Test and validate DNSSEC in dnsmasq with docker-compose

Example code: https://github.com/RammusXu/toolkit/tree/master/docker/dnsmasq

Install dnsmasq-dnssec

apk add dnsmasq-dnssec

Run it in the foreground and print all logs

dnsmasq --no-daemon --log-queries

Let’s go

Start containers

docker-compose up

Debug in another container

docker exec -it dnsmasq_runner_1 sh
/ #

Result

With dnssec

dig @dnsmasq +dnssec swag.live

; <<>> DiG 9.14.8 <<>> @dnsmasq +dnssec swag.live
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57890
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;swag.live. IN A

;; ANSWER SECTION:
swag.live. 21599 IN A 35.227.233.133
swag.live. 21599 IN RRSIG A 8 2 86400 20200406104653 20200315104653 19866 swag.live. al64n9p4EyKjVQLXawYf3gCnoZIyoZM5jI+yyY0virxuGXmSzRGvvl70 0cKBHmdPyXZThWzY2ZAQVW3RJVPrUFBNQ2bPR2WbC/8GI3S/pESMEboN r8nyVllydj00My//PA1JNxv06gn6zpH/gMN56xZDJhv/HDJ0PqPGcZ77 Aw8=

;; Query time: 87 msec
;; SERVER: 192.168.128.2#53(192.168.128.2)
;; WHEN: Tue Mar 17 04:07:30 UTC 2020
;; MSG SIZE rcvd: 223

  • Record: RRSIG. If your domain has DNSSEC enabled, this Resource Record Signature will be present in the answer.
  • flags: ad. A domain whose DNSSEC chain validates correctly gets this flag (Authenticated Data).

Without dnssec

dig @dnsmasq +dnssec google.com

; <<>> DiG 9.14.8 <<>> @dnsmasq +dnssec google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34327
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 232 IN A 172.217.27.142

;; Query time: 43 msec
;; SERVER: 192.168.128.2#53(192.168.128.2)
;; WHEN: Tue Mar 17 04:07:32 UTC 2020
;; MSG SIZE rcvd: 55
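As an added example (not from the original post or the linked toolkit repository), a small POSIX shell helper that reads the kind of dig +dnssec output shown in both cases above and classifies the answer by the two signals the post points at, the ad flag and the RRSIG record; the resolver and name arguments at the bottom are assumed for running it as a script.

```shell
#!/bin/sh
# Added example, not from the original post: classify the output of
# `dig @<resolver> +dnssec <name>` using the two signals discussed above,
# the `ad` flag in the header and an RRSIG record in the ANSWER section.
# Reads dig output on stdin and prints one word:
#   validated    ad flag set and RRSIG present: the resolver validated the chain
#   unsigned     NOERROR, no ad flag, no RRSIG: the zone is not signed
#   servfail     status SERVFAIL: validation failed or the upstream is broken
#   inconsistent anything else, e.g. RRSIG returned but no ad flag, meaning
#                the resolver you asked did not validate the answer itself
dnssec_status() {
    out=$(cat)
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57890"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    has_ad=no
    case " $flags " in *" ad "*) has_ad=yes ;; esac
    # RRTYPE is the 4th field of an answer line: "swag.live. 21599 IN RRSIG A ..."
    has_rrsig=$(printf '%s\n' "$out" | awk '
        /^;; ANSWER SECTION:/   { in_ans = 1; next }
        /^$/                    { in_ans = 0 }
        in_ans && $4 == "RRSIG" { found = 1 }
        END { print (found ? "yes" : "no") }')
    if [ "$status" = SERVFAIL ]; then
        echo servfail
    elif [ "$has_ad" = yes ] && [ "$has_rrsig" = yes ]; then
        echo validated
    elif [ "$status" = NOERROR ] && [ "$has_ad" = no ] && [ "$has_rrsig" = no ]; then
        echo unsigned
    else
        echo inconsistent
    fi
}

# Run as a script (assumed usage): sh dnssec_status.sh dnsmasq swag.live
if [ "$#" -eq 2 ]; then
    dig "@$1" +dnssec "$2" | dnssec_status
fi
```

The ad flag only tells you that the resolver you queried validated the answer, so it is meaningful only over a path to dnsmasq you trust (here, the docker-compose network).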

Reference