Community discussions

 
User avatar
Xymox
Member
Member
Topic Author
Posts: 338
Joined: Thu Jan 21, 2010 5:04 pm
Location: Phoenix, Arizona US
Contact:

DNSSEC

Tue Jun 15, 2010 7:53 pm

Does RouterOS support DNSSEC ?

DNSSEC is making news. July deployment apparently..
 
User avatar
sergejs
MikroTik Support
MikroTik Support
Posts: 6610
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Re: DNSSEC

Wed Jun 16, 2010 1:15 pm

MikroTik DNS cache does not support it (it does not mark answer with digital signature).
 
User avatar
EMOziko
Member Candidate
Member Candidate
Posts: 129
Joined: Mon Aug 23, 2010 9:42 pm
Location: Georgia

Re: DNSSEC

Wed Nov 06, 2013 3:04 pm

Is there any news about this?
DNSSEC becoming world standard and more and more ISP's are implementing it. But if ISP is using Mikrotik production, it can't deploy DNSSEC.
Please Mikrotik, give us more reasons to use your production :)
We want new versions of The Dude!!!!!!!
 
itchycube
just joined
Posts: 4
Joined: Mon Jan 06, 2014 3:13 pm

Re: DNSSEC

Mon Feb 24, 2014 6:08 am

I'd add a +1 to this.

Would love to be able to turn on validation on routeros.
 
oreggin
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Fri Oct 16, 2009 9:21 pm

Re: DNSSEC

Wed Oct 01, 2014 12:01 pm

+1 for feature request
 
Zorro
Long time Member
Long time Member
Posts: 676
Joined: Wed Apr 16, 2014 2:43 pm

Re: DNSSEC

Wed Oct 01, 2014 3:58 pm

nope :(
its don't support DNSCurve too (DNSSec successor/replacement, proposed ~2yrs ago, but delayd for approval).
 
mhoungbo
just joined
Posts: 6
Joined: Wed Apr 11, 2012 4:04 pm

Re: DNSSEC

Sun Feb 15, 2015 5:13 pm

+1000000 for feature request
 
zopper
just joined
Posts: 10
Joined: Sat Dec 27, 2014 5:12 pm

Re: DNSSEC

Sun Apr 26, 2015 5:08 pm

Is there any reason why DNSSEC is still not implemented?
 
User avatar
IPANetEngineer
Trainer
Trainer
Posts: 959
Joined: Fri Aug 10, 2012 6:46 am
Location: Jackson, MS, USA
Contact:

Re: DNSSEC

Sun Apr 26, 2015 6:15 pm

+1 for DNSSEC

We have clients that need this feature
Global - MikroTik Support & Consulting - English | Francais | Español | Portuguese +1 855-645-7684
https://iparchitechs.com/services/mikro ... l-support/ mikrotiksupport@iparchitechs.com
 
papuas
just joined
Posts: 1
Joined: Thu May 28, 2015 3:10 pm

Re: DNSSEC

Thu May 28, 2015 3:14 pm

+1 for feature request
 
User avatar
chebedewel
just joined
Posts: 4
Joined: Tue Feb 02, 2016 6:41 am
Location: Noumea
Contact:

Re: DNSSEC

Tue May 24, 2016 9:34 am

up ! +1 for DNSSec on the resolver
Bertrand Cherrier
MTCNA - MTCTCE
_______________________________________________________
MikroTik Consultant & Distributor for New Caledonia
 
loredo
just joined
Posts: 1
Joined: Mon Jan 16, 2017 8:20 pm

Re: DNSSEC

Mon Jan 16, 2017 8:52 pm

+1 for feature request
 
Tabco2
just joined
Posts: 1
Joined: Mon Feb 06, 2017 4:19 am

Re: DNSSEC

Mon Feb 06, 2017 4:24 am

+1 for DNSSec As added feature
 
msatter
Forum Veteran
Forum Veteran
Posts: 876
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: DNSSEC

Mon Feb 06, 2017 9:58 am

I can't see any extra's functionality in this that I need. The DNS functionality that is current available is in my eyes there to change the real DNS responses or to create DNS responses for only internal use. The DNS of the Mikrotik let through the DNSSEC response from the real DNSsever to the client.
RB760iGS (hEX S) with the SFP being cooled.
Running:
RouterOS 6.43 / Winbox 3.18 / MikroTik APP 0.69
Cooling a SFP module: viewtopic.php?f=3&t=132258&p=671105#p671105
 
Sob
Forum Guru
Forum Guru
Posts: 3437
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNSSEC

Mon Feb 06, 2017 3:51 pm

The problem with just passing DNSSEC data to clients, when they ask for it, is that nothing actually does. Web browsers, as the most commonly used type of program today, couldn't care less about DNSSEC and will happily accept any fake reply. And other programs or operating systems are not any better.

