DNSSEC, DoT and DNSBL on OPNSense


You think that your home internet is up to date with modern networking standards? Go to the internet.nl connectivity test.

The Dutch test of the modern internet runs two checks that everyone should pass in 2020: IPv6 connectivity and the use of secure, tamper-proof DNS. My bet is that you will fail both. If you passed one, you are in a tiny minority. If you passed both, you have my deepest admiration — I needed almost 4 weeks of network tinkering to finally pass that bar and get a 100% score. Below is a guide that will help you fix one of the two problems above: it will help you set up a modern DNS service on an OPNSense router.


DNSSEC, DoT and DNSBL with Unbound

The DNS standard was built when the internet was still a cuddly, trusted, happy network and nobody anticipated today's weaponized malicious attack vectors. DNSSEC is a security extension that protects your network from believing forged or false DNS records, an attack also known as DNS cache poisoning. DNSSEC assures the integrity of the records returned for your queries.


The DNS standard also doesn't encrypt your queries or responses, allowing anyone on the path to collect information on which domains you visit and how often. Nobody needed to hide that 30 years ago. DNS over TLS (DoT) is a security protocol for DNS that encrypts your queries and responses, just as HTTPS does for browsing.


You don't want to resolve all DNS queries, especially queries for ads, spam, malicious sites and other garbage that is out on the internet. A DNS Blackhole list (DNSBL) will prevent the resolution of unwanted domains, letting less trash into your home. DNSBL is mostly used to block domains that serve ads, but it was originally designed to block spam, phishing, and other active threats.



The OPNSense firewall uses Unbound DNS by NLnet Labs as its standard DNS service; it is installed and enabled by default.


Unbound DNS is a full DNS resolver that can talk directly to DNS root servers on the internet. Compared to typical DNS forwarders found in regular routers, Unbound DNS offers validating, recursive, caching DNS capabilities.


You can find Unbound DNS under Services — Unbound DNS in OPNSense GUI.


Turning DNSSEC on is trivially simple with Unbound DNS:


  • Enable the Unbound DNS (if it is not enabled by default)
  • Enable DNSSEC on the General settings page:


Enabling DNS over TLS is a bit more complex because the OPNSense GUI doesn't have the DoT feature integrated into the interface yet. But the underlying Unbound DNS service that runs on OPNSense does have DoT built in, so all we need to do is supply unbound.conf with the right DoT parameters.


DNS over TLS typically uses port 853 and is not offered by every DNS service out there. I personally like the Quad9 and Cloudflare DNS services, but if you have your own preferred DNS provider (for example, Google DoT), you should be able to adapt the settings below easily.


This is what my Custom options look like:


server:
forward-zone:
  name: "."
  # forward-ssl-upstream is the older spelling of forward-tls-upstream; either one enables DoT
  forward-ssl-upstream: yes
  # Caveat: written like this, Unbound encrypts the session but does not verify the
  # upstream's certificate. To authenticate the upstream, append the provider's TLS name
  # to the address (e.g. 9.9.9.9@853#dns.quad9.net) and set tls-cert-bundle to the system CA bundle.
  forward-addr: 9.9.9.9@853 # Quad9 IPv4
  forward-addr: 149.112.112.112@853 # Quad9 IPv4
  forward-addr: 2620:fe::fe@853 # Quad9 IPv6
  forward-addr: 1.1.1.1@853 # Cloudflare IPv4
  forward-addr: 1.0.0.1@853 # Cloudflare IPv4
  forward-addr: 2606:4700:4700::1111@853 # Cloudflare IPv6
  forward-addr: 2606:4700:4700::1001@853 # Cloudflare IPv6

This is how the Custom options field looks in the OPNSense GUI:



To enable DNSBL on OPNSense, we need to grab a plugin that will extend Unbound DNS with the DNSBL feature. The plugin is called os-unbound-plus-devel and is available (as the name suggests) only for the development release type of OPNSense.


If you are not on the Dev release yet, switch to it first by going to System — Firmware — Settings:



Then refresh the list of plugins and install os-unbound-plus-devel:



With this plugin installed, a new entry “Blacklist” will appear under the Unbound DNS branch. All you need to do is enable it and decide which source to use for domain blacklists.


I personally don’t use any of the built-in ones — I use the ultimate list from the energized.pro collection:


https://block.energized.pro/ultimate/formats/domains.txt
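As an added example (not code from the original article or from the os-unbound-plus-devel plugin), here is how a domain list like the one linked above is turned into an Unbound blackhole configuration: it parses both plain domains.txt lines and hosts-file style lines, drops names already covered by a listed parent (an Unbound local-zone applies to the whole subtree), and emits one local-zone statement per remaining name. The list embedded in it is constructed sample data, and the output file path mentioned in the main block is an assumption.

```python
import re

# Accepts a syntactically valid hostname (labels of letters, digits and hyphens).
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

# Prefixes used by hosts-file style lists ("0.0.0.0 ads.example.com").
_SINK_ADDRESSES = ("0.0.0.0", "127.0.0.1", "::1", "::")
_LOCAL_NAMES = ("localhost", "localhost.localdomain", "broadcasthost")

# Constructed sample mixing both formats; not a real blocklist.
SAMPLE_LIST = """\
# constructed sample, not a real list
ads.example.com
example.com
tracker.example.net
0.0.0.0 telemetry.example.org   # hosts-file style entry
127.0.0.1 localhost
not a hostname!
"""


def parse_blocklist(text):
    """Yield normalised hostnames from a domains.txt or hosts-style list,
    skipping comments, blank lines, localhost entries and malformed names."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        parts = line.split()
        # hosts format puts the sink address first; domains format has only the name
        host = parts[1] if len(parts) >= 2 and parts[0] in _SINK_ADDRESSES else parts[0]
        host = host.rstrip(".")
        if host in _LOCAL_NAMES or not _HOSTNAME.match(host):
            continue
        yield host


def minimise(hosts):
    """Drop any name whose parent is also listed: blocking 'example.com'
    with local-zone already covers 'ads.example.com'."""
    names = set(hosts)
    keep = set()
    for host in names:
        labels = host.split(".")
        # check every ancestor except the bare TLD
        if any(".".join(labels[i:]) in names for i in range(1, len(labels) - 1)):
            continue
        keep.add(host)
    return sorted(keep)


def to_unbound_conf(hosts, action="always_nxdomain"):
    """Render Unbound local-zone statements. 'always_nxdomain' answers NXDOMAIN
    for the name and everything below it, which is what a blackhole list wants."""
    lines = ["server:"]
    for host in minimise(hosts):
        lines.append('  local-zone: "%s" %s' % (host, action))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys

    # Read a downloaded list from argv[1], or fall back to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LIST
    # The generated text would be saved to a file included from the Unbound
    # configuration (the exact include path on OPNsense is an assumption here).
    sys.stdout.write(to_unbound_conf(parse_blocklist(text)))
```

Run it against a downloaded domains.txt and point Unbound at the output; the parent-domain minimisation matters on lists with hundreds of thousands of entries, because every local-zone costs memory in the resolver.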

Now, in order to see queries in the Unbound DNS log, we need to enable query logging at the bottom of the Unbound DNS — Advanced page (click Save, then restart the Unbound service):



With all of that set and active, you should get:


  • DNSSEC tamper-proof resolution of your DNS queries
  • DNS over TLS encrypted channel to request and receive DNS entries
  • DNS Blacklist to filter out all unwanted domain resolution

Happy secure surfing!


Translated from: https://medium.com/swlh/dnssec-dot-and-dnsbl-on-opnsense-9ee6a766af55
