DNSSEC question

asked 2024-10-13 18:41:46 +0000

net_tech

updated 2024-10-13 23:32:36 +0000

Hi,

We are using DNSSEC on the internal network (Windows 2022 DNS server / 172.16.4.10). Recently I came across a chrome extension from https://dnssec.uz and added it to my browser.


When accessing phl-esxi1 the extension confirms that DNSSEC is enabled and working correctly, but if I look at DNS traffic in Wireshark, nothing in the DNS answer options has any indication of DNSSEC being present.


Does DNSSEC use something other than DNS protocol to check the authenticity of the record?

Thanks

Edit:

Seeing DNSSEC fields after getting GPO applied to the computer object



Comments

What is the full domain for phl-esxi1? (The column is truncated in the Wireshark screenshot)

Chuckc ( 2024-10-13 20:28:40 +0000 )

It's ourdomain.local.

Truncated to hide the identity.

net_tech ( 2024-10-13 20:56:32 +0000 )

Have you looked at this presentation: dnssec.uz: Protect your website

Is the browser extension using dnsviz probe?

Chuckc ( 2024-10-13 21:40:27 +0000 )

The Chrome extension is irrelevant; I only mentioned it to show that DNSSEC is enabled.

I may have figured it out: the AD team blocked the inheritance on the GPO with the DNSSEC name resolution policy. Once the computer object was moved out to another OU, the policy applied and I am able to see the additional records I was missing earlier.

net_tech ( 2024-10-13 23:27:06 +0000 )

So Wireshark did not display the data that is not in the capture file?

There are sample captures in Wireshark GitLab issues - search on "dnssec".

Chuckc ( 2024-10-14 12:50:31 +0000 )
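DNSSEC rides on ordinary DNS packets, so the things to look for in a capture are the EDNS0 OPT record with the DO bit in the query (which the Windows client only sends once the name resolution policy applies), RRSIG and related records in the answer, and the AD flag in the response header. The checker below is an added example, not code from this thread; it parses raw DNS wire format and reports those indicators, and the three sample messages are constructed (the RRSIG RDATA is placeholder bytes, not a real signature).

```python
import struct

# IANA RR type numbers for EDNS0 and the DNSSEC record types a signed answer carries
TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY, TYPE_DS, TYPE_NSEC, TYPE_NSEC3 = 41, 46, 48, 43, 47, 50
DNSSEC_TYPES = {TYPE_RRSIG, TYPE_DNSKEY, TYPE_DS, TYPE_NSEC, TYPE_NSEC3}

def _skip_name(msg, off):
    """Skip a wire-format domain name (labels or a compression pointer); return the offset after it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer terminates the name
            return off + 2
        off += 1 + length

def dnssec_indicators(msg):
    """Report the DNSSEC-related signals in one raw DNS message (query or response)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"ad": bool(flags & 0x0020),   # Authenticated Data: resolver validated the answer
              "cd": bool(flags & 0x0010),   # Checking Disabled
              "edns": False, "do": False, "dnssec_rrs": False}
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:               # EDNS0 OPT pseudo-RR; its "TTL" field holds the DO bit
            result["edns"], result["do"] = True, bool(ttl & 0x8000)
        elif rtype in DNSSEC_TYPES:
            result["dnssec_rrs"] = True
        off += 10 + rdlen
    return result

def _name(s):
    return b"".join(bytes([len(label)]) + label.encode() for label in s.split(".")) + b"\x00"
QNAME = _name("phl-esxi1.ourdomain.local")   # constructed; mirrors the host in the question
QUESTION = QNAME + struct.pack("!HH", 1, 1)   # A record, class IN
# Constructed sample 1: plain query with no EDNS at all (nothing DNSSEC-related to see)
PLAIN_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
# Constructed sample 2: same query carrying an OPT record with DO=1 in the additional section
EDNS_DO_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1) + QUESTION
                 + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0))
# Constructed sample 3: response with AD set, an A record (TEST-NET address) and a placeholder RRSIG
SIGNED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0) + QUESTION
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
                   + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 8) + b"\x00" * 8)
```

Run it against bytes pulled from a capture (Wireshark's "Copy as Hex Stream" on the DNS layer, then `bytes.fromhex(...)`) to see whether a given query or answer carried any DNSSEC material at all.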