|
OpenBSD Security Functionally paranoid! |
|
Thread Tools | Display Modes |
|
|||
directing DNS queries to local unbound?
I would like myself to use a localhost unbound on my laptop.
Using 127.0.0.1 as resolver is indeed not a problem. But telling unbound to use the resolvers provided by the local network (dhcp or rtsol) to make all classical queries (eg : dynamic conf of unbound) would be great. |
|
||||
Hello and welcome, 22decembre.
Yours is a separate question. We like to put branching questions into their own threads, to make them easier to find and read about when searching. I'm sure one of our admins will move your question and my answer to a separate thread. ---
Last edited by jggimi; 25th December 2014 at 11:05 AM. Reason: added unbound to rc.conf.local |
|
|||
I think my question fits perfectly into this subject, so I answer there. If not, then message me and I will create the right thread.
I would like that dhcp/rtsol gives its dns servers to unbound, so that unbound will query them for all dns requests, which will give lower network load. This is the behavior of dnssec-trigger. But dhcp only create /etc/resolv.conf according to openbsd's manuals. And unbound has no option to create dynamically the forwarders option (not that I read). I read that my desired behavior for dhcp/unbound has been setup in base freebsd. I don't see any way to setup this in openbsd. |
|
|||
This discussion has been separated from its parent thread:
http://daemonforums.org/showthread.p...2939#post52939 ...which focused on secure DNS lookups. We find that most members at this site use the archives extensively to search for specific information. To help simplify this process, we ask members to limit discussion in all threads to a single subject as set forward by the thread's original post. If a member has a question on something not pertinent to the original post, please start a new thread; it's easy. This is also covered in the forum rules. |
|
|||
Rocket357, when is the last time you ran something like
$ sudo tcpdump -ni re0 port 53 during a web surf session? You really should do it and then imagine you are in class with 30 other people and the wireless link is not so good And with the increasing usage of DNSSEC the packets will become larger, so it was needed to eliminate the limit of 512 bytes in the EDNS specification. IMHO plenty enough reasons to run a local caching forwarding (stub) resolver on workstation or laptop.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
Each time I reboot the laptop, I lose all the dns cache.
Plus, it's better to use the (closest) network dns, as you share your dns results within your close network. In that case, your local unbound would only do dnssec queries and validate them. This is the aim. Do any of you see how to do that ? I think maybe I should just forward to a permanent dns that I setup, or use an open resolver like google or opendns (need other than them yet), but in that case, I increase the load. PS : to admin, sorry I should have started a thread from the begining |
|
||||
Last edited by jggimi; 26th December 2014 at 11:16 AM. Reason: clarity |
|
|||
@jggimi : yeah, but you're static, so no problem. Your setup is just a classical local-lan-dhcp-nameserver (I have dnsmasq on my static lan).
My laptop is by definition mobile. So I can't use the nameservers provided by dhcp (which are generally not dnssec-aware/able). |
|
||||
If, by "mobile" you mean you will be using your laptop on untrusted LANs, you can either use a VPN, or DNSSEC, or both together. DNSSEC only provides authentication, a VPN would be needed for privacy.
Is your problem that you are unable to switch from your home caching nameserver to a local-on-laptop unbound(8) configured for DNSSEC dynamically? If so, there are scriptable solutions, using either multiple dhclient.conf or unbound.conf files. If I've misunderstood, please clarify what it is you wish to accomplish. |
|
|||
I don't see what is hard to understand.
