Adding your FRiTZ!Box as a „secure“ DNS resolver for the pseudo-domain

Your FRiTZ!Box maintains a useful list of names of machines in your local network in its pseudo-domain, based on DHCP requests and the web interface. This information is useful, but adding the pseudo-domain „“ to your own DNS hierarchy is no longer straightforward in the days of DNSSEC. Here is how to include it in your own ISC BIND9 DNS server.

The naïve way

BIND lets you delegate a zone easily by adding a zone entry to named.conf as follows (assuming is the address of your FRiTZ!Box):

zone "" {
  type forward;
  forward only;
  forwarders {; };
};

This tells your local BIND named to send all requests within the domain to your FRiTZ!Box. With a modern dig and named, this causes problems due to the DNSSEC interaction:

$ dig

; <<>> DiG 9.9.5-3-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38726
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;            IN      A

;; Query time: 3 msec
;; WHEN: Sat Oct 18 21:43:10 CEST 2014
;; MSG SIZE  rcvd: 47

Why it does not work

Please note the SERVFAIL (emphasis mine), i.e., the server complains about a problem. Looking into /var/log/syslog, we can see (emphasis again mine):

Oct 18 21:43:02 capacity named[31015]: error (insecurity proof failed) resolving '':
Oct 18 21:43:10 capacity named[31015]:   validating @0x7feb10019180: SOA: got insecure response; parent indicates it should be secure
Oct 18 21:43:10 capacity named[31015]: error (no valid RRSIG) resolving '':
Oct 18 21:43:10 capacity named[31015]: error (no valid DS) resolving '':

„Got insecure response“ is true: the FRiTZ!Box does not sign its DNS responses. However, what is „parent indicates it should be secure“ supposed to mean? There is no parent zone, box, there is only However, named believes this zone should be signed because the parent zone does not say the child zone is unsigned.

To understand this, let us look at the „normal“ hierarchy: The root zone is signed. To indicate whether a child zone is signed, it includes a valid DS (Delegation Signer) record for the child, which authenticates the key used in the subdomain. To indicate that a child zone is without DNSSEC, there is no DS record.

To prevent an attacker from suppressing this DS record in order to be able to modify any DNS record in the domain and subvert the entire DNSSEC infrastructure, the absence of a DS record needs to be cryptographically signed, typically through an NSEC3 (Next Secure Record, version 3) that explicitly lists the DS as absent.

As the parent zone includes neither, named errs on the side of caution and assumes an attacker is doing something malicious.
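
To find which names on your own resolver run into this failure, the following added example (not part of the original post) scans named syslog lines for the messages shown above and separates unsigned-upstream failures from other DNSSEC errors. The sample lines, the names lan.example and signed.example, the 192.0.2.x addresses and the verdict labels are constructed, and the `'name/TYPE/IN': server#port` suffix is assumed from named's usual log format.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the excerpt above; lan.example, signed.example
# and the 192.0.2.x addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
Oct 18 21:43:02 capacity named[31015]: error (insecurity proof failed) resolving 'host.lan.example/A/IN': 192.0.2.1#53
Oct 18 21:43:10 capacity named[31015]:   validating @0x7feb10019180: lan.example SOA: got insecure response; parent indicates it should be secure
Oct 18 21:43:10 capacity named[31015]: error (no valid RRSIG) resolving 'printer.lan.example/A/IN': 192.0.2.1#53
Oct 18 21:43:10 capacity named[31015]: error (no valid DS) resolving 'lan.example/DS/IN': 192.0.2.1#53
Oct 18 21:44:00 capacity named[31015]: error (no valid RRSIG) resolving 'www.signed.example/A/IN': 192.0.2.53#53
"""

RESOLVE = re.compile(r"named\[\d+\]:\s+error \((?P<reason>[^)]+)\) resolving "
                     r"'(?P<name>[^/']+)/(?P<rtype>\w+)/IN': (?P<server>[^#\s]+)#\d+")
INSECURE = re.compile(r"named\[\d+\]:\s+validating @0x[0-9a-f]+: (?P<zone>\S+) \w+: "
                      r"got insecure response; parent indicates it should be secure")

def under(name, zone):
    """True if name equals zone or is a subdomain of it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def triage(log_text):
    """Map each failing query name to its reasons, upstream servers and a verdict."""
    unsigned_zones = set()
    failures = defaultdict(lambda: {"reasons": set(), "servers": set()})
    for line in log_text.splitlines():
        if m := INSECURE.search(line):
            unsigned_zones.add(m["zone"])
        elif m := RESOLVE.search(line):
            failures[m["name"]]["reasons"].add(m["reason"])
            failures[m["name"]]["servers"].add(m["server"])
    report = {}
    for name, f in failures.items():
        # Unsigned data under a parent that never proved the delegation insecure:
        # the forwarded-zone case from this post, fixed by a signed parent without DS.
        unsigned = ("insecurity proof failed" in f["reasons"]
                    or any(under(name, z) for z in unsigned_zones))
        verdict = "unsigned-upstream" if unsigned else "other-dnssec-failure"
        report[name] = {**f, "verdict": verdict}
    return report

if __name__ == "__main__":
    for name, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name:24} {info['verdict']:22} via {sorted(info['servers'])}")
```

Names reported as unsigned-upstream are the ones that need a signed parent zone without a DS record; the others point to a signature problem in a zone that is supposed to be signed.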

How to make it work

The way around that misconception is to actually have a parent zone which states that the child zone is without DNSSEC support. Create a zone file /etc/bind/ with the following contents.

$TTL    3600
@       SOA (
               2014101800 ; Serial
               1d         ; Refresh
               3h         ; Retry
               4w         ; Expire
               300s )     ; Negative Cache TTL
@       NS
fritz   NS

(In your setup, you will have to change the bold parts: @ NS should state your real nameserver and has to be replaced with the IP address of your FRiTZ!Box.)

Of course, this file needs to be DNSSEC protected.

To make this database visible, our named.conf zone entry needs to be changed to:

zone "" {
  type master;
  file "/etc/bind/";
};
