If you're reading this, the chances are good that you have a household or small office containing one or more Internet-capable devices which all require access to the Domain Name System (DNS) to resolve names (e.g. google.com) to IP addresses. You'll typically have a small router which hands out addresses to your equipment via DHCP and which provides DNS resolution service.

Chances are also good that you've heard of DNSSEC, the Domain Name System Security Extensions -- a suite of protocol extensions to the DNS which provide origin authentication and data integrity for DNS data. DNSSEC protects clients from forged DNS data: answers to DNS requests are digitally signed and validated. Most, if not all, small home routers (a.k.a. CPE) do not provide this service, and we don't expect them to become DNSSEC-capable in the near future.

In order to bring the fuzzy warm feeling of having secure DNS (DNSSEC) as close as possible to your home office or small office (SOHO), we've created what we call DAP, a DNSSEC Appliance. DAP isn't a bit of hardware, but rather a suite of tools packaged together to run on your existing (or future, if you like this idea?) Network Attached Storage (NAS). In its first incarnation, DAP runs very nicely on Netgear's ReadyNAS series of boxes.

Architecture

DAP's central component is a recursive caching and validating DNS server which is provided by Unbound. In addition, a DHCP service is provided by dnsmasq. As you may know, dnsmasq also contains an embedded DNS server, and DAP uses that as well: Unbound forwards DNS queries for your personal yTLD to dnsmasq which provides answers for, say, devices which have registered a DHCP lease.

In addition to DHCP, you can enable dnsmasq's built-in TFTP server to provide boot services on your network if you need that.

Features

DAP currently has the following features:

  • A configurable, personal top-level domain (we call this a yTLD here, which stands for your TLD) for naming and managing your own hosts in your network. For example, if you have a networked printer with an awkward name, you can create your own host name for that printer (e.g. printer.intern) and use that henceforth.
  • A recursive, validating, DNSSEC server powered by Unbound. We won't say much about that here (except that it rocks!), but please do browse and consult the Unbound documentation.
  • An integrated DHCP server powered by dnsmasq which makes your devices resolvable in the yTLD. The DHCP server is disabled by default: your SOHO network must have only one DHCP server, so you can get started with DAP first and disable your existing DHCP server later.
  • A Web interface with which to:
    • edit configuration files
    • view logs and system information
    • restart services if necessary
    • show statistics. The total number of DNS queries, cache hits and cache misses is refreshed on the interface every few seconds, together with a graphical representation of these counters.
    • test the DNSSEC capabilities of DAP as well as a handy link to the SIDN DNSSEC browser test.
    • quick access to the original program documentation of the components involved
  • Secure version-update alerts on the Web interface, delivered via DNSSEC.
  • Behind the scenes, DAP offers the following:
    • DNSSEC root trust anchor is updated daily.
    • DLV is integrated and enabled by default.

The DAP control panel

[Screenshot: DAP Web GUI]

The Control Panel (or Web GUI) should be simple to use in spite of it being all AJAXy. :) Individual menu entries select a particular option or function, and those in the Edit: line let you edit some of DAP's configuration files. After any modification, we strongly recommend you display the logfile to ensure you haven't introduced an error. If an edit requires a DAP component to be restarted, you'll be notified on the Panel.

The top-right corner of the panel shows current query statistics for your DNS server, and this area is updated periodically.

DAP in your network

DAP is designed to fit nicely into your network, alongside your existing equipment.

[Diagram: DAP in your network]

We decided to disable DAP's built-in DHCP service by default, as you'll already have such a service provided by your router. We do, however, recommend you disable the latter and enable DHCP on DAP.

Getting started

Upon first launching the appliance (see Implementations below) all required services are automatically started with quite sane defaults. Nevertheless, you should review these and decide whether they suit your environment.

Your top-level-domain (yTLD)

Decide on the name you wish to assign to your own personal "top-level-domain". This name (default: intern) is the domain in which devices which get a DHCP lease will register themselves. For example, when my iPhone obtains a DHCP address from DAP it will provide a name for itself (JPs-iPhone) and DAP will resolve the name jps-iphone.intern to the device's address.

Do not choose an existing domain name as your yTLD; if you need suggestions, perhaps an abbreviation of your name, or one of the unassigned ISO country codes might work well.

To change your yTLD click on the domain name at the top of the control panel. After saving the name, you'll be prompted to restart the services.

Built-in DHCP or not?

Decide on whether you want to use DAP's built-in DHCP server or not. One advantage is that you get a nice little Web interface with which you can review current DHCP assignments (see screen shot above). If you do use DAP's DHCP server, you will have to disable any other DHCP servers on your network. (Consult your router's documentation to find out how to accomplish that.)

The rest of this document assumes you'll be running DAP's built-in DHCP service.

To enable DHCP in DAP choose Edit: dhcp.conf in the Control Panel, whereupon you'll see something like this:

# ---: NOTE
# The integrated DHCP server is disabled. To enable it
# remove the comment for dhcp-range and verify the range
# of addresses you wish to provide on your network, as
# well as the default gateway, and DNS server (DAP)
# on the following 4 options.
# 
# ---: (1) DHCP server
# dhcp-range=192.168.1.180,192.168.1.220,255.255.255.0,24h
# ::
# ---: (2) Default gateway
# dhcp-option=option:router,192.168.1.1
# ::
# ---: (3) DNS server
# dhcp-option=option:dns-server,192.168.1.80
# ::
# dhcp-option=option:dns-server,192.168.1.1,192.168.1.4
# ---: (4) NTP (time) server
dhcp-option=option:ntp-server,85.214.230.247,178.63.101.8,192.53.103.108
# ::

There are four (4) settings you have to verify, and you'll want to enable the first three, after consulting the dnsmasq manual:

  1. dhcp-range enables the DHCP server on DAP. Here you specify the address range you want to dole out on your network. The example above will hand out leases in the range 192.168.1.180 through 192.168.1.220.
  2. dhcp-option=option:router tells your devices which gateway they should use. Specify the IP address of your existing router.
  3. dhcp-option=option:dns-server tells your devices which DNS server(s) they should use. Here you specify the address of the machine on which DAP is running. (This is typically pre-configured for you.)
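The three options above only work if the lease range, the gateway and the DNS server all live in the subnet implied by the 255.255.255.0 netmask; a typo in one of them leaves clients with an unreachable gateway or resolver. The following shell snippet is an added example, not part of DAP: it renders the three enabled dhcp.conf lines from parameters and refuses to do so when the addresses do not share one /24. The addresses are the page's sample values, and 192.168.1.80 is assumed to be the DAP host.

```shell
#!/bin/sh
# Added example (not DAP's own code): render the three dhcp.conf options that
# DAP ships commented out, after checking that the lease range, the router and
# the DNS server all sit in the same /24 (the 255.255.255.0 netmask used above).

# Print the first three octets of a dotted-quad address, i.e. its /24 prefix.
prefix24() {
    printf '%s' "$1" | cut -d. -f1-3
}

# Return 0 (true) when every argument shares the /24 prefix of the first one.
same_subnet24() {
    want=$(prefix24 "$1")
    shift
    for addr in "$@"; do
        [ "$(prefix24 "$addr")" = "$want" ] || return 1
    done
    return 0
}

# Emit the enabled dhcp.conf lines.
# Usage: render_dhcp_conf <range-start> <range-end> <router> <dns-server> [lease-time]
render_dhcp_conf() {
    start=$1; end=$2; router=$3; dns=$4; lease=${5:-24h}
    if ! same_subnet24 "$start" "$end" "$router" "$dns"; then
        echo "error: range $start-$end, router $router and dns $dns are not all in one /24" >&2
        return 1
    fi
    printf 'dhcp-range=%s,%s,255.255.255.0,%s\n' "$start" "$end" "$lease"
    printf 'dhcp-option=option:router,%s\n' "$router"
    printf 'dhcp-option=option:dns-server,%s\n' "$dns"
}

# Demo with the page's sample addresses; 192.168.1.80 is an assumed DAP address.
render_dhcp_conf 192.168.1.180 192.168.1.220 192.168.1.1 192.168.1.80
```

Paste the printed lines into dhcp.conf in place of the commented ones, then check the logfile in the Control Panel as recommended above. Keep the NTP option as well: Unbound's signature validation depends on correct time.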

Special cases

Unbound allows records to be injected into it, which it then serves when queried for the corresponding domain names. DAP implements this in what we call local.data, a file containing records which are injected into Unbound upon start-up, and again whenever the file is submitted via DAP's Web interface. This functionality opens up all sorts of possibilities and pitfalls: make sure you know what you are doing.

Say you want to ensure that members of your household or office cannot reach a particular malware site (malware.example.com), and you prefer to redirect them to the address 127.0.0.1. DAP's local.data allows you to do that on the fly, without having to restart any of the DAP services.
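The page does not show the syntax of local.data, so the following added example (not DAP's or Unbound's own code) assumes the file holds records in Unbound's local-zone/local-data syntax. It validates the name and address before emitting the two records for the malware.example.com case above, and also prints the unbound-control commands that apply the same change to a running server; by default it only prints them (DRY_RUN=1), so it runs without Unbound installed.

```shell
#!/bin/sh
# Added example (not DAP's or Unbound's own code). Assumes local.data uses
# Unbound's local-zone / local-data syntax. Validates input first: a malformed
# record in local.data is one of the "pitfalls" the text warns about.

# Return 0 when $1 looks like a DNS host name: labels of letters, digits and
# hyphens, separated by single dots, no leading or trailing dot.
valid_hostname() {
    case "$1" in
        ''|*..*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the local.data lines that redirect NAME, and every name below it, to ADDR.
# Zone type "redirect" makes Unbound answer the zone's own data for all subdomains.
redirect_records() {
    name=$1; addr=$2
    valid_hostname "$name" || { echo "bad host name: $name" >&2; return 1; }
    valid_ipv4 "$addr"     || { echo "bad IPv4 address: $addr" >&2; return 1; }
    printf 'local-zone: "%s" redirect\n' "$name"
    printf 'local-data: "%s A %s"\n' "$name" "$addr"
}

# Print (DRY_RUN=1, the default) or execute a command.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Apply the same redirect to the running server via unbound-control.
apply_redirect() {
    redirect_records "$1" "$2" >/dev/null || return 1
    run unbound-control local_zone "$1" redirect
    run unbound-control local_data "$1 A $2"
}

# Undo it: removing the zone also drops the data that was added under it.
remove_redirect() {
    valid_hostname "$1" || return 1
    run unbound-control local_zone_remove "$1"
}

# Demo for the case discussed in the text.
redirect_records malware.example.com 127.0.0.1
apply_redirect  malware.example.com 127.0.0.1
remove_redirect malware.example.com
```

Two things to keep in mind when using this: the answers Unbound synthesises from local data are not DNSSEC-signed, so a client that validates on its own (rather than trusting DAP's AD flag) will not treat them as secure; and because of the "redirect" zone type, every name below malware.example.com is redirected too, which is usually what you want for a blocklist but not for overriding a single host inside a domain you otherwise use.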

Notes

  • Because of timestamps used in validating RRSIG records in DNSSEC, Unbound requires correct system time: use NTP if at all possible.

Questions

How can I determine which version of Unbound is on DAP?

The server.info option in the GUI will show you, or you can use either the dig (from BIND) or drill (from ldns) commands:

$ dig @192.168.1.81 version.bind. chaos txt
$ drill @192.168.1.81 version.bind. ch txt

;; ANSWER SECTION:
version.bind.    0   CH   TXT   "unbound 1.4.13"
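The same dig tool can tell you whether DAP actually validated an answer, which is the check behind the "test the DNSSEC capabilities" feature. A validating resolver sets the ad (authenticated data) flag in the header of answers from signed zones and returns SERVFAIL when validation fails. The snippet below is an added example, not part of DAP: it classifies dig output as secure, insecure or bogus. The two header excerpts are constructed samples of what dig prints; the resolver address in the comment is the page's own.

```shell
#!/bin/sh
# Added example (not DAP's own code): classify dig output by DNSSEC result.
# The two samples below are constructed excerpts of dig's header section.

SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Extract the status word (NOERROR, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Return 0 when the flags line on stdin carries "ad" (authenticated data).
dig_has_ad() {
    grep -q '^;; flags:.* ad[ ;]'
}

# Classify one dig run:
#   secure   - answer validated by the resolver (ad flag set)
#   insecure - answer returned without validation (unsigned zone, or a
#              non-validating resolver such as a plain CPE router)
#   bogus    - SERVFAIL, which is what a validator returns for failed signatures
classify() {
    output=$1
    status=$(printf '%s\n' "$output" | dig_status)
    if [ "$status" = SERVFAIL ]; then
        echo bogus
    elif printf '%s\n' "$output" | dig_has_ad; then
        echo secure
    else
        echo insecure
    fi
}

# Against a live DAP host you would run, for example:
#   classify "$(dig @192.168.1.81 example.com a)"
classify "$SAMPLE_SECURE"
classify "$SAMPLE_BOGUS"
```

A SERVFAIL can also mean the upstream servers were simply unreachable. To tell the two apart, repeat the query with dig's +cd option (checking disabled): if that succeeds while the normal query fails, the failure was DNSSEC validation and DAP is doing its job.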

Which network ports do the DAP components use?

The following ports are utilized by the DAP services:

  • 53 (tcp/udp) - unbound
  • 67 (udp) - dnsmasq
  • 69 (udp) - dnsmasq
  • 8053 (tcp) - mini_httpd Web gui
  • 8853 (tcp/udp) - dnsmasq internal DNS responder
  • 8953 (tcp) - unbound control

Implementations

ReadyNAS

[Screenshot: ReadyNAS Frontview]

Stefan Rubner has created a Frontview Add-on for DAP for the ReadyNAS series of NAS servers, and he's graciously making a version available for each of the following architectures:

  • Sparc (e.g. Duo, NV/NV+)
  • ARM (e.g. Duo v2, NV+ v2)
  • x86 (e.g. NVX, Pro, Ultra, 2xxx, 3xxx, 4xxx)

(If you, like me, can't remember which architecture your ReadyNAS has, I recommend you look at this page to refresh your memory.)

In order to successfully install and use DAP on ReadyNAS, please note:

  • Make sure you have enabled NTP in FrontView.
  • If you forget how to access the DAP Control Panel, select the DAP add-on from Frontview and click on Manage DAP.

Changelog

  • 0.8.2

    First public version. Contains Unbound 1.4.14 and dnsmasq 2.59.

  • 0.8.3

    Date fixed in showleases.

  • 0.8.4

    Speed-up in the status display of Unbound statistics (ischanged), thanks to code by Frank Denis.
