============
DNS Resolver
============

The DNS Resolver in DefenseBolt utilizes unbound, which is a validating, recursive, caching DNS resolver that supports DNSSEC and a wide variety of options. The DNS Resolver is enabled by default in current versions of DefenseBolt.

By default, the DNS Resolver queries the root DNS servers directly and does not use DNS servers configured under **System > General Setup** or those obtained automatically from a dynamic WAN. This behavior may be changed, however, using the **DNS Query Forwarding** option. By contacting the roots directly by default, it eliminates many issues typically encountered by users with incorrect local DNS configurations, and the DNS results are more trustworthy and verifiable with Domain Name System Security Extensions (DNSSEC).

--------------------------
DNS Resolver Configuration
--------------------------

To configure the DNS Resolver, navigate to **Services > DNS Resolver**.

.. image:: ./dnsresolver/image1.png
   :scale: 100%

**Enable**
   Checking this box turns on the DNS Resolver; uncheck it to disable this functionality. The DNS Forwarder and DNS Resolver cannot both be active at the same time on the same port, so disable the DNS Forwarder or move one service or the other to a different port before attempting to enable the DNS Resolver.

**Listen Port**
   By default, the DNS Resolver listens on TCP and UDP port 53. This is normal for any DNS server, as it is the port clients will try to use. There are some cases where moving the DNS Resolver to another Listen Port, such as 5353 or 54, is desirable, and then specific sources may be forwarded there via port forwards.

**Interfaces**
   By default, the DNS Resolver listens on every available interface and IPv4 and IPv6 address. The Interface control limits the interfaces where the DNS Resolver will accept and answer queries. This can be used to increase security in addition to firewall rules.

   If a specific interface is selected, both the IPv4 and IPv6 addresses on that interface will be used for answering queries. The unbound daemon will only bind to the selected interface. Queries sent to other IP addresses on the firewall will be silently discarded.

**Outgoing Network Interfaces**
   By default the DNS Resolver utilizes all interfaces for outbound queries, so it will source the query from whichever interface and IP address is closest to the target server from a routing perspective. Selecting specific interfaces will limit the choices to only specific interfaces that may be used as a source of queries.

.. image:: ./dnsresolver/image2.png
   :scale: 100%

**System Domain Local Zone Type**
   This option determines the type of local-zone configured in unbound for the system domain. The zone type governs the type of response to give clients when there is no match in local data such as Host Overrides, DHCP hosts, etc. In each case, if there is a local match, the query is answered normally. The available types to govern non-matching responses are:

   **Deny**
      Drops the query and does not answer the client.

   **Refuse**
      Notifies the client that the query was refused (using rcode REFUSED).

   **Static**
      Returns a NODATA or NXDOMAIN response to the client.

   **Transparent**
      This is the default behavior. If the query is for a name that does not exist locally, it is resolved as usual. If the name has a local match but the type is different, a NOERROR, NODATA response is sent to the client.

   **Type Transparent**
      Similar to transparent, but it also passes through queries where the name matches but the type does not. For example, if a client queries for an AAAA record but only an A record exists, the AAAA query is passed on rather than receiving a negative response.

   **Redirect**
      Handles queries from local data and redirects queries for zones underneath the local zone (e.g. subdomains). This can be used to control queries for all subdomains under the given domain.

   **Inform**
      Answers normally, but logs the client query.

   **Inform Deny**
      Denies and logs the query.

   **No default**
      Disables any default content for the zone without affecting query behavior.

**DNSSEC**
   Enables Domain Name System Security Extensions (DNSSEC), which allows clients to trust the origin and content of DNS responses. This is enabled by default. DNSSEC protects against manipulation of DNS responses, such as DNS cache poisoning or other query interception, but it does not make the contents of responses secret. DNSSEC works best when using the root servers directly, unless the forwarding servers support DNSSEC. If upstream DNS servers do not support DNSSEC in forwarding mode or with domain overrides, DNS queries are known to be intercepted upstream, or clients have issues with over-size DNS responses, DNSSEC may need to be disabled.

**DNS Query Forwarding**
   Disabled by default. When enabled, unbound will use the system DNS servers from **System > General Setup** or those received from a dynamic WAN, rather than using the root servers directly. This is better for a multi-WAN scenario where fine control of DNS query routing is desired, but typically also requires disabling DNSSEC due to a lack of support by upstream DNS servers or other problems forwarding the queries.

**DHCP Registration**
   When active, internal machine names for DHCP clients can be resolved using DNS. This only works for clients that specify a hostname in their DHCP requests. The domain name from **System > General Setup** is used as the domain name on the hosts.

.. image:: ./dnsresolver/image3.png
   :scale: 100%

**Static DHCP**
   This works the same as Register DHCP leases in DNS forwarder, except that it registers the DHCP static mapping addresses instead.

**Custom Options**
   A text area for placing advanced directives for unbound that are not supported by the GUI directly. If unbound does not start correctly after entering custom options, add server: on a line before the custom options.

.. image:: ./dnsresolver/image3.1.png
   :scale: 100%

**Host Overrides**
   Custom DNS entries can be created in the Host Overrides section of the page. Host overrides can define new records, or override existing records so that local clients receive the configured responses instead of responses from upstream DNS servers. This is also useful for split DNS configurations (see Split DNS), and as a semi-effective means of blocking access to certain specific websites. Multiple records may be defined for the same hostname, and all IP addresses will be returned in the result. This can be used to supply both an IPv4 (A) and IPv6 (AAAA) result for a single hostname.

.. Note:: We do not recommend using only the DNS override functionality as a means of blocking access to certain sites. There are countless ways to get around this. It will stop non-technical users, but it is easy to circumvent for those with more technical aptitude.

**Host**
   This field defines only the hostname portion of the DNS record (without the domain), e.g. www. It may be left blank to make an override record for the domain itself (similar to an "@" record in BIND).

**Domain**
   This field is required, and defines the domain name for the override entry, e.g. example.com.

**IP Address**
   The IP address (either IPv4 or IPv6) to return as the result for a DNS lookup of this entry.

**Description**
   A text description used to identify or give more information about this entry.

**Additional Names for This Host**
   Defines additional hostnames for the same IP address (much like CNAME records) to keep them in a single override entry.

.. image:: ./dnsresolver/image3.2.png
   :scale: 100%

**Domain Overrides**
   Domain overrides are found at the bottom of the DNS Resolver page. These entries specify an alternate DNS server to use for resolving a specific domain. One example of where this is commonly deployed is in small business networks with a single internal server with Active Directory, usually Microsoft Small Business Server.
   The DNS requests for the Active Directory domain name must be resolved by the internal Windows Server for Active Directory to function properly. Adding an override for the Active Directory domain pointing to the internal Windows server IP address ensures these records are resolved properly whether clients are using this firewall as a DNS server or the Windows Server directly.

   In an Active Directory environment the best practice is to have clients always use the Windows DNS server as the primary DNS server so dynamic name registration and other domain-related DNS tasks function properly. In environments with only one Windows DNS server, enable the DNS Resolver with an override for the Active Directory domain and use this firewall as the secondary DNS server for the internal machines. This ensures DNS resolution (except for Active Directory) does not have a single point of failure, and loss of the single server won't mean a complete Internet outage. The loss of a single server in such an environment will usually have significant consequences, but users will be more apt to leave the administrator alone to fix the problem if they can still check out their lolcats, Facebook, Twitter, et al. in the meantime.

   Another common use of DNS overrides is to resolve internal DNS domains at remote sites using a DNS server at the main site accessible over VPN. In such environments all DNS queries are typically resolved at the central site for centralized control over DNS; however, some organizations prefer letting Internet DNS resolve with DefenseBolt at each site, and only forwarding queries for internal domains to the central DNS server. Note that a static route is necessary for this to function over IPsec. See DefenseBolt initiated Traffic and IPsec for more information.

**Domain**
   The Domain field sets the domain name that will be resolved using this entry. This does not have to be a valid TLD; it can be anything (e.g. local, test, lab), or it can be an actual domain name (e.g. example.com).

**IP Address**
   Specifies the IP Address of the DNS server to which the queries for hostnames in Domain are sent. If the target DNS server is running on a port other than 53, add the port number after the IP address with an @ separating the values, for example: 192.0.2.3@5353

**Description**
   A text description used to identify or give more information about this entry.

**DNS Resolver and Multi-WAN**
   With the default settings, the DNS Resolver will have issues in a Multi-WAN environment. The main issue is that the DNS Resolver wants to query the root DNS servers directly. These queries will only be sent out using the default gateway. If the WAN containing the default gateway fails then DNS queries will also likely fail. There are ways to work around this limitation, however:

   **Forwarding Mode**
      Enable **DNS Query Forwarding** and configure at least one DNS server per WAN gateway under **System > General Setup**. DNSSEC may also need to be disabled, depending on upstream DNS server support.

   **Default Gateway Switching**
      Enable **Default Gateway Switching** under **System > Advanced**, **Miscellaneous** tab. This will move the default gateway to the next available gateway if the preferred default fails. However, this option is still considered experimental and may have problems in certain cases.

----------------
Advanced Options
----------------

DefenseBolt provides a GUI to configure some of the more common advanced options available in unbound. The options below are documented as found in the unbound.conf man page.

.. image:: ./dnsresolver/image4.png
   :scale: 100%

**Hide Identity**
   When set, attempts to query the server identity (id.server and hostname.bind) are refused.

**Hide Version**
   When set, attempts to query the server version (version.server and version.bind) are refused.

**Prefetch Support**
   When enabled, message cache elements are prefetched before they expire to help keep the cache up to date.
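The following is an added example, not code from DefenseBolt or unbound, showing how the Host Override fields and the Domain Override fields described above map onto unbound's local-zone/local-data and forward-zone directives, including the IP@port form accepted in the Domain Override IP Address field. The sample entries, the dictionary keys, and the choice to emit one local-zone line per override domain are this example's own assumptions.

```python
import ipaddress

# Constructed entries mirroring the Host Override and Domain Override fields
# described on this page; the dict keys are this example's own names, not
# DefenseBolt's internal field names.
HOST_OVERRIDES = [
    {"host": "www", "domain": "example.com", "ip": "192.0.2.10", "aliases": ["portal"]},
    {"host": "www", "domain": "example.com", "ip": "2001:db8::10", "aliases": []},
    {"host": "", "domain": "example.com", "ip": "192.0.2.1", "aliases": []},
]
DOMAIN_OVERRIDES = [
    {"domain": "ad.example.local", "server": "192.0.2.3"},        # AD DNS, port 53
    {"domain": "corp.example.com", "server": "10.10.0.53@5353"},  # HQ DNS over VPN
]

def fqdn(host, domain):
    """Absolute name; a blank host means the domain itself (like an '@' record)."""
    name = domain if host == "" else f"{host}.{domain}"
    return name.rstrip(".") + "."

def record_type(ip):
    """A for IPv4, AAAA for IPv6; ipaddress raises ValueError on a bad address."""
    return "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"

def parse_server(value):
    """Split 'ip' or 'ip@port' into (ip, port); the port defaults to 53."""
    ip_text, sep, port_text = value.partition("@")
    ip = str(ipaddress.ip_address(ip_text))
    if not sep:
        return ip, 53
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"bad port in domain override target: {value!r}")
    return ip, int(port_text)

def render_host_overrides(overrides, zone_type="transparent"):
    """local-zone/local-data lines in a 'server:' clause. Emitting a local-zone
    line per override domain is this example's choice; zone_type is an unbound
    local-zone keyword (transparent, static, redirect, ...)."""
    lines = ["server:"]
    for domain in sorted({o["domain"] for o in overrides}):
        lines.append(f'  local-zone: "{domain.rstrip(".")}." {zone_type}')
    for o in overrides:  # additional names are emitted here as extra A/AAAA records
        rtype = record_type(o["ip"])
        for host in [o["host"], *o["aliases"]]:
            lines.append(f'  local-data: "{fqdn(host, o["domain"])} IN {rtype} {o["ip"]}"')
    return "\n".join(lines) + "\n"

def render_domain_overrides(entries):
    """One forward-zone clause per Domain Override; the port rides on '@'."""
    out = []
    for e in entries:
        ip, port = parse_server(e["server"])
        out += ["forward-zone:", f'  name: "{e["domain"].rstrip(".")}."',
                f"  forward-addr: {ip}@{port}"]
    return "\n".join(out) + "\n"
```

Two entries share the hostname www so the rendered local-data carries both an A and an AAAA answer, matching the multiple-records behaviour described for Host Overrides.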
   This option can cause an increase of around 10% more DNS traffic and load on the server, but frequently requested items will not expire from the cache.

**Prefetch DNS Key Support**
   When enabled, DNSKEYs are fetched earlier in the validation process when a Delegation Signer record is encountered. This helps lower the latency of requests but utilizes a little more CPU, and requires the cache to be set above zero.

.. image:: ./dnsresolver/image4.1.png
   :scale: 100%

**Harden DNSSEC Data**
   When enabled, DNSSEC data is required for trust-anchored zones, and if such data is absent the zone becomes bogus. If this option is disabled and no DNSSEC data is received, the zone is made insecure instead.

**Message Cache Size**
   The message cache stores DNS response codes and validation statuses. The resource record set (RRSet) cache will automatically be set to twice this amount. The RRSet cache contains the actual resource record data. The default is 4 MB.

**Outgoing TCP Buffers**
   The number of outgoing TCP buffers to allocate per thread. The default value is 10. If set to 0, TCP queries will not be sent to authoritative servers.

.. image:: ./dnsresolver/image5.png
   :scale: 100%

**Incoming TCP Buffers**
   The number of incoming TCP buffers to allocate per thread. The default value is 10. If set to 0, TCP queries will not be accepted from clients.

**EDNS Buffer Size**
   Number of bytes to advertise as the EDNS reassembly buffer size. This value is placed in UDP datagrams sent to peers. The RFC recommendation is 4096 (the default). If fragmentation reassembly problems occur, usually observed as timeouts, then a value of 1480 may help. The 512 value bypasses most path MTU problems, but it is excessive and can generate an excessive amount of TCP fallback.

**Number of Queries per Thread**
   The number of queries that every thread will service simultaneously. If additional queries arrive that need to be serviced, and no queries can be jostled out, the new queries are dropped.

.. image:: ./dnsresolver/image5.1.png
   :scale: 100%

**Jostle Timeout**
   Timeout used when the server is very busy. This protects against denial of service by slow queries or high query rates. The default value is 200 milliseconds. Set to a value that approximates the round-trip time to the authority servers. As new queries arrive, 50% are allowed to run and 50% are replaced by new queries if they are older than the stated timeout.

**Maximum TTL for RRsets and Messages**
   The Maximum Time to Live (TTL) for RRsets and messages in the cache, specified in seconds. The default is 86400 seconds (1 day). When the internal TTL expires the cache item is expired. This can be configured to force the resolver to query for data more often and not trust (very large) TTL values.

**Minimum TTL for RRsets and Messages**
   The Minimum Time to Live for RRsets and messages in the cache, specified in seconds. The default is 0 seconds. If a record has a TTL lower than the configured minimum value, data can be cached for longer than the domain owner intended, and thus fewer queries are made to look up the data. The 0 value ensures the data in the cache is not kept longer than the domain owner intended. High values can lead to trouble as the data in the cache may not match up with the actual data if it changes.

.. image:: ./dnsresolver/image6.png
   :scale: 100%

**TTL for Host Cache Entries**
   Time to Live, in seconds, for entries in the infrastructure host cache. The infrastructure host cache contains round trip timing, lameness, and EDNS support information for DNS servers. The default value is 15 minutes.

**Number of Hosts to Cache**
   Number of infrastructure hosts for which information is cached. The default is 10,000.

**Unwanted Reply Threshold**
   If enabled, a total number of unwanted replies is tracked in every thread. When the threshold is reached, a defensive action is taken and a warning is printed to the log file.
   The defensive action is to clear the RRSet and message caches, hopefully flushing away any poison. The default is disabled, but if enabled a value of 10 million is suggested.

**Log Level**
   Select the log verbosity. Default is Level 1.

   **Level 0**
      No verbosity, only errors.

   **Level 1**
      Operational information.

   **Level 2**
      Detailed operational information.

   **Level 3**
      Query level information, output per query.

   **Level 4**
      Algorithm level information.

   **Level 5**
      Logs client identification for cache misses.

.. image:: ./dnsresolver/image6.1.png
   :scale: 100%

**Disable Auto-added Access Control**
   Disables the automatically-added access control entries. By default, IPv4 and IPv6 networks residing on internal interfaces of this firewall are permitted. When checked, allowed networks must be manually configured on the Access Lists tab.

**Experimental Bit 0x20 Support**
   Use 0x20-encoded random bits in the DNS query to foil spoofing attempts. See the implementation draft dns-0x20 for more information.

**DNS Resolver and IPv6**
   The DNS Resolver is fully compatible with IPv6. It accepts and makes queries on IPv6, supports AAAA records, and has no known issues with any aspect of IPv6 and handling DNS.

---------------------
Resolver Access Lists
---------------------

.. image:: ./dnsresolver/image7.png
   :scale: 100%

Unbound requires access lists (ACLs) to control which clients are allowed to submit queries. By default, IPv4 and IPv6 networks residing on internal interfaces of this firewall are permitted. Additional networks must be allowed manually.

.. Note:: The automatic ACLs may be disabled using the Disable Auto-added Access Control option on the Advanced Settings tab.

To manage Access Lists for the DNS Resolver, navigate to **Services > DNS Resolver**, Access Lists tab. From this list, new entries may be added and existing entries may be edited or deleted. When adding or editing an entry, the following options are available:

.. image:: ./dnsresolver/image8.png
   :scale: 100%

**Access List Name**
   The name for the Access List, which appears as a comment in the access list configuration file.

**Action**
   Method for handling the networks contained in this Access List.

   **Deny**
      Stops queries from clients in the configured networks.

   **Refuse**
      Stops queries from clients in the configured networks and sends back a REFUSED response code.

   **Allow**
      Allows queries from clients in the configured networks.

   **Allow Snoop**
      Allows recursive and nonrecursive queries from clients in the configured networks, used for cache snooping, and typically only configured on administrative hosts.

**Description**
   A longer text field for reference notes about this entry.

**Networks**
   A list of networks to be governed by this access list entry.
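As an added example, not DefenseBolt's own code, the following renders Access List entries like those described above into unbound access-control lines and predicts how unbound would treat a given client, which makes visible why the Allow Snoop action belongs on a narrow administrative netblock and what happens once the auto-added entries are disabled. The sample networks, the auto-added entry, and the dictionary keys are constructed for this example; the most-specific-match rule and the refuse default follow unbound's documented access-control behaviour.

```python
import ipaddress

# Constructed Access List entries mirroring the GUI fields above. AUTO_ADDED
# stands in for the firewall's internal interface networks, which are permitted
# unless "Disable Auto-added Access Control" is checked.
AUTO_ADDED = [
    {"name": "auto-lan", "action": "Allow", "networks": ["10.0.0.0/24", "2001:db8:1::/64"]},
]
ACCESS_LISTS = [
    {"name": "guest-wifi", "action": "Refuse", "networks": ["10.0.0.128/25"]},
    {"name": "admin-hosts", "action": "Allow Snoop", "networks": ["10.0.0.5/32"]},
    {"name": "branch-vpn", "action": "Allow", "networks": ["10.20.0.0/16"]},
]
# GUI action labels mapped to the unbound access-control keywords.
ACTIONS = {"Deny": "deny", "Refuse": "refuse", "Allow": "allow", "Allow Snoop": "allow_snoop"}

def effective_entries(acls, disable_auto_added=False):
    """The entries unbound actually sees, with or without the auto-added ones."""
    return list(acls) if disable_auto_added else AUTO_ADDED + list(acls)

def render_access_control(acls, disable_auto_added=False):
    """One access-control line per network; the list name becomes a comment."""
    lines = ["server:"]
    for e in effective_entries(acls, disable_auto_added):
        lines.append(f"  # {e['name']}")
        for net in e["networks"]:
            block = ipaddress.ip_network(net, strict=False)  # ValueError on bad input
            lines.append(f"  access-control: {block} {ACTIONS[e['action']]}")
    return "\n".join(lines) + "\n"

def decide(acls, client_ip, disable_auto_added=False):
    """Predict unbound's verdict for a client: the most specific matching
    netblock wins regardless of entry order, and a client that matches no
    entry is refused (unbound's default when nothing matches)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for e in effective_entries(acls, disable_auto_added):
        for net in e["networks"]:
            block = ipaddress.ip_network(net, strict=False)
            if ip in block and (best is None or block.prefixlen > best[0]):
                best = (block.prefixlen, ACTIONS[e["action"]])
    return best[1] if best else "refuse"
```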