Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Bry8 Star
Thu Nov 1 01:12:52 CET 2012


No one seems to be replying to or understanding
what I have requested, very strange!

In Windows, no one has found solution(s)!!!
for sending DNS queries (for specific DNS servers)
from Unbound toward a SOCKS proxy server!?

Trying to do this:
[start] (1) local software --> (2) local unbound -->
--> (3) local socks-proxy/srvr --> (4) socks-tunnel
--> (5) Internet (My ISP) --> (6) socks-(origin)-srvr
--> (7) Internet (socks-origin-srvr's ISP)
--> (8) name-server/DNS-server. [End]

-- Bright Star (Bry8Star).



Bry8 Star wrote:
Received on 2012-10-25 8:13 PM [GMT-08:00]::
> Hi,
> 
> My (side) Scenario (Pre-Conditions) :
> 
> MyNet = My Local Network computers & devices.
> SOCKS-Srvr = origin SOCKS-server on remote server.
> SOCKS-prxy = SOCKS-proxy-server = is local SOCKS
> forwarding proxy server.
> Socks-Tnl = SOCKS-Tunnel = connection between
> (local) socks-proxy & (origin) socks-server.
> SOCKS = is a type of gateway, a type of tunnel,
> a routing process between a client & a server.
> 
> (start from right most side "MyNet")
> 
> Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet.
> A
> |
> V
> --> SOCKS-Srvr <-> remote local network (DNS).
> A
> |
> V
> --> SOCKS-Srvr <-> Internet <-> DNS-Servers.
> 
> 
> I have multiple SOCKS proxy servers
> (SOCKS v4a, v5)
> running & listening on (a server computer):
> 10.0.1.10:1080 (ip:port)
> 10.0.1.10:1082
> ...
> This gateway/server computer 10.0.1.10 has
> an instance of "Unbound" (01) DNS-Resolver
> running on 10.0.1.10:53
> interface: 10.0.1.10
> port: 53
> access-control: 0.0.0.0/0 refuse
> access-control: ::0/0 refuse
> access-control: 10.0.1.10/8 allow
> 
> Different SOCKS tunnels end at (aka, are routed
> to) different destination locations (which have
> the origin-SOCKS-server gateway software),
> and each ending/origin gateway computer there is
> connected to a different ISP.
> 
> I need to use this 10.0.1.10:53 DNSSEC-supported
> DNS-Resolver from all clients (under my local
> network).
> 
> This DNS-Resolver must connect with destination
> DNS-Server(s) or nameservers(NS) via different
> ISPs, which are connected at the end of SOCKS
> tunnel.
> 
> Those destination Nameserver(s) (NS-DNS-Srv)
> ( or Recursive dns-server(s) (Rc-DNS-Srv)
> or Authoritative dns-server(s) (A-DNS-Srv) )
> are able to work with both TCP & UDP DNS, and
> listening on multiple ports 53, 110, 443, etc.
> 
> "Unbound" (01) (10.0.1.10:53) has multiple Forward
> and Stub zones. Each forward or stub zone/domain
> has at least 4, (in some cases 10), specific
> nameservers (or specific Rc-DNS-Srv, or specific
> A-DNS-Srv).
> 
> I'm using at least 10 different sets of
> (custom/special) zones, where each zone
> has from 4 to 10 (different) nameservers.
> stub-zone: # 01
> name: "custom-domain1.org"
> stub-host: ath-d1.namesrv-hostnam.org.
> stub-host: ath-d2.namesrv-hostnam.org.
> stub-host: ath-d3.namesrv-hostnam.org.
> stub-host: ath-d4.namesrv-hostnam.org.
> ...
> forward-zone: # 10
> name: "custom-domain10.org"
> forward-addr: ath-namesrvr.37.ip.adrs
> forward-addr: ath-namesrvr.38.ip.adrs
> forward-addr: ath-namesrvr.39.ip.adrs
> forward-host: ath-namesrvr40-hostnam.org.
> 
> And, when a DNS query does not match any
> of those custom/special zones, then a standard
> set of DNS-Servers is to be used, like: Root
> DNS-Servers, TLD DNS-Servers, SLD (Second Level
> Domain) DNS-Servers, HSP (Hosting Service
> Providers) DNS-Servers, Public DNSSEC based
> DNS-Servers, etc, via another SOCKS proxy:
> forward-zone:
> name: "."
> forward-addr: 94.75.228.29 # GPF DNSSEC
> forward-addr: 149.20.64.20 # OARC DNSSEC
> forward-addr: 217.31.204.130 # CZ.NIC DNSSEC
> forward-addr: 198.41.0.4 # ROOT a USC-ISI
> forward-addr: 192.5.5.241 # ROOT f ICANN
> forward-addr: 192.58.128.30 # ROOT j
> forward-addr: 193.0.14.129 # ROOT k RIPE
> forward-addr: 199.7.83.42 # ROOT l
> forward-addr: 128.8.10.90 # ROOT d UniMaryland
> forward-addr: 192.36.148.17 # ROOT i
> forward-addr: 202.12.27.33 # ROOT m
> forward-addr: 128.63.2.53 # ROOT h
> forward-addr: 192.203.230.10 # ROOT e NASA
> forward-addr: 192.228.79.201 # ROOT
> forward-addr: 192.33.4.12 # ROOT
> forward-addr: 192.112.36.4 # ROOT
> 
> 
> QUESTION(s):
> 
> Can I consider the existing command below,
> outgoing-interface:
> of Unbound, as its outbound traffic
> binding or forcing command/option?
> 
> How can I bind/force "Unbound" (01) (10.0.1.10:53)
> to use the 1st SOCKS proxy 10.0.1.10:1080 (IP:port)
> for resolving a 1st set of zones? (so that
> Unbound can connect with the correct 1st set of
> nameservers assigned for that 1st set of zones),
> And how to resolve another/2nd set of zones
> via another/2nd SOCKS at 10.0.1.10:1081?
> (and allowing Unbound to connect with another
> /2nd set of pre-assigned nameservers for that
> 2nd set of zones).
> 
> If there is one command-line in "Unbound"
> to use/bind/force outbound traffic to go through
> a SOCKS proxy, that will be best.
> 
> If not, then can anyone please point-to/indicate
> /discuss/suggest what tools can be used to
> achieve such a function: Unbound to SOCKS proxy.
> 
> (NOT looking for a solution on Linux/Unix).
> (Looking for a solution on Windows, the local
> "Unbound" (01) (10.0.1.10:53) is running on
> Windows based computer).
> 
> If I have to run 5 "Unbound" instances, even that
> type of solution is also ok, but fewer Unbound
> instances will be better.
> 
> Is there a tool which can accept all
> (incoming) traffic coming (from Unbound)
> toward a network interface adapter's
> (single) IP address (on different ports),
> and can forward those ports toward a
> (single ip:port based) SOCKS proxy
> server? Something that functions like TAP-to-SOCKS?
> 
> If a tool can perform a TUN-to-SOCKS function,
> then can such a tool be used to send all
> queries via SOCKS from Unbound, by binding
> Unbound to that TUN's IP address?
> 
> For example, can an OpenSSH instance be run
> in L2/3 tun VPN mode & forward tun IP address
> traffic toward a SOCKS proxy?
> 
> Can this command/option below,
> "outgoing-port-permit:", be set to
> use only 4 ports? like:
> outgoing-port-permit: 53001-53004
> or even set to use only 1 port?
> outgoing-port-permit: 53001-53001
> What tool can allow forwarding such
> traffic from Unbound to a SOCKS proxy?
> 
> Can I run an instance of OpenSSH to listen on a
> range of ports, from 53001 to 53004 on IP address
> 127.0.0.53, and forward those toward a single
> SOCKS proxy at 10.0.1.10:1080? And, after
> running OpenSSH, can I run & force Unbound to
> send outbound traffic via:
> outgoing-interface: 127.0.0.53
> 
> 
> Will these four commands work to
> force using only 1 outgoing port?
> outgoing-range: 1
> num-queries-per-thread: 1
> outgoing-port-permit: 53001
> outgoing-port-avoid: "1-53000,53002-65535"
> Will those slow down the DNS-resolving process
> very much?
> 
> Or, is there a tool which can function
> like DNS-to-SOCKS? How can it be used
> with Unbound?
> 
> How can I specify in "Unbound" to use port
> 110 with a DNS-Server, instead of port 53?
> 
> Can I specify an SSL cert (server cert or CA/Root cert)
> for a DNS-Server in Unbound?
> 
> 
> REFERENCES:
> 
> https://en.wikipedia.org/wiki/SOCKS
> http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF.
> http://www.inet.no/dante/doc/ Dante.
> 
> SOCKet Secure (SOCKS) is an Internet Protocol that
> routes network packets between a client and server
> through a proxy server. It works in Layer 5
> (Session) of OSI.
> 
> OpenSSH: An "ad hoc" SOCKS proxy server can be
> created using OpenSSH, and allows more flexible
> proxying than is possible with ordinary port
> forwarding. http://www.openssh.com/
> DynamicForward 10.0.1.10:1080 # will create a
> SOCKS on that ip:port.
> GatewayPorts option allows wildcard address
> usage. And tun-based VPN tunnel allowing
> applications to transparently access remote
> network resources without "socksification"
> is now possible via OpenSSH.
> 
> --Bright Star (Bry8Star).
> 
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 

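As an added example (not from the original post, and not Unbound's own code), here are the wire-level pieces a DNS-to-SOCKS shim of the kind asked about above has to get right: the SOCKS5 CONNECT handshake from RFC 1928 (cited in the post) and the 2-byte length framing DNS uses over TCP. It assumes the resolver sends its upstream queries over TCP (SOCKS CONNECT carries TCP only, so a shim like this cannot relay UDP queries), and the proxy and nameserver addresses are hypothetical values supplied by the caller.

```python
import socket
import struct

# Hypothetical DNS-to-SOCKS shim pieces: SOCKS5 (RFC 1928) CONNECT handshake
# plus DNS-over-TCP framing (RFC 1035 section 4.2.2). Not part of Unbound.
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03

def socks5_greeting():
    """VER=5, NMETHODS=1, the only offered method is 'no authentication'."""
    return bytes([0x05, 0x01, NO_AUTH])

def socks5_connect_request(host, port):
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT (port in network order)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:  # not a dotted quad: send the name, the proxy resolves it
        name = host.rstrip(".").encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([0x05, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def socks5_reply_ok(reply):
    """True when the proxy reply (VER REP RSV ATYP BND.ADDR BND.PORT) has REP=0."""
    return len(reply) >= 2 and reply[0] == 0x05 and reply[1] == 0x00

def frame_dns_tcp(message):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(message)) + message

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-exchange")
        buf += chunk
    return buf

def query_via_socks(proxy, nameserver, wire_query):
    """Send one wire-format DNS query to nameserver=(host, port) through proxy=(host, port)."""
    with socket.create_connection(proxy) as s:
        s.sendall(socks5_greeting())
        ver, method = recv_exact(s, 2)
        if ver != 0x05 or method != NO_AUTH:
            raise ConnectionError("proxy rejected the no-auth method")
        s.sendall(socks5_connect_request(*nameserver))
        head = recv_exact(s, 4)
        if not socks5_reply_ok(head):
            raise ConnectionError("SOCKS CONNECT failed, REP=%d" % head[1])
        # drain BND.ADDR and BND.PORT so they are not mistaken for DNS bytes
        n = recv_exact(s, 1)[0] if head[3] == ATYP_DOMAIN else (4 if head[3] == ATYP_IPV4 else 16)
        recv_exact(s, n + 2)
        s.sendall(frame_dns_tcp(wire_query))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)
```

Passing a hostname such as a stub-host lets the proxy resolve it on the far end of the tunnel, so the name lookup itself does not leak to the local ISP; passing a dotted quad with a nonstandard port covers the "port 110 instead of 53" case.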