local_unbound disable trusted-anchor
Ernie Luzar
luzar722 at gmail.com
Fri Nov 24 21:34:17 UTC 2017
doug wrote:
> On Tue, 24 Oct 2017, Ernie Luzar wrote:
>
>> How can I stop local_unbound from automatically performing trusted
>> anchor at local_unbound start?
>
> Read the thread "Unbound(8) caching resolver no workie on ..." valuable
> stuff here. Answered why I had to do the following. Comment out
>
> auto-trust-anchor-file: /var/unbound/root.key
>
> in unbound.conf.
>
Yes I followed that thread when it was current on the questions list.
I took a different path to working around stopping the trust-anchor auto
fetch at start time.
For security reasons I will not allow any daemon to call home for any
reason. It's just too easy for that secdns fetch to become compromised and
all of a sudden all unbound users are compromised. They added secdns to
close some large holes in DNS services and ended up adding a far more
centralized security hole. secdns needs more time to work out the design
problems to become better secured before I am willing to get in bed with
it. So I turned off the auto secdns fetch altogether and run unbound
without it just fine.
It came to my attention that the version of unbound used by release 11.1
local_unbound was 3 versions behind what was provided in the port
version of unbound. So I pkg installed unbound and then hacked the rc.d
unbound script commenting out the code that did the actual fetch of the
trust-anchor file content.
Then I installed the dns2blackhole port and followed the great detailed
instructions for populating unbound with a file containing known bad
domain names so unbound will block those DNS lookups, thus protecting
the host unbound runs on and all LAN devices, hard wired or wifi
connected, behind that host.
dns2blackhole man page has a lot of info on customizing unbound and
local_unbound, so it's worth it to just install it for its man page.
I also have ntpd launched at boot time and it does complain about being
unable to resolve its domain name until unbound completes its start
up. This is a simple timing thing between ntpd and unbound that
resolves itself and only creates 2 warning messages in the system log,
which I understand and ignore.
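A small check to go with the fix doug quotes above (commenting out the auto-trust-anchor-file line): it reports whether an unbound.conf still has an active DNSSEC trust-anchor directive, ignoring commented-out lines. This is an added example, not code from the thread; the sample configs it writes are constructed for a stand-alone run, and it assumes only the main file matters (files pulled in via "include:" are not followed).

```shell
#!/bin/sh
# Print the first active trust-anchor directive in an unbound.conf, or "none".
# A leading "#" disables a line in unbound.conf, so commented-out directives
# (the workaround in the thread) do not count as active.
unbound_trust_anchor_status() {
    awk '
        { sub("#.*", "") }   # strip comments, so "# auto-trust-anchor-file: ..." cannot match
        /^[ \t]*(auto-trust-anchor-file|trust-anchor-file|trust-anchor|trusted-keys-file):/ {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; found = 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# Constructed sample configs (not taken from the thread).
write_sample_enabled() {
    cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1
    auto-trust-anchor-file: /var/unbound/root.key
EOF
}

write_sample_disabled() {
    cat > "$1" <<'EOF'
server:
    interface: 127.0.0.1
    # auto-trust-anchor-file: /var/unbound/root.key
EOF
}

main() {
    a=$(mktemp); b=$(mktemp)
    write_sample_enabled "$a"
    printf 'enabled config  -> %s\n' "$(unbound_trust_anchor_status "$a")"
    write_sample_disabled "$b"
    printf 'disabled config -> %s\n' "$(unbound_trust_anchor_status "$b")"
    rm -f "$a" "$b"
}

main
```

Run it against /var/unbound/unbound.conf (or the file local_unbound actually reads) to confirm the directive is really inactive after editing.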