nomadbsd / handbook

NomadBSD handbooklet
BSD 2-Clause "Simplified" License

Simple DNS over TLS and DNSSEC for added security on NomadBSD. #11

Open globetrotterdk opened 2 years ago

globetrotterdk commented 2 years ago

I have been researching and working on a simple, low-resource method for added security on a NomadBSD system that goes beyond what a VPN can provide. I have been led to understand that Unbound can provide this, so I have tried to configure the version (?) of Unbound that is found in the base FreeBSD system. I have experienced some issues along the way and could use some help.

I currently have the line in my /etc/rc.conf as follows, to try to help diagnose some of the problems that I am experiencing:

```
local_unbound_enable=NO
```

Here is what I get when I try to start Unbound manually:

```
# service local_unbound onestart
Starting local_unbound.
Waiting for nameserver to start...[1645112025] unbound-control[2874:0] warning: control-enable is 'no' in the config file.
[1645112025] unbound-control[2874:0] error: connect: Connection refused for 127.0.0.1 port 8953
.[1645112026] unbound-control[2879:0] warning: control-enable is 'no' in the config file.
[1645112026] unbound-control[2879:0] error: connect: Connection refused for 127.0.0.1 port 8953
.[1645112027] unbound-control[2884:0] warning: control-enable is 'no' in the config file.
[1645112027] unbound-control[2884:0] error: connect: Connection refused for 127.0.0.1 port 8953
.[1645112028] unbound-control[2889:0] warning: control-enable is 'no' in the config file.
[1645112028] unbound-control[2889:0] error: connect: Connection refused for 127.0.0.1 port 8953
.[1645112029] unbound-control[2894:0] warning: control-enable is 'no' in the config file.
[1645112029] unbound-control[2894:0] error: connect: Connection refused for 127.0.0.1 port 8953
giving up
```

My /etc/unbound/unbound.conf is very basic:

```
server:
    port: 5300
    tls-upstream: yes
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

forward-zone:
    name: "."
    forward-addr: 2a05:fc84::42@853#dns.digitale-gesellschaft.ch
```

The following is what I used as a point of reference in starting to work with Unbound.

I made sure that ntpd was installed and running for correct time.

```
# sysrc local_unbound_enable=YES
```

This should set local_unbound to be used as a local resolver.

```
# pkg install bind-tools
```

This is to get the "dig" command. Next, reboot or run:

```
# service local_unbound start
```

Test with:

```
# dig @::1 -p 5300 mozilla.org
```

I am not sure, but I believe this works. I believe that the following is used for capturing traffic. Here I start getting on thin ice regarding what I have learned so far:

```
# tcpdump host 2a05:fc84::42 -w tls.pcap
```

AND

```
# dig @::1 -p 5300 mozilla.org
```

OR

```
# dig @::1 -p 5300 mozilla.org +dnssec
```

tcpdump appears to work, but when running Wireshark, I only see UDP; no DNS, TCP or TLS protocols. There are no man pages for local_unbound, and the references to unbound-checkconf and unbound-anchor, I suspect, refer to the full Unbound install, while I am trying to run this on a desktop system. I am a bit lost at this point, as I have no experience in network security, but am trying my best. However, I could definitely use some help at this point.

For the future, it would be nice if some form of Simple DNS over TLS and DNSSEC for added security were implemented in NomadBSD, without any particular configuration needed, for the desktop user...
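A worked configuration for the setup the issue is after, added here as an example; it is not the issue author's file and not something shipped by NomadBSD or FreeBSD. It keeps the forwarder and the 5300 listening port from the config above and assumes the FreeBSD base-system layout that NomadBSD inherits: the control socket path /var/run/local_unbound.ctl and the trust-anchor path /var/unbound/root.key are the FreeBSD defaults, and /usr/local/share/certs/ca-root-nss.crt comes from the security/ca_root_nss port. The remote-control section is what the posted config lacks: the start-up log above shows the local_unbound rc script polling unbound-control while it waits for the daemon, and with control-enable left at its default of no that poll can only ever get "connection refused" on 127.0.0.1:8953.

```conf
# Added example, not the issue author's or NomadBSD's config.
# Assumes FreeBSD-style paths (/var/unbound, /var/run/local_unbound.ctl)
# and the ca_root_nss port for the CA bundle.
server:
    # Listen on loopback only, so nothing else on the LAN can use or
    # amplify through this resolver; 5300 matches the tests in the issue
    # (port 53 is the default and is what /etc/resolv.conf expects).
    interface: 127.0.0.1
    interface: ::1
    port: 5300
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

    # DNSSEC: validate answers against the root trust anchor in this file.
    # The path is the FreeBSD default that local-unbound-anchor maintains
    # (assumed to be the same on NomadBSD).
    auto-trust-anchor-file: "/var/unbound/root.key"
    # Treat missing signatures from a signed zone as an attack, not as
    # "unsigned data"; drop answers that fail validation.
    harden-dnssec-stripped: yes
    val-permissive-mode: no
    # Send only as much of the query name upstream as each step needs.
    qname-minimisation: yes

    # DNS over TLS to the forwarder, with the server certificate checked
    # against the system CA bundle and the name after '#' below.
    tls-upstream: yes
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

# The rc script talks to the daemon through unbound-control while starting,
# so remote control must be on. A unix socket keeps it off the network and
# needs no control certificates.
remote-control:
    control-enable: yes
    control-interface: /var/run/local_unbound.ctl
    control-use-cert: no

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Forwarder from the issue: address@port#name-to-verify-in-certificate
    forward-addr: 2a05:fc84::42@853#dns.digitale-gesellschaft.ch
```

Before starting the service, run the base-system syntax checker over the file (on FreeBSD the base copies of the Unbound tools are named local-unbound-checkconf, local-unbound-anchor and local-unbound-control, with man pages under those names; I assume NomadBSD keeps them). Then `service local_unbound onestart` and `dig @::1 -p 5300 +dnssec mozilla.org`: an answer the resolver validated carries `ad` in dig's flags line, and a capture with `tcpdump -ni <interface> 'tcp port 853'` should now show TCP/TLS traffic to 2a05:fc84::42 instead of the plain UDP seen in Wireshark above. If `ad` is missing or the capture shows UDP port 53, the forward-zone or trust anchor is not in effect and the checker output is the first place to look.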