OpenDNS and DNSSEC

Comments

9 comments

  • rotblitz

    No, not DNSSEC, but DNSCrypt.
    http://www.opendns.com/technology/dnscrypt/
    http://dnscrypt.org/

    -1
  • jedisct1

    OpenDNS doesn't support DNSSEC, and prevents doing the validation yourself if you wanted to do so, by stripping required records before forwarding a response to you.

    If you need DNSSEC for specific zones (like, for publishing SSH host keys), you can configure BIND to forward queries to OpenDNS except for these zones.


    1
  • quantum7
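The split-forwarding setup jedisct1 describes, as an added BIND 9 named.conf example that is not part of this thread: the OpenDNS resolver addresses, the client range and the zone name example.org are assumptions here, to be replaced with your own.

```conf
// Added example, not from the thread: BIND 9 named.conf fragment.
// Everything is forwarded to OpenDNS, except the zones listed below,
// which named resolves itself from the root so that DNSSEC validation works.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { localhost; 192.0.2.0/24; };   // placeholder client range

    // Validate DNSSEC for anything named resolves on its own
    // (uses the built-in root trust anchor).
    dnssec-validation auto;

    // Default: hand every query to OpenDNS (addresses assumed; check OpenDNS docs).
    forwarders { 208.67.222.222; 208.67.220.220; };
    forward only;
};

// Override for zones where signed data (e.g. SSHFP records) is required:
// an empty forwarders list turns forwarding off for this zone, so named
// performs full recursion and validates the chain of trust itself.
zone "example.org" {
    type forward;
    forwarders { };
};
```

To confirm the override took effect, query the local resolver with `dig +dnssec SSHFP host.example.org @127.0.0.1` and check that the answer carries RRSIG records and the `ad` flag; the same query sent directly to OpenDNS should show neither.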

    Will OpenDNS ever support DNSSEC?


    If not, how can I point dnscrypt at another resolver?

    0
  • jedisct1

    Anyone can run a DNSCrypt server; OpenDNS is an option, but there are other free and public DNSCrypt-enabled resolvers.

    See the project home page for a list and how to configure them: http://dnscrypt.org/

    These are just the public resolvers I am aware of. There are probably more.

    CloudNS resolvers support DNSSEC validation.

    0
  • quantum7
    Nice, I like the edns option too. Trying tomorrow.
    0
  • quantum7
    Yep, works great with a resolver 10,000km away, with edns enabled. So nice to be able to choose.
    0
  • artanisbunker

    Is there a good reason DNSSEC has not been implemented yet? Even OpenDNS's own FAQ clearly states they are pro-DNSSEC and hope it sees more global adoption. But they don't actually support it at OpenDNS.


    Having new requirements handed down to me, we now need to use DNSSEC. Which we really should have been a while ago. But I cannot use OpenDNS (which has been great and I really like) until DNSSEC is enabled.

    0
  • rotblitz

    I bet OpenDNS will get over your loss. They still have more than 30 million users and will not miss you...

    -3
  • quantum7
    Now, let's not be an asshole, rotblitz. We have to open the windows around here whenever you vent like that. artanisbunker, no need to use OpenDNS, which is way behind the times. Check the link to dnscrypt above, where you'll find a number of name servers which -do- use DNSSEC. Not only that, but a number of them do not log as well. Check this guy's blog: https://quantum-sci.com/cacook/howto-prevent-dns-cache-poisoning/
    1