Verify TLS certificates for DNS over TLS connections in unbound
- 19 Jun 2018: Post was created
I was just notified by the operator of uncensoreddns.org that I should be pinning the public key of the DNS server’s TLS certificate.
I am using unbound as my local DNS resolver and uncensoreddns.org as my “SSL upstream” forwarding zone.
I was surprised to learn that unbound did not perform any verification by itself, and that I have been open to MITM attacks just as easily as with plaintext DNS over port 53 for a long ass time.
Enable TLS certificate verification
forward-tls-upstream option to use DNS over TLS. However, without tls-cert-bundle, no TLS certificate authentication will be
Here is a working example unbound.conf that verifies the upstream's TLS certificate against the CA bundle and checks that the certificate's hostname matches the name given on each forward-addr line:

server:
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    trust-anchor-file: trusted-key.key
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # The #hostname suffix on the forward-addr lines below (no space before
    # the #) is the name the TLS certificate is verified against
    forward-addr: 2a01:3a0:53:53::@853#unicast.censurfridns.dk
    forward-addr: 188.8.131.52@853#unicast.censurfridns.dk
To verify that the hostname check is actually performed, try changing the hostname that has been suffixed to the forward-addr lines to one that does not match the certificate, and see what happens when requesting a lookup with dig @127.0.0.1 blog.stigok.com:

systemd: Started Unbound DNS Resolver.
unbound: [1221:0] notice: init module 0: validator
unbound: [1221:0] notice: init module 1: iterator
unbound: [1221:0] info: start of service (unbound 1.7.2).
unbound: [1221:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
unbound: [1221:0] notice: ssl handshake failed 2a01:3a0:53:53:: port 853
unbound: [1221:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
unbound: [1221:0] notice: ssl handshake failed 2a01:3a0:53:53:: port 853
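The two failure modes this post describes (no tls-cert-bundle, and a forward-addr without a #hostname suffix) are easy to miss in a config review, and the handshake error above is the only symptom once they are fixed. The script below is an added example, not code from the post or from the unbound project: it lints an unbound.conf for forward zones that use DNS over TLS without verification, and it reproduces unbound's check by connecting to an upstream with Python's ssl module using the CA bundle and the #hostname as server_hostname. The two sample configs are constructed here (192.0.2.53 is a documentation placeholder address, not a real resolver), and probe_upstream is the only part that needs network access.

```python
import re
import socket
import ssl
import struct

# Constructed sample configs (not the post's file): GOOD mirrors the working
# unbound.conf above; BAD lacks tls-cert-bundle and one #hostname suffix.
# 192.0.2.53 is a documentation placeholder address.
GOOD_CONF = """\
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # hostname after '#' (no space) is what the certificate is checked against
    forward-addr: 2a01:3a0:53:53::@853#unicast.censurfridns.dk
    forward-addr: 192.0.2.53@853#unicast.censurfridns.dk
"""
BAD_CONF = """\
server:
    use-syslog: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2a01:3a0:53:53::@853
    forward-addr: 192.0.2.53@853#unicast.censurfridns.dk
"""

# forward-addr syntax: addr[@port][#authname]; the '#' must be glued to the
# address, otherwise unbound reads it as the start of a comment.
ADDR_RE = re.compile(r"^(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def parse_forward_addr(value):
    """Return (host, port, auth_name); auth_name is None without a '#name' suffix."""
    m = ADDR_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparsable forward-addr: {value!r}")
    return m["host"], int(m["port"] or 53), m["auth"]


def lint_unbound_conf(text):
    """Return a list of findings for forward zones whose TLS is not verified."""
    findings, have_bundle, section, zones = [], False, None, []
    for raw in text.splitlines():
        # '#' starts a comment only at line start or after whitespace
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:                       # bare 'server:' / 'forward-zone:'
            section = key
            if key == "forward-zone":
                zones.append({"name": "?", "tls": False, "addrs": []})
            continue
        if section == "server" and key == "tls-cert-bundle":
            have_bundle = True
        elif section == "forward-zone" and zones:
            zone = zones[-1]
            if key == "name":
                zone["name"] = value.strip('"')
            elif key == "forward-tls-upstream":
                zone["tls"] = value.lower() == "yes"
            elif key == "forward-addr":
                zone["addrs"].append(parse_forward_addr(value))
    for z in zones:
        if not z["tls"]:
            findings.append(f"zone {z['name']}: forward-tls-upstream not set, queries are sent in plaintext")
            continue
        if not have_bundle:
            findings.append(f"zone {z['name']}: no tls-cert-bundle in server section, upstream certificates are not verified")
        for host, port, auth in z["addrs"]:
            if auth is None:
                findings.append(f"zone {z['name']}: forward-addr {host}@{port} has no #hostname suffix, certificate name is not checked")
    return findings


def verifying_context(ca_bundle="/etc/ssl/certs/ca-certificates.crt"):
    """TLS context doing what tls-cert-bundle + #hostname do in unbound: chain and name checks."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_dot_query(name, qtype=1, txid=0x1234):
    """Encode one query (qtype 1 = A) with the 2-byte length prefix DNS over TLS uses (RFC 7858)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)       # qclass IN
    return struct.pack("!H", len(msg)) + msg


def parse_response(msg):
    """Return (txid, rcode, answer_count) from a DNS message without its length prefix."""
    txid, flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    return txid, flags & 0xF, an


def probe_upstream(host, port, auth_name, ca_bundle, name="blog.stigok.com"):
    """Connect the way unbound does; raises ssl.SSLCertVerificationError when the
    certificate does not chain to the bundle or does not carry auth_name."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with verifying_context(ca_bundle).wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(build_dot_query(name))
            reader = tls.makefile("rb")
            (length,) = struct.unpack("!H", reader.read(2))
            return parse_response(reader.read(length))


if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD_CONF), ("BAD", BAD_CONF)):
        print(label, lint_unbound_conf(conf) or "no findings")
```

Running the lint against BAD_CONF reports both gaps; running probe_upstream with a deliberately wrong auth_name fails inside wrap_socket with a certificate verification error, which is the Python-side twin of the "certificate verify failed" lines in the unbound log above. The comment-stripping regex deliberately treats "#" as a comment only when preceded by whitespace, because that is what makes the glued #hostname suffix work in unbound's own config parser.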
If you have any comments or feedback, please send me an e-mail. (stig at stigok dotcom).