To get protection, validation must happen on DNS resolver. It probably does on ISP's, but then the reply must travel through their network to you, and it's again possibly vulnerable. It's even worse for all kinds of public resolvers (longer path). If resolver in RouterOS could validate DNSSEC, it would help. On the other hand, it's a little more than just a simple addition, so MikroTik probably won't be rushing into it.
 
lysanev
just joined
Posts: 2
Joined: Sat Apr 19, 2014 9:03 am

Re: DNSSEC

Fri Apr 20, 2018 10:34 am

Today we have a public DNS 1.1.1.1 by Cloudflare, 8.8.8.8 by Google with DNS-over-TLS, and DNS-over-HTTPS, which both provide last mile encryption to keep DNS queries private and free from tampering. We wanna use it on our devices!!!

Full list DNS with dnssec https://download.dnscrypt.info/resolver ... solvers.md

Yes, it is not simple addition, but topic created years ago

p.s. Couple of DNS servers were hijacked to resolve http://myetherwallet.com users to be redirected to a phishing site. This is not on @myetherwallet side, we are in the process of verifying which servers to get it resolved asap.
Last edited by lysanev on Thu Apr 26, 2018 7:39 am, edited 1 time in total.
 
MechanicF
just joined
Posts: 3
Joined: Fri Apr 20, 2018 9:59 am

Re: DNSSEC

Fri Apr 20, 2018 1:20 pm

I fully support dnssec as an additional feature !! +100500 for feature request

Cheers, Mechanic
 
DummyPLUG
newbie
Posts: 36
Joined: Wed Jan 03, 2018 10:17 am

Re: DNSSEC

Tue May 22, 2018 8:52 am

Just switch from a draytek to ccr1009, but because lack of DNSSEC I am not sure if the CCR will go in production at all
 
candlerb
just joined
Posts: 8
Joined: Fri Jun 30, 2017 12:07 am

Re: DNSSEC

Fri Jul 06, 2018 7:41 pm

I believe I got bitten by this today. On Ubuntu 16.04, with lxd 3.0.1 installed from xenial-backports, the following command consistently failed:
root@nuc1:~# lxc launch images:debian/jessie/amd64 snf-image-jessie
Creating snf-image-jessie
Error: Failed container creation: Get https://images.linuxcontainers.org/streams/v1/index.json: lookup images.linuxcontainers.org on 10.12.255.1:53: read udp 10.12.255.11:46962->10.12.255.1:53: i/o timeout
/etc/resolv.conf
pointed to 10.12.255.1, which is Mikrotik hEX PoE. tcpdump showed that DNS packets were being sent, and responses returned by the Mikrotik. But after changing DNS to point to 8.8.8.8, it worked fine.

So there's something about the responses from the Mikrotik DNS forwarder that lxd doesn't like; and the obvious difference is DNSSEC (although I can't prove this is the cause):
root@nuc1:~# dig @10.12.255.1 images.linuxcontainers.org +dnssec +multi
...
;; ANSWER SECTION:
images.linuxcontainers.org. 900	IN CNAME canonical.images.linuxcontainers.org.
canonical.images.linuxcontainers.org. 900 IN A 91.189.91.21
canonical.images.linuxcontainers.org. 900 IN A 91.189.88.37
versus
root@nuc1:~# dig @8.8.8.8 images.linuxcontainers.org +dnssec +multi
...
;; ANSWER SECTION:
images.linuxcontainers.org. 77 IN CNAME	canonical.images.linuxcontainers.org.
images.linuxcontainers.org. 77 IN RRSIG	CNAME 8 3 900 (
				20180718083502 20180704052307 23359 linuxcontainers.org.
				NdCMnXYwpegRTCx0b92mylHnjgS7msdjnfTvz+ozjZOc
				JqA2DQxYFqsbKETc2nE3U2eOSi3UEFtR3V2959oMNTQv
				Du8R6OdZb9hFrXh6woEyAPe93fbk+hnehKP4UtqfPRG8
				uRJn6Tiqjdqt8TubHGQqpn9uJDpNMzSArXyZhyM= )
canonical.images.linuxcontainers.org. 334 IN A 91.189.91.21
canonical.images.linuxcontainers.org. 334 IN A 91.189.88.37
canonical.images.linuxcontainers.org. 334 IN RRSIG A 8 4 900 (
				20180710143450 20180626095643 23359 linuxcontainers.org.
				Uumc8LbdvVrbtuihoZo1dsDZTylkDLZNzK6V+Z66i+L0
				CIFRkbyRuHM8x2A1LQknuhwQfDJcZftjl5fPtNaztLYk
				hkhGVZ86vVwgqCS7clZLqpr38oSroB/NbqOxP/R7ibcJ
				l2h3UqNvLev4FpqqVYHLD/KIN62llCi7MoK7HNo= )
 
