DNSSEC

Since IPFire 2.15 core update 80 IPFire comes with DNSSEC enabled by default. That means that all DNS responses are verified so that DNS spoofing is not possible any more.

Before IPFire 2.19 core update 106, this required that the DNS servers the IPFire DNS proxy forwards queries to also must verify DNS responses. Because dnsmasq did not recursively resolve DNS queries, it needs to know if the domain supports DNSSEC and will then execute a verification for the requested DNS record. This limitation was removed after replacing dnsmasq with unbound.

How does DNSSEC work?

DNSSEC helps protect the DNS from attacks by adding digital signatures to DNS records, allowing resolvers to verify their authenticity and maintain the integrity of the system. What kind of attacks? A common example is DNS cache poisoning, where an attacker can redirect users to a malicious website by providing false IP address information.

Here a summary of how DNSSEC works (adapted from a chatGPT Text):

1. DNSSEC uses public key cryptography, where each domain has a private key to sign its DNS records and a public key to verify the signature.
2. When a DNS record is created, the domain's private key is used to sign the record, creating a digital signature. This signature is then included in the DNS response.
3. When a user requests a DNS record, the resolver (usually the user's ISP) receives the record along with the digital signature. The resolver uses the domain's public key to verify the signature. If it's valid, the DNS record is considered trustworthy and used by the user's browser.
4. DNSSEC uses a hierarchical trust model, where the trust starts from the root zone and extends to top-level domains (TLDs) and then to individual domains. Each level in the hierarchy signs the public key of the level below, creating a chain of trust that ensures the integrity of the entire system.

DNSSEC Verification

In order to find out if your system properly works with DNSSEC, check out the DNSSEC resolver test from
- Universität Duisburg-Essen.
- Internet Society

To find out more about a zone's DNSSEC status, check out
- DNSViz (Sandia National Laboratories, Verisign, DNS-OARC)

Further Reading

• Domain Whitelisting
• Hosted Blacklists
• IPFire Blog articles:
  • 18 Nov 2016 - Rolling out DNSSEC to the masses
  • 9 Sep 2018 - DNSSEC key rollover soon
  • 4 Aug 2020 - DNS configuration recommendations for IPFire users