New DNS page in core 141

Thanks a lot for the new DNS page! This is way better than the old stuff.

But I really wish there were an info (table column) showing whether the DNS server supports DNSSEC or not.
In recent cores this info was found in the external network status, and it was really helpful.

Info I didn't find in the wiki yet:
Is the order of the list the order the servers are queried? Or is a round robin scheme used?
A short explanation of what exactly the difference is between "standard" and "strict" QNAME minimisation?
Asking because I haven't read the named RFCs.

This function is there, but you have to press the "Check DNS Server" button because this needs some time to test. If you get "OK", it supports DNSSEC; if not, you get "Broken", and if you mouse over it you get the "strip RRSIG" or other DNSSEC messages.

There is no order in this list. All enabled servers are set in unbound, and unbound regularly runs some tests (speed and DNSSEC) and chooses the best.

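To make the "strip RRSIG" remark above concrete, here is an added example (not IPFire's or Arne's code) of the general technique such a check relies on: send a query with the EDNS0 DO bit set and see whether the resolver passes the RRSIG records through. It is an assumption that IPFire's button works exactly this way; the sample responses below are constructed by hand, not real captures, and the "Broken (strip RRSIG)" label is borrowed from the post as an assumed rendering.

```python
"""Minimal DNS wire-format check: does a resolver return RRSIG records?

Added example, not IPFire's own code. Pure standard library, runs offline
against constructed sample responses.
"""
import struct

A, OPT, RRSIG = 1, 41, 46


def build_query(qname, qtype=A, txid=0x1234):
    """Build a DNS query with an EDNS0 OPT record carrying the DO bit."""
    # RD=1, 1 question, 0 answers, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP size 4096, ext-rcode 0, version 0, flags DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def _read_name(msg, off):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_response(msg):
    """Parse header flags and the (name, type) of every RR in each section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    do_bit = False
    for section, count in zip(sections, (an, ns, ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == OPT:  # for OPT the TTL field holds ext-rcode/version/flags
                do_bit = bool(ttl & 0x8000)
            sections[section].append((name, rtype))
            off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020), "do": do_bit, **sections}


def check_dnssec(response):
    """Classify a response: RRSIG present in the answer section means the resolver passes DNSSEC data."""
    r = parse_response(response)
    if r["rcode"] != 0:
        return "Error (rcode %d)" % r["rcode"]
    if RRSIG in [t for _, t in r["answer"]]:
        return "OK" + (", AD set" if r["ad"] else "")
    return "Broken (strip RRSIG)"  # label assumed from the forum post


def _rr(name, rtype, rdata, ttl=300):
    return name + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_response(strip_rrsig):
    """Constructed response to 'example.com A' with DO set; not a real capture."""
    qname = b"\x07example\x03com\x00"
    ptr = b"\xc0\x0c"  # compression pointer back to the question name
    a_rr = _rr(ptr, A, bytes([93, 184, 216, 34]))
    # RRSIG rdata: covered=A, alg=13, labels=2, orig TTL, expiration, inception, key tag, signer, dummy sig
    rrsig_rdata = struct.pack("!HBBIIIH", A, 13, 2, 300, 0x66000000, 0x65000000, 12345) + qname + b"\x00" * 8
    rrsig_rr = _rr(ptr, RRSIG, rrsig_rdata)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    answers = a_rr if strip_rrsig else a_rr + rrsig_rr
    flags = 0x8180 if strip_rrsig else 0x81A0  # QR,RD,RA (+AD when validated)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if strip_rrsig else 2, 0, 1)
    return header + qname + struct.pack("!HH", A, 1) + answers + opt


if __name__ == "__main__":
    print("validating resolver:", check_dnssec(sample_response(False)))  # OK, AD set
    print("stripping forwarder:", check_dnssec(sample_response(True)))   # Broken (strip RRSIG)
```

To run it against a live resolver you would send `build_query("example.com")` over UDP port 53 (or inside a TLS session on 853) and pass the reply to `check_dnssec`; the AD flag only tells you the upstream validated, while the RRSIG test shows whether signatures survive the path at all.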

Thanks for the clarification, Arne, I didn't know that in detail.

I thought that "OK" means the server is responding.
IMHO it should say "OK, DNSSEC validating", "BROKEN, no DNSSEC", "Error, no …", but that's cosmetic.
Functionality is implemented. Great.


An alternate solution would be to change the column title from “Status” to “DNSSEC Status”.

This is my setup, but when I go to I get the following result, which says I am not using DNS over TLS. Any suggestions?

I do have the same result via the Tenta test, but e.g. the Cloudflare test --> shows TLS 1.3 encryption and enabled DNSSEC. You can also check this via tshark

tshark -i red0 port 853

or 'port 53' for unencrypted DNS traffic, or via kdig with e.g.

kdig -d @"${ip}" "+edns=0" +dnssec +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-host="${host}";

on your own machine for more specific info.



Tests that run in the browser will display no TLS because between the browser and IPFire's unbound a normal UDP/TCP connection is still used.
