Maintaining the list of secure dns servers

Hello everyone,
I've been looking at the list of secure DNS servers on the wiki, and using some web-based utilities I found on the web, such as the DNS security test by Verisign Labs and the GRC DNS Spoofability test, I've realized that some of these DNS providers don't always have 100% reliable DNSSEC all the time, so I'd like to edit the wiki page to
possibly remove:
Freifunk München e.V.
dns.sb
CMRG DNS
post-factum
Digitalcourage e.V.
and maybe adding:
DNS CMRG (the new one)
the new DoHProxy.com (198.199.103.49 kiri.nonexiste.net)

Let me know what you think of those server changes and give some suggestions, that'd be great.

Hi @noobusinghacks

If you believe that you have found some DNSSEC weaknesses/issues with those DNS Servers then I would think a first step would be to contact them and inform them about those and see what response you get.

I have had contact with Freifunk München in the past about an issue and got a rapid response from them.

2 Likes

I think Freifunk and Digital Courage are pretty solid DNS servers.

They do have some errors because of their domain setup:

No DS records found for ffmuc.net in the net zone

No DNSKEY records found

No RRSIGs found

I am not sure if this affects DNS security. Maybe someone can point it out.

Hi,

If I understood your post correctly, you are mixing up DNSSEC signing and DNSSEC validation.

The latter is critical to IPFire, as we require DNSSEC validation to work. Resolvers not providing necessary DNS record types (NSEC, RRSIG, etc.) for doing so are not listed as recommendable ones in the wiki.

At this level, however, DNSSEC signing of the operators' zone is irrelevant: You connect to a DNS resolver by its IP address - there is no other way to do so, since your machine cannot resolve FQDNs without speaking to a resolver (chicken-and-egg problem) - which does not depend on DNS even working.

Of course, I would like to see as many domains DNSSEC-signed as we can. But in terms of resolver security, this does not matter.

Thanks, and best regards,
Peter Müller

1 Like
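The signing/validation distinction made in the reply above, as an added example that is not part of the thread or of IPFire's code: it parses `dig +dnssec` output for a resolver and judges it only by what it returns, not by whether its operator's own domain is signed. The sample outputs, the names `signed.example`, `parse_dig` and `assess_resolver`, and the rule that "suitable" means "returns RRSIG records" are assumptions made for illustration.

```python
import re

# Constructed dig-style output, not captured from any real resolver.
# "dig +dnssec signed.example A @<resolver>" for a correctly signed test name:
SIGNED_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
signed.example. 300 IN A 192.0.2.10
signed.example. 300 IN RRSIG A 13 2 300 20300101000000 20200101000000 12345 signed.example. c2ln
"""
# Same resolver, test name whose signatures are deliberately broken:
BOGUS_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# A resolver that strips DNSSEC records from its answers:
STRIPPED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
signed.example. 300 IN A 192.0.2.10
"""

def parse_dig(text):
    """Return (status, header flags, record types in the answer section)."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r";; flags: ([a-z ]*);", text).group(1).split()
    rtypes = re.findall(r"^[^;\s]\S*\s+\d+\s+IN\s+(\S+)", text, re.M)
    return status, flags, rtypes

def assess_resolver(signed_out, bogus_out, operator_zone_signed):
    """Judge a resolver by what it returns, never by its operator's own zone."""
    status, flags, rtypes = parse_dig(signed_out)
    bogus_status, _, _ = parse_dig(bogus_out)
    returns_records = status == "NOERROR" and "RRSIG" in rtypes
    return {
        # RRSIGs present: a validating client behind it has what it needs.
        "returns_dnssec_records": returns_records,
        # AD flag plus SERVFAIL on the broken name: resolver validates too.
        "resolver_validates": "ad" in flags and bogus_status == "SERVFAIL",
        # Signing of the operator's domain (e.g. missing DS/DNSKEY) is
        # recorded for information only and does not enter the verdict.
        "operator_zone_signed": operator_zone_signed,
        "suitable": returns_records,
    }

if __name__ == "__main__":
    print(assess_resolver(SIGNED_OK, BOGUS_REFUSED, operator_zone_signed=False))
    print(assess_resolver(STRIPPED, BOGUS_REFUSED, operator_zone_signed=True))
```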