7:55pm

I will do that when I sit down with putty in a bit