How To Secure DNS with DNSCrypt

Jun 23, 2020 · OpenDNS is happy to announce support for DNSSEC validation in our DNS resolvers. With this release, the OpenDNS resolvers will act as fully RFC compliant security aware resolvers by performing DNSSEC validation on queries to authoritative nameservers for signed zones. The full scope of our support for DNSSEC can be found here: OpenDNS doesn't support DNSSEC, and prevents doing the validation yourself if you wanted to do so, by stripping required records before forwarding a response to you. If you need DNSSEC for specific zones (like, for publishing SSH host keys), you can configure BIND to forward queries to OpenDNS except for these zones. 1 Jan 13, 2014 · While I can't speak for operating a system at OpenDNS' scale, typically enabling DNSSEC validation is a simple one-line, one-time option in a configuration file. No additional support resources are necessary to maintain it -- it's a "set it and forget it" change. The OpenDNS DNSCrypt page reads, "There are benefits to DNSSEC that DNSCrypt isn’t trying to address. In fact, we hope DNSSEC adoption grows so that people can have more confidence in the entire DNS infrastructure, not just the link between our customers and OpenDNS."

The +cd option provides DNS results without any DNSSEC validation in place. $ dig A brokendnssec.net @1.0.0.1 +dnssec +cd +short 104.20.49.61 104.20.48.61 In the above example, DNSSEC is misconfigured if a proper DNS response is received when using the +cd option but queries using DNSSEC return a SERVFAIL response.

May 28, 2020

The primary IP address for Quad9 is 9.9.9.9, which includes the blocklist, DNSSEC validation, and other security features. However, we do provide an unsecured service and it can be helpful in determining if there are false positives in the Quad9 threat feed or DNSSEC errors with a specific domain.

DNSCrypt - FAQ - DNSCrypt vs DoH What is DNSSEC. DNSSEC is a DNS Extension that allows a client to validate the DNS response on supported domains and TLDs. Resolvers check the digital signature of DNS responses to verify that the data match what the zone owner initially configured. Troubleshooting DNSSEC – Cloudflare Help Center