DNSSEC

From ArchWiki

From the DNSSEC Wikipedia article:

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Basic DNSSEC validation

Note: Further setup is required for your DNS lookups DNSSEC by default. See #Install a DNSSEC-validating resolver and #Enable DNSSEC in specific software.

Installation

Install the ldns package, which provides drill. The drill tool can be used for basic DNSSEC validation.

For other available tools, see Domain name resolution#Lookup utilities.

Query with DNSSEC validation

Then to query with DNSSEC validation, use the -D flag:

$ drill -D example.com

Testing

As a test use the following domains, adding the -T flag, which traces from the root name servers down to the domain being resolved.

The result should end with the following lines, indicating that the DNSSEC signature is bogus:

$ drill -DT badsig.go.dnscheck.tools
[B] badsig.go.dnscheck.tools.   1       IN      A       142.93.10.179
;; Error: Bogus DNSSEC signature
;;[S] self sig OK; [B] bogus; [T] trusted; [U] unsigned

Now to test a trusted signature, the result should end with the following lines, indicating the signature is trusted:

$ drill -DT go.dnscheck.tools
[T] go.dnscheck.tools.  1       IN      A       142.93.10.179
;;[S] self sig OK; [B] bogus; [T] trusted; [U] unsigned

Install a DNSSEC-validating resolver

To use DNSSEC system-wide, you can use a DNS resolver that is capable of validating DNSSEC records, so that all DNS lookups go through it. See Domain name resolution#DNS servers for available options. Note that each requires specific options to enable their DNSSEC validation feature.

If you attempt to visit a site with a bogus (spoofed) IP address, the validating resolver will prevent you from receiving the invalid DNS data and your browser (or other application) will be told there is no such host. Since all DNS lookups go through the validating resolver, you do not need software that has DNSSEC support built-in when using this option.

Enable DNSSEC in specific software

If you choose not to #Install a DNSSEC-validating resolver, you need to use software that has DNSSEC support builtin. Often this means you must patch the software yourself. Hopefully, a full list of several patched applications will eventually (Dec 2020) be found at [1]. Additionally, some web browsers, some of them mentioned at [2], have extensions or add-ons that can be installed to implement DNSSEC without patching the program.

See also

https://github.com/gene-git/dns_tools || dns_toolsAUR