Maintained by: NLnet Labs

[Unbound-users] "Tunnel" dnssec through local forward-zone?

Anders Sundman
Tue Jul 26 02:01:39 CEST 2011

On 2011-07-25 19:50, Paul Wouters wrote:
> On Mon, 25 Jul 2011, Anders Sundman wrote:
>> I'm running unbound locally on and a DNS TCP proxy (ttdnsd) on
>> The setup is a simple forward-zone; I ask unbound and unbound
>> asks ttdnsd:
>> forward-zone:
>>  name: "."
>>  forward-addr:
>> Now I'm trying to get dnssec working but I've run in to some problems.
> Why are you doing this? unbound can do queries using just tcp per
> default, so you
> do not need to use ttdnsd. I assume you're trying to proxy dns to an
> anonymiser
> network like tor?

Indeed, I am trying to set up a sane DNS resolution strategy for tor.

> Try this unbound patch, and set unbound to use tcp only in unbound.conf
> using
> do-udp:no and do-tcp:yes.

I've tried your patch (using yes/yes as suggested in a later mail).  It
seems to be working just fine.  Unbound is resolving all types over tcp
through tor, with and without dnssec.  Perfect!

I was initially using ttdnsd as a fallback for resolving non A/PTR
records, since those can't be resolved using tor's built in mechanism.
The later provides good anonymity, but is susceptible to spoofing by
exits, exits ISP's, et al..

I'm tempted to drop ttdnsd.  It has served me well (thanks Jake), but
it's always nice to get rid of complexity.  But, before doing so I have
to ponder what it's implications will be on anonymity.  It's not obvious
to me that using unbound tcp over tor is any more or less anonymous than
using the tor resolution.

That might be a discussion best suited for another (tor) mailing list

Best regards,