From owner-freebsd-questions@freebsd.org Sat Oct 14 23:15:48 2017
From: CyberLeo Kitsana
To: RW, freebsd-questions@freebsd.org
Subject: Re: Unbound(8) caching resolver no workie on fresh install :-(
Date: Sat, 14 Oct 2017 18:08:27 -0500
Message-ID: <64e5525d-fd1c-6e9b-526c-0d9c4e8f788c@cyberleo.net>
In-Reply-To: <20171014224323.1ed35da3@gumby.homeunix.com>
References: <4172.1507827505@segfault.tristatelogic.com> <20171014224323.1ed35da3@gumby.homeunix.com>

On 10/14/2017 04:43 PM, RW via freebsd-questions wrote:
> On Thu, 12 Oct 2017 17:31:32 -0400
> Baho Utot wrote:
>
>> On 10/12/2017 12:58 PM, Ronald F. Guilmette wrote:
>
>>> During this (fresh) install, I -never- explicitly selected any
>>> option that would obviously have the effect of telling unbound to
>>> forward/route all of its DNS queries through any other specific
>>> name servers). So why on earth would it be doing so?
>>
>> Because the base system uses unbound as the resolver.
>
> That doesn't explain why it forwards by default.

FreeBSD's local_unbound setup will, by default, forward to the nameservers
provided by DHCP or hardcoded in the config files, rather than doing full
lookups by itself. See below for why this is safe.

> Is ISP cache poisoning entirely a thing of the past? IIRC there are
> also attacks where a DSL router is hacked and reconfigured to give bogus
> DNS servers via DHCP.

Properly implemented DNSSEC mitigates cache-poisoning or DNS redirection
attacks, as any answers not properly signed by the authority for the name
you're looking up (and every parent up to the root zone) will be rejected.
The name will simply fail to resolve, rather than returning corrupt, forged,
or tampered results.

FreeBSD implemented local_unbound specifically to add DNSSEC validation to
machines that rely on external recursing nameservers, like those provided by
your ISP. DNSSEC is slow, as any given validation requires many lookups and
cryptographic operations to chain the signature to a trusted root, so any
local caching is beneficial. Offloading the validation to a single local
caching daemon is much easier and less error-prone than dealing with the
complexities of adding validation and cache management to a library that is
loaded into pretty much every process on your machine.

> There's also the issue that mail servers should avoid using shared
> caches because of per IP address limits on blocklists. Linux resolver
> packages that set-up forwarding without making it clear have been a
> problem for a while now.

-- 
Fuzzy love,
-CyberLeo
Technical Administrator
CyberLeo.Net Webhosting
http://www.CyberLeo.Net
Element9 Communications
http://www.Element9.net

Furry Peace! - http://www.fur.com/peace/
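The reply above rests on one point: forwarding to an upstream resolver is acceptable only when the local daemon validates DNSSEC itself. The following is an added example, not code from the thread or from the FreeBSD project: a small auditor that parses an unbound.conf, reports whether the resolver forwards everything to upstream addresses, and checks whether validation is actually configured (a trust anchor present, the `validator` module not removed via `module-config`, and `val-permissive-mode` not enabled). The sample configuration embedded below is constructed to resemble what local_unbound generates; the exact file layout on a real host, and the `/var/unbound` paths, are assumptions, so point the script at the real files before relying on it.

```python
"""Audit an unbound.conf for 'forwarding without DNSSEC validation'.

Added example, not part of the mailing-list post or of FreeBSD's
local_unbound. The config below is constructed; real hosts should read
/var/unbound/unbound.conf and any included files instead (assumed paths).
"""
import re

# Constructed sample resembling a local_unbound setup: trust anchor configured,
# and a forward-zone for "." pointing at two upstreams (RFC 5737 test addresses).
SAMPLE_CONF = """\
server:
    username: unbound           # drop privileges after start
    directory: /var/unbound
    chroot: /var/unbound
    auto-trust-anchor-file: /var/unbound/root.key   # enables DNSSEC validation
include: /var/unbound/forward.conf

forward-zone:
    name: .
    forward-addr: 192.0.2.53
    forward-addr: 192.0.2.54
"""

CLAUSE_RE = re.compile(r"^([a-z-]+):\s*$")            # e.g. "server:" on its own
OPTION_RE = re.compile(r"^\s*([a-z-]+):\s*(.*?)\s*$")  # e.g. "    name: ."


def parse_unbound_conf(text):
    """Return [(clause_name, {option: [values]})] in file order.

    Top-level 'include:' lines are recorded as their own pseudo-clause so the
    caller can see which extra files would have to be audited as well.
    """
    clauses = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        m = CLAUSE_RE.match(line)
        if m:
            current = (m.group(1), {})
            clauses.append(current)
            continue
        if line.strip().startswith("include:"):
            path = line.split(":", 1)[1].strip().strip('"')
            clauses.append(("include", {"include": [path]}))
            current = None
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            current[1].setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return clauses


def audit(clauses):
    """Summarise the security-relevant facts of a parsed configuration."""
    server = {}
    forward_zones = []
    includes = []
    for name, opts in clauses:
        if name == "server":
            server.update(opts)  # later server: clauses override earlier ones
        elif name == "forward-zone":
            targets = opts.get("forward-addr", []) + opts.get("forward-host", [])
            forward_zones.append((opts.get("name", ["?"])[0], targets))
        elif name == "include":
            includes.extend(opts["include"])

    has_anchor = any(k in server for k in
                     ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor"))
    # unbound's default module-config is "validator iterator"; an explicit
    # module-config that omits the validator silently turns validation off.
    modules = server.get("module-config", ["validator iterator"])[-1].split()
    permissive = server.get("val-permissive-mode", ["no"])[-1] == "yes"
    validates = has_anchor and "validator" in modules and not permissive

    forwards_everything = any(zone == "." for zone, _ in forward_zones)
    if forwards_everything and validates:
        verdict = "forwarding with local DNSSEC validation (upstream answers are checked)"
    elif forwards_everything:
        verdict = "forwarding WITHOUT validation: upstream resolver is fully trusted"
    else:
        verdict = "no catch-all forward-zone: resolver recurses on its own"
    return {
        "forwards_everything": forwards_everything,
        "forward_zones": forward_zones,
        "dnssec_validation": validates,
        "includes": includes,
        "verdict": verdict,
    }


def audit_text(text):
    """Convenience wrapper: parse and audit a configuration string."""
    return audit(parse_unbound_conf(text))


if __name__ == "__main__":
    for key, value in audit_text(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

The `includes` list matters in practice: local_unbound keeps the forward-zone in a separate included file, so an audit that reads only the main file would conclude the resolver recurses on its own. Run it over every included file too, or concatenate them before calling `audit_text`.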