DNSSec question

agilani

Very Senior Member
I just want to verify that in order to use the DNSSEC feature effectively, I need to enable it, point my router's WAN DNS to providers like Cloudflare or Google that support DNSSEC, and then point the clients to the router? Or do current modern-day Windows, Mac, Linux workstations support DNSSEC directly?
 
> I just want to verify that in order to use the DNSSEC feature effectively, I need to enable it, point my router's WAN DNS to providers like Cloudflare or Google that support DNSSEC, and then point the clients to the router? Or do current modern-day Windows, Mac, Linux workstations support DNSSEC directly?

On the LAN page enable DNSSEC and rebind protection.
 
> On the LAN page enable DNSSEC and rebind protection.

I just tested this, and according to this site those settings are only applicable when the clients are pointed to the router as a resolver. I am pointing my clients directly to Cloudflare and Google for resolvers and it looks like DNSSEC is still working, which means the client in this instance is doing the validation....

Thanks for the link. Some pretty good stats.
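One way to see which side is actually validating, added here as an example (not code from the thread): a client that sets the EDNS0 DO bit is only asking for DNSSEC data; the AD flag in the reply (or a SERVFAIL for a bogus zone) tells you the resolver validated, so if AD is set when you query a public resolver directly, the validation happened there rather than on the workstation. Python 3 standard library only; the two sample replies are constructed headers and `query_resolver` is the live-network helper.

```python
# Added example, not code from the thread: ask a resolver for DNSSEC data (EDNS0 DO
# bit) and read back the flags that tell you whether *it* validated the answer.
# Python 3 standard library only. The sample responses below are constructed.
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """DNS query: RD set, one question, plus an OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)  # 0x8000 = DO bit
    return header + question + opt

def parse_flags(resp):
    """Decode the header fields a validating resolver sets (RFC 4035 section 3.2)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,     # 2 = SERVFAIL: validator refused a bogus chain
        "ad": bool(flags & 0x0020),  # Authenticated Data: the resolver validated it
        "cd": bool(flags & 0x0010),  # Checking Disabled: client asked it not to
        "ra": bool(flags & 0x0080),
        "answers": an,
    }

def classify(resp):
    """Human-readable verdict: who validated, if anyone."""
    f = parse_flags(resp)
    if f["rcode"] == 2:
        return "SERVFAIL: resolver rejected the answer (bogus or broken chain)"
    if f["rcode"] == 0 and f["ad"]:
        return "SECURE: resolver validated the chain"
    if f["rcode"] == 0:
        return "UNVALIDATED: no AD bit (unsigned zone or non-validating resolver)"
    return "RCODE %d" % f["rcode"]

def query_resolver(name, server, port=53, timeout=3.0):
    """Send one UDP query to a resolver and return the raw reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return s.recvfrom(4096)[0]

# Constructed 12-byte headers standing in for real replies:
SECURE_RESP = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)  # QR RD RA AD, NOERROR
BOGUS_RESP = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)   # QR RD RA, SERVFAIL
```

Comparing `classify(query_resolver(name, router_ip))` with the same query sent straight to the upstream shows whether the router or the upstream is the one setting AD.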
 
> I just tested this, and according to this site those settings are only applicable when the clients are pointed to the router as a resolver. I am pointing my clients directly to Cloudflare and Google for resolvers and it looks like DNSSEC is still working, which means the client in this instance is doing the validation....

Outside of Asuswrt-Merlin I have no experience with DNSSEC, sorry.
 
> I just want to verify that in order to use the DNSSEC feature effectively, I need to enable it, point my router's WAN DNS to providers like Cloudflare or Google that support DNSSEC, and then point the clients to the router? Or do current modern-day Windows, Mac, Linux workstations support DNSSEC directly?

Cloudflare and Google DNS didn't seem to support DNSSEC fully. Errors in the logs.

Using Quad9 and no errors in the logs re DNSSEC. YMMV.
 
> Cloudflare and Google DNS didn't seem to support DNSSEC fully. Errors in the logs.
>
> Using Quad9 and no errors in the logs re DNSSEC. YMMV.

Google DNS also has full support for DNSSEC, but Google and Quad9 log, so I do not recommend these DNS servers.

I only use these DNS servers (DNS.WATCH or Google or Quad9) in the router because they have full support for DNSSEC, to install DNSCrypt without problems, because I have DNSSEC enabled in the router (LAN -> DHCP Server), and then in DNSCrypt I manually choose the DNS servers that do not log.

If you are not going to use DNSCrypt, I recommend DNS.WATCH because this DNS server does not log and has full support for DNSSEC.

Read my post about Cloudflare DNS and DNSCrypt:
 
> I just want to verify that in order to use the DNSSEC feature effectively, I need to enable it, point my router's WAN DNS to providers like Cloudflare or Google that support DNSSEC, and then point the clients to the router? Or do current modern-day Windows, Mac, Linux workstations support DNSSEC directly?

Yes, enable DNSSEC support in the router.

I personally would point everything at the router. You may as well have your router's dnsmasq doing some resolving for you, rather than pushing every query to an off-site server. Just my 10 cents worth......

Specify your DNS in the WAN of the router
(making sure they're DNSSEC-supporting).
 
> Google DNS also has full support for DNSSEC, but Google and Quad9 log, so I do not recommend these DNS servers.
>
> I only use these DNS servers (Google or Quad9) in the router because they have full support for DNSSEC, to install DNSCrypt without problems, because I have DNSSEC enabled in the router (LAN -> DHCP Server), and then in DNSCrypt I manually choose the DNS servers that do not log.
>
> Read my post about Cloudflare DNS and DNSCrypt:

Thanks, good info.
 
I have my router pointing to Quad9 DNS, but when I enabled DNSSEC and rebind protection I had lots of trouble loading pages. Not everything would load, but not everything would fail. As an example, if I did a Bing search for, let's say, "skeletons", I'd get the normal search results back fine, but at the top of the page, where it would show a couple of the first image results, I'd just get big X's in place of where the pictures would be. Another example is that I'd go to load a web page and I'd get an error (I don't recall exactly what it was, but it was some "DNS or IP address of site not found" error), but then if I waited a minute or two and tried to reload, it would come up just fine.

Did I do something wrong?
 
> I have my router pointing to Quad9 DNS, but when I enabled DNSSEC and rebind protection I had lots of trouble loading pages. Not everything would load, but not everything would fail. As an example, if I did a Bing search for, let's say, "skeletons", I'd get the normal search results back fine, but at the top of the page, where it would show a couple of the first image results, I'd just get big X's in place of where the pictures would be. Another example is that I'd go to load a web page and I'd get an error (I don't recall exactly what it was, but it was some "DNS or IP address of site not found" error), but then if I waited a minute or two and tried to reload, it would come up just fine.
>
> Did I do something wrong?

Q9 uses filtering to produce a family environment. The X's are probably banned images or videos.
 
Well, it wasn't just a search for skeleton. It was many searches. I thought at one point it might have something to do with page caches and maybe DNS caches that would just work itself out, but it never did and became a hindrance to use. Would you recommend I try again with maybe Google DNS?
 
It probably wouldn't be DNSSEC, because basically the only time that becomes relevant is when a domain is being forged.
 
It was either that or rebind protection, because I changed them both at the same time (enabled) and began noticing browsing issues immediately. After a while it was just more trouble than it was worth, so I disabled both at the same time and refreshed a couple of the pages that had loading issues, and instantly the problem was remedied.

Also, I want to mention that skeal's suggestion that it could be Quad9 doesn't seem likely, because wouldn't I have had issues before enabling DNSSEC and rebind protection? I've been using Quad9 for months now without issue.
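For reference, the dnsmasq directives behind the two LAN > DHCP Server toggles, as an added example (not the thread's own text and not the config Asuswrt-Merlin generates): the weaker pass-through setting next to the validating one, plus the rebind whitelist you want when a legitimate name resolves to a private address, which is one way "pages not loading" shows up. The trust-anchor fields and the domain names are placeholders.

```conf
# Added example: a dnsmasq.conf fragment, not the router firmware's own file.

# Weaker: copy the upstream resolver's AD bit through without validating here,
# so the LAN trusts whatever Google/Cloudflare/Quad9 claims. Left commented out.
#proxy-dnssec

# Validating: dnsmasq checks the RRSIG chain itself from the root trust anchor.
# KEYTAG and DIGEST are placeholders; copy the current root KSK DS record from
# IANA's root-anchors file.
dnssec
trust-anchor=.,KEYTAG,8,2,DIGEST
# Also prove that a reply returned without signatures really comes from an
# unsigned zone (costs extra DS lookups, but closes the "strip the RRSIGs" hole).
dnssec-check-unsigned

# Rebind protection: drop upstream answers that point at private address
# ranges (RFC 1918, loopback), which is what defeats a forged public name
# that resolves to a LAN host.
stop-dns-rebind
rebind-localhost-ok
# Caveat: legitimate names that resolve to private addresses (a VPN endpoint,
# a vendor's split-horizon zone) are dropped too, and those pages "fail to
# load"; whitelist such domains explicitly instead of turning protection off.
rebind-domain-ok=/corp.example/vpn.example/

# Log queries so a DNSSEC failure (a BOGUS validation line) can be told apart
# from a rebind block ("possible DNS-rebind attack detected") when troubleshooting.
log-queries
```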
 
OK and just to follow up, this was the error I see on a lot of pages. And then about a minute later without me doing anything, Chrome tries to reload the page and most of the time successfully does it. This happens on tons of sites, but not every site.
 

I have both DNSSEC & DNS rebind protection enabled.
I get DNSSEC errors with both Google & Cloudflare. No problems at all with Quad9.
Go figure......
 
> Google DNS also has full support for DNSSEC, but Google and Quad9 log, so I do not recommend these DNS servers.
>
> I only use these DNS servers (DNS.WATCH or Google or Quad9) in the router because they have full support for DNSSEC, to install DNSCrypt without problems, because I have DNSSEC enabled in the router (LAN -> DHCP Server), and then in DNSCrypt I manually choose the DNS servers that do not log.
>
> If you are not going to use DNSCrypt, I recommend DNS.WATCH because this DNS server does not log and has full support for DNSSEC.
>
> Read my post about Cloudflare DNS and DNSCrypt:

The 'rootcanary' DNSSEC test you link to shows Quad9 to be the most DNSSEC compliant, followed by Google, then Cloudflare.
Maybe that's why I'm having a good run with Quad9, but not the other two.
 
Could you elaborate a little on "most DNSSEC compliant"? I'm pretty new to the DNSSEC stuff and this is what I see when I run the rootcanary test:

I'm on 9.9.9.9 as my only listed DNS server for the time being. Running the GRC test gives me a few different PCH servers with 74.63.17.* but gives Excellent results for all of them. Some of the other tests listed appear to give me good results, but I'm still having some issues with pages not loading, or not loading on the first try. All I should need to do is enable DNSSEC and DNS rebind protection on the LAN > DHCP Server tab, right?
 
> Could you elaborate a little on "most DNSSEC compliant"? I'm pretty new to the DNSSEC stuff and this is what I see when I run the rootcanary test:
>
> I'm on 9.9.9.9 as my only listed DNS server for the time being. Running the GRC test gives me a few different PCH servers with 74.63.17.* but gives Excellent results for all of them. Some of the other tests listed appear to give me good results, but I'm still having some issues with pages not loading, or not loading on the first try. All I should need to do is enable DNSSEC and DNS rebind protection on the LAN > DHCP Server tab, right?

Hi, I too am a latecomer to this DNSSEC concept. Appears to be something worth having.
Your 'rootcanary' results are the same as mine.
Yes, I have DNSSEC & DNS rebind both enabled.
Works well for me.
 
> It was either that or rebind protection, because I changed them both at the same time (enabled) and began noticing browsing issues immediately. After a while it was just more trouble than it was worth, so I disabled both at the same time and refreshed a couple of the pages that had loading issues, and instantly the problem was remedied.
>
> Also, I want to mention that skeal's suggestion that it could be Quad9 doesn't seem likely, because wouldn't I have had issues before enabling DNSSEC and rebind protection? I've been using Quad9 for months now without issue.

I will say again: Quad9 is filtered, and it is promoted as such. That is all I was saying. DNSSEC and Rebind Protection should work fine with Quad9....:rolleyes:
 