pe1chl
Forum Guru
Forum Guru
Posts: 4733
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNSSEC

Fri Jul 06, 2018 10:02 pm

Simple: do not use the resolver in the MikroTik for clients, but let them directly use 1.1.1.1 or 8.8.8.8 or similar.
(advertised via DHCP)
 
eXS
newbie
Posts: 31
Joined: Fri Apr 14, 2017 4:01 am

Re: DNSSEC

Sat Jul 07, 2018 3:34 am

Simple: do not use the resolver in the MikroTik for clients, but let them directly use 1.1.1.1 or 8.8.8.8 or similar.
(advertised via DHCP)
I think there's a lot of reasons people wouldn't want to do that though.
 
pe1chl
Forum Guru
Forum Guru
Posts: 4733
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNSSEC

Sat Jul 07, 2018 12:30 pm

Simple: do not use the resolver in the MikroTik for clients, but let them directly use 1.1.1.1 or 8.8.8.8 or similar.
(advertised via DHCP)
I think there's a lot of reasons people wouldn't want to do that though.
What are those reasons?
With most routers on the market, the built-in resolver is limited and sometimes buggy, and it is usually preferred not to use it and
directly refer to the internet resolvers of the ISP or one of those public resolvers. (there are others)
 
R1CH
Long time Member
Long time Member
Posts: 639
Joined: Sun Oct 01, 2006 11:44 pm

Re: DNSSEC

Sat Jul 07, 2018 2:42 pm

Using an external resolver also fixes latency issues caused by high CPU, routed packets through the kernel still proceed but user mode DNS server is starved, leading to slow DNS response. I also couldn't find a way to do DNS rebinding protection with Mikrotik which was the main reason I switched away.
 
DummyPLUG
newbie
Posts: 36
Joined: Wed Jan 03, 2018 10:17 am

Re: DNSSEC

Sun Jul 08, 2018 9:17 am

Simple: do not use the resolver in the MikroTik for clients, but let them directly use 1.1.1.1 or 8.8.8.8 or similar.
(advertised via DHCP)
I think there's a lot of reasons people wouldn't want to do that though.
What are those reasons?
With most routers on the market, the built-in resolver is limited and sometimes buggy, and it is usually preferred not to use it and
directly refer to the internet resolvers of the ISP or one of those public resolvers. (there are others)
such as when you need to force some domain resolve into specific IP?
 
pe1chl
Forum Guru
Forum Guru
Posts: 4733
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNSSEC

Sun Jul 08, 2018 7:08 pm

such as when you need to force some domain resolve into specific IP?
Then you are already in I-like-broken-networks territory. And DNSSEC is preventing you from doing it.
It is like "I need to do a redirect on a https:// URL". You may feel the need to do these things,
but the internet at large is trying harder and harder to prevent you from doing it.
 
User avatar
Cha0s
Forum Veteran
Forum Veteran
Posts: 805
Joined: Tue Oct 11, 2005 4:53 pm

Re: DNSSEC

Sun Jul 08, 2018 7:12 pm

such as when you need to force some domain resolve into specific IP?
Ever heard of hosts file?
 
Buster2
newbie
Posts: 34
Joined: Sun Jan 06, 2013 9:04 pm
Location: Germany, Dresden
Contact:

Re: DNSSEC

Wed Jul 11, 2018 12:33 am

Simple: do not use the resolver in the MikroTik for clients, but let them directly use 1.1.1.1 or 8.8.8.8 or similar.
I think there's a lot of reasons people wouldn't want to do that though.
such as when you need to force some domain resolve into specific IP?
I can imagine many situations where you want to
- inject an internal domain into DNS or
- use split DNS or
- just not let Google know which websites your clients are visiting ...

Ever heard of hosts file?
Hosts file are a mess for multiple clients or any client not under your control.
 
User avatar
Anastasia
just joined
Posts: 6
Joined: Wed Oct 28, 2015 7:12 pm

Re: DNSSEC

Sat Sep 15, 2018 8:43 pm

+1 for DNSSec
how long will you do it? why so long?
 
Sob
Forum Guru
Forum Guru
Posts: 3437
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNSSEC

Sun Sep 16, 2018 3:13 am

Simple: do not use the resolver in the MikroTik for clients, but let them directly use 1.1.1.1 or 8.8.8.8 or similar.
(advertised via DHCP)
I think there's a lot of reasons people wouldn't want to do that though.
What are those reasons?
A late reply, but since the thread was dug up by someone else...

You need to be sure that something verifies DNSSEC signatures. None of client programs does, so it needs to be the resolver. It you use ISP's resolvers, the path between them and you is still vulnerable. If you use 1.1.1.1, 8.8.8.8 or similar, it's the same, but the path is longer. If you want to be safe, you need your resolver to verify signatures. Client programs will still not care, but securing your internal network is in your hands. Unlike ISP's network, or the whole way to 8.8.8.8 and such.
 
pe1chl
Forum Guru
Forum Guru
Posts: 4733
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNSSEC

Sun Sep 16, 2018 12:57 pm

True, so there could be some utility in a DNSSEC validating resolver inside RouterOS that returns errors to the clients for nonvalidating replies.
However, I would not consider it a first priority. It will cause unexplainable problems to many users that just turn this on "because it should be a good idea".
(similar to what you experience when enabling IPv6: initially many sites that stopped working or became unbearingly slow, currently better but still the occasional problem)
 
Sob
Forum Guru
Forum Guru
Posts: 3437
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNSSEC

Sun Sep 16, 2018 6:43 pm

Yes, it would be interesting to watch how many things it would break. All kinds of DNS overrides would stop working. You could still set static records on your own router, but if done upstream, they would not pass the validation.
 
User avatar
Joni
newbie
Posts: 40
Joined: Fri Mar 20, 2015 2:46 pm
Contact:

Re: DNSSEC

Sun Sep 16, 2018 8:12 pm

 
pe1chl
Forum Guru
Forum Guru
Posts: 4733
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNSSEC

Sun Sep 16, 2018 8:23 pm

Yes, it would be interesting to watch how many things it would break. All kinds of DNS overrides would stop working. You could still set static records on your own router, but if done upstream, they would not pass the validation.
About 1.5 years ago I enabled DNSSEC on a caching resolver used by a number of users, and there were massive problems.
Many domains that were said to have DNSSEC in their parent domain but actually did not have it or had configured wrongly, so many domains failing validation.
About two months ago I enabled it again and now the problems are much less. I now leave it to the domain owners to get their act together.
(and to the users to complain)

However, I could understand when in other regions of the world the situation may still be bad. And when a manufacturer like MikroTik would make this available, they probably hit a lot of those regions.
As I mentioned, it is like IPv6: introduction of IPv6 to your clients does not bring any apparent benefits (lots of happy customers) but there is a serious risk that it will cause some issues (unhappy customers). So therefore many ISPs choose not to do that. This is of course a shame, but it is understandable.
 
Sob
Forum Guru
Forum Guru
Posts: 3437
Joined: Mon Apr 20, 2009 9:11 pm

Re: DNSSEC

Sun Sep 16, 2018 9:31 pm

My experience with DNSSEC from user perspective is positive. I have it on small hobby network for years, as an experiement, since the root zone was signed. I used to watch resolver logs and majority of failures were from various testing sites with intentionally broken DNSSEC. From admin perspective, it's a little less enjoyable, because it's easy to shoot yourself in foot. And it has happened in the past, e.g. one of local registrars, who also hosted DNS for customers, messed up DNSSEC for throusands of domains. Then next half a day everyone could see what ISPs do DNSSEC validation and what don't. Irony being that those caring about security had it seemingly broken. But I wouldn't worry about it much today, a lot of ISPs validate DNSSEC, big public DNS services too, so any broken domain won't stay broken for too long.

@Joni: DNS over TLS solves the problem between validating resolver and client. But you still have to trust the resolver. If it's something like Google's servers, they probably won't tamper with responses. But if you're at least slightly paranoid, you still can't trust them. So ideally RouterOS should have both, DNS over TLS for users where the biggest danger is evil or incompetent ISP, and also an option to actually validate DNSSEC.

Who is online

Users browsing this forum: gkk, Guntis and 42 guests