Unbound and encryption

Denkai · June 10, 2018, 11:22am

Expected Behaviour:

better security when visiting https://rootcanary.org/test.html

Actual Behaviour:

lots of unlocks on page, other posts I have seen have lots of locks, unsure what to do.

running FTLDNS with unbound on a pi2 raspbian stretch. router is a DD-WRT installed Linksys EA8500.

passes dnssec test http://dnssec.vs.uni-due.de/

I think I found the Fix:

however this talks to me as if I'm at the level of someone that's competent. can someone help me with this? maybe make one of those awesome pi-hole guides for dummies like me?

mibere · June 10, 2018, 2:52pm

Do you know this guide?

Pi-hole as All-Around DNS Solution

It contains

Configure unbound

Highlights: - Listen only for queries from the local Pi-hole installation (on port 5353) - Listen for both UDP and TCP requests - Verify DNSSEC signatures, discarding BOGUS domains - Apply a few security and privacy tricks

Denkai · June 10, 2018, 3:18pm

Yes, followed that guide, it's how i got unbound installed. DNSSEC passes.however, from what I gather, unbound isn't verifying certification, so theoretically you can spoof the certificate and dnssec will be useless

mibere · June 10, 2018, 4:21pm

https://rootcanary.org/test.html is a bit strange, sometimes I have to run the test a second time. But I guess the button "Re-run test" doesn't solve your issue?

You also can try to switch the setting "Use DNSSEC" in the Pi-hole web interface (tab "DNS").

Denkai · June 10, 2018, 4:42pm

unfortunately no, and neither did a DNS flush. DNSSEC is enabled and working.

mibere · June 10, 2018, 4:45pm

The DNSSEC result on the following sites is ok too?

https://internet.nl/connection/
http://www.dnssec-or-not.com/
https://cmdns.dev.dns-oarc.net/

Denkai · June 10, 2018, 4:46pm

yes, it works on those sites. DNSSEC is working.

system · July 1, 2018, 4:46pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.