I recently implemented a forward only BIND server for home. I was forwarding to
OpenDNS FamilyShield using TLS and DNSSEC at first, but I was getting a
noticeable amount of SERVFAIL responses. I believe it is related to DNSSEC (see
delv tests below), but I don't believe it is my configuration because when I
forward to Cloudflare's Family service, or to Google DNS, I don't have any
problems with the same domains (e.g. www.cdc.gov).
I contacted Cisco Umbrella support because I was thinking it's an issue with
their servers, but they didn't really help, so I thought I would try this list
for advice.
Would appreciate it if someone could review my configuration and/or reproduce
my results to see if I'm doing something wrong.
Thanks,
Bob
Here are some tests I ran:
admin@router1:~$ apt-cache policy bind9
bind9:
Installed: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7
Candidate: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7
Version table:
*** 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 500
500 https://packages.sury.org/bind-dev bookworm/main amd64 Packages
100 /var/lib/dpkg/status
1:9.18.28-1~deb12u2 500
500 http://deb.debian.org/debian bookworm/main amd64 Packages
500 http://security.debian.org/debian-security bookworm-security/main
amd64 Packages
admin@router1:~$ delv -v
delv 9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7-Debian
admin@router1:~$ delv -4 @208.67.220.123 www.cdc.gov<http://www.cdc.gov>. A
;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN': 208.67.220.123#53
;; broken trust chain resolving 'www.cdc.gov/A/IN': 208.67.220.123#53
;; resolution failed: broken trust chain
admin@router1:~$ delv -4 @208.67.222.123 www.cdc.gov<http://www.cdc.gov>. A
;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN': 208.67.222.123#53
;; broken trust chain resolving 'www.cdc.gov/A/IN': 208.67.222.123#53
;; resolution failed: broken trust chain
admin@router1:~$ delv -4 @1.1.1.3 www.cdc.gov<http://www.cdc.gov>. A
; fully validated
www.cdc.gov<http://www.cdc.gov>. 248 IN CNAME
www.akam.cdc.gov<http://www.akam.cdc.gov>.
www.cdc.gov<http://www.cdc.gov>. 248 IN RRSIG CNAME 8 3
300 20241019153420 20241009150230 1503 cdc.gov.
b99UIGmCOTJj+C7JFXORmtUXQEIIGdF0q3Z5u6HfAbKcJhjfFjJrkRE6
yntzr0pSksCp1Uwi146xvKz7ImCqkYK67/WlOujyquOGSfgOwO1DvUyj
TfvXJWvjSRLTx30lwU6RV80RrC596A16anTpLc7Zi4VEAVncRHeUl1y1
/MG/CSCtE/Ef6tPD1FtGZjhXszVAgrk3fhISCsImRHuGAoIBnIKCKx2M
YMhxirfV0z9Qq46PnW9zTzh+EbVKZkN0C+Xl3j2+4sqyHlubhrtgklG/
g0u+99/g/jdfex+Vh7dtcAXFcTZ1XGuPQXgsn6GrznecB8PaXmCxXfft GaDOdQ==
www.akam.cdc.gov<http://www.akam.cdc.gov>. 20 IN A
23.51.224.222
www.akam.cdc.gov<http://www.akam.cdc.gov>. 20 IN RRSIG A 10 4
20 20241018102927 20241015092927 16701 akam.cdc.gov.
Lcd7WthqqU+A7UwQkBHZsT0nqxztJkn9cx57wXr4eHHCvJR0cCxZFkwl
eIbSffPIu364terXJlcEvuWbWTLrCX7bo0c6B9bA5EPi2DsbegTfkG5u
cqrZP9RTzXbfbs5l5w6CQ9DfSPcYx9BIYkusErQu5qQnGhoQ5bXI1VxT Otc=
The relevant portion of my named configuration is:
tls opendns-tls {
remote-hostname "dns.opendns.com";
};
tls cloudflare_family-tls {
remote-hostname "one.one.one.one";
};
tls google-tls {
};
tls router1-tls {
key-file "/var/cache/bind/privkey.pem";
cert-file "/var/cache/bind/fullchain.pem";
dhparam-file "/var/cache/bind/dhparam.pem";
ciphers
"HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers yes;
session-tickets no;
};
options {
directory "/var/cache/bind";
recursion yes;
allow-query { trusted_nets; };
version "none";
forwarders {
# 1.1.1.3 port 853 tls cloudflare_family-tls;
# 1.0.0.3 port 853 tls cloudflare_family-tls;
208.67.222.123 port 853 tls opendns-tls;
208.67.220.123 port 853 tls opendns-tls;
# 8.8.8.8 port 853 tls google-tls;
# 8.8.4.4 port 853 tls google-tls;
};
forward only;
allow-transfer { none; };
dnssec-validation auto;
listen-on port 443 tls router1-tls http default { trusted_interfaces; };
listen-on port 853 tls router1-tls { trusted_interfaces; };
listen-on { trusted_interfaces; };
listen-on-v6 { none; };
zone-statistics yes ;
};
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users
