Dnsmasq/Stubby TLS and enable DNSSEC by dnsmasq

Need some advice on this: is it a good idea to enable DNSSEC over TLS-encrypted links? Does it really make a good combination to provide further DNSSEC validation data to the client?

Should I consider blocking DNS requests sent to ISP-provided DNS servers? My understanding is that the ISP DNS may be queried ahead of dnsmasq/stubby being active when OpenWRT starts up. If this is so, can we eliminate that and secure things so that the only DNS resolver used by the OpenWRT system is dnsmasq/stubby?

TLS protects the privacy of your TCP session with the recursive resolver from an eavesdropper. DNSSEC is about validating the answer you receive, but provides no privacy. TLS will prevent any tampering on the path between you and the recursive, but there's no such protection between the recursive and the authoritative, and TLS can't prevent any tampering by the recursive itself either.

If your recursive performs DNSSEC validation, and you trust it with that responsibility, then you can leave DNSSEC validation turned off. Otherwise, turn it on. Also, remember that DNSSEC validation can't be performed if the authoritative hasn't signed the zone. The root and all the TLD zones are signed, but many other zones aren't yet.

You can block DNS queries to your ISP if you wish, but note that OpenWrt by default hands out the IP for dnsmasq to the clients for DNS and not any upstream DNS IP. If dnsmasq hasn't started yet, the clients simply don't get any response.

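A concrete instance of the setup the answer describes, as an added example that is not code from the thread or from the OpenWrt project: the UCI settings that make dnsmasq forward only to a local stubby listener and validate DNSSEC itself, plus a shell check that inspects a generated dnsmasq.conf for exactly those properties (no ISP resolvers, a single TLS upstream, validation enabled with a trust anchor). The stubby port 5453 and the trust-anchor file path are assumptions; adjust them to your stubby.yml and dnsmasq build.

```shell
#!/bin/sh
# Added example, not code from the thread. Two parts for the setup
# discussed above (dnsmasq forwarding to a local stubby DoT client,
# dnsmasq doing DNSSEC validation itself, ISP resolvers never used):
#   1. the OpenWrt UCI settings that produce it (run on the router only);
#   2. a check that inspects a generated dnsmasq.conf for the result.
# Assumptions: stubby listens on 127.0.0.1 port 5453 (set in stubby.yml),
# and the trust-anchor file lives where the dnsmasq package installs it.

STUBBY_ADDR="127.0.0.1#5453"
TRUST_ANCHORS="/usr/share/dnsmasq/trust-anchors.conf"

# Part 1: router-side UCI settings (needs uci and a DNSSEC-capable dnsmasq
# build; defined for reference, not executed by this script).
apply_openwrt_uci() {
    uci set dhcp.@dnsmasq[0].noresolv='1'                # never read the WAN resolv.conf (ISP servers)
    uci -q delete dhcp.@dnsmasq[0].server
    uci add_list dhcp.@dnsmasq[0].server="$STUBBY_ADDR"   # stubby is the only upstream
    uci set dhcp.@dnsmasq[0].dnssec='1'                  # validate answers in dnsmasq
    uci set dhcp.@dnsmasq[0].dnsseccheckunsigned='1'     # prove unsigned answers come from unsigned zones
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# Part 2: verify a dnsmasq configuration file. Prints the first problem
# found and returns 1; returns 0 when every expected option is present.
check_dnsmasq_conf() {
    conf="$1"
    # Without no-resolv, dnsmasq also forwards to whatever resolv.conf lists,
    # which on a router is the ISP resolvers learned on the WAN.
    grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' "$conf" ||
        { echo "no-resolv missing: resolv.conf (ISP resolvers) would be used"; return 1; }
    grep -Fq "server=$STUBBY_ADDR" "$conf" ||
        { echo "stubby upstream $STUBBY_ADDR not configured"; return 1; }
    # Every other server= line is a plaintext upstream that bypasses TLS.
    if grep -E '^[[:space:]]*server=' "$conf" | grep -vqF "server=$STUBBY_ADDR"; then
        echo "an upstream other than stubby is configured (plaintext DNS leak)"; return 1
    fi
    grep -Eq '^[[:space:]]*dnssec[[:space:]]*$' "$conf" ||
        { echo "dnssec missing: answers are not validated by dnsmasq"; return 1; }
    # Validation needs a trust anchor, either inline or via the shipped file.
    grep -Eq '^[[:space:]]*(trust-anchor=|conf-file=.*trust-anchors)' "$conf" ||
        { echo "no trust anchor: dnssec cannot validate anything"; return 1; }
    return 0
}

# Constructed sample: the configuration the UCI settings above generate.
write_good_conf() {
    f=$(mktemp)
    cat >"$f" <<EOF
no-resolv
server=$STUBBY_ADDR
dnssec
dnssec-check-unsigned
conf-file=$TRUST_ANCHORS
EOF
    echo "$f"
}

# Constructed sample of a common mistake: stubby is configured, but a
# second plaintext upstream remains (192.0.2.53 is a documentation
# address standing in for an ISP resolver) and DNSSEC is off.
write_weak_conf() {
    f=$(mktemp)
    cat >"$f" <<EOF
no-resolv
server=$STUBBY_ADDR
server=192.0.2.53
EOF
    echo "$f"
}

# Stand-alone run: check both samples and report.
for w in write_good_conf write_weak_conf; do
    f=$($w)
    if check_dnsmasq_conf "$f"; then echo "$w: OK"; else echo "$w: FAIL"; fi
    rm -f "$f"
done
```

On a router, run `check_dnsmasq_conf /var/etc/dnsmasq.conf.*` (the file OpenWrt's init script generates from `/etc/config/dhcp`) after applying the UCI settings; the check only proves the configuration is as intended, while `dig +dnssec` against the router confirms that the `ad` flag is actually set on validated answers.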