DNS fun on a Friday night.
Set up DNSSEC enforcement, multicast DNS, DNS over TLS, and turn off LLMNR (Link-Local Multicast Name Resolution, the local-network name lookup that is a classic spoofing/poisoning target)
In resolvectl output, "Data is authenticated: yes" means the answer passed DNSSEC validation (signature chain verified up to the root); "no" means the zone is unsigned, and a validation failure makes the lookup itself fail.
$ sudo apt install systemd-resolved
/etc/systemd/resolved.conf (settings must sit under the [Resolve] section header)
[Resolve]
# ~. = route all lookups to the global servers below
Domains=~.
# strict DNSSEC: a validation failure fails the lookup instead of returning unauthenticated data
DNSSEC=yes
# global default only; a link also needs mDNS enabled (resolvectl mdns <link> yes) for it to be active there
MulticastDNS=yes
Cache=yes
# the #name suffix is the TLS server name checked against the upstream certificate
DNS=8.8.8.8#dns.google 8.8.4.4#dns.google
# strict DNS-over-TLS: no fallback to plaintext port 53
DNSOverTLS=yes
# Link-Local Multicast Name Resolution off
LLMNR=no
$ resolvectl status
Global
Protocols: -LLMNR +mDNS +DNSOverTLS DNSSEC=yes/supported
resolv.conf mode: stub
Current DNS Server: 8.8.8.8#dns.google
DNS Servers 8.8.8.8#dns.google 8.8.4.4#dns.google
DNS Domain ~.
signed domain, validation succeeds:
$ resolvectl query www.waitman.net
www.waitman.net: 45.79.97.18 -- link: enp0s31f6
2600:3c01::f03c:91ff:fed3:e6a8 -- link: enp0s31f6
-- Information acquired via protocol DNS in 214.8ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes
-- Data from: network
unsigned domain still resolves: with DNSSEC=yes the resolver proves the zone has no DS record (an insecure delegation), so the answer comes back but is marked as not authenticated
$ resolvectl query rumbly.net
rumbly.net: 2605:a140:2037:5070::1 -- link: enp0s31f6
209.126.4.161 -- link: enp0s31f6
-- Information acquired via protocol DNS in 180.4ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: network
same query again, served from the cache (still marked authenticated):
$ resolvectl query www.waitman.net
www.waitman.net: 45.79.97.18 -- link: enp0s31f6
2600:3c01::f03c:91ff:fed3:e6a8 -- link: enp0s31f6
-- Information acquired via protocol DNS in 1.7ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes
-- Data from: cache
check a deliberately broken test zone: with DNSSEC=yes the lookup fails closed instead of returning unauthenticated data
# resolvectl query dnssec-failed.org
dnssec-failed.org: resolve call failed: DNSSEC validation failed: missing-key
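The three outcomes above (authenticated, unsigned, validation failed) are what a script would want to tell apart before trusting an answer. The following is an added example, not code from the original post: it classifies resolvectl query output, with the three sample outputs constructed to match the format shown above, and a live wrapper (check_domain / require_secure) that assumes systemd-resolved is running on the host.

```shell
#!/bin/sh
# Added example, not part of the original post: classify what a
# `resolvectl query` reported, so a script can tell "authenticated"
# from "unsigned" from "validation failed".  The three samples are
# constructed to match the output format shown in the post.

SAMPLE_SECURE='www.waitman.net: 45.79.97.18 -- link: enp0s31f6
-- Information acquired via protocol DNS in 214.8ms.
-- Data is authenticated: yes; Data was acquired via local or encrypted transport: yes
-- Data from: network'

SAMPLE_INSECURE='rumbly.net: 209.126.4.161 -- link: enp0s31f6
-- Information acquired via protocol DNS in 180.4ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: network'

SAMPLE_BOGUS='dnssec-failed.org: resolve call failed: DNSSEC validation failed: missing-key'

# classify_query OUTPUT -> prints secure | insecure | bogus | unknown
# Order matters: a failed lookup carries no "Data is authenticated" line at all.
classify_query() {
    case "$1" in
        *"DNSSEC validation failed"*)   echo bogus ;;
        *"Data is authenticated: yes"*) echo secure ;;
        *"Data is authenticated: no"*)  echo insecure ;;
        *)                              echo unknown ;;
    esac
}

# transport_encrypted OUTPUT -> exit 0 if resolved says the answer arrived over
# an encrypted (DoT) or local transport, 1 otherwise
transport_encrypted() {
    case "$1" in
        *"encrypted transport: yes"*) return 0 ;;
        *)                            return 1 ;;
    esac
}

# check_domain DOMAIN -> classification of a live lookup on this host
# (assumes systemd-resolved; failure text goes to stderr, hence 2>&1)
check_domain() {
    classify_query "$(resolvectl query "$1" 2>&1)"
}

# require_secure DOMAIN -> exit 0 only if the live lookup was DNSSEC-validated,
# e.g. as a gate before acting on a TLSA or SSHFP record for that name
require_secure() {
    [ "$(check_domain "$1")" = secure ]
}

# offline demonstration on the constructed samples
for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_BOGUS"; do
    printf '%-20s %s\n' "${s%%:*}" "$(classify_query "$s")"
done
```

On a host configured as above, `require_secure www.waitman.net && echo ok` succeeds, while the same call for dnssec-failed.org fails because the lookup itself errors out; note that "insecure" only says the zone is unsigned, not that anything was tampered with.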