NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License
3.12k stars 359 forks source link

Plain text DNS requests to root servers on start #1138

Open jouskaSockets opened 1 month ago

jouskaSockets commented 1 month ago

When unbound starts it sends DNS request to root servers, How can i disable this behavior?

Aura67 commented 1 month ago

What is your goal with unbound?

wcawijngaards commented 1 month ago

The queries are called root priming queries [RFC8109]. This happens because unbound is asked to perform recursion, the iterative lookup of the DNS queries using authoritative servers. This is the default for unbound. It has a list of built-in root servers, but it is also possible to set the root server addresses that it uses.

This should not really be disabled, root priming queries. But perhaps what you want is to run a forwarder, where unbound only sends traffic to one particular address and caches the results if possible, this is done with forward-zone:. Then the queries to the root servers are not made, it instead sends queries to that server.

It is also possible to stop unbound from sending traffic to the root servers, and also stop root priming queries. This is useful for test setups, where a test set of authoritative servers is created. It is configured by setting stub-zone: options. Ordinarily, the root-hints and also stub-zone options can also be used to configure a list of root servers manually, instead of using the defaults.

jouskaSockets commented 1 month ago

But isn't insecure to be sent using plain text DNS instead of TLS ? root-dns

I would also appreciate if there is a way to increase DNSSEC cache duration. The benefit is not great in this case because unbound will continue to send verification requests to DNSSEC. What I am trying to achieve here is stale cache.

A final question: When cachedb is activated, does unbound continue to store cache in memory at the same time? unbound.conf:

server:

  module-config: "validator cachedb iterator"
  #module-config: "cachedb iterator"

    ###########################################################################
    # BASIC SETTINGS
    ###########################################################################
    # Time to live maximum for RRsets and messages in the cache. If the maximum
    # kicks in, responses to clients still get decrementing TTLs based on the
    # original (larger) values. When the internal TTL expires, the cache item
    # has expired. Can be set lower to force the resolver to query for data
    # often, and not trust (very large) TTL values.
    cache-max-ttl: 2147483647

    # Time to live minimum for RRsets and messages in the cache. If the minimum
    # kicks in, the data is cached for longer than the domain owner intended,
    # and thus less queries are made to look up the data. Zero makes sure the
    # data in the cache is as the domain owner intended, higher values,
    # especially more than an hour or so, can lead to trouble as the data in
    # the cache does not match up with the actual data any more.
    cache-min-ttl: 2147483647

    # Set the working directory for the program.
    directory: "/opt/unbound/etc/unbound"

    # If enabled, Unbound will respond with Extended DNS Error codes (RFC 8914).
    # These EDEs attach informative error messages to a response for various
    # errors.
    # When the val-log-level: option is also set to 2, responses with Extended
    # DNS Errors concerning DNSSEC failures that are not served from cache, will
    # also contain a descriptive text message about the reason for the failure.
    ede: yes

    # If enabled, Unbound will attach an Extended DNS Error (RFC 8914)
    # Code 3 - Stale Answer as EDNS0 option to the expired response.
    # This will not attach the EDE code without setting ede: yes as well.
    ede-serve-expired: yes

    # RFC 6891. Number  of bytes size to advertise as the EDNS reassembly buffer
    # size. This is the value put into  datagrams over UDP towards peers.
    # The actual buffer size is determined by msg-buffer-size (both for TCP and
    # UDP). Do not set higher than that value.
    # Default  is  1232 which is the DNS Flag Day 2020 recommendation.
    # Setting to 512 bypasses even the most stringent path MTU problems, but
    # is seen as extreme, since the amount of TCP fallback generated is
    # excessive (probably also for this resolver, consider tuning the outgoing
    # tcp number).
    edns-buffer-size: 1232

    # Listen to for queries from clients and answer from this network interface
    # and port.
    interface: 0.0.0.0@53

    # Rotates RRSet order in response (the pseudo-random number is taken from
    # the query ID, for speed and thread safety).
    rrset-roundrobin: yes

