Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Bry8 Star
Thu Nov 1 07:46:58 CET 2012


Hi Paul,
Thanks for the response. I was beginning to get
a sense that no one ever reads my postings at all.

I will contact him, if he had enough time to place
your patch in the unbound source code, and if I can
get hold of it for use from the Windows side.

Currently, in the unbound config file, when a zone
is pointed toward a specific name server, for
example, like below:
forward-zone:
    name: "sld.tld"
    forward-addr: 62.141.58.13@110

# Then I have changed the above lines like below:
forward-zone:
    name: "sld.tld"
    forward-addr: 127.0.0.1@58001

Then, using the Windows edition of "socat", I
placed command line(s) like the one below inside a
batch .cmd / .bat file, to start the necessary
routing or forwarding:

@start "socat LH:58001 62.141.58.13 SP:1080" /D"%ProgramFiles%\socat\" socat.exe tcp4-listen:58001,bind=127.0.0.1,range=127.0.0.1/32,fork SOCKS4A:10.0.1.10:62.141.58.13:110,socksport=1080

(the above is one single command line)

Similarly (like the above command line), I specified a
unique port for each unique DNS server, and
executed around 50 socat instances (from the
batch file), to forward all DNS queries from
Unbound into different local SOCKS proxy
server(s), and sent the DNS queries toward different
(public & private) DNS servers & name servers.

Works fine, with complete DNSSEC support.

But I need to combine these into one or a smaller
number of "socat" instances,
or I need support inside Unbound,
or I need another tool which can efficiently
do this type of TCP-DNS-to-SOCKS traffic
routing.

I also want to connect with (public and
private) DNS servers (or name servers) which
support TLS cert-based/encrypted connections.
You may see below (in the previous email) where
I've mentioned these.

If anyone has worked/is working on these, please reply
to this posting.
Thanks in advance.

-- Bright Star (Bry8Star).

USERS: when you reply, make sure the "To:" field
has the email address below:
unbound-users@unbound.net



