From: DTD (doug@safeport.com)
To: Ernie Luzar
Cc: freebsd-questions@freebsd.org
Subject: Re: local_unbound disable trusted-anchor
Date: Fri, 24 Nov 2017 16:46:05 -0500 (EST)
In-Reply-To: <5A189058.30500@gmail.com>
References: <59EF2E9D.2060408@gmail.com> <5A189058.30500@gmail.com>

On Fri, 24 Nov 2017, Ernie Luzar wrote:

> doug wrote:
>> On Tue, 24 Oct 2017, Ernie Luzar wrote:
>>
>>> How can I stop local_unbound from automatically performing trusted anchor
>>> at local_unbound start?
>>
>> Read the thread "Unbound(8) caching resolver no workie on ..." valuable
>> stuff here.
>> Answered why I had to do the following. Comment out
>>
>> auto-trust-anchor-file: /var/unbound/root.key
>>
>> in unbound.conf.
>>
>
> Yes, I followed that thread when it was current on the questions list.
>
> I took a different path to working around stopping the trust-anchor auto
> fetch at start time.
>
> For security reasons I will not allow any daemon to call home for any reason.
> It's just too easy for that secdns fetch to become compromised and all of a
> sudden all unbound users are compromised. They added secdns to close some
> large holes in dns services and ended up adding a far more centralized
> security hole. secdns needs more time to work out the design problems to
> become better secured before I am willing to get in bed with it. So I turned
> off the auto secdns fetch altogether and run unbound without it just fine.
>
> It came to my attention that the version of unbound used by release 11.1
> local_unbound was 3 versions behind what was provided in the port version of
> unbound. So I pkg installed unbound and then hacked the rc.d unbound script,
> commenting out the code that did the actual fetch of the trust-anchor file
> content.
>
> Then I installed the dns2blackhole port and followed the great detailed
> instructions for populating unbound with a file containing known bad domain
> names so unbound will block those dns look ups, thus protecting the host
> unbound runs on and all LAN devices, hard wired or wifi connected, behind that
> host.
>
> The dns2blackhole man page has a lot of info on customizing unbound and
> local_unbound, so it's worth it to just install it for its man page.
>
> I also have ntpd launched at boot time and it does complain about being
> unable to resolve its domain name until unbound completes its start-up.
> This is a simple timing thing between ntpd and unbound that resolves itself
> and only creates 2 warning messages in the system log, which I understand and
> ignore.

Thanks for the reply and thoughts.
I am trying to work through the security issues raised in the thread and your reply.

_____
Douglas Denault
http://www.safeport.com
doug@safeport.com
Voice: 301-217-9220
Fax: 301-217-9277
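The two configurations discussed in the thread side by side, as an added example that is not part of the original mail thread or of FreeBSD's shipped local_unbound configuration: the stock line that makes unbound load and keep the root trust anchor (the one doug commented out), and a dns2blackhole-style blocklist as a set of local-zone statements. The interface addresses, the access-control ranges and the blocklist file name are assumptions chosen for illustration; only the auto-trust-anchor-file path comes from the thread.

```conf
# Added example, not from the thread. Minimal unbound.conf for a LAN resolver.
server:
    # Listen on loopback and on the LAN side (LAN address is an assumed
    # RFC 5737 documentation address; replace with the real interface).
    interface: 127.0.0.1
    interface: 192.0.2.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Stock FreeBSD local_unbound setting: unbound-anchor(8) fetches or
    # refreshes /var/unbound/root.key at start and unbound validates
    # DNSSEC-signed answers against that root trust anchor.
    # auto-trust-anchor-file: /var/unbound/root.key

    # With the line above commented out and no other trust-anchor-file,
    # unbound has no trust anchor and performs NO DNSSEC validation: answers
    # from upstream are accepted as-is, so spoofing protection falls back to
    # source-port and transaction-ID randomisation only. Leave the line in
    # and pre-provision root.key offline if the goal is just "no fetch at
    # boot" rather than "no DNSSEC".

    # Blocklist in the style dns2blackhole generates: one local-zone per
    # known-bad name. "static" answers NXDOMAIN for every name under the
    # zone and works on every unbound release (newer ones also accept
    # always_nxdomain). The names below are constructed placeholders.
    local-zone: "ads.example." static
    local-zone: "tracker.example." static

    # Or keep the generated list in its own file (assumed file name) and pull
    # it in; the included file holds only local-zone/local-data statements.
    include: /var/unbound/blacklist.conf
```

After restarting the service, the observable difference is in the AD (authenticated data) flag: with the trust anchor configured, a query such as `drill -D freebsd.org` or `dig +dnssec freebsd.org @127.0.0.1` against a signed zone returns AD set; with the anchor removed it never does, which is the quick check that the resolver really is running unvalidated. Run `unbound-checkconf` before restarting so a typo in the generated blocklist does not take the resolver down.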