Enabling DNSSEC on Debian and Ubuntu (with systemd-resolved)
Using systemd-resolved opens up some options that may be easier to configure than in the past.
Enabling DNSSEC:
- systemd-resolve --status
- look for “DNSSEC setting: no”
- sudo mkdir -p /etc/systemd/resolved.conf.d
- sudo nano /etc/systemd/resolved.conf.d/dnssec.conf
- enter:
  [Resolve]
  DNSSEC=true
- sudo systemctl restart systemd-resolved
- systemd-resolve --status
- look for “DNSSEC setting: yes”
What DNS Servers is my Ubuntu system using?
It’s no longer as simple as “cat /etc/resolv.conf”. DNS is now handled by systemd-resolved in Ubuntu and Debian and their derivatives. This is easy to spot if you do check resolv.conf and it contains “nameserver 127.0.0.53”. The correct command now is “systemd-resolve --status”.
Some Ubuntu 18.04 problems fixed today
I’ve drafted but not published a long list of problems I’ve experienced with Ubuntu 18.04. In short, it’s been one of the worst desktop releases of Ubuntu I’ve used. My experience on servers has been fine. Anyway, I haven’t looked into the details of these patches but:
- libwebkit2gtk-4.0-37:amd64 (2.22.6-0ubuntu0.18.04.1)
- libjavascriptcoregtk-4.0-18:amd64 (2.22.6-0ubuntu0.18.04.1)
These package releases seem to have fixed some of my issues that have been present since May 2018. In particular Liferea has been broken on my desktop for that long. Better late than never I guess.
Shopping for a wired router
I’ve often run a wired router at the front of my network (well, immediately behind the modem). The only other topology has been a linux server at the front of the network. Then I like a network behind that where a wireless router can live. I keep my wireless router turned off when not in use, which is an uncommon setup it seems. Anyway, for 1 network I’m managing I’m considering replacing the linux system with a wired router. Wired routers are not super popular for SOHO uses as most people seem to prefer a wireless router to do everything. Because there is not a huge market, options can be limited. Here are some products I’ve investigated.
- Specs:
  - 4 gigabit ethernet ports
  - cost <= $100
- TP-Link TL-R600VPN
  - I’ve had good experiences with TP-Link wired routers in the past. However, this router is believed to be vulnerable to VPNFilter malware so that makes it too risky at this time.
  - TPLink routers affected by VPNfilter malware?
- Ubiquiti ER-X
  - I’ve had no first-hand experiences with Ubiquiti products.
  - POE passthrough support.
- Cisco RV042G
- Grandstream GS-GWN7000
- Cisco RV130
- Research
  - Networking Companies Country of Operation
    - TP-Link – China
    - MikroTik – Latvia
    - Cisco – United States
    - Ubiquiti – United States
    - GrandStream – United States
    - TrendNet – United States
  - Other Products
    - TRENDnet TW100-S4W1CA – 10/100 only
    - D-Link – no gigabit products in price range
    - Netgear – no gigabit products in price range
    - Linksys LRT214 – outside price range
  - Further research
    - There are many more options above $100.
Even More Facebook Awfulness
Making the Internet Better (For Yourself)
- Install uBlock Origin in all of your web browsers
- Configure uBlock Origin in each of your web browsers
  - enable Fanboy’s Social Blocking List
  - add the following to “My filters”:
    disqus.com
    disquscdn.com
    instagram.com
    twitter.com
    facebook.com
- Enjoy a better internet
Recent Talks I’ve watched
Securing NTP Servers
I rarely use ntpd to serve time to other hosts. It is more useful to me for clock correction than a strict ntp/sntp client is. So I don’t want the service listening on a wildcard address, even when there is certainly a firewall in place. I prefer the service not listening at all, or listening only on the loopback interface. Here is how to configure that in ntpd and chrony.
ntpd
interface ignore wildcard
chrony
bindaddress 127.0.0.1
port 0
bindcmdaddress 127.0.0.1
cmdport 0
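As an added example (not from the original post), here is a POSIX shell check for the condition this section is about: whether an NTP daemon is still bound to a wildcard address after the settings above. It parses the output of `ss -Hulpn`; the socket lines in the script are constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Audit which local addresses NTP sockets are bound to. A UDP socket on
# 0.0.0.0, [::], :: or * for port 123 (NTP) or 323 (chrony command port)
# is a wildcard listener, which the ntpd/chrony settings above avoid.

# Constructed sample of `ss -Hulpn` output (not a real capture).
# Columns: State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_SS='UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=812,fd=16))
UNCONN 0 0 127.0.0.1:123 0.0.0.0:* users:(("ntpd",pid=812,fd=17))
UNCONN 0 0 [::]:123 [::]:* users:(("ntpd",pid=812,fd=18))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=900,fd=5))
UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhclient",pid=500,fd=6))'

# ntp_wildcard_listeners: reads ss output on stdin, prints one line per
# wildcard-bound NTP socket, returns 1 if any were found and 0 otherwise
# (loopback-only or not listening at all).
ntp_wildcard_listeners() {
    found=0
    while read -r state recvq sendq local peer proc; do
        [ -z "$local" ] && continue
        port=${local##*:}   # text after the last colon
        addr=${local%:*}    # text before the last colon
        case "$port" in
            123|323) ;;
            *) continue ;;
        esac
        case "$addr" in
            0.0.0.0|'[::]'|'::'|'*')
                printf 'wildcard NTP listener: %s port %s %s\n' \
                    "$addr" "$port" "$proc"
                found=1 ;;
        esac
    done
    return "$found"
}

# On a live system: ss -Hulpn | ntp_wildcard_listeners
printf '%s\n' "$SAMPLE_SS" | ntp_wildcard_listeners \
    || echo "fix: apply the ntpd or chrony settings above"
```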
NTP Servers
There are many NTP server implementations now. Here are some:
- ntpd
- chrony
- ntpsec
- openntpd
- sntp clients
  - systemd-timesyncd
  - sntp
- also:
  - ntimed – appears abandoned
Resources:
- Securing Network Time
- A security review of three NTP implementations
  - concludes chrony is probably the best choice of ntpd, ntpsec, and chrony
- A rift in the NTP world
- Chrony: Comparison of NTP implementations
- NTPSec: Differences from NTP Classic
  - NTPsec is not quite a full rewrite
I plan to give chrony a try.