New Member
Posts: 5
Registered: ‎01-19-2016
Kudos: 10

DNSSEC & dnsmasq with EdgeRouter 1.8.5


This part of the latest 1.8.5 release caught my eye:

 

"[DNS forwarding] Update the underlying dnsmasq software to the current version 2.75, now building/packaging it ourselves. The new version includes quite a few new features, which are not yet explicitly supported in the router configuration but can be used with the free-form "options" config setting for DNS forwarding for example. These have been requested by and discussed with community members including zx2c4 rolfl brianredbeard 6keazik7 mgorbach kikimora csch rkj for example in these threads: 1 2 3 4 5." - http://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeRouter-software-release-v1-8-5/ba-p/15...

 

I ran sudo dnsmasq -v to see what version this came with and the mention of DNSSEC caught my eye:

 

sudo dnsmasq -v
Dnsmasq version 2.75-1-ubnt2  Copyright (c) 2000-2015 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
[edit]

 

So I wondered if I could enable DNSSEC support in dnsmasq on this... and it appears I can! These are the steps I followed from https://wiki.gentoo.org/wiki/Dnsmasq (which is the only documented source for these options I could find) after connecting via SSH to my EdgeRouter Lite and going into configure mode.

 

set service dns forwarding options dnssec
set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options dnssec-check-unsigned

I copied the trust anchor from https://data.iana.org/root-anchors/root-anchors.xml. Please make sure you copy the latest trust anchor from IANA just to be safe.

 

I then ran a commit and a save. At that point, I checked the contents of /etc/dnsmasq.conf and saw among its contents:

 

dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
dnssec-check-unsigned

 

And running a quick test of DNS resolution against the EdgeRouter does show the ad bit returned for a DNSSEC-signed zone (comcast.net in this case):

 

$ dig comcast.net @192.168.1.1 +dnssec

; <<>> DiG 9.10.4-P1 <<>> comcast.net @192.168.1.1 +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43138
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;comcast.net. IN A

;; ANSWER SECTION:
comcast.net. 30 IN A 69.252.80.75
comcast.net. 30 IN RRSIG A 5 2 30 20160619165128 20160612134628 62016 comcast.net. Me+5um1uFFrRjTjpLEb/qa6rPmDh0Sv9/J/Mw1OjTk6+oEwKy+JlyeG6 iPsqAyddxuOJtK//MBhLpDhqI3wkP6DQgji2OBayyTUemejdeUVi39D2 Zc3DteTA3mNT7xKSfhg27pbFZHiQ1IIsqhj47mJjLnEcTFUYwXD70HcL 6Qw=

;; Query time: 28 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Jun 13 21:42:35 EDT 2016
;; MSG SIZE rcvd: 227

Best I can tell, my home router is now using DNSSEC when performing DNS resolution.
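A small checker for the "is my router really validating?" question, written here as an added example (not code from this thread or from dnsmasq). It parses the header of `dig <name> @<server> +dnssec` output in the format shown above and combines the two probes this thread ends up relying on: a signed name should come back with the `ad` flag, and a deliberately broken name (dnssec-failed.org, mentioned further down) should come back SERVFAIL. The embedded dig headers are constructed samples; `run_dig` needs Python 3.7+, `dig` and network access.

```python
import re
import subprocess


def parse_dig_header(text):
    """Extract rcode and header flags from dig's ';; ->>HEADER<<-' block."""
    status = re.search(r"status: ([A-Z]+)", text)
    flags = re.search(r";; flags:([a-z ]*);", text)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
    }


def classify(signed_output, bogus_output):
    """Combine both probes into one verdict for the resolver under test."""
    signed = parse_dig_header(signed_output)
    bogus = parse_dig_header(bogus_output)
    if signed["status"] != "NOERROR":
        # Even the good name fails: upstream lacks DNSSEC support, wrong
        # trust anchor, or a clock far enough off that RRSIGs look expired.
        return "broken"
    if "ad" in signed["flags"] and bogus["status"] == "SERVFAIL":
        return "validating"
    if "ad" not in signed["flags"] and bogus["status"] == "NOERROR":
        return "not validating"
    # 'ad' on the good name but the bogus one still resolves (or vice versa):
    # some queries bypass the validating path, e.g. a second resolver or an
    # IPv6 tunnel's DNS that dnsmasq never sees.
    return "inconsistent"


def run_dig(name, server):
    """Live probe (needs network and dig); the samples below avoid it."""
    return subprocess.run(["dig", name, "@" + server, "+dnssec"],
                          capture_output=True, text=True).stdout


# Constructed sample headers: only the lines classify() looks at are shown.
SIGNED_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43138
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1027
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_RESOLVED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2210
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
```

Against a live router: `classify(run_dig("comcast.net", "192.168.1.1"), run_dig("www.dnssec-failed.org", "192.168.1.1"))`.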

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5429
Solutions: 1656
Contributions: 2

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

Thanks for testing and sharing the experience!

New Member
Posts: 9
Registered: ‎12-06-2014
Kudos: 2

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

Any chance we can get dnsmasq version 2.76 with the next release.
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5429
Solutions: 1656
Contributions: 2

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

Yeah that is the plan (2.76 came out a bit late for the 1.8.5 release cycle). Thanks for the reminder.

Emerging Member
Posts: 63
Registered: ‎05-02-2013
Kudos: 30
Solutions: 2

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

Just getting into this and have enabled DNSSEC as the OP did. When testing via http://www.dnssec-failed.org/ I am able to visit the page as if there were no problems with the DNS record. However, many of the links here http://www.dnssec-tools.org/testzone/ are detected as bad and correctly (imo) result in a 404 in the browser. Are there any other flags/switches that need to be set?

New Member
Posts: 5
Registered: ‎01-19-2016
Kudos: 10

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

botkiller, make sure all the DNS resolvers you are using use DNSSEC validation. If you have a mixture of resolvers where some don't validate and some do, that could cause the behavior.

Emerging Member
Posts: 63
Registered: ‎05-02-2013
Kudos: 30
Solutions: 2

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

When you visit http://www.dnssec-failed.org/ do you get the page as if dnssec was not enabled or a 404/other demonstrating that it is working correctly?

New Member
Posts: 5
Registered: ‎01-19-2016
Kudos: 10

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

I get a "Safari cannot find the server" page every time in Safari and this in Chrome:

 

This site can’t be reached
www.dnssec-failed.org’s server DNS address could not be found.
 
Search Google for dnssec failed org
ERR_NAME_NOT_RESOLVED

 

 
The only resolvers I use are Comcast's default ones:

dns {
    forwarding {
        cache-size 1000
        listen-on eth0
        listen-on eth2
        name-server 75.75.75.75
        name-server 75.75.76.76
        name-server 2001:558:feed::1
        name-server 2001:558:feed::2
        options dnssec
        options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
        options dnssec-check-unsigned
    }
}
Emerging Member
Posts: 63
Registered: ‎05-02-2013
Kudos: 30
Solutions: 2

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5


Thank you. It's working for IPv4. I forgot I am using he.net and a tunnel for IPv6 and these queries are not being handled by dnsmasq.

edit: boom, a couple of changes to have dnsmasq handle the IPv6 queries and now it works as expected.

New Member
Posts: 4
Registered: ‎05-15-2016
Kudos: 2
Solutions: 1

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5


Also to note, if you are using VLANs or anything else that requires a firewall rule to allow access to the local DNS server, you need to allow both UDP and TCP traffic on port 53.

Established Member
Posts: 912
Registered: ‎02-04-2015
Kudos: 529
Solutions: 36

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5


On the EdgeRouter, if you are going to use this, you should probably also use something like:

 

set service dns forwarding options dnssec-timestamp=/config/dnssect

DNSSEC depends on the system clock being accurate. If the clock is not accurate, you won't be able to resolve any DNS queries, and in turn you won't be able to update your clock since you have no DNS. I just went through this with an ER-X 2500 km away with a dynamic IP that changed when I did a firmware upgrade...

 

The above flag tells dnsmasq to write to a file (/config/dnssect in my example) where it keeps track of the time. Then on reboot / FW upgrade it looks at the file, and if the system clock is set in the past (compared to the file) then dnsmasq doesn't do any time validation for DNSSEC, so you can update your clock with NTP. Once the system clock is ahead of the time on the file it starts operating normally.

 

It isn't as big of a deal on reboots, where the EdgeRouter seems to start off with the time set to 12:25 AM GMT the day of the reboot, but when I upgraded to 1.9.1 it set the clock back to Jan 1 2015 12:00 AM GMT and DNS was broken until I turned off DNSSEC.

 

edit: so I just tried this and it causes dnsmasq to silently not work for me. Nothing in the log, but it stops resolving names. I think the issue is it doesn't have write permission for /config/, so I created /config/dnsmasq and set chmod 777 on it, then changed the above path to /config/dnsmasq/dnssec-timestamp and it worked.

 

edit 2: I also thought I would try the new trust anchor released on Feb 2 (https://data.iana.org/root-anchors/root-anchors.xml) but it doesn't work; I'm using Verisign (64.6.64.6 / 64.6.65.6). The old one works fine though.

Emerging Member
Posts: 63
Registered: ‎05-02-2013
Kudos: 30
Solutions: 2

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

This is a great point and something I experienced too.
Emerging Member
Posts: 55
Registered: ‎07-03-2013
Kudos: 20
Solutions: 3

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

This also happened to me. It's sort of a chicken-or-egg type of problem. I ended up putting static IPs on the ER's NTP servers, since after the 1.9 update the system time servers wouldn't resolve to IPs and so the time would be out of sync and not be able to update because of DNSSEC not validating any domain queries.


After reading the dnsmasq documentation (http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) there is a warning about DNSSEC:

  • "The nameservers upstream of dnsmasq must be DNSSEC-capable, ie. capable of returning DNSSEC records with data. If they are not, then dnsmasq will not be able to determine the trusted status of answers. In the default mode, this means that all replies will be marked as untrusted. If --dnssec-check-unsigned is set and the upstream servers don't support DNSSEC, then DNS service will be entirely broken."

There are 2 workarounds for this problem:

  • dnssec-no-timecheck: "DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGHUP. The intention is that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as reliable time is established, a SIGHUP should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records which have not been thoroughly checked."
  • dnssec-timestamp=<path>: "Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the unprivileged user that dnsmasq runs as."

The third way would be to add IPs to the system NTP servers instead of domain names, hopefully updating the time after every update/reboot of the EdgeRouter. These IPs correspond to 'ubnt.pool.ntp.org' but you can choose your own:

set system ntp server 193.145.15.15
set system ntp server 213.251.52.234
set system ntp server '2001:720:1410:101f::15'

 

Established Member
Posts: 912
Registered: ‎02-04-2015
Kudos: 529
Solutions: 36

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

My method above failed me a couple of days ago. Here's a rundown of what happened:

 

1. Power outage at 5:20 PM local time at my remote site

2. Power restored at 9:50 PM, router clock shows 6:26 AM on boot according to the log

3. dnsmasq timestamp file shows 6:26 AM

4. Some but not all name resolution is broken. Multiple log entries "host name not found 0.ubnt.pool.ntp.org" etc.

 

I think the timestamp is only updated when dnsmasq gets started / restarted. I don't think I did anything to trigger a 6:26 AM restart of dnsmasq before the power outage, so my only guess is dnsmasq mistakenly updated the file. The documentation doesn't really say how dnsmasq decides if:

a) name resolution is working and it should update the timestamp on startup,

or b) if name resolution is broken (or working by ignoring time checking) and it should leave it alone and wait for the system time to update instead while using dnssec without time checking.

 

I thought it would only update the timestamp if it was older than the system clock, and leave it alone if it was newer than the system clock (just let it update on the next reboot), but maybe there's something I'm missing.

I think it must be related to the partial name resolution I had available to me. I couldn't resolve google.ca on a computer at the remote site. The router maintains two VPN tunnels, one to a .ca domain and one to a .net domain. The .net domain was resolving so that tunnel was up (luckily for me, this was the tunnel I was at the other end of), and the .ca domain was not so that tunnel was down. I did not think to do any other testing. I don't really know how DNSSEC time checking works, but maybe the time difference of about 16 hours was just enough that some checks would fail and some would pass.

 

Anyway, I am going to try switching to the dnssec-no-timecheck option as @Adrao mentioned above. It seems like the command "sudo /etc/init.d/dnsmasq restart" is how you send a SIGHUP to dnsmasq, so I think a cron job (set with the EdgeOS task scheduler) that runs a script after restart would be best. I could probably be lazy and just have it wait 5 minutes after boot (surely it could find an NTP server by then), or maybe find some way of checking the system time against a server with known good time online.

New Member
Posts: 33
Registered: ‎04-05-2017
Kudos: 19

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

I'd gotten dnscrypt-proxy compiled and working (my post might resurface as the boards stabilize, I posted it when the "new" board was up), but I wasn't aware that dnsmasq had dnssec functionality!

 

Have a couple of suggestions:

 

There are two published keys, they both can be configured. Just add a second trust-anchor parameter:

 

set service dns forwarding options trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
set service dns forwarding options trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

 

For dnssec-timestamp, the /var/run/dnsmasq directory already exists and is owned by the nonprivileged dnsmasq user, no need to create or chown another directory:

 

set service dns forwarding options dnssec-timestamp=/var/run/dnsmasq/dnsmasq.time

 

Without reverse-engineering dnsmasq, I'm not sure why it wouldn't honor the timestamp; it should account for the entire time, not just the time of day (the timestamp is represented as an integer epoch, I would figure).
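Both the OP's advice to copy the latest trust anchor from IANA and the note above that two keys are published can be handled mechanically. The following is an added example (not code from this thread, from dnsmasq or from Ubiquiti) that reads the root-anchors.xml layout, keeps only the KeyDigest entries whose validFrom/validUntil window contains the given time, and emits one `set service dns forwarding options trust-anchor=...` line per key in the `.,keytag,algorithm,digesttype,digest` form dnsmasq expects. The XML below is constructed from the two digests quoted in this thread; its validity dates are illustrative placeholders, and the real file should be fetched from https://data.iana.org/root-anchors/root-anchors.xml and its detached signature checked first. Needs Python 3.7+.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the root-anchors.xml layout, using the two digests
# quoted in this thread; the validity dates are illustrative placeholders.
SAMPLE_XML = """<TrustAnchor id="constructed-sample" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="constructed-1" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
<KeyDigest id="constructed-2" validFrom="2017-02-02T00:00:00+00:00">
<KeyTag>20326</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
</KeyDigest>
</TrustAnchor>
"""

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}  # SHA-1, SHA-256, SHA-384 DS digests


def _when(value):
    return datetime.fromisoformat(value) if value else None


def active_anchors(xml_text, now_iso):
    """Return (zone, keytag, alg, digesttype, digest) for keys valid at now_iso.
    Keys outside their validFrom/validUntil window are skipped, so a revoked
    KSK drops out and a pre-published one only appears once it is active."""
    now = datetime.fromisoformat(now_iso)
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone")
    out = []
    for kd in root.findall("KeyDigest"):
        start, end = _when(kd.get("validFrom")), _when(kd.get("validUntil"))
        if (start and now < start) or (end and now >= end):
            continue
        dtype = int(kd.findtext("DigestType"))
        digest = kd.findtext("Digest").strip().upper()
        if len(digest) != DIGEST_HEX_LEN.get(dtype) or not all(c in "0123456789ABCDEF" for c in digest):
            raise ValueError("malformed digest for key tag %s" % kd.findtext("KeyTag"))
        out.append((zone, kd.findtext("KeyTag"), kd.findtext("Algorithm"), str(dtype), digest))
    return out


def edgeos_commands(xml_text, now_iso):
    """One EdgeOS 'set' line per active key, in dnsmasq's trust-anchor syntax."""
    return ["set service dns forwarding options trust-anchor=" + ",".join(a)
            for a in active_anchors(xml_text, now_iso)]


if __name__ == "__main__":
    for line in edgeos_commands(SAMPLE_XML, datetime.now(timezone.utc).isoformat()):
        print(line)
```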

Emerging Member
Posts: 98
Registered: ‎07-31-2016
Kudos: 14
Solutions: 2

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

Nice one.  Does dnscrypt-proxy use much resources?

New Member
Posts: 33
Registered: ‎04-05-2017
Kudos: 19

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5


MindTooth wrote:

Nice one.  Does dnscrypt-proxy use much resources?


Well, top is saying that both dnsmasq and dnscrypt-proxy are using pretty much zero CPU and 0.3% memory, so I'm going to say no? I'm not exactly a heavy usage site; I wouldn't expect that many DNS requests.

 

Right now I'm seeing that enabling dnssec-check-unsigned is making dnsmasq not return queries, so not sure what's up with that. The dnscrypt server I'm pointing at says it supports DNS security extensions.

 

EDIT: May be related to a bug in dnsmasq that it's sending multiple DNS queries on the same TCP connection, which is incompatible with the DNSCRYPT protocol. I'm investigating a test build of dnsmasq that might resolve it.

Emerging Member
Posts: 98
Registered: ‎07-31-2016
Kudos: 14
Solutions: 2

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

Check out DNSProxy.is, I know they support. Or d0wn DNS.
New Member
Posts: 33
Registered: ‎04-05-2017
Kudos: 19

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5


MindTooth wrote:
Check out DNSProxy.is, I know they support. Or d0wn DNS.

No, I'm already using d0wn. I verified that dnscrypt-proxy was reporting that DNS security extensions were enabled. Turns out it's an interaction with dnsmasq: it tries to send multiple requests on a TCP connection, rather than one at a time. The DNSCRYPT protocol requires the latter.

 

It's fixed in dnsmasq-2.77test4 and later (I compiled test5). But it means in addition to compiling the whole dnscrypt-proxy dependency chain, now you gotta compile dnsmasq too. Which is not intuitive. I posted about the whole thing here.

Established Member
Posts: 912
Registered: ‎02-04-2015
Kudos: 529
Solutions: 36

Re: DNSSEC & dnsmasq with EdgeRouter 1.8.5

@darkgrue thanks for the info on the trust anchor. I added the 2nd one and things are working well.

 

The reason I put the timestamp in /config/ is that it is the only folder that survives a firmware upgrade. In my first post in this thread, when I remotely upgraded a router, if I had put the timestamp in /var/run/dnsmasq/ I think I would have had the same problem. In fact, I do not think the /var/ folder even survives a reboot. The logs in /var/log/ are all reset on a reboot, and I created a test file in /var/run/ and it disappeared on reboot.

 

I am thinking of using the dnssec-no-timecheck option instead, since the timestamp let me down. It disables time checking but there are other protections provided by DNSSEC. At the end of the day, losing part of DNSSEC's protection is much better for me than losing access to a remote site. Once I know the internet is up and running I could issue

 

sudo pkill -HUP dnsmasq

and that would turn time checking on. I could even set it up as a cron job that runs a few minutes after the router reboots. The only problem I can think of is if dnsmasq restarts without the router restarting (it does this when you add or remove static leases in the GUI, for example, on 1.9.7-beta2 at least); then time checking would be disabled again and you might not notice.
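One way to run the SIGHUP idea from the two posts above as a periodic task rather than a one-shot delay, written as an added example (not from this thread, dnsmasq or Ubiquiti). It assumes dnsmasq was started with dnssec-no-timecheck, that `ntpq -pn` (ntpd) and `pidof` are available on the router, Python 3.7+, and that the EdgeOS task scheduler runs the script as root every few minutes. It waits until ntpd reports a system peer, HUPs each dnsmasq PID exactly once (a repeat HUP only flushes the cache), and because a restarted dnsmasq shows up as a new PID, the "static leases restart" case gets its time checks re-enabled on the next run. The `ntpq` output embedded below is constructed.

```python
import os
import signal
import subprocess

STATE_FILE = "/var/run/dnssec-timecheck.hupped"  # assumed path; cleared by a reboot

# Constructed 'ntpq -pn' output; the first column is ntpq's tally code.
SAMPLE_NTPQ_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*193.145.15.15   .GPS.            1 u   23   64  377   31.210   -0.412   0.651
+213.251.52.234  10.0.0.1         2 u   30   64  377   25.002    0.118   0.480
"""
SAMPLE_NTPQ_UNSYNCED = SAMPLE_NTPQ_SYNCED.replace("*193", " 193").replace("+213", " 213")


def ntp_has_system_peer(ntpq_output):
    """'*' marks the peer ntpd is synchronised to and 'o' a PPS peer; any
    other tally code (' ', '+', 'x', '-', '.') means the clock is not yet trusted."""
    return any(line[:1] in ("*", "o") for line in ntpq_output.splitlines())


def pids_needing_hup(ntpq_output, dnsmasq_pids, already_hupped):
    """Which dnsmasq PIDs get SIGHUP now: none until ntpd has a system peer,
    and never the same PID twice (a repeat HUP only flushes the DNS cache).
    A restarted dnsmasq shows up as a new PID, so it is HUPed on the next run."""
    if not ntp_has_system_peer(ntpq_output):
        return []
    return [p for p in dnsmasq_pids if p not in already_hupped]


def _read_state():
    try:
        with open(STATE_FILE) as f:
            return {int(x) for x in f.read().split()}
    except (OSError, ValueError):
        return set()


def main():
    ntpq = subprocess.run(["ntpq", "-pn"], capture_output=True, text=True).stdout
    pidof = subprocess.run(["pidof", "dnsmasq"], capture_output=True, text=True).stdout
    pids = [int(p) for p in pidof.split()]
    done = _read_state()
    for pid in pids_needing_hup(ntpq, pids, done):
        os.kill(pid, signal.SIGHUP)  # enables DNSSEC time checks, purges unchecked cache
        done.add(pid)
    with open(STATE_FILE, "w") as f:  # forget PIDs that no longer exist
        f.write(" ".join(str(p) for p in sorted(done & set(pids))))


if __name__ == "__main__":
    main()
```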
