Differences

docker_notes:docker-dhcp [2024-07-21 Sun wk29 12:18] – [DNSSEC] baumkp
docker_notes:docker-dhcp [2024-08-31 Sat wk35 17:35] (current) – [DHCP testing] baumkp
Line 36: Line 36:
  
 ====DHCP testing==== ====DHCP testing====
-''%%sudo nmap --script broadcast-dhcp-discover%%'' will test the DHCP servers on the same network.+''%%sudo nmap --script broadcast-dhcp-discover%%'' will test for DHCP servers on the same network. It will only report the first DHCP server discovered. 
  
 ===Reference=== ===Reference===
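Review bot: the sentence added to the DHCP testing line ("It will only report the first DHCP server discovered.") states the limitation but not its consequence for the check this section exists for: if two servers answer the broadcast, the output shows only whichever replied first, so a single clean result does not establish that no second DHCP server is present on the segment. Suggest making that explicit, e.g. "Because only the first responder is shown, compare the reported server address against the expected one and repeat the scan; a result that names an address other than the known server indicates another DHCP server on the network." It is also worth stating that the command must be run from a host attached to the segment being tested, since the discovery relies on a broadcast and will not see servers on other segments.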
Line 76: Line 77:
  
  
-=====DNSSEC===== 
-My local DNS server is a recursive caching type only.  It take local (LAN) DNS queries and answers directly for any LAN name resolution, checks the cache for any external name resolution and then if not found locally or in cache checks the specified external DNS servers to resolve names.  My DNS server is not setup as a public DNS server and is not publicly accessible. Hence DNSSEC is not relevant for this local DNS server query validation.   
- 
-For external name resolution Bind9 basically now defaults to automatic use of DNSSEC.  This can be validated with [[https://bind9.readthedocs.io/en/latest/dnssec-guide.html#how-to-test-recursive-server|(How To Test A Recursive Server)]] using: 
-    *''dig @192.168.1.14 ftp.isc.org. A +dnssec +multiline'', the query return flag ''ad'' indicates the DNS answer returned a validated answer. 
-    *''dig @192.168.1.2 ftp.isc.org. A +dnssec +multiline'' 
- 
-Equally important the following commands helps confirm that  invalid DNS queries have failed and do not rerun invalid IP address, which would be security risk.  If ''%%dig @192.168.1.14 www.dnssec-failed.org A%%'' receives ''status: SERVFAIL'' then ''dig @192.168.1.14 www.dnssec-failed.org A +cd'' will disable DNSSEC and return the IP address showing that the SERVFAIL occurred due to DNSSEC failure. 
- 
-Basic Bind9 DNSSEC configuration options 
-  * The option (in ''/etc/bind/named.conf.options'') ''dnssec-enable yes;'' is no longer valid and use will cause configuration error.  <fc #ff0000>DO NOT USE!</fc>  DNSSEC is enabled by default. 
-  * The option ''dnssec-validation'' is set default to ''auto'' The other setting options are ''yes'' and ''no'' No action is required, if the option is not specified in the configuration file it is set to auto by default.   
- 
-<fc #ff0000>So I do not need to do any configuration for ''DNSSEC'' to function on external queries.</fc> 
- 
-====reference==== 
-  *[[https://www.cloudflare.com/dns/dnssec/how-dnssec-works/|How DNSSEC Works]] 
-  *[[https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en|DNSSEC – What Is It and Why Is It Important?]] 
-  *[[https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions|Domain Name System Security Extensions]] 
-  *[[https://bind9.readthedocs.io/en/latest/dnssec-guide.html|Bind9 DNSSEC Guide]] 
-++++ old references | 
-  *[[https://www.talkdns.com/articles/a-beginners-guide-to-dnssec-with-bind-9/|DNSSEC with BIND 9 A Beginner's Guide to DNSSEC with BIND 9]] 
-  *[[https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/|APNIC How to: Deploying DNSSEC with BIND and Ubuntu Server]] 
-++++ 
-=====DNS over TLS (DoT)===== 
 =====References===== =====References=====
   *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.   *KPTree.net's bare metal implementation of [[linux_router:dns_dhcp|dns - dhcp]], based upon ISC Bind9 and DHCP on Debian 10 <fs xx-small>(was originally Ubuntu)</fs>.
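Review bot: this hunk removes the entire DNSSEC section and the empty "=====DNS over TLS (DoT)=====" heading with no replacement text, and the revision summary ("[DHCP testing]") does not say whether the material was moved to another page or dropped. If it was relocated, a link from this page's References list to the new location would keep the validation procedure findable from here; if it was dropped, two points in the removed lines are worth retaining somewhere: the warning that ''dnssec-enable yes;'' is no longer a valid option and causes a configuration error, and the www.dnssec-failed.org check (''status: SERVFAIL'' without ''+cd'', an answer with ''+cd'') that demonstrates validation is actually rejecting bad signatures rather than merely being enabled. If the text is reinstated, fix the typo "do not rerun invalid IP address" (should read "do not return an invalid IP address") and the agreement error in "the following commands helps confirm".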