    # Drop user  privileges after  binding the port.
    username: "_unbound"

    ###########################################################################
    # LOGGING
    ###########################################################################

    # Do not print log lines to inform about local zone actions
    log-local-actions: no

    # Do not print one line per query to the log
    log-queries: yes

    # Do not print one line per reply to the log
    log-replies: yes

    # Do not print log lines that say why queries return SERVFAIL to clients
    log-servfail: yes

    # If you want to log to a file, use:
    # logfile: /opt/unbound/etc/unbound/unbound.log
    # Set log location (using /dev/null further limits logging)
    logfile: /opt/unbound/etc/unbound/unbound.log

    # Set logging level
    # Level 0: No verbosity, only errors.
    # Level 1: Gives operational information.
    # Level 2: Gives detailed operational information including short information per query.
    # Level 3: Gives query level information, output per query.
    # Level 4:  Gives algorithm level information.
    # Level 5: Logs client identification for cache misses.
    verbosity: 4

    ###########################################################################
    # PRIVACY SETTINGS
    ###########################################################################

    # RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
    # denials, using information from previous NXDO-MAINs answers. In other
    # words, use cached NSEC records to generate negative answers within a
    # range and positive answers from wildcards. This increases performance,
    # decreases latency and resource utilization on both authoritative and
    # recursive servers, and increases privacy. Also, it may help increase
    # resilience to certain DoS attacks in some circumstances.
    aggressive-nsec: yes

    # Extra delay for timeouted UDP ports before they are closed, in msec.
    # This prevents very delayed answer packets from the upstream (recursive)
    # servers from bouncing against closed ports and setting off all sort of
    # close-port counters, with eg. 1500 msec. When timeouts happen you need
    # extra sockets, it checks the ID and remote IP of packets, and unwanted
    # packets are added to the unwanted packet counter.
    delay-close: 10000

    # Prevent the unbound server from forking into the background as a daemon
    do-daemonize: no

    # Add localhost to the do-not-query-address list.
    do-not-query-localhost: yes

    # Number  of  bytes size of the aggressive negative cache.
    neg-cache-size: 4M

    # Send minimum amount of information to upstream servers to enhance
    # privacy (best privacy).
    qname-minimisation: yes

    ###########################################################################
    # SECURITY SETTINGS
    ###########################################################################
    # Only give access to recursion clients from LAN IPs
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    # access-control: fc00::/7 allow
    # access-control: ::1/128 allow

    # File with trust anchor for  one  zone, which is tracked with RFC5011
    # probes.
    auto-trust-anchor-file: "var/root.key"

    # Enable chroot (i.e, change apparent root directory for the current
    # running process and its children)
    chroot: "/opt/unbound/etc/unbound"

    # Deny queries of type ANY with an empty response.
    deny-any: yes

    # Harden against algorithm downgrade when multiple algorithms are
    # advertised in the DS record.
    harden-algo-downgrade: yes

    # Harden against unknown records in the authority section and additional
    # section. If no, such records are copied from the upstream and presented
    # to the client together with the answer. If yes, it could hamper future
    # protocol developments that want to add records.
    harden-unknown-additional: yes

    # RFC 8020. returns nxdomain to queries for a name below another name that
    # is already known to be nxdomain.
    harden-below-nxdomain: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the
    # zone becomes bogus. If turned off you run the risk of a downgrade attack
    # that disables security for a zone.
    harden-dnssec-stripped: yes

    # Only trust glue if it is within the servers authority.
    harden-glue: yes

    # Ignore very large queries.
    harden-large-queries: yes

    # Perform additional queries for infrastructure data to harden the referral
    # path. Validates the replies if trust anchors are configured and the zones
    # are signed. This enforces DNSSEC validation on nameserver NS sets and the
    # nameserver addresses that are encountered on the referral path to the
    # answer. Experimental option.
    harden-referral-path: no

