davidshen84 Apprentice

Joined: 09 Aug 2008 Posts: 286
Posted: Sat Sep 12, 2020 11:47 pm Post subject: Is google.com not secure or my dnscrypt-proxy is not working
Hi
On my system I have systemd, systemd-resolved and dnscrypt-proxy. I have configured systemd-resolved to work in client mode and use my local dnscrypt-proxy service, which listens on port 53. After system startup, I can confirm my wlan0 IF is using 127.0.0.1 for DNS and it reports supporting DNSSEC. However, it seems most DNS queries are not authenticated. Does this mean they are not secure?
Query is authenticated:
Code: |
> resolvectl query rsync.gentoo.org
rsync.gentoo.org: 2a01:90:200:10::1a
89.238.71.6
-- Information acquired via protocol DNS in 3.4455s.
-- Data is authenticated: yes
|
Query is NOT authenticated:
Code: |
> resolvectl query www.google.com
www.google.com: 2404:6800:4003:c00::6a
2404:6800:4003:c00::93
2404:6800:4003:c00::69
2404:6800:4003:c00::67
74.125.200.105
74.125.200.104
74.125.200.99
74.125.200.106
74.125.200.147
74.125.200.103
-- Information acquired via protocol DNS in 3.0600s.
-- Data is authenticated: no
|
Some logs
Code: |
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN SOA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN SOA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN SOA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN SOA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature
|
_________________ David Shen |
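One way to collapse the repeated journal lines in the post above into one row per name and failure reason, and to pick out names whose DS or DNSKEY lookups failed. This is an added example, not part of the original posts; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: same line format as the journal excerpt in the post,
# plus one unrelated line that must be ignored.
SAMPLE = """\
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN SOA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:46 gentoo example[1]: constructed unrelated line
"""

LINE_RE = re.compile(
    r"systemd-resolved\[\d+\]: DNSSEC validation failed for question "
    r"(?P<name>\S+) IN (?P<rtype>[A-Z0-9]+): (?P<reason>\S+)\s*$"
)

# Record types a validator fetches to build the chain of trust.
TRUST_CHAIN_TYPES = {"DS", "DNSKEY"}


def parse(text):
    """Yield (name, rtype, reason) for each validation-failure line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["name"].rstrip(".").lower(), m["rtype"], m["reason"]


def summarize(text):
    """Map (name, reason) -> (line count, sorted record types seen)."""
    counts, rtypes = Counter(), defaultdict(set)
    for name, rtype, reason in parse(text):
        counts[(name, reason)] += 1
        rtypes[(name, reason)].add(rtype)
    return {key: (n, sorted(rtypes[key])) for key, n in counts.items()}


def trust_chain_failures(summary):
    """Names for which a DS or DNSKEY lookup itself failed validation."""
    return sorted({name for (name, _), (_, types) in summary.items()
                   if TRUST_CHAIN_TYPES & set(types)})


if __name__ == "__main__":
    result = summarize(SAMPLE)
    for (name, reason), (n, types) in sorted(result.items()):
        print(f"{n:3d}  {name}  {reason}  {','.join(types)}")
    print("trust-chain lookups failing:", trust_chain_failures(result))
```

To run it on a real system, pass the text output of `journalctl -u systemd-resolved` to `summarize()` instead of `SAMPLE`.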
ct85711 Veteran

Joined: 27 Sep 2005 Posts: 1791
Posted: Sun Sep 13, 2020 2:50 am Post subject:
Well, looking through the query logs for my own setup (it's not using dnscrypt-proxy, but is set up to use DNSSEC), I'm seeing over 80% of all DNS queries (according to my logs) come back as not secure, including Google's. Gentoo's were one of the few that are authenticated.