ECS and DNSSEC Setup

Started by spetrillo, December 21, 2025, 05:21:41 PM

Hello all,

I am using Quad9's Secured w/ECS: Malware blocking, DNSSEC Validation, ECS enabled DNS service. How do I configure Unbound to handle this? Do I need to worry about dnsmasq DNS services also?

Thanks,
Steve

December 24, 2025, 08:10:10 AM #1 Last Edit: December 24, 2025, 08:30:28 AM by OPNenthu
ECS or not makes no difference in how you configure Quad9 for Unbound.  It's just a forwarding address with a different IP than the non-ECS version:  9.9.9.11 vs. 9.9.9.9.  Unbound doesn't care :)

Quad9's TLS forwarding guide for OPNsense: https://docs.quad9.net/Setup_Guides/Open-Source_Routers/OPNsense_%28Encrypted%29/

Curious- why do you prefer the ECS version?  Do you get an appreciable performance boost from CDNs?

If Unbound is doing your DNS resolution then Dnsmasq should not be reached by your clients.  You need to configure it as per the examples in https://docs.opnsense.org/manual/dnsmasq.html#configuration-examples and make sure Unbound is forwarding to Dnsmasq for your internal domains.  Dnsmasq doesn't need to know anything about Quad9 in this case.  It should never be answering queries for any domain except those configured on your network.
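The forwarding setup described above, as an added example that is not code from the thread, from OPNsense or from Quad9: a small POSIX shell script that emits the unbound.conf forward-zone for Quad9 over DoT, switching between the ECS endpoint (9.9.9.11 / 149.112.112.11, TLS auth name dns11.quad9.net) and the non-ECS one (9.9.9.9 / 149.112.112.112, dns.quad9.net), and then lints the result for the mistake that actually breaks DoT forwarding: forward-tls-upstream set to yes while a forward-addr lacks the @853 port or the #authname (Unbound then attempts TLS on port 53, or does not verify the server certificate's name), or no CA bundle configured to verify that name against. The IPv6 addresses, the CA bundle path /etc/ssl/cert.pem and the function names are this example's assumptions. On OPNsense the GUI writes this configuration for you; the script is for understanding and checking what gets written.

```shell
#!/bin/sh
# Added example, not code from the thread, OPNsense or Quad9.
# Emits an Unbound forward-zone for Quad9 over DNS-over-TLS and lints it.
# Assumptions: Quad9's published endpoints (ECS: 9.9.9.11 / 149.112.112.11,
# auth name dns11.quad9.net; non-ECS: 9.9.9.9 / 149.112.112.112,
# dns.quad9.net; IPv6 2620:fe::11 / 2620:fe::fe:11 and 2620:fe::fe / 2620:fe::9)
# and a FreeBSD-style CA bundle at /etc/ssl/cert.pem.

quad9_forward_zone() {            # $1: "ecs" or "noecs"
    if [ "$1" = "ecs" ]; then
        v4a=9.9.9.11;  v4b=149.112.112.11;  v6a=2620:fe::11; v6b=2620:fe::fe:11; auth=dns11.quad9.net
    else
        v4a=9.9.9.9;   v4b=149.112.112.112; v6a=2620:fe::fe; v6b=2620:fe::9;     auth=dns.quad9.net
    fi
    # The host@853#name form is what makes forward-tls-upstream meaningful:
    # port 853 for DoT, and the name the server certificate is checked against.
    cat <<EOF
server:
    tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: ${v4a}@853#${auth}
    forward-addr: ${v4b}@853#${auth}
    forward-addr: ${v6a}@853#${auth}
    forward-addr: ${v6b}@853#${auth}
EOF
}

# Reads an unbound.conf fragment on stdin. Returns non-zero (and says why on
# stderr) when TLS forwarding is enabled but a forward-addr lacks @853 or an
# #authname, or when no CA bundle/system cert store is configured to verify
# that name against.
lint_forward_zone() {
    cfg=$(cat)
    tls=$(printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*forward-tls-upstream:[[:space:]]*//p' | head -n 1)
    [ "$tls" = "yes" ] || return 0     # plain forwarding: nothing to check here
    if ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*tls-(cert-bundle|system-cert):'; then
        echo "lint: forward-tls-upstream without tls-cert-bundle/tls-system-cert" >&2
        return 1
    fi
    printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p' |
    while read -r addr; do
        case "$addr" in
            *@853#?*) ;;      # host@853#name: good
            *) echo "lint: forward-addr '$addr' needs @853#<auth name> for DoT" >&2; exit 1 ;;
        esac
    done
}

# Stand-alone use: sh quad9-dot.sh ecs   (pipe the output into unbound-checkconf
# or into lint_forward_zone to check it)
if [ -n "${1:-}" ]; then
    quad9_forward_zone "$1"
fi
```

The lint is deliberately strict about the auth name: with TLS but without `#dns11.quad9.net`, the connection is encrypted but any server holding a valid certificate for any name could terminate it, which defeats the point of choosing DoT over plain port 53.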

I do get a boost from CDNs but I am not sure the juice is worth the squeeze. With that said, I am now set up for DoT only and DNSSEC is turned off on both dnsmasq and Unbound.

I have been reading up on this.
https://blog.cloudflare.com/dns-encryption-explained/
https://www.cloudflare.com/learning/dns/dns-security/
https://security.stackexchange.com/questions/239698/does-cloudflares-dns-over-tls-dot-implement-dnssec-too

I think DNSSEC should be enabled. It is a client/server situation.
"DNSSEC allows clients to verify the integrity of the returned DNS answer"

It seems like a provider, like cloudflare, will use DNSSEC flags and the client, like OPNsense, will process them.

In summary:
DoT: Encrypts your DNS query
DNSSEC: cryptographically verifies DNSSEC-signed records (only within unbound)

Therefore, these are two different functions that work together to increase DNS security. Quite fascinating.


Per Quad9, turn it off.

https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/

Quote: Disable DNSSEC Validation

Since Quad9 already performs DNSSEC validation, DNSSEC being enabled in the forwarder will cause a duplication of the DNSSEC process, significantly reducing performance and potentially causing false BOGUS responses.

So many businesses disappeared, swallowed by BOGUS responses. Personally I haven't seen one, and have deployments with over 1M queries daily, roughly 70% being DNSSEC validated by the local resolvers regardless of the upstream.

Trust but don't verify - it's the old security adage that keeps businesses alive.

I do not think it is too much of an issue with DNSSEC off because it is hard to imagine something trying to interfere with a DoT encrypted request to Quad9. And I can picture Quad9 using DNSSEC when making a query to an upstream authoritative DNS server.

And @newsense, is there a way to see queries that are not validated from within unbound?

However, just for my own knowledge, I am interested in taking this further.
Using cloudflare, with "Enable DNSSEC Support" = true, for many years, there have not been any issues.
Under Unbound DNS: Advanced the "Harden DNSSEC Data" is currently false. If this is changed to true, and the chain of DNSKEY is broken, at any point in the chain of DNS servers, then the answer part of the query will fail because OPNsense cannot verify the response. Which equals 'false bogus' in Quad9's language. And by 'chain' I mean:
unbound --> cloudflare (or Quad9) --> not resolved in their cache --> some authoritative DNS server --> answer returned to cloudflare (or Quad9)--> answer returned to unbound where DNSKEY is verified.
It seems the risk on this is that any authoritative server that is queried from cloudflare (or Quad9) that does not have DNSSEC configured will result in a failed answer. There is more discussion on this going all the way back to 2017:
https://github.com/opnsense/core/issues/1962

To check performance, this should work (pwsh):
(Measure-Command { Resolve-DnsName apple.com }).TotalMilliseconds
But the cache needs to be cleared.
Windows: ipconfig /flushdns
unbound: Flush DNS Cache during reload = true
But is there a command to clear unbound, other than restarting the service?
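Two questions raised above, how to see which answers were not validated from within Unbound, and how to clear the cache without restarting the service, can both be answered from Unbound's remote control. This is an added example, not code from the thread, OPNsense or Unbound, and the sample `unbound-control` and `dig` output it is checked against is constructed, not captured. Facts it relies on: `unbound-control stats_noreset` reports the counters `num.answer.secure` and `num.answer.bogus`; `unbound-control flush_zone .` removes every name from the cache; and `val-log-level: 2` in the `server:` section logs each failed validation with its reason and the name involved, which is the per-query view of "false bogus". The function names and the use of 127.0.0.1 as the resolver address are this example's assumptions. One caveat on the chain-of-servers worry in the post above: an unsigned zone whose parent provides a signed proof that no DS record exists validates as insecure and is answered normally; bogus results come from a broken chain (bad or expired signatures, a DS that matches no DNSKEY), not from the mere absence of DNSSEC at some authoritative server.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense/Unbound.
# Helpers for two questions from the thread:
#  - which answers Unbound validated, from the `unbound-control stats_noreset`
#    counters num.answer.secure / num.answer.bogus (real Unbound statistic names)
#  - whether a given answer carries the AD flag and how long it took, parsed
#    from dig output
# The sample inputs used in the checks are constructed, not captured.

# stdin: `unbound-control stats_noreset` output
# stdout: secure=<n> bogus=<n> other=<n>
# "other" is total.num.queries minus the two validation outcomes, i.e. answers
# from unsigned (insecure) zones plus anything that never reached the
# validator; Unbound has no single counter for "answered but not validated".
validation_summary() {
    awk -F= '
        $1 == "total.num.queries" { q = $2 }
        $1 == "num.answer.secure" { s = $2 }
        $1 == "num.answer.bogus"  { b = $2 }
        END { printf "secure=%d bogus=%d other=%d\n", s, b, q - s - b }'
}

# stdin: dig output. Exit 0 when the flags line carries "ad" (the resolver that
# answered marked the data as DNSSEC-validated), 1 otherwise. With validation
# off in Unbound this flag is only as trustworthy as the path to the upstream.
dig_ad_set() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | grep -Eq '(^| )ad( |$)'
}

# stdin: dig output. stdout: the ";; Query time:" value in milliseconds.
dig_query_time_ms() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | head -n 1
}

# Live measurement on the resolver host (needs Unbound's remote-control and
# dig installed; assumption: Unbound listens on 127.0.0.1). Drops the whole
# cache without restarting the service, then times a cold lookup.
cold_lookup_ms() {            # $1: name to resolve
    unbound-control flush_zone . >/dev/null
    dig "$1" @127.0.0.1 | dig_query_time_ms
}

# Live use:
#   unbound-control stats_noreset | validation_summary
#   dig +dnssec example.com @127.0.0.1 | dig_ad_set && echo "validated (AD set)"
#   cold_lookup_ms apple.com
```

Compare `cold_lookup_ms` with DNSSEC validation on and off in Unbound, and with the ECS and non-ECS endpoints, to put numbers on the "duplication of the DNSSEC process" claim from the Quad9 page; the counter summary tells you whether the bogus count ever moves off zero in your own deployment.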