    # Ignore very small EDNS buffer sizes from queries.
    harden-short-bufsize: yes

    # If enabled the HTTP header User-Agent is not set. Use with caution
    # as some webserver configurations may reject HTTP requests lacking
    # this header. If needed, it is better to explicitly set the
    # the http-user-agent.
    hide-http-user-agent: no

    # Refuse id.server and hostname.bind queries
    hide-identity: yes

    # Refuse version.server and version.bind queries
    hide-version: yes

    # Set the HTTP User-Agent header for outgoing HTTP requests. If
    # set to "", the default, then the package name and version are
    # used.
    http-user-agent: "DNS"

    # Report this identity rather than the hostname of the server.
    identity: "DNS"

    # These private network addresses are not allowed to be returned for public
    # internet names. Any  occurrence of such addresses are removed from DNS
    # answers. Additionally, the DNSSEC validator may mark the  answers  bogus.
    # This  protects  against DNS  Rebinding
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    # private-address: fd00::/8
    # private-address: fe80::/10
    # private-address: ::ffff:0:0/96

    # Enable ratelimiting of queries (per second) sent to nameserver for
    # performing recursion. More queries are turned away with an error
    # (servfail). This stops recursive floods (e.g., random query names), but
    # not spoofed reflection floods. Cached responses are not rate limited by
    # this setting. Experimental option.
    ratelimit: 1000

    # Use this certificate bundle for authenticating connections made to
    # outside peers (e.g., auth-zone urls, DNS over TLS connections).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Set the total number of unwanted replies to eep track of in every thread.
    # When it reaches the threshold, a defensive action of clearing the rrset
    # and message caches is taken, hopefully flushing away any poison.
    # Unbound suggests a value of 10 million.
    unwanted-reply-threshold: 10000

    # Use 0x20-encoded random bits in the query to foil spoof attempts. This
    # perturbs the lowercase and uppercase of query names sent to authority
    # servers and checks if the reply still has the correct casing.
    # This feature is an experimental implementation of draft dns-0x20.
    # Experimental option.
    use-caps-for-id: yes

    # Help protect users that rely on this validator for authentication from
    # potentially bad data in the additional section. Instruct the validator to
    # remove data from the additional section of secure messages that are not
    # signed properly. Messages that are insecure, bogus, indeterminate or
    # unchecked are not affected.
    val-clean-additional: yes

    ###########################################################################
    # PERFORMANCE SETTINGS
    ###########################################################################
    # https://nlnetlabs.nl/documentation/unbound/howto-optimise/
    # https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/

    # Number of slabs in the infrastructure cache. Slabs reduce lock contention
    # by threads. Must be set to a power of 2.
    infra-cache-slabs: 8

    # Number of incoming TCP buffers to allocate per thread. Default
    # is 10. If set to 0, or if do-tcp is "no", no  TCP  queries  from
    # clients  are  accepted. For larger installations increasing this
    # value is a good idea.
    incoming-num-tcp: 10

    # Number of slabs in the key cache. Slabs reduce lock contention by
    # threads. Must be set to a power of 2. Setting (close) to the number
    # of cpus is a reasonable guess.
    key-cache-slabs: 8

    # Number  of  bytes  size  of  the  message  cache.
    # Unbound recommendation is to Use roughly twice as much rrset cache memory
    # as you use msg cache memory.
    #msg-cache-size: 2535257429
    msg-cache-size: 0

    # Number of slabs in the message cache. Slabs reduce lock contention by
    # threads. Must be set to a power of 2. Setting (close) to the number of
    # cpus is a reasonable guess.
    msg-cache-slabs: 8

    # The number of queries that every thread will service simultaneously. If
    # more queries arrive that need servicing, and no queries can be jostled
    # out (see jostle-timeout), then the queries are dropped.
    # This is best set at half the number of the outgoing-range.
    # This Unbound instance was compiled with libevent so it can efficiently
    # use more than 1024 file descriptors.
    num-queries-per-thread: 4096

