Date: Fri, 24 Nov 2017 16:46:05 -0500 (EST)
From: DTD <doug@safeport.com>
To: Ernie Luzar <luzar722@gmail.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: local_unbound disable trusted-anchor
Message-ID: <alpine.BSF.2.00.1711241642300.72866@bucksport.safeport.com>
In-Reply-To: <5A189058.30500@gmail.com>
References: <59EF2E9D.2060408@gmail.com> <alpine.BSF.2.20.1711241356340.15572@fledge.watson.org> <5A189058.30500@gmail.com>
On Fri, 24 Nov 2017, Ernie Luzar wrote:

> doug wrote:
>> On Tue, 24 Oct 2017, Ernie Luzar wrote:
>>
>>> How can I stop local_unbound from automatically performing trusted anchor
>>> at local_unbound start?
>>
>> Read the thread "Unbound(8) caching resolver no workie on ..."; valuable
>> stuff here. It answered why I had to do the following. Comment out
>>
>> auto-trust-anchor-file: /var/unbound/root.key
>>
>> in unbound.conf.
>>
>
> Yes, I followed that thread when it was current on the questions list.
>
> I took a different path to working around stopping the trust-anchor auto
> fetch at start time.
>
> For security reasons I will not allow any daemon to call home for any reason.
> It's just too easy for that secdns fetch to become compromised and all of a
> sudden all unbound users are compromised. They added secdns to close some
> large holes in DNS services and ended up adding a far more centralized
> security hole. secdns needs more time to work out the design problems to
> become better secured before I am willing to get in bed with it. So I turned
> off the auto secdns fetch altogether and run unbound without it just fine.
>
> It came to my attention that the version of unbound used by release 11.1
> local_unbound was 3 versions behind what was provided in the port version of
> unbound. So I pkg installed unbound and then hacked the rc.d unbound script,
> commenting out the code that did the actual fetch of the trust-anchor file
> content.
>
> Then I installed the dns2blackhole port and followed the great detailed
> instructions for populating unbound with a file containing known bad domain
> names so unbound will block those DNS lookups, thus protecting the host
> unbound runs on and all LAN devices, hard wired or wifi connected, behind that
> host.
>
> The dns2blackhole man page has a lot of info on customizing unbound and
> local_unbound, so it's worth it to just install it for its man page.
>
> I also have ntpd launched at boot time and it does complain about being
> unable to resolve its domain name until unbound completes its start-up.
> This is a simple timing thing between ntpd and unbound that resolves itself
> and only creates 2 warning messages in the system log, which I understand and
> ignore.

Thanks for the reply and thoughts. I am trying to work through the security
issues raised in the thread and your reply.

_____
Douglas Denault
http://www.safeport.com
doug@safeport.com
Voice: 301-217-9220
Fax: 301-217-9277
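The two configurations the thread talks about, written out as an added example (this is not configuration from either poster or from the FreeBSD or unbound projects). Variant A is what both posters do: with no trust anchor configured, unbound never runs the start-time anchor fetch (unbound-anchor(8) retrieving the root key from IANA), but it also performs no DNSSEC validation at all, so every answer is accepted unvalidated. Variant B is an alternative the thread does not take: pin a static anchor with `trust-anchor-file`, which unbound reads once and never refreshes over the network (no RFC 5011 tracking), so there is still no call home but validation stays on; the operator then has to replace the file by hand at a root KSK rollover (the root KSK was in fact rolled in October 2018, after this thread) or resolution breaks. The file paths, the blocklist file name and the exact `local-zone` form that dns2blackhole emits are assumptions.

```conf
# unbound.conf fragment (added example, not from the thread)
server:
    # ---- Variant A: the approach taken in the thread ----
    # Commenting out the auto-maintained anchor stops the start-time
    # fetch. Side effect: no anchor at all means validation is OFF and
    # forged/bogus answers are passed to clients unflagged.
    # auto-trust-anchor-file: "/var/unbound/root.key"

    # ---- Variant B: static anchor, no network refresh (alternative) ----
    # trust-anchor-file is loaded from disk once; unbound never updates
    # it over the network. Path is an assumption; the file holds the
    # root DNSKEY/DS in zone-file format, e.g. a copy of root.key.
    trust-anchor-file: "/var/unbound/root.key.static"
    # Default, stated explicitly: bogus answers become SERVFAIL rather
    # than being handed back to clients.
    val-permissive-mode: no

    # ---- Blocklist, in the local-zone form a dns2blackhole-style tool
    # generates (file name and format assumed). Type "static" answers
    # NXDOMAIN for the name and everything under it, for every LAN
    # client that uses this resolver.
    include: "/var/unbound/blacklist.conf"

# Constructed sample of /var/unbound/blacklist.conf (two entries):
#   local-zone: "bad.example" static
#   local-zone: "tracker.example" static
```

Check the result with `unbound-checkconf` before restarting. Note that Variant A and Variant B are exclusive choices on the same anchor: if you pin a static file, leave `auto-trust-anchor-file` out rather than pointing both at the same key.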