Hello there,
I have successfully been using overrides in Unbound for locally hosted web services (e.g. website, mail server, etc.) to access them from LAN. The issue is that with such a setup client apps cannot confirm DNSSEC (unbound simply provides a local IP for a service, hence no DNSSEC check is in place). I tried to move the overrides to dnscrypt-proxy, hoping that it would perform such a check but, alas, it doesn't work either. I have almost no experience with DNS (except configuring it at my DNS/hosting provider for about a dozen subdomains). Probably I should host a DNS server as well (which, I suppose, could provide DNSSEC validation), but I am not sure. Maybe there is a simpler solution.
Could you please put me on the right track to solve this? If a local DNS server is the only answer, could you please link me to a good tutorial to set up Unbound for such a task? What I would like to achieve is to be able to use locally hosted web apps with DNSSEC and DANE support both from LAN and from the Internet.
You could try from here https://calomel.org/unbound_dns.html
No, you cannot avoid a local dns server, as in an authoritative one, if you want to do dnssec, because the answers need to be signed. To sign them you need to create the chain of trust, and you cannot have your internal zone signed by a publicly available authoritative dns server.
@cookiemonster Thank you for a quick reply.
Quote from: cookiemonster on April 11, 2025, 11:34:25 AM
> can not avoid a local dns server as in an authoritative one if you want to do dnssec
If I understand correctly, this means I have to replace my DNS provider (currently I use Cloudflare) with my own locally hosted authoritative DNS, which should provide DNS resolution for the entire internet. I didn't realise that when I posted the thread. If this is the case, I am not ready for that (consumer level Internet provider for one reason, relatively unreliable hardware for another...)
I've got another idea: what if I use the OPNsense firewall to simply redirect the IP? E.g. any traffic from the LAN network to the WAN IP address (which is resolved in Cloudflare) would be forwarded to the local nginx IP address, which in turn will serve the apps. Would that work in general? Would it still support DNSSEC and DANE from LAN? And if yes, where exactly should I place such a forward? I mean, in which FW group: LAN, WAN or both? Or would this break the correct functioning of the network?
No, no. Not a dns server for the whole internet, just for your zone. Like in the diagram on that link, down the middle. One server just for your clients. Everything else would of course need to be forwarded on to the roots. You read it, right? Maybe a re-read ;)
From the follow-up question, though, it seems like you could really benefit from understanding the whole dnssec concept. Perhaps this is of use https://bind9.readthedocs.io/en/latest/dnssec-guide.html#dnssec-on-private-networks
Apologies, I have not implemented dnssec internally myself (I fail to see the point for me) so I cannot give you a specific instruction.
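What the two replies above describe, as an added example that is not from anyone in this thread: an Unbound resolver config for the LAN clients that validates public names through the root trust anchor, but validates the internal zone with a trust anchor from the locally signed copy of that zone, and sends those queries to the internal authoritative server only. The zone name "example.net", the authoritative server address 192.0.2.53, the LAN range 192.168.0.0/16 and the key file path are constructed placeholders; signing the zone and exporting its key are done on the authoritative server and are not shown here.

```conf
# /etc/unbound/unbound.conf (added example, placeholders throughout)
server:
    # Public names: validate against the root zone key (RFC 5011 managed).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Internal zone: DS or DNSKEY record of the key used to sign the local
    # copy of example.net. Unbound validates with the most specific anchor
    # it has, so this is used instead of the public chain for example.net.
    trust-anchor-file: "/etc/unbound/example.net.key"

    # The local copy answers with private addresses; without these two
    # lines DNS rebinding protection would drop such answers.
    private-address: 192.168.0.0/16
    private-domain: "example.net"

    # Log validation failures so an expired key or an unsigned RR shows up.
    val-log-level: 2

# Queries for the internal zone go straight to the local authoritative
# server; everything else is still resolved from the root servers.
stub-zone:
    name: "example.net"
    stub-addr: 192.0.2.53

# Check from a LAN client with: dig +dnssec www.example.net
# A validated answer carries the "ad" flag; SERVFAIL means validation failed.
```

If the public zone at the provider is also signed, the local copy must stay in sync with it record for record, otherwise names that exist only upstream will fail on LAN.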
Thank you for the link to DNSSEC in private networks, that really hit the base. Now I understand this much better (I hope :) ). I certainly need to learn more, thanks for showing the path.
Quote from: cookiemonster on April 11, 2025, 06:44:40 PM
> You read it, right? Maybe a re-read ;)
Will do :)
Actually, I skimmed it right to the point where it states I have the choice between forwarder and authoritative, and I realized (falsely, as it seems :) ) that I should set up my own DNS server as authoritative. Again, I am not experienced with DNS, I didn't wrap my head around the entire concept of it. I just know how to set up some simple things. But I will dive into it, I promise :)
As an exercise, IMHO it is a good thing. As for the benefit of running your own DNS authoritative server for your home (presumably) that also signs the responses to assure the clients that the answers haven't been tampered with, it seems to me unnecessarily overcomplicated.
As a learning exercise, yes of course.