Of course, if you are going to fix it, you might as well fix it right. I recommend something with DNSSEC validation, caching, and prefetching. The best I've found so far is unbound, so I recommend:
1) aptitude/yum install unbound
2) edit unbound.conf (normally /etc/unbound/unbound.conf; the exact path depends on the distribution)
a) change prefetch and prefetch-key to yes
b) If you want to use a DLV (DNSSEC Lookaside Validation) for domains whose IT department or ISP doesn't support DNSSEC, update the dlv-anchor-file. More info at Wikipedia's DLV entry. (ISC retired its public DLV registry in 2017, so on a current install leave DLV unconfigured.)
c) uncomment auto-trust-anchor-file: "/etc/unbound/root.key"
d) I set threads to 2
3) run unbound-anchor to update the DNSSEC root key.
4) To test, look for the ad (authenticated data) flag in the output of the following command:
$ dig @localhost com. SOA +dnssec | grep flags | head -1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1
5) Update /etc/resolv.conf with nameserver 127.0.0.1
6) If running dhclient
a) add/uncomment "prepend domain-name-servers 127.0.0.1;" in /etc/dhclient.conf
b) remove "domain-name-servers" from the request line in /etc/dhclient.conf
c) create a file in /etc/dhcp/dhclient-exit-hooks.d with the following in it:
echo "options edns0" >> /etc/resolv.conf
7) In ~/.ssh/config (per user config file) or /etc/ssh/ssh_config (global config file) add:
#until ssh-keygen and related tools get updated we can't do ecdsa keys
HostKeyAlgorithms=ssh-rsa,ssh-dss
VerifyHostKeyDNS yes
StrictHostKeyChecking yes
Host *.*
Hostname %h
Host *
Hostname %h.cse.ucdavis.edu
The two Host blocks pass fully qualified names through unchanged and append the local domain to bare hostnames (ssh_config uses the first matching block). On a current OpenSSH drop the HostKeyAlgorithms line: ssh-dss and ssh-rsa are disabled by default there, and ssh-keygen -r emits SSHFP records for ecdsa and ed25519 keys.
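The dig check in step 4 only proves the positive case. A validating resolver must also refuse answers whose signatures do not verify, otherwise the ad flag is meaningless. The script below, which is an added example and not part of the original post, wraps both checks: it parses dig output for the ad flag and for a SERVFAIL status, and (when given a resolver address) runs the live checks against com. and against dnssec-failed.org, Comcast's public test zone with deliberately broken signatures. The abridged dig output samples are constructed so the parsers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a resolver validates
# DNSSEC, both positively (ad flag on a signed zone) and negatively (SERVFAIL
# for a zone whose signatures are bogus). The parsers read dig output on stdin.

# Return 0 if the dig output on stdin carries the "ad" (authenticated data)
# flag in its header flags line, 1 otherwise.
has_ad_flag() {
    # The flags line looks like: ";; flags: qr rd ra ad; QUERY: 1, ..."
    flags=$(sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ad "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 if the dig output on stdin reports status SERVFAIL, which is what a
# validating resolver returns for data that fails validation, 1 otherwise.
is_servfail() {
    grep -q '^;; ->>HEADER<<-.*status: SERVFAIL'
}

# Live check against one resolver (needs network). Usage: check_resolver 127.0.0.1
check_resolver() {
    server=$1
    # A signed zone must come back with the ad flag set ...
    if dig @"$server" com. SOA +dnssec | has_ad_flag; then
        echo "ok: $server sets ad for com. SOA"
    else
        echo "FAIL: $server did not validate com. SOA"
        return 1
    fi
    # ... and a zone with deliberately broken signatures must be refused.
    # dnssec-failed.org is Comcast's public test domain with bogus DNSSEC data.
    if dig @"$server" dnssec-failed.org A +dnssec | is_servfail; then
        echo "ok: $server rejects dnssec-failed.org"
    else
        echo "FAIL: $server answered for dnssec-failed.org (not validating?)"
        return 1
    fi
}

# Constructed, abridged dig output for offline exercising of the parsers.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Run the live checks only when a resolver address is given, e.g.
#   sh dnssec-check.sh 127.0.0.1
if [ $# -gt 0 ]; then
    check_resolver "$1"
fi
```

Run it against 127.0.0.1 after step 5; if the first check passes but the second fails, the resolver is forwarding answers without validating them (for example because the trust anchor from unbound-anchor was never loaded), and VerifyHostKeyDNS will never see an authenticated SSHFP record.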
Enjoy faster and more secure DNS. DNSSEC also makes putting SSH host keys in DNS (SSHFP records) actually useful: ssh only trusts an SSHFP answer that arrives with the ad flag, which is why the resolver must validate and why resolv.conf needs "options edns0". (On glibc 2.31 and later the stub resolver strips the ad flag unless resolv.conf also contains "options trust-ad"; that is only safe here because the validating resolver is on 127.0.0.1.) It also lets people have more confidence in your SPF/DKIM records if you run a mail server.