[opensuse-support] Questions on dnsmasq
In order to learn more about DNS, DNSSEC, ... I'm playing around with DNSMASQ (openSUSE Leap 15.0, KDE, NetworkManager) as a local DNS-Server (no DHCP).
It works fine so far. However, although dnssec is enabled in dnsmasq.conf the log shows that only 12% of all queries return an IP validated as SECURE.
Queries for opensuse.pool.ntp.org, de.pool.ntp.org, opensuse.org or my NetBankingSite return IPs validated as INSECURE.
Currently I have enabled dnsmasq (systemctl enable dnsmasq) and use dns=none in a NetworkManager config file in /etc/NetworkManager/conf.d/. Would it be better to give the dnsmasq-handling to NetworkManager (dns=dnsmasq)?
Is there a(nother) way to improve security (like using DNS-over-TLS, DNS-over-HTTPS, ...) and if so how can I implement it?
Thank you for any advice!
Regards
Hagen
--
To unsubscribe, e-mail: opensuse-support+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-support+owner@opensuse.org
22.03.2019 18:57, Hagen Buliwyf wrote:
> In order to learn more about DNS, DNSSEC, ... I'm playing around with DNSMASQ (openSUSE Leap 15.0, KDE, NetworkManager) as a local DNS-Server (no DHCP).
> It works fine so far. However, although dnssec is enabled in dnsmasq.conf the log shows that only 12% of all queries return an IP validated as SECURE.
Why do you think it has anything to do with dnsmasq?
> Queries for opensuse.pool.ntp.org, de.pool.ntp.org, opensuse.org or my NetBankingSite return IPs validated as INSECURE.
So they do not sign their records. https://dnssec-analyzer.verisignlabs.com/
> Currently I have enabled dnsmasq (systemctl enable dnsmasq) and use dns=none in a NetworkManager config file in /etc/NetworkManager/conf.d/. Would it be better to give the dnsmasq-handling to NetworkManager (dns=dnsmasq)?
> Is there a(nother) way to improve security (like using DNS-over-TLS, DNS-over-HTTPS, ...) and if so how can I implement it?
> Thank you for any advice!
> Regards
> Hagen
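Added example, not part of the thread: a short Python tally of dnsmasq validation results from a query log, to put a figure like the 12% SECURE share in context. INSECURE is the status for answers from zones that publish no DNSSEC signatures, while BOGUS marks an answer that failed validation. The log lines are constructed, and the line format (including the "validation result is ..." wording) is an assumption about a dnsmasq build running with log-queries enabled.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of dnsmasq "log-queries" output.
# Names ending in .example and the 192.0.2.x address are placeholders.
SAMPLE_LOG = """\
Mar 22 18:00:01 dnsmasq[1234]: query[A] opensuse.org from 127.0.0.1
Mar 22 18:00:01 dnsmasq[1234]: forwarded opensuse.org to 192.0.2.53
Mar 22 18:00:01 dnsmasq[1234]: dnssec-query[DS] opensuse.org to 192.0.2.53
Mar 22 18:00:01 dnsmasq[1234]: validation result is INSECURE
Mar 22 18:00:02 dnsmasq[1234]: query[A] de.pool.ntp.org from 127.0.0.1
Mar 22 18:00:02 dnsmasq[1234]: validation result is INSECURE
Mar 22 18:00:03 dnsmasq[1234]: query[A] signed.example from 127.0.0.1
Mar 22 18:00:03 dnsmasq[1234]: validation result is SECURE
Mar 22 18:00:04 dnsmasq[1234]: query[A] broken.example from 127.0.0.1
Mar 22 18:00:04 dnsmasq[1234]: validation broken.example is BOGUS
"""

# Assumption: an optional "<serial> <client>" prefix may precede the message.
PREFIX = r"dnsmasq\[\d+\]: (?:\d+ \S+ )?"
QUERY = re.compile(PREFIX + r"query\[\w+\] (\S+) from ")
VALID = re.compile(PREFIX + r"validation (\S+) is (SECURE|INSECURE|BOGUS)")

def tally(log_text):
    """Count validation results and group queried names by result."""
    counts, names, last_query = Counter(), defaultdict(set), None
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            last_query = m.group(1)
            continue
        m = VALID.search(line)
        if m:
            subject, status = m.groups()
            # When the line says only "result", fall back to the most recent
            # client query (a heuristic; it can mislabel on a busy resolver).
            name = last_query if subject == "result" else subject
            counts[status] += 1
            if name:
                names[status].add(name)
    return counts, names

def secure_share(counts):
    """Percentage of validated answers that were SECURE."""
    total = sum(counts.values())
    return 100.0 * counts["SECURE"] / total if total else 0.0

if __name__ == "__main__":
    counts, names = tally(SAMPLE_LOG)
    print(f"SECURE share: {secure_share(counts):.0f}%")
    for status in ("SECURE", "INSECURE", "BOGUS"):
        print(status, counts[status], sorted(names[status]))
```

A low SECURE share made up of INSECURE results reflects how many of the queried zones are signed; BOGUS entries are the ones that warrant a closer look.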
22.03.19 18:08 - Andrei Borzenkov:
> 22.03.2019 18:57, Hagen Buliwyf wrote:
>> In order to learn more about DNS, DNSSEC, ... I'm playing around with DNSMASQ (openSUSE Leap 15.0, KDE, NetworkManager) as a local DNS-Server (no DHCP).
>> It works fine so far. However, although dnssec is enabled in dnsmasq.conf the log shows that only 12% of all queries return an IP validated as SECURE.
> Why do you think it has anything to do with dnsmasq?
Sorry, I just start to learn on this and was wondering if my configuration might need more tweaking or even some corrections.
>> Queries for opensuse.pool.ntp.org, de.pool.ntp.org, opensuse.org or my NetBankingSite return IPs validated as INSECURE.
> So they do not sign their records.
Isn't DNSSEC a plus in security?
Thank you very much for the link!
Regards
Hagen
On Fri, 22 Mar 2019 18:22:25 +0100 Hagen Buliwyf <hagen.buliwyf@t-online.de> wrote:
> 22.03.19 18:08 - Andrei Borzenkov:
>> 22.03.2019 18:57, Hagen Buliwyf wrote:
>>> In order to learn more about DNS, DNSSEC, ... I'm playing around with DNSMASQ (openSUSE Leap 15.0, KDE, NetworkManager) as a local DNS-Server (no DHCP).
>>> It works fine so far. However, although dnssec is enabled in dnsmasq.conf the log shows that only 12% of all queries return an IP validated as SECURE.
>> Why do you think it has anything to do with dnsmasq?
> Sorry, I just start to learn on this and was wondering if my configuration might need more tweaking or even some corrections.
>>> Queries for opensuse.pool.ntp.org, de.pool.ntp.org, opensuse.org or my NetBankingSite return IPs validated as INSECURE.
>> So they do not sign their records.
> Isn't DNSSEC a plus in security?
> Thank you very much for the link!
Indeed so. I don't know anything about this subject but am somewhat troubled that my bank produces a report showing many failures at its level, but none at the level above (.co.uk). I don't know whether I should worry, so a link to an explanation and/or interpretation of the results would be useful.
Cheers, Dave