{"id":23,"date":"2020-11-11T14:09:46","date_gmt":"2020-11-11T13:09:46","guid":{"rendered":"https:\/\/blog.kihr.online\/?p=23"},"modified":"2020-11-11T14:23:32","modified_gmt":"2020-11-11T13:23:32","slug":"dnssec-mit-fritzbox-und-pihole","status":"publish","type":"post","link":"https:\/\/blog.kihr.online\/?p=23","title":{"rendered":"DNSSEC with Fritz!Box and PiHole"},"content":{"rendered":"<span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading time<\/span> <span class=\"rt-time\"> 3<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<p class=\"wp-block-paragraph\">With version 7.20 of Fritz!OS it is possible to configure DNSSEC on the Fritz!Box. If you also run <a href=\"https:\/\/pi-hole.net\" data-type=\"URL\" data-id=\"https:\/\/pi-hole.net\" target=\"_blank\" rel=\"noreferrer noopener\">PiHole<\/a> as an ad blocker in your home network, the two make a good combination for anonymising your own internet communication.<\/p>\n\n<p class=\"wp-block-paragraph\">This guide assumes that you have already installed PiHole and that you are using a Fritz!Box with the corresponding OS version.<\/p>\n\n<p class=\"wp-block-paragraph\">First we configure DNSSEC on the Fritz!Box. Under the menu item Internet\/Zugangsdaten (Internet\/Account Information) select the DNS tab. The first step is to enter the DNS servers we want to use; naturally, they must support DNSSEC. Free servers with DNSSEC support and a no-logging policy are listed, among other places, <a href=\"https:\/\/www.privacy-handbuch.de\/handbuch_93d.htm\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n\n<p class=\"wp-block-paragraph\">I chose the servers of Digitalcourage e.V. (as the primary server) and of the Swiss Digitale Gesellschaft (as the secondary server).<\/p>\n\n<p class=\"wp-block-paragraph\">Enter these in the corresponding fields on the page. For the IPv6 DNS, enter the servers' IPv6 addresses.<\/p>\n\n<p class=\"wp-block-paragraph\">Then the resolved hostnames of the DNS servers must be entered as well. These can be determined with dig:<\/p>\n\n<pre class=\"wp-block-preformatted\">dig -x 2a05:fc84::42\n; &lt;&lt;>> DiG 9.10.6 &lt;&lt;>> -x 2a05:fc84::42\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 50947\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 4096\n;; QUESTION SECTION:\n;2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.8.c.f.5.0.a.2.ip6.arpa. IN PTR\n;; ANSWER SECTION:\n2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.8.c.f.5.0.a.2.ip6.arpa. 2170 IN PTR dns1.digitale-gesellschaft.ch.\n;; Query time: 286 msec\n;; SERVER: 192.168.1.120#53(192.168.1.120)\n;; WHEN: Wed Nov 11 14:21:52 CET 2020\n;; MSG SIZE rcvd: 144<\/pre>\n\n<p class=\"wp-block-paragraph\">So for this IPv6 address the name is dns1.digitale-gesellschaft.ch.<\/p>\n\n<p class=\"wp-block-paragraph\">In addition, all the checkboxes in the corresponding fields should be ticked. In the end the page should look like this:<\/p>\n\n<figure class=\"wp-block-image size-large\"><img width=\"1024\" height=\"843\" src=\"https:\/\/blog.kihr.online\/wp-content\/uploads\/2020\/11\/DNSSEC-Part1-1024x843.png\" alt=\"\" class=\"wp-image-24\" \/><figcaption>Fritz!Box settings for the DNSSEC servers<\/figcaption><\/figure>\n\n<p class=\"wp-block-paragraph\">The PiHole may previously have been entered here as the forwarding DNS. That of course no longer works now. So that all clients in the network use the PiHole as their DNS server, its address must now be distributed via DHCP. To do this, in the Fritz!Box GUI select the Netzwerkeinstellungen (Network Settings) tab under Heimnetz\/Netzwerk (Home Network\/Network). Scroll to the bottom of the page, where you will find the two buttons IPv4-Konfiguration and IPv6-Konfiguration.<\/p>\n\n<p class=\"wp-block-paragraph\">This is where the DHCP settings are configured. In each of them, enter the IP address of the Pi-hole as the local DNS server. For the IPv6 configuration you should always use the link-local address, because the prefix of the other addresses can change with every new connection to the provider. At least with 1und1 this is the case, and unfortunately they still enforce the daily forced disconnection.