Enabling DNSSEC on Pi-Hole


  • Enabling DNSSEC on Pi-Hole

    Upon discovering in this thread that if you have your Pi-Hole as the primary DNS but something else (like your ISP's upstream DNS) as secondary, if you're blocking things with the Pi-Hole, your machine will just say "Well lemme check secondary DNS....OH there it is, kthxbye!" I've now installed a second Pi-Hole at home :-). I also wanted to turn on DNSSEC (because why not), and found that this was a super quick and easy guide to do just that:

    https://www.mpauli.de/dnssec-on-a-ra...5-minutes.html

    Once you turn DNSSEC on you can validate it's working by heading here: https://internet.nl/
    Brian Johnson
    7 Minute Security
    Podcaster | Security Consultant

  • #2
    Just to follow up on this, I thought I had everything working like a champ, but after remoting into both my Pi-holes tonight, I found that every entry in the log had a big red BOGUS next to it. Long story short, I found that this was because my date/time info was set incorrectly. I found out this site (https://www.reddit.com/r/pihole/comm..._bogus_domain/) helped me understand why an entry might be logged as SECURE, BOGUS or INSECURE. The TLDR version is this:

    SECURE == I've found a signed record and they validate.
    BOGUS == I've found a signed record and the signature is bad.
    INSECURE == I've found no signed records; either the domain is unsigned and not implementing DNSSEC or there are other issues, but I cannot say it's SECURE or BOGUS.

    To fix the time issue, I had to do the following:

    1. Stop the pi from auto-syncing time by issuing timedatectl set-ntp false

    2. Find the timezone that's right for me by searching using a query like timedatectl list-timezones | egrep -o "America/Chi.*"

    3. Set my timezone with timedatectl set-timezone "America/Chicago"

    4. Manually set my time with timedatectl set-time '2020-04-22 19:12:50'

    5. Turn auto-syncing back on with timedatectl set-ntp true

    When I went back into the admin GUI, several entries were still indicating INSECURE, but many of them return as clean OKs.
    Brian Johnson
    7 Minute Security
    Podcaster | Security Consultant

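    The three statuses in the TLDR above, written out as a small validator that shows why a wrong clock turns good records BOGUS. This is an added example, not code from the post or from the Pi-hole project: the domain names and RRSIG validity windows are constructed, and the cryptographic signature check is assumed to have been done elsewhere.

```python
"""Added example: why a wrong system clock turns every DNSSEC answer BOGUS.

An RRSIG carries an inception and an expiration time (RFC 4034, presentation
format YYYYMMDDHHmmSS in UTC). A validator accepts the signature only if its
own clock falls inside that window, so a Pi-hole whose clock is badly off
marks otherwise-good records BOGUS. All names and values below are constructed.
"""
from datetime import datetime, timezone

SECURE, BOGUS, INSECURE = "SECURE", "BOGUS", "INSECURE"

def parse_rrsig_time(s):
    """Parse an RRSIG inception/expiration field (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def classify(rrsig, now, signature_ok=True):
    """Map an answer to the three dnsmasq/Pi-hole statuses.

    rrsig: None for an unsigned zone, else (inception, expiration) strings.
    signature_ok: outcome of the cryptographic check (assumed done elsewhere).
    now: the validator's own clock, i.e. the Pi-hole's system time.
    """
    if rrsig is None:
        return INSECURE
    inception, expiration = (parse_rrsig_time(t) for t in rrsig)
    # A signature seen outside its validity window is BOGUS even if the
    # crypto is fine: the validator cannot tell "expired" from "forged".
    if not signature_ok or not (inception <= now <= expiration):
        return BOGUS
    return SECURE

# Constructed sample: a signed zone, an unsigned zone, and a tampered record.
ANSWERS = {
    "signed.example.":   (("20200420000000", "20200504000000"), True),
    "unsigned.example.": (None, True),
    "tampered.example.": (("20200420000000", "20200504000000"), False),
}

def validate_all(now):
    """Return {name: status} for every constructed answer at clock time now."""
    return {name: classify(sig, now, ok) for name, (sig, ok) in ANSWERS.items()}

if __name__ == "__main__":
    # The corrected time from the post versus a clock stuck on an old date:
    # with the stale clock the signed zone flips from SECURE to BOGUS.
    for label, clock in (("correct clock", "20200422191250"),
                         ("stale clock", "20190101000000")):
        print(label, validate_all(parse_rrsig_time(clock)))
```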


    • #3
      You can also add a recursive DNS server on top of DNSSEC to make it more private:
      https://docs.pi-hole.net/guides/unbound/



      • #4
        Oohhhhh I like that quite a bit, thanks Javali. That entire article is a nice breakdown of the DNS "flow." I seem to forget a lot about DNS until I have a DNS problem, and I'm going to bookmark this site for future snafus.
        Brian Johnson
        7 Minute Security
        Podcaster | Security Consultant



        • #5
          Hey Javali just wanted to report I went the "unbound" route on all my Pi-Holes and they seem to be working like absolute champs!
          Brian Johnson
          7 Minute Security
          Podcaster | Security Consultant



          • #6
            Same for mine: DNSSEC and a recursive DNS server in those small little boxes. Love it. The next step will be the UniFi Dream Machine.



            • #7
              DuuuuuuUUUUUUUUUUUUde Javali the Dream Machine is so awesome. I love it. And FYI found one little upgrade "bug" here to be aware of: https://forums.7minsec.com/forum/inf...-to-1-5-6-2150
              Brian Johnson
              7 Minute Security
              Podcaster | Security Consultant
