Hi Bob.
See if this article helps any first, before we get into configs: 
https://kb.isc.org/docs/the-umbrella-feature-in-detail

Cheers, Greg

> On 16 Oct 2024, at 14:55, Robert Mankowski <robert.mankow...@hotmail.com> 
> wrote:
> 
> I recently implemented a forward only BIND server for home. I was forwarding 
> to OpenDNS FamilyShield using TLS and DNSSEC at first, but I was getting a 
> noticeable amount of SERVFAIL responses. I believe it is related to DNSSEC 
> (see delv tests below), but I don’t believe it is my configuration because 
> when I forward to Cloudflare’s Family service, or to Google DNS, I don’t have 
> any problems with the same domains (e.g. www.cdc.gov).
>  
> I contacted Cisco Umbrella support because I was thinking it’s an issue with 
> their servers, but they didn’t really help, so I thought I would try this 
> list for advice.
>  
> Would appreciate it if someone could review my configuration and/or reproduce 
> my results to see if I’m doing something wrong.
>  
> Thanks,
>  
> Bob
>  
> Here are some tests I ran:
>  
> admin@router1:~$ apt-cache policy bind9
> bind9:
>   Installed: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7
>   Candidate: 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7
>   Version table:
> *** 1:9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7 500
>         500 https://packages.sury.org/bind-dev bookworm/main amd64 Packages
>         100 /var/lib/dpkg/status
>      1:9.18.28-1~deb12u2 500
>         500 http://deb.debian.org/debian bookworm/main amd64 Packages
>         500 http://security.debian.org/debian-security bookworm-security/main 
> amd64 Packages
>  
>  
> admin@router1:~$ delv -v
> delv 9.21.1-1+0~20240920.124+debian12~1.gbp62e0e7-Debian
>  
> admin@router1:~$ delv -4 @208.67.220.123 www.cdc.gov. A
> ;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN': 208.67.220.123#53
> ;; broken trust chain resolving 'www.cdc.gov/A/IN': 208.67.220.123#53
> ;; resolution failed: broken trust chain
>  
> admin@router1:~$ delv -4 @208.67.222.123 www.cdc.gov. A
> ;; insecurity proof failed resolving 'cdc.gov/DNSKEY/IN': 208.67.222.123#53
> ;; broken trust chain resolving 'www.cdc.gov/A/IN': 208.67.222.123#53
> ;; resolution failed: broken trust chain
>  
> admin@router1:~$ delv -4 @1.1.1.3 www.cdc.gov. A
> ; fully validated
> www.cdc.gov.            248     IN      CNAME   www.akam.cdc.gov.
> www.cdc.gov.            248     IN      RRSIG   CNAME 8 3 300 20241019153420 20241009150230 1503 cdc.gov.
>         b99UIGmCOTJj+C7JFXORmtUXQEIIGdF0q3Z5u6HfAbKcJhjfFjJrkRE6
>         yntzr0pSksCp1Uwi146xvKz7ImCqkYK67/WlOujyquOGSfgOwO1DvUyj
>         TfvXJWvjSRLTx30lwU6RV80RrC596A16anTpLc7Zi4VEAVncRHeUl1y1
>         /MG/CSCtE/Ef6tPD1FtGZjhXszVAgrk3fhISCsImRHuGAoIBnIKCKx2M
>         YMhxirfV0z9Qq46PnW9zTzh+EbVKZkN0C+Xl3j2+4sqyHlubhrtgklG/
>         g0u+99/g/jdfex+Vh7dtcAXFcTZ1XGuPQXgsn6GrznecB8PaXmCxXfft GaDOdQ==
> www.akam.cdc.gov.       20      IN      A       23.51.224.222
> www.akam.cdc.gov.       20      IN      RRSIG   A 10 4 20 20241018102927 20241015092927 16701 akam.cdc.gov.
>         Lcd7WthqqU+A7UwQkBHZsT0nqxztJkn9cx57wXr4eHHCvJR0cCxZFkwl
>         eIbSffPIu364terXJlcEvuWbWTLrCX7bo0c6B9bA5EPi2DsbegTfkG5u
>         cqrZP9RTzXbfbs5l5w6CQ9DfSPcYx9BIYkusErQu5qQnGhoQ5bXI1VxT Otc=
>  
> The relevant portion of my named configuration is:
>  
> tls opendns-tls {
>     remote-hostname "dns.opendns.com";
> };
>  
> tls cloudflare_family-tls {
>     remote-hostname "one.one.one.one";
> };
>  
> tls google-tls {
> };
>  
> tls router1-tls {
>     key-file "/var/cache/bind/privkey.pem";
>     cert-file "/var/cache/bind/fullchain.pem";
>     dhparam-file "/var/cache/bind/dhparam.pem";
>     ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
>     prefer-server-ciphers yes;
>     session-tickets no;
> };
>  
> options {
>     directory "/var/cache/bind";
>     recursion yes;
>     allow-query { trusted_nets; };
>     version "none";
>  
>     forwarders {
> #        1.1.1.3 port 853 tls cloudflare_family-tls;
> #        1.0.0.3 port 853 tls cloudflare_family-tls;
>         208.67.222.123 port 853 tls opendns-tls;
>         208.67.220.123 port 853 tls opendns-tls;
> #       8.8.8.8 port 853 tls google-tls;
> #       8.8.4.4 port 853 tls google-tls;
>     };
>  
>     forward only;
>  
>     allow-transfer { none; };
>  
>     dnssec-validation auto;
>  
>     listen-on port 443 tls router1-tls http default { trusted_interfaces; };
>     listen-on port 853 tls router1-tls { trusted_interfaces; };
>     listen-on { trusted_interfaces; };
>     listen-on-v6 { none; };
>  
>     zone-statistics yes ;
> };
>  
>  
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
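An added example, not from either message in the thread: a small POSIX shell script that repeats Bob's delv tests against every forwarder listed in his named.conf and reduces each run to a status word plus delv's first diagnostic, so the OpenDNS, Cloudflare and Google results for a set of names can be compared side by side. The function names and status labels are mine; the resolver addresses and the delv status strings are the ones that appear in Bob's output.

```shell
#!/bin/sh
# Added example, not part of the thread: rerun Bob's per-forwarder delv tests
# for a list of names and summarise each run in one table row.
# Resolver addresses come from the thread's forwarders {} block; the status
# words (validated, unsigned, broken-chain, failed, unknown) are my labels.

# Reduce a delv transcript read from stdin to one status word.
# Order matters: delv's final "resolution failed: broken trust chain" line also
# contains "broken trust chain", so the more specific patterns are tested first.
classify_delv() {
    out=$(cat)
    case "$out" in
        *"; fully validated"*)  echo validated ;;
        *"; unsigned answer"*)  echo unsigned ;;
        *"broken trust chain"*) echo broken-chain ;;
        *"resolution failed"*)  echo failed ;;
        *)                      echo unknown ;;
    esac
}

# Pull the cause out of the first ";; <cause> resolving '<name>/<type>/IN'"
# diagnostic line, e.g. "insecurity proof failed"; empty when there is none.
delv_reason() {
    sed -n "s/^;; \(.*\) resolving .*/\1/p" | head -n 1
}

# Query one forwarder for one name, as Bob did: delv validates with its
# built-in root trust anchor and reports how the forwarder's answers fared.
# Prints: resolver  name  status  reason
check_forwarder() {
    resolver=$1; name=$2
    out=$(delv -4 "@$resolver" "$name" A 2>&1)
    status=$(printf '%s\n' "$out" | classify_delv)
    reason=$(printf '%s\n' "$out" | delv_reason)
    printf '%-16s %-24s %-13s %s\n' "$resolver" "$name" "$status" "${reason:--}"
}

# OpenDNS FamilyShield, Cloudflare Families and Google from the thread's config.
FORWARDERS="208.67.222.123 208.67.220.123 1.1.1.3 1.0.0.3 8.8.8.8 8.8.4.4"

# Usage: sh check_forwarders.sh www.cdc.gov another.example ...
# Nothing is queried when no names are given, so the functions can be sourced.
if [ "$#" -gt 0 ] && command -v delv >/dev/null 2>&1; then
    for name in "$@"; do
        for fwd in $FORWARDERS; do
            check_forwarder "$fwd" "$name"
        done
    done
fi
```

A name that validates through one forwarder and comes back broken-chain through another, with "insecurity proof failed" as the reason, points at the forwarder's answers rather than at the local named configuration, which is the comparison Bob made by hand.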
