Standard User Thaumaturge
(member) Thu 03-Oct-24 11:12:23

DoH, DNSSEC, Unbound and Pi-hole


Apologies if I should have put this in security, please move it if so, but we've just had a DNS thread in here which really prompted this question.

For a while I've run pihole and the 'unbound' recursive DNS resolver on a spare RPi, to help keep my local network mostly free from ads and other nasties. Initially I didn't enable DNSSEC on the pihole, reasoning that if I'm exclusively using the authoritative DNS servers then it wouldn't buy much additional security. DNSSEC is primarily a defence against DNS spoofing and poisoning, and if the authoritative DNS servers are compromised then the world has bigger problems than mine.

Recently I switched DNSSEC on, just to see really. It slows things down a bit, but not disastrously and I'd live with that if it was worthwhile. It clutters up the pihole logs rather, but again I'd live with that if necessary. But the major thing I've seen is that support is very patchy - even major sites like the TBB forum, bbc.co.uk and google.com are flagged as insecure because they don't seem to have DNSSEC fully implemented on all subdomains. So there doesn't seem much point in using DNSSEC.

Also I thought DNS over HTTPS (DoH), which should make MITM attacks much harder, was pretty much the norm these days. Unbound supports DoH (and DoT I think) though whether I'm configured to use either or both of them is not entirely clear to me (I'm not an expert in these things).

DoH is about encryption, but DNSSEC is more about authentication. Are both necessary, or is one sufficient? I'm rather confused, as you may be able to tell.
Standard User Oliver341
(eat-sleep-adslguide) Thu 03-Oct-24 11:24:15

Re: DoH, DNSSEC, Unbound and Pi-hole


[re: Thaumaturge]
In reply to a post by Thaumaturge:
DoH is about encryption, but DNSSEC is more about authentication. Are both necessary, or is one sufficient?

Both are important. Most DNS queries are sent in plain text meaning they can be modified or spoofed en-route by an intermediate server. DNSSEC ensures the record has not been modified.

Oliver.
Standard User TinyMongomery
(legend) Thu 03-Oct-24 11:38:58

Re: DoH, DNSSEC, Unbound and Pi-hole


[re: Thaumaturge]
In reply to a post by Thaumaturge:
if the authoritative DNS servers are compromised then the world has bigger problems than mine
An authoritative DNS server is just a server that hosts the records for a particular domain. They could easily be compromised if not properly managed. Do you mean the root servers (the authoritative servers for the "/" domain)?

Even if you use just the root servers (not recommended as it slows down queries and increases network traffic), without forwarding, I can't see how this protects against a compromised DNS server further down the chain of queries.

--------------------------------------------------------------
Obsession is the single most wasteful human activity
Norman Mailer



Standard User Thaumaturge
(member) Thu 03-Oct-24 17:23:26

Re: DoH, DNSSEC, Unbound and Pi-hole


[re: TinyMongomery]
My understanding, which may be rather less than complete or accurate, of the way Unbound works is that to resolve a domain that isn't in its cache, it goes all the way back to root and requests the authoritative server for the TLD (.com, .net or whatever). It then recurses its way down finding the authoritative servers for successive subdomains till it can obtain the IP. It caches stuff so it only needs to do this once for the TTL of the address.

Not recommended by whom? NLnet Labs who maintain the thing are only a small outfit, but they are backed by some heavyweight names, eg ICANN, Verisign, AWS, Nominet to quote a few - full list on their website. It's unlikely these guys would all support something that was harmful to the internet.
Standard User Thaumaturge
(member) Thu 03-Oct-24 19:53:53

Re: DoH, DNSSEC, Unbound and Pi-hole


[re: Oliver341]
In reply to a post by Oliver341:
Most DNS queries are sent in plain text ...

That's only true if "most" DNS queries are still sent over HTTP, not HTTPS (ie DoH). I thought that most folks used DoH these days, whether they know it or not. Firefox and Chrome have defaulted to it since 2020. Edge I don't know much about cos I never use the thing, but a quick look at its settings page suggests it will use whatever my defaults are (so yes in my case).

I looked around but couldn't find any useful stats on proportion of HTTP v HTTPS. Do you have any to support your assertion?
Standard User TinyMongomery
(legend) Thu 03-Oct-24 20:19:52

Re: DoH, DNSSEC, Unbound and Pi-hole


[re: Thaumaturge]
The documentation of Unbound provides several examples of configuring it to use public DNS servers (e.g. 8.8.8.8) as forwarders. As they will already contain most of the path to most queries this reduces the network traffic considerably.

I ask myself “who is better at maintaining a secure DNS server, me or Google”. Much as I like to think I understand these things, the answer has to be Google (substitute trusted name server of your choice). So I set my internal DNS server to pass queries on to a forwarder. Perhaps it’s because I’m old enough to still think of network bandwidth as a precious resource.

--------------------------------------------------------------
Obsession is the single most wasteful human activity
Norman Mailer
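As an added worked example (not taken from the thread, from Pi-hole, or from NLnet Labs' documentation), the Unbound configuration below shows both setups the posts above describe: Thaumaturge's full recursion from the root servers, and TinyMongomery's forwarding to a public resolver, with DNSSEC validation switched on in either case. The listen port, the file paths and the Quad9 upstream are assumptions chosen for illustration; substitute your own.

```conf
# Added example, not the project's own config: /etc/unbound/unbound.conf.d/pi-hole.conf
# Port, paths and upstream addresses are assumptions for illustration.
server:
    interface: 127.0.0.1
    port: 5335                     # Pi-hole's upstream is then set to 127.0.0.1#5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.0/8 allow

    # DNSSEC validation: "validator" must precede "iterator" in the module list.
    module-config: "validator iterator"
    # Root trust anchor, maintained by unbound-anchor (RFC 5011). Path assumed.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # A response whose signatures were stripped in transit is treated as bogus,
    # not silently accepted as unsigned.
    harden-dnssec-stripped: yes
    # Level 2 logs the reason each bogus answer was rejected.
    val-log-level: 2

    # CA bundle used to verify the DoT upstream's certificate (Debian path assumed).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Mode 2 (TinyMongomery): forward everything to a public resolver over DoT (port 853).
# Remove this whole block to get Mode 1 (Thaumaturge): full recursion from the root,
# which needs no upstream and no tls-cert-bundle.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net          # Quad9, address assumed for the example
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Whichever mode is in use, Unbound checks the signatures itself, so a tampered answer for a signed zone is rejected as bogus wherever along the path the tampering happened. The DoT forwarder only encrypts the hop between Unbound and Quad9; that resolver's own lookups towards the authoritative servers are still plaintext, which is the point Oliver341 makes below. Unbound speaks DoT to an upstream; its DoH support is for serving clients, not for forwarding. A lookup that Pi-hole logs as "insecure" means the zone is unsigned (there is no chain of trust from the root to it), not that validation failed; to check a name by hand, run `unbound-host -v -C /etc/unbound/unbound.conf example.com`, which appends `(secure)`, `(insecure)` or `(BOGUS ...)` to each record, or `dig @127.0.0.1 -p 5335 example.com +dnssec` and look for `ad` in the flags line.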
Standard User Oliver341
(eat-sleep-adslguide) Thu 03-Oct-24 20:39:55

Re: DoH, DNSSEC, Unbound and Pi-hole


[re: Thaumaturge]
In reply to a post by Thaumaturge:
That's only true if "most" DNS queries are still sent over HTTP, not HTTPS (ie DoH). I thought that most folks used DoH these days, whether they know it or not. Firefox and Chrome have defaulted to it since 2020.

Your query to the resolving nameserver may indeed be via DoH or DoT, but the server you are talking to will do a bunch of queries itself, and those queries will be in plaintext.

Oliver.
Standard User smouty
(committed) Fri 04-Oct-24 12:04:28

Re: DoH, DNSSEC, Unbound and Pi-hole


[re: Oliver341]
Using NextDNS 100% of my queries are encrypted but only 8.2% are authenticated.

OPNSense on Topton N100 - SWISH Fibre 900
NextDNS (subscription) - Unifi for Wifi
My Broadband Ping
Standard User Oliver341
(eat-sleep-adslguide) Fri 04-Oct-24 12:19:21

Re: DoH, DNSSEC, Unbound and Pi-hole


[re: smouty]
In reply to a post by smouty:
Using NextDNS 100% of my queries are encrypted but only 8.2% are authenticated.

NextDNS makes lots of queries which are not encrypted before giving you the result.

Oliver.
Standard User Thaumaturge
(member) Fri 04-Oct-24 18:35:35

Re: DoH, DNSSEC, Unbound and Pi-hole


[re: smouty]
I haven't actually quantified it - it would mean manual counting in my setup - but I agree 8.2% seems a reasonable estimate to what I've been seeing.

I can see that implementing DNSSEC could be a significant overhead for net admins, and for most companies there wouldn't be much benefit to show on the bottom line, so likely the beancounters aren't keen. If any TBB staff are reading this, briefly is that why TBB doesn't seem to implement it? Only Cloudflare of the major sites I've looked at seems to have it completely covered, but then they are a network security company so it would be embarrassing for them if they got caught out.

I'm concluding that DNSSEC does not (yet?) have sufficient take-up to make the overheads of running it worthwhile. It's necessary to accept unauthenticated lookups or it wouldn't be possible to do anything, so there seems little point.