DNS name resolution queries can be secured by DNSSEC to avoid various spoofing attacks. When a local validating DNS resolver is in use, all software can potentially benefit from local DNSSEC validation if the system is configured properly. The root zone provides a global trust anchor that in turn allows for validation of DNS records in signed zones. Other trust anchors can be configured to explicitly protect known DNS subtrees.
Applications that don't understand DNSSEC are transparently protected by the local validating resolver which reports name resolution failure whenever validation of a DNS record fails. On the other hand, applications that know about DNSSEC can distinguish validated DNS records from DNS records in unsigned zones. Such applications can use DNSSEC validated data for example to initiate TLS sessions. A TLS library can do that for the application.
Using dnssec-trigger and unbound to support split DNS and DNSSEC
For using or testing dnssec-trigger, we recommend using a fully updated Fedora 21, Fedora 22 or Rawhide. Note that we are assuming that you are using NetworkManager for your network configuration.
yum install dnssec-trigger
This will get you all necessary packages as dependencies.
Start using it
Since at least Fedora 22, dnssec-trigger service is enabled by default and thus you can simply reboot. If that is inconvenient, start dnssec-trigger service manually.
systemctl start dnssec-triggerd
dnssec-trigger-panel gets started in your session. It's an important piece of the ecosystem as it notifies you when DNSSEC trigger cannot be used and allows you to perform hotspot signon or disable DNSSEC temporarily. Having user interface at hand is a critical feature when moving between networks. On a headless system with an SSH session, the same actions can be performed using
Get rid of it
The best way to disable the split DNS and DNSSEC functions temporarily is to choose Hotspot signon in the context menu of dnssec-trigger applet to which dnssec-trigger daemon currently responds by doing its best to reset
/etc/resolv.conf to a state without dnssec-trigger. Stopping the daemon results in similar behavior. You can perform the same action from the command line as well.
To get back the above functions, you can use the same context menu, just choose Reprobe. Command line variant is also available.
To abandon the features permanently, the best way is to uninstall dnssec-trigger and if you don't need unbound for other purposes, you can uninstall it as well.
yum remove unbound
How it works
Configuring unbound manually for split DNS and DNSSEC
Manual configuration via Unbound
Using dnssec-trigger-control (for testing only)
/etc/resolv.conf to use a local unbound instance on
127.0.0.1 and Unbound to use a secure global zone with nameservers submitted through
dnssec-trigger-control or, if those aren't suitable, using public nameservers run by Fedora or the upstream project.
It also performs captive portal (hotspot) detection and temporarily changes
/etc/resolv.conf to include the nameservers of the local network directly. That unfortunately breaks the local zones used with any network interfaces including those that have nothing to do with the captive portal connection.
Show global configuration and connection zones configuration in unbound:
$ unbound-control forward $ unbound-control list_forwards
To check NetworkManager's view of the configuration, use:
$ nmcli connection show active $ nmcli connection show active <id/uuid>
- Adding search domains.
- Common changes that people may wish to make such as the add_wifi_provided_zones
- When caches are flushed and what triggers that.
- How issues such as VPN provided name servers are handled.
- How to restart the services correctly.