Paul Wouters wrote:
Received on 2012-10-31 8:03 PM [GMT-08:00]:
> On Wed, 31 Oct 2012, Bry8 Star wrote:
> 
>> No one seems to be replying or understanding what I have
>> requested, very strange!
>> 
>> In Windows, no one has found solution(s)!!! for sending
>> DNS queries (for specific DNS servers) from unbound toward a
>> SOCKS proxy server!?
> 
> I gave Jake Applebaum a patch/configuration to test for using
> unbound with tor using a SOCKS proxy. I never got feedback, but he
> might still have the patch and config lying around for you.
> 
> Paul
> 
>> trying to do this: [start] (1) local software --> (2) local
>> unbound --> --> (3) local socks-proxy/srvr --> (4)
>> socks-tunnel --> (5) Internet (My ISP) --> (6)
>> socks-(origin)-srvr --> (7) Internet (socks-origin-srvr's ISP) 
>> --> (8) name-server/DNS-server. [End]
>> 
>> -- Bright Star (Bry8Star).
>> 
>> 
>> 
>> Bry8 Star wrote: Received on 2012-10-25 8:13 PM [GMT-08:00]::
>>> Hi,
>>> 
>>> My (side) Scenario (Pre-Conditions):
>>> 
>>> MyNet = My local network computers & devices.
>>> SOCKS-Srvr = origin SOCKS server on a remote server.
>>> SOCKS-prxy = SOCKS-proxy-server = the local SOCKS forwarding proxy server.
>>> Socks-Tnl = SOCKS-Tunnel = connection between the (local)
>>> SOCKS proxy & the (origin) SOCKS server.
>>> SOCKS = a type of gateway, a type of tunnel, a routing process
>>> between a client & a server.
>>> 
>>> (start from the rightmost side, "MyNet")
>>> 
>>> Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet. A | V -->
>>> SOCKS-Srvr <-> remote local-netwrk (DNS). A | V -->
>>> SOCKS-Srvr <-> Internet <-> DNS-Servers.
>>> 
>>> 
>>> I have multiple SOCKS proxy servers (SOCKS v4a, v5) running
>>> & listening on (a server computer): 10.0.1.10:1080 (ip:port),
>>> 10.0.1.10:1082 ... This gateway/server computer 10.0.1.10
>>> has an instance of "Unbound" (01) DNS resolver running on
>>> 10.0.1.10:53:
>>>   interface: 10.0.1.10
>>>   port: 53
>>>   access-control: 0.0.0.0/0 refuse
>>>   access-control: ::0/0 refuse
>>>   access-control: 10.0.1.10/8 allow
>>> 
>>> Different SOCKS tunnels end at (aka, are routed to) different
>>> destination locations (which have the origin-SOCKS-server
>>> gateway software), and the ending/origin gateway computer there
>>> is connected with a different ISP.
>>> 
>>> I need to use this 10.0.1.10:53 DNSSEC-supporting DNS resolver
>>> from all clients (under my local network).
>>> 
>>> This DNS-Resolver must connect with destination DNS-Server(s)
>>> or nameservers(NS) via different ISPs, which are connected at
>>> the end of SOCKS tunnel.
>>> 
>>> Those destination nameserver(s) (NS-DNS-Srv) (or recursive
>>> DNS server(s) (Rc-DNS-Srv) or authoritative DNS server(s)
>>> (A-DNS-Srv)) are able to work with both TCP & UDP DNS, and are
>>> listening on multiple ports 53, 110, 443, etc.
>>> 
>>> "Unbound" (01) (10.0.1.10:53) has multiple Forward and Stub
>>> zones. Each forward or stub zone/domain has at least 4, (in
>>> some cases 10), specific nameservers (or specific Rc-DNS-Srv,
>>> or specific A-DNS-Srv).
>>> 
>>> I'm using at least 10 different sets of (custom/special)
>>> zones, where each zone has from 4 to 10 (different)
>>> nameservers.
>>> stub-zone: # 01
>>>   name: "custom-domain1.org"
>>>   stub-host: ath-d1.namesrv-hostnam.org.
>>>   stub-host: ath-d2.namesrv-hostnam.org.
>>>   stub-host: ath-d3.namesrv-hostnam.org.
>>>   stub-host: ath-d4.namesrv-hostnam.org.
>>> ...
>>> forward-zone: # 10
>>>   name: "custom-domain10.org"
>>>   forward-addr: ath-namesrvr.37.ip.adrs
>>>   forward-addr: ath-namesrvr.38.ip.adrs
>>>   forward-addr: ath-namesrvr.39.ip.adrs
>>>   forward-host: ath-namesrvr40-hostnam.org.
>>> 
>>> And, when a DNS query does not match any of those
>>> custom/special zones, then a standard set of DNS servers is to
>>> be used, like: Root DNS servers, TLD DNS servers, SLD (Second
>>> Level Domain) DNS servers, HSP (Hosting Service Providers)