By mobile I mean that I go from one lan to another. So I believe it means untrusted if you're paranoïd. What it means for sure is that I don't control the network settings (local address of my laptop, local dns resolvers, local gateway to the rest of the world...). So if I use a local unbound on 127.0.0.1, but don't use the dns provided by dhcp, it will produce a massive network load as each browser request will produce a complete dns request, no matter that everybody around me has already ask for these data and are present in the local resolvers. Instead, I should tell unbound to use the local resolvers provided by dhcp to forward all request to them. That way, unbound will only do final validation with dnssec. So, I don't know about the scripts you just mentionned. I believe it's what I need. Can you tell me more. |
|
||||
Quote:
Your device is not required to use any local DNS nameservers. Whether or not the network allows outbound DNS queries to other nameservers is a separate administrative issue. Quote:
Quote:
Whether or not those local nameservers participate in DNSSEC is a separate issue, and if not your trust anchor traffic will be produced by your local DNSSEC resolver, unbound, anyway. Quote:
Last edited by jggimi; 26th December 2014 at 06:02 PM. Reason: typos and clarity |
|
|||
Quote:
Quote:
I was not aware of the amount of network load in such case. So instead, I believe I should forward my dns queries to my own static unbound server or another resolver. |
|
||||
Quote:
My home network has a resolver (unbound on OpenBSD-5.6-STABLE) serving numerous vlans both wired and wireless with a 100 Mbps core Cisco switch (needed the port density vs. the speed). The dns traffic distribution while my wife is watching streams + surfing the web and my daughter is goofing surfing the web while my 8 machines are all doing various daily tasks is amazingly miniscule. That's not including the cell phones, tablets, and tivos on wifi, or other odds and ends running locally. Yes, x + y is greater than x (given that y is positive, and I've never witnessed negative-sized dns traffic, so I must assume y is positive), but that's like saying if you shoot a freight train in the caboose with a bb gun the freight train will go faster. Sure, there might be some very minimal effect, but designing a system to reduce load on the freight train by shooting it repeatedly with bb guns is insane. Surely there is a bigger impact solution that should be resolved first before following this route to completion? As I said before, I can see running a resolver on a local machine for various other reasons (directing specific traffic to specific resolvers, etc...) but running a local caching resolver *when local programs typically cache dns lookups anyways* to cut down on network load seems silly. If the network can't handle normal dns traffic, there's no sense in doing anything else until you fix *that* issue first. Edit - and to answer your question directly, it was around two years ago when I was in RHCE classes, with around 75 students. I still maintain that if the network is "under load" from normal domain traffic, you have bigger problems than local resolvers.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. Last edited by rocket357; 27th December 2014 at 02:39 AM. |
|
||||
J65nko,
I felt it would be prudent to actually gather bandwidth consumption on my network for DNS and non-DNS traffic (if I'm going to make a claim that the traffic is "amazingly miniscule", I should back it up, right?). I ran a single browsing session over the course of a few minutes and gathered bandwidth for just "dns + dnscrypt" and for everything else. During that time a total of 4.262 MB of data was transferred, and of that 212 Kb was dns/dnscrypt. Now, dnscrypt uses considerably more bandwidth than pure dns (with the TLS overhead and what not), so I think that lends credence to the idea that DNS traffic is a small fraction of overall traffic. Still, that's just under 5% of bandwidth consumed, which I will admit is higher than I expected and perhaps enough under the right conditions to exasperate other existing network issues. Given that, it does seem to me that if one is stuck behind a very high latency link, it might make sense to run a local resolver like unbound. In short, fair enough...I accept your argument.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice. |
|
||||
Network usages vary. I just took a look at network flows through two firewalls over the same 24-hour period ... I selected December 23, the most recent normal traffic day. DNSSEC is not used, this is only queries and responses using UDP/TCP port 53. These numbers include local queries to unbound nameservers as well as remote queries, and represent overall network usage:
Percentage of bytes transmitted and received: 0.036% Percentage of packets transmitted and received: 0.315% When looking at domain traffic with external nameservers as a percentage of Internet traffic only, rather than total network traffic: Percentage of bytes transmitted and received: 1.251% Percentage of packets transmitted and received: 8.707% Domain traffic are relatively small packets, which is why there is an order of magnitude ratio difference between traffic in bytes and traffic in packets. They are a much higher consumer of packets than of bandwidth. In summary:
Authentication (DNSSEC) and encryption (VPN, DNSCurve, etc.) were not used for domain traffic and were not examined. |
Thread Tools | |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
Unbound reverse-ptr stub-zone woes | cmacrae | OpenBSD General | 0 | 9th August 2014 05:57 PM |
unbound reverse lookup private zone | Oko | General software and network | 2 | 20th November 2013 03:15 PM |
mysql won't run via rc.local | benben159 | OpenBSD Packages and Ports | 3 | 8th August 2010 02:41 PM |
log from rc.conf.local and rc.local | sdesilet | OpenBSD General | 1 | 21st January 2010 02:37 AM |
local dns (dnsmasq) | bsdperson | FreeBSD Ports and Packages | 3 | 3rd September 2008 06:48 AM |