Deploy360 11 January 2014

Weekend Project: Enable DNSSEC Validation On Your DNS Resolver

By Dan YorkDirector, Internet Technology

SURFnet whitepaper on deploying DNSSECLooking for a weekend project to learn more about a new technology?  How about seeing if you can enable DNSSEC on the DNS resolver you use in your home network?  (or in your business network?)

This whitepaper from SURFnet about deploying DNSSEC validation on recursive caching name servers provides an excellent guide to get started.

If you operate your own home server/gateway/router and use any of these three recursive name servers, the document provides step-by-step instructions:

  • BIND 9.x
  • Unbound
  • Microsoft Windows Server 2012

Once have DNSSEC validation configured, you should be able to go to our list of DNSSEC test sites to test your installation. Specifically you should NOT be able to get to the sites with bad DNSSEC signatures.

If you do not operate your own home server, or if you just have a wireless “home router” from one of the various manufacturers, you may need to do a bit more digging to see where your DNS resolution is happening.

To start, you may want to download the DNSSEC-check tool from the DNSSEC Tools Project and run that tool on one of the computers on your network.  It may be that your ISP is already providing DNSSEC validation and if so you can congratulate yourself and go find another project to work on!

If that doesn’t show that you have DNSSEC validation, you need to figure out where your DNS resolvers are located.  The DNSSEC-check tool will give you the IP addresses of the DNS resolvers your computer is configured to use.  Alternatively you can go into one of your computers on your home network and look in the network settings where you should be able to find the IP addresses for whatever DNS servers are being given out by DHCP on your local network.

If the IP address of the DNS resolver is in the same address range as your computer’s IP address (i.e. the same subnet), you are most likely using a DNS resolver located on your home router.  You’ll need to go into the administrative interface for the home router (assuming you have access to it) and look around to see if there is a setting there for DNS resolution and if so if there is a setting to enable DNSSEC.

If you don’t see a way to enable DNSSEC, your home router vendor doesn’t support DNSSEC yet. If you have the time and patience, it would be great if you could go to the website for that router vendor and see if there is a way to file a feature request or bug ticket.  It might be in support forums or in a bug tracker somewhere.

If the IP address of the DNS resolver is in a different address range from your computer’s IP address, odds are that it is probably operated by your Internet service provider (ISP) or is perhaps from a service such as Google’s Public DNS (although if it was from Google, the DNSSEC-check tool would have already shown that DNSSEC validation was working).

Again, if you have the time and patience, it would be great if you would contact your ISP to ask if you can get DNSSEC validation. We hear from both ISPs and vendors that “customers aren’t asking for DNSSEC”  – and we need to change that!

Thanks for your help!  Working together we’ll make a more secure Internet!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...