Recommended way to set a DNS upstream such as NextDNS (i.e. allowing DNSSEC validation to be disabled)?

Hello,

I use NextDNS.io for DNS filtering on different devices, to protect my family from ads and other unexpected content wherever they are (at home or away from home). So I set NextDNS as the DNS upstream. So far so good.

But as NextDNS does some content filtering and already does DNSSEC validation, it sometimes leads to trouble at the IPFire level (I use IPFire 2.25 v157).

For example, resolution of duckduckgo.com failed as I enforced SafeSearch at the NextDNS level.

I see messages like this at the IPFire level:

18:40:30unbound: [18949:0]info: validation failure <www.duckduckgo.com. A IN>: DS got unsigned CNAME answer from 45.90.28.26 and 45.90.30.26 for DS duckduckgo.com. while building chain of trust

If I edit /etc/unbound/unbound.conf to disable the DNSSEC trust directive, it works, but I think I'll have to edit it again after the next IPFire update.

So is there a better way to disable DNSSEC validation, or to disable it only for the upstream DNS servers concerned?

Thanks and have a good day!
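The unbound log line quoted above can be parsed so that validation failures are surfaced and counted per upstream resolver, which lets an admin see whether a filtering upstream is the cause without turning validation off. This is an added Python example, not code from the original thread or from IPFire; the first sample line is the one from the post and the other two are constructed for testing.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log in the IPFire/unbound format shown in the thread.
# Line 1 is the post's own line; lines 2 and 3 are made up for the test.
SAMPLE_LOG = """\
18:40:30unbound: [18949:0]info: validation failure <www.duckduckgo.com. A IN>: DS got unsigned CNAME answer from 45.90.28.26 and 45.90.30.26 for DS duckduckgo.com. while building chain of trust
18:40:31unbound: [18949:0]info: resolving www.example.org. A IN
18:41:02unbound: [18949:0]info: validation failure <example.net. AAAA IN>: signature crypto failed from 203.0.113.5 for DNSKEY example.net.
"""

# time, [pid:thread], level, then the <qname qtype qclass> triple and the reason text
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s*unbound: \[(?P<pid>\d+):(?P<tid>\d+)\]"
    r"(?P<level>\w+): validation failure <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)
# "from A.B.C.D and E.F.G.H" (unbound joins several servers with " and ")
UPSTREAM_RE = re.compile(r"from ((?:\d{1,3}\.){3}\d{1,3}(?:(?:,| and) (?:\d{1,3}\.){3}\d{1,3})*)")
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


@dataclass
class ValidationFailure:
    time: str
    qname: str
    qtype: str
    reason: str
    upstreams: list = field(default_factory=list)


def parse_validation_failures(text):
    """Return one record per 'validation failure' line; all other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        um = UPSTREAM_RE.search(m["reason"])
        ips = IP_RE.findall(um.group(1)) if um else []
        records.append(ValidationFailure(m["time"], m["qname"], m["qtype"], m["reason"], ips))
    return records


def failures_by_upstream(records):
    """Count failures per upstream IP, to spot a single filtering resolver causing them all."""
    counts = {}
    for r in records:
        for ip in r.upstreams:
            counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Feed it `/var/log/messages` filtered for `unbound:` and a sudden cluster of failures from one upstream pair points at that upstream's filtering rather than at unbound itself.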

Hello,

This is currently not supported and not recommended.

If you really want to, you could disable DNSSEC manually in unbound, but you are opening your network wide to a large number of possible attacks.

-Michael
