@VMlabman said in Unable to resolve acb.netgate.com:
Will trusting Netgate and checking DNS Query Forwarding break my DNS Over/TLS on 853 ?
Unbound, when resolving, is using the internet's root DNS servers directly, and from there on it will use one of the available TLD servers (dot com, dot org, dot net, dot whatever) to find the DNS name server, for example the DNS server of facebook if you are looking for one of the IPs of facebook.
If you are forwarding, you are forwarding to some other resolver, who does exactly the same thing for you.
So, the question can be reformulated as : do you trust the Internet ?
Or do you trust someone else, who in turn trusts the Internet ?
I tend to say : more trust is gained when removing needless steps. The less you have to trust, the better it is.
The original "resolve yourself directly" can have one more massive advantage : if the domain you're looking for was set up to use DNSSEC, you (unbound, pfSense) will know that the answer is valid, without being spoofed.
Example here : I own (rent !) this domain. Hover over :
[image: DNSSEC resolution chart for the author's domain]
There you see my A (web server) address. That answer is guaranteed, as it was 'signed' using certificates from top to bottom. Same thing for the MX, AAAA, NS, any TXT fields etc.
The chart also shows the complete ordinary resolving process, which will happen in parallel. All steps will be verified.
Example : if you use a forwarder, you can't use DNSSEC, it's meaningless. This means you could fall for what is known as DNS spoofing. DNS Spoofing is .... bad.
One simple example : If I could spoof one or more "microsoft.com" (sub) domain name DNS requests, I could have your PC point to my infrastructure instead of "microsoft.com". 5 minutes later your OS will download and apply updates from my servers, not "microsoft.com". 1 minute later I own your PC, and the other x billion also.
Game over for the world's economy right after that.
Game over all together shortly after that.
The good news : all serious resolvers (1.1.1.1, 9.9.9.9 etc) you can forward to are doing the DNSSEC test for you, if available - if the domain name searched for has DNSSEC set up.
The bad news is : if they (the resolver you are forwarding to) have a security issue, you're gone.
And I get it : there is another thing going on here : forwarding permits you to 'hide' (== protect) DNS traffic between you and the resolver you forward to.
Internet's original DNS, the root servers, TLDs and domain name servers don't allow this.
[ AFAIK : Why ? Because DNS traffic is small, of just one packet "up and down", and needs to be done as fast as possible. Using TLS for all DNS traffic will multiply the resources needed by .... 1000 times at least for the DNS servers. Using a TLS connection is one thing, creating a new TLS connection for every DNS request is another, even worse ....
Read this one : https://news.ycombinator.com/item?id=16742638 and discover why 'countries' (or other entities) maybe don't want to push to 'all DNS over TLS' .... ]
Now, we have all these people that are forwarding over "some resolver" and they think they are safe because they use DNS Over/TLS on 853.
Right.
You just made life easier for your "local government" : all they have to do is put a tap at (in !) this resolver, and all info is there, nicely centralized.
Take note : see the resemblance : VPN ISPs could function the same way ( 😊 ).
All this boils down to : "you do your best to make yourself safe, and while doing so you managed to make spying on you easier (this is the "everybody is happy now" concept)". In the case of using VPN ISPs, add "... and you are even paying for it".
Btw : once in a while, I do test forwarding to 9.9.9.9 or 1.1.1.1 or someone else. Using TLS of course.
It always worked great for me, never had any issues.
I always fall back to plain simple resolving. As I strongly believe that 'keep things simple' is the way to go. DNS was designed 50 years ago to work 'like that' so I adhere.
I'm aware of this : it's more a politics thing actually. There is no good choice to make here. It's your choice, and mine.
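The two modes the post compares, written out as unbound.conf fragments. This is an added example by the editor, not configuration from the post or from pfSense itself; the LAN address, file paths and CA bundle location are assumptions and must be adapted to the local install (pfSense generates its own unbound.conf from the GUI, so on that platform these lines belong in the "Custom options" box, if anywhere).

```conf
# Added example, not from the post. Two alternative unbound.conf fragments.
#
# Mode A: "resolve yourself directly". unbound walks root -> TLD ->
# authoritative server and checks the DNSSEC signature chain itself,
# so an "ad" (authenticated data) flag in an answer is unbound's own
# verdict, not someone else's claim.
server:
    interface: 192.168.1.1                      # assumed LAN address
    access-control: 192.168.1.0/24 allow        # assumed LAN prefix
    root-hints: "/var/unbound/root.hints"       # assumed path to the root hints file
    auto-trust-anchor-file: "/var/unbound/root.key"   # assumed path; RFC 5011 managed root key
    harden-dnssec-stripped: yes                 # refuse answers whose signatures were removed
    val-log-level: 1                            # log the reason when validation fails

# Mode B: forward everything over TLS on port 853 to a public resolver.
# The upstream now does the walk on your behalf, and it is the single
# point where every query from this site is visible in the clear.
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"        # assumed path; CA bundle used to authenticate the upstream
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net             # name after '#' is checked against the TLS certificate
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Run `unbound-checkconf` after editing to catch syntax errors before a restart. To see which side is doing the validation, query a signed zone through the resolver with `dig +dnssec` and look at the flags: in Mode A the `ad` flag is set by your own unbound; in Mode B it reflects what the forwarder returned, which is exactly the trust decision the post is talking about.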