Koozali.org: home of the SME Server

Will SME11 support DNSSEC?

Offline wdepot

Will SME11 support DNSSEC?
« on: May 20, 2026, 02:19:33 AM »
Just wondering if secure DNS will be available in SME11? We recently ran into an issue where Firefox on local computers was having issues connecting to a website on the local server, and finally figured out that it was because Firefox was requiring DNS over HTTPS for the domain, so it wasn't getting the DNS from the server itself but from the registrar instead. Thankfully Firefox allows you to override secure DNS for specific sites, but it would be nice if it was available directly on the server to avoid such issues.

Offline bunkobugsy

Re: Will SME11 support DNSSEC?
« Reply #1 on: May 20, 2026, 08:10:21 AM »
SME12 might, but I doubt it will solve this kind of problem.

Offline ReetP

Re: Will SME11 support DNSSEC?
« Reply #2 on: May 20, 2026, 12:31:20 PM »
It won't solve your issue because Firefox will still ignore you and do its own thing unless you instruct it otherwise.

Firefox should not be using offsite domains in a corporate environment, but Mozilla in their infinite wisdom decided to make this the default some while ago.

Fine if you are on the go or just an average single user. Less so in a corporate environment.

Either set a default Firefox policy to disable it per app:

https://github.com/mozilla/policy-templates/releases

policies.json

Code:
    {
      "policies": {
        "DNSOverHTTPS": {
          "Enabled": false,
          "Locked": true,
          "ExcludedDomains": ["example.com"]
        }
      }
    }


Or more easily on your server for all clients:

https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
https://www.chromium.org/developers/dns-over-https/

Code:
    db domains set use-application-dns.net domain Content Primary Description FirefoxCanaryDomain Nameservers localhost
    signal-event domain-create use-application-dns.net


(this will also create unnecessary hostnames for the domain and be an NFR to fix it, but it works perfectly well)
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation
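A way to see what the canary trick above actually produces on the wire, as an added example that is not code from this thread or from SME Server. It encodes the rule Mozilla documents for use-application-dns.net as I read it: a reply of NXDOMAIN, SERVFAIL, or NOERROR carrying no A/AAAA records tells Firefox not to enable DoH automatically; Firefox ignores the canary when DoH has been forced on by the user or by an enterprise policy, which is why the policies.json route is the only one that also covers those clients. The DNS messages in the block are constructed test data, and the 192.168.1.1 resolver address is an assumed LAN address for the SME server.

```python
"""Check what a LAN resolver's answer for Firefox's canary domain will do.

Added example, not code from this thread or from SME Server. It encodes the
rule Mozilla documents for use-application-dns.net as I read it: a reply of
NXDOMAIN, SERVFAIL, or NOERROR with no A/AAAA records makes Firefox skip
automatic DoH. Firefox ignores the canary when DoH is forced on by the user
or by an enterprise policy. All wire-format messages below are constructed.
"""
import socket
import struct
import sys

CANARY = "use-application-dns.net"
TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Standard recursive query: RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, rcode, answers=(), txid=0x1234):
    """Constructed reply: QR|RD|RA + rcode. answers are (rtype, rdata) pairs
    whose owner name is a compression pointer back to the question (0xc00c)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Return (rcode, [answer rtypes]); raises if the message is not a response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4       # skip QTYPE + QCLASS
    rtypes = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rtypes.append(rtype)
        off += 10 + rdlen
    return flags & 0x000F, rtypes


def doh_disabled_by_canary(msg):
    """True when the reply matches one of the documented 'disable DoH' signals.
    Other rcodes (e.g. REFUSED) are not on Mozilla's list, so they return False."""
    rcode, rtypes = parse_response(msg)
    if rcode in (RCODE_NXDOMAIN, RCODE_SERVFAIL):
        return True
    if rcode != RCODE_NOERROR:
        return False
    return not any(t in (TYPE_A, TYPE_AAAA) for t in rtypes)


# Constructed replies a LAN resolver might give for the canary domain.
SCENARIOS = {
    "nxdomain": build_response(CANARY, RCODE_NXDOMAIN),
    "servfail": build_response(CANARY, RCODE_SERVFAIL),
    "noerror_empty": build_response(CANARY, RCODE_NOERROR),
    "cname_only": build_response(CANARY, RCODE_NOERROR,
                                 [(TYPE_CNAME, encode_name("dns.example"))]),
    "a_record": build_response(CANARY, RCODE_NOERROR,
                               [(TYPE_A, bytes([192, 0, 2, 10]))]),
}


def query_resolver(resolver_ip, timeout=2.0):
    """Live check against a real resolver. Firefox also queries AAAA;
    run both types if you want to mirror it exactly."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(CANARY), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    return doh_disabled_by_canary(data)


if __name__ == "__main__":
    for label, reply in SCENARIOS.items():
        print(f"{label:14s} -> DoH disabled: {doh_disabled_by_canary(reply)}")
    if len(sys.argv) > 1:                    # e.g. python3 canary_check.py 192.168.1.1 (assumed SME LAN IP)
        print("live", sys.argv[1], "->", query_resolver(sys.argv[1]))
```

Run it with the SME server's LAN address as the argument after applying the db commands above; a result of True means the canary reply will stop Firefox's automatic DoH, while an A record for the apex (the "a_record" scenario) gives no signal and Firefox carries on with its own resolver.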

Offline wdepot

Re: Will SME11 support DNSSEC?
« Reply #3 on: May 20, 2026, 06:20:20 PM »
Quote
SME12 might, but I doubt it will solve this kind of problem.

I did a bit of research and found that Rocky Linux 8 can support DNS over HTTPS and DNS over TLS which is probably all that is really needed to overcome the problem I was having. Of the two it looks like DNS over TLS will be the easiest to implement since it looks like a matter of creating one setting. From the internet result I found:
Quote
Systemd-resolved: For client-side DoT resolution on a Rocky Linux 8 workstation, you can configure systemd's built-in resolver. Simply adjust the /etc/systemd/resolved.conf file to set your DNSOverTLS=yes.
I'm guessing that as long as Firefox finds that it can get a secure connection to the specified DNS provider it will use it rather than finding its own DNS provider.


Offline ReetP

Re: Will SME11 support DNSSEC?
« Reply #4 on: May 20, 2026, 08:18:27 PM »
You really are making your life complex.

Note your question

Quote
Will SME11 support DNSSEC?

was already answered....

Quote
I did a bit of research

If you mean you used AI to fill in the gaps in your knowledge because you don't like the answers you were given, then see previous replies about using AI to find answers on SME.

I'll précis it.

Don't.

It will hallucinate and use generic, incorrect, answers. YMMV.

Quote
and found that Rocky Linux 8 can support DNS over HTTPS and DNS over TLS which is probably all that is really needed to overcome the problem I was having.

So what DNS system does SME use? (Clue - not BIND which is slated for 12)

So, as previously mentioned, likely it won't.... You'll just break your network.

Quote
Of the two it looks like DNS over TLS will be the easiest to implement since it looks like a matter of creating one setting.

If you think it is that simple then open a NFR bug, after searching for dns, bind etc, and then add your simple patch.

Bear in mind if it was that simple we would have already done it........

Do you know what other services depend on DNS?

Quote
From the internet result I found: I'm guessing

Stop guessing. Do proper research and don't use AI.

Otherwise you will likely break your server, and lookups.

In the absence of SME doing DNSSEC we have told you your options.

(Not sure on the sudden hurry right now as DNSSEC & DoH has been around for years but we are few, get almost no help (but users expect us to help them), and have to make priorities and choices about what we build)

Your time would be better spent with a Rocket account where you can learn, help, and understand.

Then you won't become an XY problem.

Offline Jean-Philippe Pialasse

Re: Will SME11 support DNSSEC?
« Reply #5 on: May 21, 2026, 08:23:49 PM »
We see here allusions to two different things.

DNSSEC is related to the fact that the result is authenticated and genuine. If you are the owner of the network and the server you can already check that without DNSSEC.

DoH and DoT are about exchanging this DNS information under encryption.

SME 11 is already very late to be released. It was not viable to rewrite the whole DNS stack to get away from DJBdns.

Yes, patches exist, but they are written without the patches we already use.

As already answered, the good approach is to prevent Firefox from bypassing your corporate DNS provided by SME.

By doing so FF is acting as a trojan. Good practice is even to block any remote DNS services. The place where I work is blocking all known IPs providing DoH and blocking ports 53 / 853.