Unbound and encryption

Denkai · 2018-06-10 11:22:49 UTC

Expected Behaviour:

better security when visiting https://rootcanary.org/test.html

Actual Behaviour:

lots of unlocks on page, other posts I have seen have lots of locks, unsure what to do.

running FTLDNS with unbound on a pi2 raspbian stretch. router is a DD-WRT installed Linksys EA8500.

passes dnssec test http://dnssec.vs.uni-due.de/

I think I found the Fix:

however this talks to me as if I’m at the level of someone that’s competent. can someone help me with this? maybe make one of those awesome pi-hole guides for dummies like me?

mibere · 2018-06-10 14:52:49 UTC

Do you know this guide?

Pi-hole as All-Around DNS Solution

It contains

Configure unbound

Highlights: - Listen only for queries from the local Pi-hole installation (on port 5353) - Listen for both UDP and TCP requests - Verify DNSSEC signatures, discarding BOGUS domains - Apply a few security and privacy tricks

Denkai · 2018-06-10 15:18:14 UTC

Yes, followed that guide, it’s how i got unbound installed. DNSSEC passes.however, from what I gather, unbound isn’t verifying certification, so theoretically you can spoof the certificate and dnssec will be useless

mibere · 2018-06-10 16:21:23 UTC

https://rootcanary.org/test.html is a bit strange, sometimes I have to run the test a second time. But I guess the button “Re-run test” doesn’t solve your issue?

You also can try to switch the setting “Use DNSSEC” in the Pi-hole web interface (tab “DNS”).

Denkai · 2018-06-10 16:42:00 UTC

unfortunately no, and neither did a DNS flush. DNSSEC is enabled and working.

mibere · 2018-06-10 16:45:37 UTC

The DNSSEC result on the following sites is ok too?

https://internet.nl/connection/
http://www.dnssec-or-not.com/
https://cmdns.dev.dns-oarc.net/

Denkai · 2018-06-10 16:46:38 UTC

yes, it works on those sites. DNSSEC is working.