    # The number of threads to create to serve clients.
    # This is set dynamically at run time to effectively use available CPUs
    # resources
    num-threads: 7

    # Number of ports to open. This number of file descriptors can be opened
    # per thread.
    # This Unbound instance was compiled with libevent so it can efficiently
    # use more than 1024 file descriptors.
    outgoing-range: 8192

    # Number of bytes size of the RRset cache.
    # Use roughly twice as much rrset cache memory as msg cache memory
    #rrset-cache-size: 5070514858
    rrset-cache-size: 0

    # Number of slabs in the RRset cache. Slabs reduce lock contention by
    # threads. Must be set to a power of 2.
    rrset-cache-slabs: 8

    # Do no insert authority/additional sections into response messages when
    # those sections are not required. This reduces response size
    # significantly, and may avoid TCP fallback for some responses. This may
    # cause a slight speedup.
    minimal-responses: yes

    # # Fetch the DNSKEYs earlier in the validation process, when a DS record
    # is encountered. This lowers the latency of requests at the expense of
    # little more CPU usage.
    prefetch: yes

    # Fetch the DNSKEYs earlier in the validation process, when a DS record is
    # encountered. This lowers the latency of requests at the expense of little
    # more CPU usage.
    prefetch-key: yes

    # Have unbound attempt to serve old responses from cache with a TTL of 0 in
    # the response without waiting for the actual resolution to finish. The
    # actual resolution answer ends up in the cache later on.
    serve-expired: yes
        serve-expired-ttl: 2147483647

    # UDP queries that have waited in the socket buffer for a long time can be
    # dropped. The time is set in seconds, 3 could be a good value to ignore old
    # queries that likely the client does not need a reply for any more. This
    # could happen if the host has not been able to service the queries for a
    # while, i.e. Unbound is not running, and then is enabled again. It uses
    # timestamp socket options.
    sock-queue-timeout: 3

    # Open dedicated listening sockets for incoming queries for each thread and
    # try to set the SO_REUSEPORT socket option on each socket. May distribute
    # incoming queries to threads more evenly.
    so-reuseport: yes

    ###########################################################################
    # LOCAL ZONE
    ###########################################################################

    # Include file for local-data and local-data-ptr
    include: /opt/unbound/etc/unbound/a-records.conf
    include: /opt/unbound/etc/unbound/srv-records.conf

    ###########################################################################
    # FORWARD ZONE
    ###########################################################################

    include: /opt/unbound/etc/unbound/forward-records.conf

  remote-control:
      control-enable: yes
      control-interface: 0.0.0.0
      control-port: 8953
      control-key-file: "/opt/unbound/etc/unbound/unbound_control.key"
      control-cert-file: "/opt/unbound/etc/unbound/unbound_control.pem"

  cachedb:
          backend: "redis"
          secret-seed: "default"
          redis-server-host: 192.168.0.8
          redis-server-port: 6379
          redis-timeout: 3000
          redis-expire-records: no
Aura67 commented 1 month ago

unbound does not encrypt the DNS requests by default because it runs over port 53. What you mean is port 853 DNS Over TLS. To do this you have to create a forward zone and use an upstream server to which you want to encrypt. eg:

forward-zone: name: "." forward-tls-upstream: yes forward-addr: ip from upstream@853#name from upstream forward-addr: ip from upstream@853#name from upstream

jouskaSockets commented 1 month ago

@Aura67 All my DNS requests use DoT, so they are all encrypted. What I am referring to are the root servers requests or "root priming queries," as @wcawijngaards referred to, which are triggered the second Unbound starts, before my device even makes any DNS requests. All other DNS requests after that are encrypted.

My forward-records.conf:

forward-zone:
    # Forward all queries (except those in cache and local zone) to
    # upstream recursive servers
    name: "."
    # Queries to this forward zone use TLS
    forward-tls-upstream: yes

    # https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

    ## Cloudflare
    forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
    forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
jouskaSockets commented 1 month ago

The problem here is that anyone listening on the wires can trick Unbound into using fake root servers, since those "root priming queries" are not encrypted. Although Unbound is set to use TLS, it seems that the forward-tls-upstream setting does not affect root priming queries.

