Add DNSSEC support #66
Comments
|
It makes sense, thank you for the feature request! |
|
I came here to make this same request. To test if DNSSEC is enabled opening sigfail.verteiltesysteme.net you should get an error. If you test sigok.verteilesysteme.net you should see a blank page. |
|
Unfortunately, another DNSSEC resolver test fails so far. |
|
Not yet, guys. I am sorry for the delays, we're a bit limited in resources, and I'd like not to switch to DNS tasks until we can really focus on them. |
|
No worries! Just figuring, since DNSCrypt got done, perhaps this got some love as well. Keep on 🚚ing! 📣 |
|
Any update on this? |
|
@evilvibes we don't want to touch the current installation until the updated version is ready. That's why this issue is still open. |
|
So, does that mean there's ß version someplace? Will it be accessible to |
I'd say it's more of a "demo" at the moment. The old code was tossed out, and the new version is basically a patched Unbound DNS server. Not yet available publicly. |
|
Yes. Will wait for DNSSEC support. Most important thing in modern Russia. |
|
Hi there, any news about dnssec? and do you think hheres a opinion do start a server in central europe example frankfurt or zurich? greets |
|
Central Europe Server would be great, yes 👍 |
|
jupp, would be great, so my route don't have to go over the half of the world as i wrote months ago ^^ |
|
Any updates on this issue? DNSSEC is very important and has been receiving increased attention lately, including as a part of Cloudflare's Crypto Week 2018 (https://blog.cloudflare.com/automatically-provision-and-maintain-dnssec/). |
* commit 'e689c7d940e9a20bc13f024e18b86f3c1e5ba759': Do not lose filter name when saving to yaml coredns querylog -- since we read entire querylog json once at startup, fill querylog cache from it and then rotate it on each incoming DNS query Cache DNS lookups when resolving safebrowsing or parental servers, also cache replacement hostnames as well.
|
I was planning to open also a DNSSEC Request but since there is already one, one more who wishes this option |
|
We'll prioritize this issue, guys, thank you! |
|
news? i looks as the way i'm running AGH dnssec looks like running |
|
Do you have any news ? it's a big feature now for a DNS server. Thanks ! |
|
No news on this yet, sorry |
|
Just to keep in mind: it should be possible to mark some domains and zones as "unsecure", not to try verification at all. |
|
ьолшо сьасибо 👍 |
|
Recently, I enabled the dnsmasq's DNSSEC on my openwrt router and it works as a dns proxy just working the same as the normal router, AGH on my laptop. I set to use AGH as local dns and CF (DoT) as upstream. However, when dnsmasq's DNSSEC enabled, the AGH failed to dispatch any valid DNS response. According to the verbose log of AGH, it seems that AGH just got connection error from upstream and then returned error(But I'm not so sure about that, my internet connectivity is working properly). I tried to switch off the dnsmasq's DNSSEC, AGH works properly. Any suggestion? |
|
@kmahyyg have you tried checking what exactly dnsmasq returns for these queries? |
|
Yes, I tried. works perfectly.
Send from Evangeline's Android
…________________________________
From: Andrey Meshkov <notifications@github.com>
Sent: Monday, April 13, 2020 9:16:41 PM
To: AdguardTeam/AdGuardHome <AdGuardHome@noreply.github.com>
Cc: Patrick Young <kmahyygyyg@gmail.com>; Mention <mention@noreply.github.com>
Subject: Re: [AdguardTeam/AdGuardHome] Add DNSSEC support (#66)
@kmahyyg<https://github.com/kmahyyg> have you tried checking what exactly dnsmasq returns for these queries?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#66 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AD6V3Y43LGAXCKHXZFSUD3LRMMGDTANCNFSM4CTGHHYA>.
|
|
Weird, what kind of connection error does AGH receives? |
I don't know. I turned on verbose , all logging seems perfect, just get response from upstream as NORESPONSE FROM UPSTREAM. Then dns request timed out. but those domains really exists. I tried to use After I turned off DNSSEC on my router, all things get working. BTW, I'm in china mainland, which has serious network censorship. |
|
Could you please post a part of the log with these requests and responses? Maybe I'll notice something there |
Here's the full log after I enabled DNSSEC on my router. Since I've configured the upstream as log shown, it shouldn't be failed to response. #1579 might be related to this issue. At the same time when AGH failed, |
|
@kmahyyg Can you disable SafeBrowsing ? |
I will try later... But I think dnssec shouldn't have affiliate with SB? |
|
Here's why it happens: @kmahyyg |
pretty weird......
|
|
Okay, I see the problem. The last photo is DNSSEC disabled.
This is enabled. Problem is |
We use it just one time - when we resolve |
maybe thats the problem... theres a circle look (example): routerdns (dnsmasq) 127.0.0.1:53 forwards to AGH on 127.0.0.1:55 AGH ask router onfirst time „hey whats dns-family.adguard...“. router ask back... we‘ve got a circle possible solution is, if AGH do allways the first request to quad9 or $upstreamresolvers |
Are you sure? Can you show the packets AGH sends to your router? |
|
@szolin I suppose that the router may be intercepting plain DNS queries. |
In this case there's nothing wrong with AGH - it's this particular router's configuration problem. |
Sure, but we shouldn't be stuck in the case when we cannot resolve that address, the safe browsing check should simply quickly fail |
I think adding full DNSSEC validation will making all queries more reliable unless clients explicitly opt out.
The text was updated successfully, but these errors were encountered: