OpenDNS and DNSSEC
Have a DNSSEC-enabled BIND caching server which runs fine without using OpenDNS servers as forwarders.
As soon as I add the OpenDNS servers to "forwarders" my caching server cannot resolve queries.
Have implemented DNSSEC many times with no issues until now.
Is there a DNSSEC implementation for OpenDNS?
-
Official comment
OpenDNS is happy to announce support for DNSSEC.
Details can be found in the following article: https://support.opendns.com/hc/en-us/articles/360039659971
-
No, not DNSSEC, but DNSCrypt.
http://www.opendns.com/technology/dnscrypt/
http://dnscrypt.org/
-
OpenDNS doesn't support DNSSEC, and prevents doing the validation yourself if you wanted to do so, by stripping required records before forwarding a response to you.
If you need DNSSEC for specific zones (like, for publishing SSH host keys), you can configure BIND to forward queries to OpenDNS except for these zones.
-
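Added example, not part of the original thread: a Python check for whether a resolver's reply still carries RRSIG records when the query sets the EDNS0 DO bit, which is what a validating BIND needs from its forwarders. The name example.org and the sample replies are constructed, and the RRSIG rdata is dummy bytes rather than a real signature.

```python
import struct

RRSIG, OPT = 46, 41  # RR type codes

def encode_name(name):
    parts = [p for p in name.rstrip(".").split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, qtype=1, msg_id=0x1234):
    """Query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root owner, class = UDP payload size, TTL field = flags (DO = 0x8000)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0x00008000, 0)
    return header + question + opt

def skip_name(msg, off):
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def record_types(msg):
    """RR types found in the answer, authority and additional sections."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def keeps_dnssec_records(response):
    return RRSIG in record_types(response)

def sample_response(with_rrsig):
    """Constructed reply for example.org; RRSIG rdata is dummy, not a signature."""
    def rr(rtype, rdata):            # owner name = pointer to the question name
        return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    rrs = [rr(1, bytes([192, 0, 2, 1]))]
    if with_rrsig:
        rrs.append(rr(RRSIG, b"\x00" * 20))
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    return header + encode_name("example.org") + struct.pack("!HH", 1, 1) + b"".join(rrs)
```

To test a live forwarder, send `build_query()` for a name in a signed zone over UDP port 53 and pass the reply to `keeps_dnssec_records()`.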
Anyone can run a DNSCrypt server; OpenDNS is an option, but there are other free and public DNSCrypt-enabled resolvers.
See the project home page for a list and how to configure them: http://dnscrypt.org/
These are just the public resolvers I am aware of. There are probably more.
CloudNS resolvers support DNSSEC validation.
-
Is there a good reason DNSSEC has not been implemented yet? Even OpenDNS's own FAQ clearly states they are pro-DNSSEC and hope it sees more global adoption. But they don't actually support it at OpenDNS.
Having new requirements handed down to me, we now need to use DNSSEC. Which we really should have been a while ago. But I cannot use OpenDNS (which has been great and I really like) until DNSSEC is enabled.
-
Now, let's not be an asshole, rotblitz. We have to open the windows around here whenever you vent like that. artanisbunker, no need to use OpenDNS, which is way behind the times. Check the link to dnscrypt above, where you'll find a number of name servers which -do- use DNSSEC. Not only that, but a number of them do not log as well. Check this guy's blog: https://quantum-sci.com/cacook/howto-prevent-dns-cache-poisoning/