<\/p>\n\n<p class=\"wp-block-paragraph\">Then we still have to configure the upstream DNS of the Pi-hole, which will now be the Fritz!Box. Open the Pi-hole web interface and, under Settings in the DNS tab, enter the addresses of the Fritz!Box as the upstream DNS servers. Here too, the link-local address of the Fritz!Box should be used.<\/p>\n\n<p class=\"wp-block-paragraph\">The result looks like this:<\/p>\n\n<figure class=\"wp-block-image size-large\"><img width=\"1024\" height=\"877\" src=\"https:\/\/blog.kihr.online\/wp-content\/uploads\/2020\/11\/DNSSEC-Part2-1024x877.png\" alt=\"\" class=\"wp-image-25\" \/><figcaption>Upstream DNS settings in the Pi-hole configuration<\/figcaption><\/figure>\n\n<p class=\"wp-block-paragraph\">Now you can test on one of the DHCP clients whether DNS resolution with DNSSEC works:<\/p>\n\n<pre class=\"wp-block-preformatted\">dig example.com +dnssec +multi\n\n; &lt;&lt;>> DiG 9.10.6 &lt;&lt;>> example.com +dnssec +multi\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 13243\n;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags: do; udp: 1232\n; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (\".............................................................................................................................................................................................................................................\")\n;; QUESTION SECTION:\n;example.com.\t\tIN A\n\n;; ANSWER SECTION:\nexample.com.\t\t68862 IN RRSIG A 8 2 86400 (\n\t\t\t\t20201130073413 20201109053021 62811 example.com.\n\t\t\t\touYMqxaXEa23LFr1Fwb0vGaJ+VVSTZrgymnqYMm6kVdL\n\t\t\t\tJf\/LsTwCET\/iPZBQll4hsTqzVU5QRt21+ImJWFwrYvVt\n\t\t\t\tJCyJr0AqZLLfcHmd+FnwGkHJrJ9bYIEFLq6J1Am6Wh\/z\n\t\t\t\tQqDS1+e2FBtSihi1wse7exxwgVXErSpEjNelHHk= )\nexample.com.\t\t68862 IN A 93.184.216.34\n\n;; Query time: 9 msec\n;; SERVER: 192.168.1.120#53(192.168.1.120)\n;; WHEN: Wed Nov 11 14:01:55 CET 2020\n;; MSG SIZE  rcvd: 468<\/pre>\n\n<p class=\"wp-block-paragraph\">The answer should look similar to this. The important part is the ad entry in the flags line (Authenticated Data): it means the validating resolver has checked the DNSSEC signatures for this answer. Note that the flag is set by the resolver the client asked, so the client still relies on the path to that resolver being trustworthy.<\/p>\n\n<p class=\"wp-block-paragraph\">To test whether this also works for IPv6, add AAAA to the query:<\/p>\n\n<pre class=\"wp-block-preformatted\">dig example.com AAAA +dnssec +multi\n\n; &lt;&lt;>> DiG 9.10.6 &lt;&lt;>> example.com AAAA +dnssec +multi\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 6175\n;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags: do; udp: 4096\n;; QUESTION SECTION:\n;example.com.\t\tIN AAAA\n\n;; ANSWER SECTION:\nexample.com.\t\t42890 IN AAAA 2606:2800:220:1:248:1893:25c8:1946\nexample.com.\t\t42890 IN RRSIG AAAA 8 2 86400 (\n\t\t\t\t20201130143723 20201109073021 62811 example.com.\n\t\t\t\tm1CY\/NpIYk7g50iFiL3I7dM21D6KkGo75T\/uQRWq2uC9\n\t\t\t\tQGhFgZSCSM1xBkncfdt8qP6tVmoLCiegztdfI2TbADQc\n\t\t\t\tKAacsf\/kiF\/W8NVtQIg4BEh6BQ3aCZjPWwn6QZ83OhVq\n\t\t\t\t66OI7IgjxV0rFI\/b2MPkORw8udO+O5kIM6kdqEQ= )\n\n;; Query time: 325 msec\n;; SERVER: 192.168.1.120#53(192.168.1.120)\n;; WHEN: Wed Nov 11 14:05:13 CET 2020\n;; MSG SIZE  rcvd: 239<\/pre>\n\n<p class=\"wp-block-paragraph\">Happy surfing.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"span-reading-time rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading time<\/span> <span class=\"rt-time\"> 3<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>With version 7.20 of Fritz!OS it is possible to configure DNSSEC on the Fritz!Box. If you also run PiHole as an ad blocker in your home network, the two make a good combination for anonymising your own internet communication. This guide assumes that you have already installed PiHole and a Fritz!Box with the corresponding OS [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[1],"tags":[]}