Gentoo Forums
Is google.com not secure or my dnscrypt-proxy is not working
davidshen84
Apprentice


Joined: 09 Aug 2008
Posts: 286

Posted: Sat Sep 12, 2020 11:47 pm    Post subject: Is google.com not secure or my dnscrypt-proxy is not working

Hi

On my system I have systemd, systemd-resolved and dnscrypt-proxy. I have configured systemd-resolved to work in client mode and use my local dnscrypt-proxy service, which listens on port 53. After system startup, I can confirm my wlan0 IF is using 127.0.0.1 for DNS and it reports supporting DNSSEC. However, it seems most DNS queries are not authenticated. Does this mean they are not secure?

Query is authenticated:

Code:
> resolvectl query rsync.gentoo.org
rsync.gentoo.org: 2a01:90:200:10::1a
                  89.238.71.6

-- Information acquired via protocol DNS in 3.4455s.
-- Data is authenticated: yes


Query is NOT authenticated:

Code:
> resolvectl query www.google.com
www.google.com: 2404:6800:4003:c00::6a
                2404:6800:4003:c00::93
                2404:6800:4003:c00::69
                2404:6800:4003:c00::67
                74.125.200.105
                74.125.200.104
                74.125.200.99
                74.125.200.106
                74.125.200.147
                74.125.200.103

-- Information acquired via protocol DNS in 3.0600s.
-- Data is authenticated: no


Some logs

Code:
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN SOA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN SOA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN SOA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN SOA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature

_________________
David Shen
ct85711
Veteran


Joined: 27 Sep 2005
Posts: 1784

Posted: Sun Sep 13, 2020 2:50 am

Well, looking through the query logs for my own setup (it's not using dnscrypt-proxy, but is set up to use DNSSEC), I'm seeing over 80% of all DNS queries (according to my logs) come back as not secure, including Google's. Gentoo's were one of the few that are authenticated.
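
To see which names and record types account for the `DNSSEC validation failed` entries quoted in the first post, the journal lines can be tallied. This is an added example, not part of either post: the function names are hypothetical, and the sample input reuses four lines from the log excerpt above plus one constructed non-matching line.

```python
import re
import sys
from collections import Counter

# The first four lines are taken from the log excerpt in the thread; the last
# one is constructed to show that unrelated messages are skipped.
SAMPLE_LOG = """\
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN AAAA: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question googleapis.com IN DS: no-signature
Sep 13 09:43:45 gentoo systemd-resolved[736714]: DNSSEC validation failed for question oauthaccountmanager.googleapis.com IN A: no-signature
Sep 13 09:43:46 gentoo systemd-resolved[736714]: constructed unrelated message
"""

FAILURE_RE = re.compile(
    r"systemd-resolved\[\d+\]: DNSSEC validation failed for question "
    r"(?P<name>\S+) (?P<rclass>\S+) (?P<rtype>\S+): (?P<reason>\S+)\s*$"
)


def summarize(log_text):
    """Count failures per (name, record type, reason); other lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[(m["name"].rstrip(".").lower(), m["rtype"], m["reason"])] += 1
    return counts


def by_name(counts):
    """Collapse the tally to {name: {"total": n, "types": set, "reasons": set}}."""
    out = {}
    for (name, rtype, reason), n in counts.items():
        entry = out.setdefault(name, {"total": 0, "types": set(), "reasons": set()})
        entry["total"] += n
        entry["types"].add(rtype)
        entry["reasons"].add(reason)
    return out


if __name__ == "__main__":
    # Pipe in `journalctl -u systemd-resolved`; with no piped input the sample is used.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    rows = sorted(by_name(summarize(text)).items(), key=lambda kv: -kv[1]["total"])
    for name, e in rows:
        print(f"{e['total']:5d}  {name}  types={','.join(sorted(e['types']))}  "
              f"reasons={','.join(sorted(e['reasons']))}")
```
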