Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Paul Wouters
Thu Nov 1 04:03:02 CET 2012


On Wed, 31 Oct 2012, Bry8 Star wrote:

> No one seems to be replying or understanding
> what I have requested, very strange!
>
> In Windows, no one has found a solution!!!
> for sending DNS queries (for specific DNS servers)
> from Unbound toward a SOCKS proxy server!?

I gave Jake Applebaum a patch/configuration to test for
using Unbound with Tor using a SOCKS proxy. I never got
feedback, but he might still have the patch and config
lying around for you.

Paul

> trying to do this:
> [start] (1) local software --> (2) local unbound -->
> --> (3) local socks-proxy/srvr --> (4) socks-tunnel
> --> (5) Internet (My ISP) --> (6) socks-(origin)-srvr
> --> (7) Internet (socks-origin-srvr's ISP)
> --> (8) name-server/DNS-server. [End]
>
> -- Bright Star (Bry8Star).
>
>
>
> Bry8 Star wrote:
> Received on 2012-10-25 8:13 PM [GMT-08:00]:
>> Hi,
>>
>> My (side) Scenario (Pre-Conditions) :
>>
>> MyNet = my local network computers & devices.
>> SOCKS-Srvr = origin SOCKS server on a remote server.
>> SOCKS-prxy = SOCKS proxy server = the local SOCKS
>> forwarding proxy server.
>> Socks-Tnl = SOCKS tunnel = the connection between the
>> (local) SOCKS proxy & the (origin) SOCKS server.
>> SOCKS is a type of gateway, a type of tunnel,
>> a routing process between a client & a server.
>>
>> (start from the rightmost side, "MyNet")
>>
>> Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet.
>> A
>> |
>> V
>> --> SOCKS-Srvr <-> remote local-netwrk (DNS).
>> A
>> |
>> V
>> --> SOCKS-Srvr <-> Internet <-> DNS-Servers.
>>
>>
>> I have multiple SOCKS proxy servers
>> (SOCKS v4a, v5),
>> running & listening on (a server computer):
>> 10.0.1.10:1080 (ip:port)
>> 10.0.1.10:1082
>> ...
>> This gateway/server computer 10.0.1.10 has
>> an instance of "Unbound" (01) DNS-Resolver
>> running on 10.0.1.10:53
>>     interface: 10.0.1.10
>>     port: 53
>>     access-control: 0.0.0.0/0 refuse
>>     access-control: ::0/0 refuse
>>     access-control: 10.0.1.10/8 allow
>>
>> Different SOCKS tunnels end on (aka, are routed
>> to) different destination locations (which have
>> the origin SOCKS server gateway software),
>> and the ending/origin gateway computer there is
>> connected to a different ISP.
>>
>> I need to use this 10.0.1.10:53 DNSSEC-supporting
>> DNS resolver from all clients (under my local
>> network).
>>
>> This DNS resolver must connect with the destination
>> DNS server(s) or nameservers (NS) via different
>> ISPs, which are connected at the end of a SOCKS
>> tunnel.
>>
>> Those destination nameserver(s) (NS-DNS-Srv)
>> (or recursive DNS server(s) (Rc-DNS-Srv)
>> or authoritative DNS server(s) (A-DNS-Srv))
>> are able to work with both TCP & UDP DNS, and
>> are listening on multiple ports 53, 110, 443, etc.
>>
>> "Unbound" (01) (10.0.1.10:53) has multiple Forward
>> and Stub zones. Each forward or stub zone/domain
>> has at least 4, (in some cases 10), specific
>> nameservers (or specific Rc-DNS-Srv, or specific
>> A-DNS-Srv).
>>
>> I'm using at least 10 different sets of
>> (custom/special) zones, where each zone
>> has from 4 to 10 (different) nameservers.
>> stub-zone: # 01
>>     name: "custom-domain1.org"
>>     stub-host: ath-d1.namesrv-hostnam.org.
>>     stub-host: ath-d2.namesrv-hostnam.org.
>>     stub-host: ath-d3.namesrv-hostnam.org.
>>     stub-host: ath-d4.namesrv-hostnam.org.
>> ...
>> forward-zone: # 10
>>     name: "custom-domain10.org"
>>     forward-addr: ath-namesrvr.37.ip.adrs
>>     forward-addr: ath-namesrvr.38.ip.adrs
>>     forward-addr: ath-namesrvr.39.ip.adrs
>>     forward-host: ath-namesrvr40-hostnam.org.
>>
>> And, when a DNS query does not match any
>> of those custom/special zones, then the standard
>> set of DNS servers is to be used, like: root
>> DNS servers, TLD DNS servers, SLD (Second Level
>> Domain) DNS servers, HSP (Hosting Service
>> Providers) DNS servers, public DNSSEC-based
>> DNS servers, etc., via another SOCKS proxy:
>> forward-zone:
>>     name: "."
>>     forward-addr: 94.75.228.29 # GPF DNSSEC
>>     forward-addr: 149.20.64.20 # OARC DNSSEC
>>     forward-addr: 217.31.204.130 # CZ.NIC DNSSEC
>>     forward-addr: 198.41.0.4 # ROOT a USC-ISI
>>     forward-addr: 192.5.5.241 # ROOT f ICANN
>>     forward-addr: 192.58.128.30 # ROOT j
>>     forward-addr: 193.0.14.129 # ROOT k RIPE
>>     forward-addr: 199.7.83.42 # ROOT l
>>     forward-addr: 128.8.10.90 # ROOT d UniMaryland
>>     forward-addr: 192.36.148.17 # ROOT i
>>     forward-addr: 202.12.27.33 # ROOT m
>>     forward-addr: 128.63.2.53 # ROOT h
>>     forward-addr: 192.203.230.10 # ROOT e NASA
>>     forward-addr: 192.228.79.201 # ROOT
>>     forward-addr: 192.33.4.12 # ROOT
>>     forward-addr: 192.112.36.4 # ROOT
>>
>>
>> QUESTION(s):
>>
>> Can I consider the existing command below,
>> outgoing-interface:
>> of Unbound, as its outbound-traffic
>> binding or forcing command/option?
>>
>> How can I bind/force "Unbound" (01) (10.0.1.10:53)
>> to use the 1st SOCKS proxy 10.0.1.10:1080 (IP:port)
>> for resolving a 1st set of zones? (so that
>> Unbound can connect with the correct 1st set of
>> nameservers assigned for that 1st set of zones),
>> And how to resolve another/2nd set of zones
>> via using another/2nd SOCKS at 10.0.1.10:1081?
>> (and allowing Unbound to connect with another
>> /2nd set of pre-assigned nameservers for that
>> 2nd set of zones).
>>
>> If there is a one-line command in "Unbound"
>> to use/bind/force outbound traffic to go through
>> a SOCKS proxy, that would be best.
>>
>> If not, then can anyone please point to/indicate
>> /discuss/suggest what tools can be used to
>> achieve such a function: Unbound to SOCKS proxy.
>>
>> (NOT looking for a solution on Linux/Unix).
>> (Looking for a solution on Windows; the local
>> "Unbound" (01) (10.0.1.10:53) is running on a
>> Windows-based computer).
>>
>> If I have to run 5 "Unbound" instances, even that
>> type of solution is also OK, but fewer Unbound
>> instances would be better.
>>
>> Is there a tool which can accept all
>> (incoming) traffic coming (from Unbound)
>> toward a network interface adapter's
>> (different ports & single) IP address,
>> and can forward those ports toward a
>> (single ip:port based) SOCKS proxy
>> server? What functions like TAP-to-SOCKS?
>>
>> If a tool can perform a TUN-to-SOCKS function,
>> then can such a tool be used to send all
>> queries via SOCKS from Unbound, by binding
>> Unbound to that TUN's IP address?
>>
>> For example, can an OpenSSH instance be run
>> in L2/3 tun VPN mode & forward tun IP address
>> traffic toward a SOCKS proxy?
>>
>> Can this below command/option
>> "outgoing-port-permit:" be set to
>> use only 4 ports? Like:
>> outgoing-port-permit: 53001-53004
>> or even set to use only 1 port?
>> outgoing-port-permit: 53001-53001
>> What tool can forward such
>> traffic from Unbound to a SOCKS proxy?
>>
>> Can I run an instance of OpenSSH to listen on a
>> range of ports, from 53001 to 53004 on IP address
>> 127.0.0.53, and forward those toward a single
>> SOCKS proxy at 10.0.1.10:1080? And, after
>> running OpenSSH, can I run & force Unbound to
>> send outbound traffic via:
>> outgoing-interface: 127.0.0.53
>>
>>
>> Will these four commands work, to
>> force using only 1 outgoing port?
>> outgoing-range: 1
>> num-queries-per-thread: 1
>> outgoing-port-permit: 53001
>> outgoing-port-avoid: "1-53000,53002-65535"
>> Will those make the DNS-resolving process
>> very slow?
>>
>> Or, is there a tool which can function
>> like DNS-to-SOCKS? How can it be used
>> with Unbound?
>>
>> How can I specify in "Unbound" to use port
>> 110 with a DNS server, instead of port 53?
>>
>> Can I specify an SSL cert (server cert or CA/root cert)
>> for a DNS server in Unbound?
>>
>>
>> REFERENCES:
>>
>> https://en.wikipedia.org/wiki/SOCKS
>> http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF.
>> http://www.inet.no/dante/doc/ Dante.
>>
>> SOCKet Secure (SOCKS) is an Internet Protocol that
>> routes network packets between a client and server
>> through a proxy server. It works in Layer 5
>> (Session) of OSI.
>>
>> OpenSSH: An "ad hoc" SOCKS proxy server can be
>> created using OpenSSH, and allows more flexible
>> proxying than is possible with ordinary port
>> forwarding. http://www.openssh.com/
>> DynamicForward 10.0.1.10:1080 # will create a
>> SOCKS on that ip:port.
>> GatewayPorts option allows wildcard address
>> usage. And tun-based VPN tunnel allowing
>> applications to transparently access remote
>> network resources without "socksification"
>> is now possible via OpenSSH.
>>
>> --Bright Star (Bry8Star).
>>
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>
>
>
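The "DNS-to-SOCKS" tool the quoted post asks about, as an added example that is not part of this thread and is not Unbound or NLnet Labs code. It implements the RFC 1928 SOCKS5 no-auth handshake and CONNECT, then carries each DNS message as DNS-over-TCP (the 2-byte length prefix of RFC 1035 section 4.2.2) through the proxy, and answers Unbound over UDP on a local port. The proxy address 10.0.1.10:1080 and the nameserver name ath-d1.namesrv-hostnam.org are taken from the post; the local shim port 5301, the answer address 192.0.2.10 and the in-process fake proxy used by `demo()` are constructed for the example. It runs unchanged on Windows with Python 3.5 or later.

```python
"""DNS-to-SOCKS5 shim (added example; not code from the list thread or from Unbound).
Takes DNS over UDP from Unbound on a local port and relays each query to one upstream
nameserver through a SOCKS5 proxy as DNS-over-TCP (2-byte length prefix, RFC 1035 4.2.2).
One shim per proxy; each Unbound zone is pointed at its shim (ports are assumptions):
    forward-zone:
        name: "custom-domain10.org"
        forward-addr: 127.0.0.1@5301    # shim started for proxy 10.0.1.10:1080
"""
import socket
import struct
import threading


def recv_exact(sock, n):
    """Read exactly n bytes; SOCKS5 and TCP DNS are length-framed, so short reads matter."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf

def socks5_connect(sock, host, port):
    """RFC 1928 no-auth negotiation, then CONNECT host:port. An IPv4 literal is sent as
    ATYP 1; a hostname as ATYP 3 so the proxy resolves it on the far side of the tunnel."""
    sock.sendall(b"\x05\x01\x00")                                   # VER 5, 1 method: no auth
    if recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("proxy did not accept no-auth SOCKS5")
    try:
        dst = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        dst = b"\x03" + bytes([len(name)]) + name
    sock.sendall(b"\x05\x01\x00" + dst + struct.pack("!H", port))   # CMD 1 = CONNECT
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != 5 or rep != 0:
        raise ConnectionError("SOCKS5 CONNECT rejected, REP=%d" % rep)
    bound = {1: 4, 4: 16}.get(atyp) or recv_exact(sock, 1)[0]      # BND.ADDR length
    recv_exact(sock, bound + 2)                                     # discard BND.ADDR, BND.PORT

def forward_query(query, proxy, upstream, timeout=10.0, connect=socket.create_connection):
    """Send one wire-format DNS message to upstream=(host, port) via proxy=(host, port) over
    TCP and return the wire-format reply. `connect` is injectable for offline testing."""
    with connect(proxy, timeout=timeout) as sock:
        socks5_connect(sock, *upstream)
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        reply = recv_exact(sock, length)
    if reply[:2] != query[:2]:
        raise ValueError("reply transaction ID does not match the query")
    return reply

def serve_udp(listen, proxy, upstream):
    """Blocking loop, e.g. serve_udp(("127.0.0.1", 5301), ("10.0.1.10", 1080), (ns, 53))."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(listen)
    while True:
        query, client = srv.recvfrom(4096)
        try:
            reply = forward_query(query, proxy, upstream)
        except (OSError, ValueError):   # SERVFAIL (QR=1, RCODE=2): Unbound tries its next server
            reply = query[:2] + bytes([query[2] | 0x80, 0x02]) + query[4:]
        srv.sendto(reply, client)

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal RD=1, class IN query without EDNS, used as constructed test input."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def fake_proxy(sock, answer_ip, seen):
    """Constructed test double playing both the SOCKS5 proxy and the upstream nameserver on
    one socket; appends the requested CONNECT target to `seen` so routing can be checked."""
    assert recv_exact(sock, 3) == b"\x05\x01\x00"
    sock.sendall(b"\x05\x00")
    atyp = recv_exact(sock, 4)[3]
    host = socket.inet_ntoa(recv_exact(sock, 4)) if atyp == 1 else recv_exact(sock, recv_exact(sock, 1)[0]).decode()
    seen.append((host, struct.unpack("!H", recv_exact(sock, 2))[0]))
    sock.sendall(b"\x05\x00\x00\x01" + b"\x00" * 6)                 # REP 0 success, BND 0.0.0.0:0
    query = recv_exact(sock, struct.unpack("!H", recv_exact(sock, 2))[0])
    answer = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:]   # echo question
    answer += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    sock.sendall(struct.pack("!H", len(answer)) + answer)
    sock.close()

def demo(answer_ip="192.0.2.10"):
    """Offline round trip over a socketpair. Returns (RCODE, A record text, CONNECT target)."""
    client_end, proxy_end = socket.socketpair()
    seen = []
    worker = threading.Thread(target=fake_proxy, args=(proxy_end, answer_ip, seen))
    worker.start()
    reply = forward_query(build_query("custom-domain1.org", txid=0xBEEF), ("10.0.1.10", 1080),
                          ("ath-d1.namesrv-hostnam.org", 53), connect=lambda addr, timeout: client_end)
    worker.join()
    return reply[3] & 0x0F, socket.inet_ntoa(reply[-4:]), seen[0]
```

Unbound's forward-addr accepts an address followed by @port, so one shim per SOCKS proxy on distinct local ports gives the per-zone routing the post asks for: the zones meant for 10.0.1.10:1080 forward to the shim started for that proxy, the zones meant for the second proxy to the other shim. Sending the upstream as a hostname (ATYP 3) lets the proxy resolve stub-host style names on its own side. Two caveats a practitioner should keep in mind: every SOCKS server on the path sees and can rewrite the plaintext DNS, and Unbound's DNSSEC validation is what catches that for signed zones, unsigned zones have no such protection; and the shim answers SERVFAIL on any transport error so that Unbound can try the zone's remaining forward-addr entries instead of waiting for a timeout.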