Aura67 commented 1 month ago

the server settings are as I have created them so good because unbound sends its requests to Claudflare via port 853. Create a file on your Linux system with an editor like nano for example and paste this content:

Server:

DNS-over-TLS

tls-port: 853

interface: 127.0.0.1
port: 5335
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: no

# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no

# Certificates used to authenticate connections made upstream.
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes

# Reduce EDNS reassembly buffer size.
# IP fragmentation is unreliable on the Internet today, and can cause
# transmission failures when large DNS messages are sent via UDP. Even
# when fragmentation does work, it may not be secure; it is theoretically
# possible to spoof parts of a fragmented DNS message, without easy
# detection at the receiving end. Recently, there was an excellent study
# >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
# by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
# in collaboration with NLnet Labs explored DNS using real world data from the
# the RIPE Atlas probes and the researchers suggested different values for
# IPv4 and IPv6 and in different scenarios. They advise that servers should
# be configured to limit DNS messages sent over UDP to a size that will not
# trigger fragmentation on typical network links. DNS servers can switch
# from UDP to TCP when a DNS response is too big to fit in this limited
# buffer size. This value has also been suggested in DNS Flag Day 2020.
edns-buffer-size: 1232

# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes

# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
num-threads: 1

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
forward-addr: 1.0.0.2@853#security.cloudflare-dns.com

the port for unbound is 5335 if you use pihole or something else you just enter 127.0.0.1#5335 in pihole or if you use adguard home on linux you enter 127.0.0.1:5335 under upstream but of course you can also delete port 5335 and just leave 127.0.0.1 then you just have to enter 127.0.0.1 on your end devices. you have to set it up so that your devices then use unbound how you do it I think you know quite well :)

Here is the page where all configs for unbound are available: https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in

you can't encrypt your dns requests to the root server either you can only encrypt them by sending your requests to another upstream server otherwise your requests are not encrypted because the root servers don't support dns over tls.

Find out what you need or what you want to do with unbound. Before I forget to mention after you have created a file with these configs you should restart your unbound with service unbound restart and if you then enter service unbound status you can see if unbound is active

pemensik commented 2 weeks ago

I think this should be configured by forward-first clause in forward-zone definition. When it is by default to no, as manual says, there is not a good reason for sending priming query directly to root servers used from hints. Because in this configuration, hints should not be used in any case anyway. Priming should use forwarder, because only forwarder would be used, unless forward-first: yes is used at least in one forward-zone definition. With at least one forward-first active, then priming query is okay.

Another case which we have is when you uncomment auth-zone: name: "." in configuration. Then it needs to prove those servers on start, whether it has up-to-date copy or not.

While that query does not negatively affect privacy, it may trigger monitoring checking nobody is using unencrypted DNS on the network.

wcawijngaards commented 2 weeks ago

Unbound does not make root priming queries, unless it needs to make them. The root priming happens when unbound performs recursion. In which case, what with following the delegations from the root servers to the authority servers of the zone, this is realistically needed to perform the service correctly. But if unbound is configured as a forwarder, for zone ".", then it would not send root priming queries. This in more recent unbound versions by the way, if it does not, upgrade to a newer version. In addition, Unbound also only sends root priming queries when it needs to, when a query needs to be serviced, if the server is just started it does not do so, until a query comes in that needs the data, the root priming data is needed to perform the recursion.

If unbound is configured to use an encrypted transport, it would also use that for root priming queries.

If the desire is to suppress packets, Unbound also makes a RFC8145 key tag query after priming the root key. That is a separate lookup that happens after a recursion, separate from root priming. The intent of the mechanism is to track the deployment of root keys in validators, useful when there is a root key rollover. This query can be suppressed with trust-anchor-signaling: no.