>>> DNS servers, public DNSSEC-based DNS servers, etc., via
>>> another SOCKS proxy:
>>> forward-zone:
>>>   name: "."
>>>   forward-addr: 94.75.228.29      # GPF DNSSEC
>>>   forward-addr: 149.20.64.20      # OARC DNSSEC
>>>   forward-addr: 217.31.204.130    # CZ.NIC DNSSEC
>>>   forward-addr: 198.41.0.4        # ROOT a USC-ISI
>>>   forward-addr: 192.5.5.241       # ROOT f ICANN
>>>   forward-addr: 192.58.128.30     # ROOT j
>>>   forward-addr: 193.0.14.129      # ROOT k RIPE
>>>   forward-addr: 199.7.83.42       # ROOT l
>>>   forward-addr: 128.8.10.90       # ROOT d UniMaryland
>>>   forward-addr: 192.36.148.17     # ROOT i
>>>   forward-addr: 202.12.27.33      # ROOT m
>>>   forward-addr: 128.63.2.53       # ROOT h
>>>   forward-addr: 192.203.230.10    # ROOT e NASA
>>>   forward-addr: 192.228.79.201    # ROOT
>>>   forward-addr: 192.33.4.12       # ROOT
>>>   forward-addr: 192.112.36.4      # ROOT
>>> 
>>> 
>>> QUESTION(s):
>>> 
>>> Can I consider the existing outgoing-interface: option of
>>> Unbound (below) as its outbound traffic binding or forcing
>>> command/option?
>>> 
>>> How can I bind/force "Unbound" (01) (10.0.1.10:53) to use the
>>> 1st SOCKS proxy 10.0.1.10:1080 (IP:port) for resolving a 1st
>>> set of zones? (so that Unbound can connect with the correct 1st
>>> set of nameservers assigned for that 1st set of zones), And
>>> how to resolve another/2nd set of zones via another/2nd
>>> SOCKS proxy at 10.0.1.10:1081? (allowing Unbound to connect
>>> with another/2nd set of pre-assigned nameservers for that
>>> 2nd set of zones).
>>> 
>>> If there is a one-line command/option in "Unbound" to use/bind/force
>>> outbound traffic to go through a SOCKS proxy, that would be best.
>>> 
>>> If not, then can anyone please point to/indicate
>>> /discuss/suggest what tools can be used to achieve such a
>>> function: Unbound to SOCKS proxy.
>>> 
>>> (NOT looking for a solution on Linux/Unix.) (Looking for a
>>> solution on Windows; the local "Unbound" (01) (10.0.1.10:53)
>>> is running on a Windows-based computer.)
>>> 
>>> If I have to run 5 "Unbound" instances, even that type of solution is
>>> also OK, but fewer Unbound instances will be better.
>>> 
>>> Is there a tool which can accept all (incoming) traffic
>>> coming (from Unbound) toward a network interface adapter's
>>> (different ports & single) IP address, and can forward those
>>> ports toward a (single ip:port based) SOCKS proxy server?
>>> What functions like TAP-to-SOCKS?
>>> 
>>> If a tool can perform a TUN-to-SOCKS function, then can such a
>>> tool be used to send all queries via SOCKS from Unbound, by
>>> binding Unbound to that TUN's IP address?
>>> 
>>> For example, can an OpenSSH instance be run in L2/3 tun VPN
>>> mode & forward the tun IP address's traffic toward a SOCKS proxy?
>>> 
>>> Can this below command/option "outgoing-port-permit:" be set
>>> to use only 4 ports? like: outgoing-port-permit:
>>> 53001-53004 or, even set to use only 1 port?
>>> outgoing-port-permit: 53001-53001 What tool can allow
>>> forwarding such traffic from Unbound to a SOCKS proxy?
>>> 
>>> Can I run an instance of OpenSSH to listen on a range of ports,
>>> from 53001 to 53004 on IP address 127.0.0.53, and forward those
>>> toward a single SOCKS proxy at 10.0.1.10:1080? And, after
>>> running OpenSSH, can I run & force Unbound to send outbound
>>> traffic via: outgoing-interface: 127.0.0.53
>>> 
>>> 
>>> Will these four commands work? to force using only 1
>>> outgoing port:
>>>   outgoing-range: 1
>>>   num-queries-per-thread: 1
>>>   outgoing-port-permit: 53001
>>>   outgoing-port-avoid: "1-53000,53002-65535"
>>> Will those slow down the DNS resolving
>>> process very much?
>>> 
>>> Or, is there a tool which can function like DNS-to-SOCKS?
>>> How can it be used with Unbound?
>>> 
>>> How can I specify in "Unbound" to use port 110 with a
>>> DNS server, instead of port 53?
>>> 
>>> Can I specify an SSL cert (server cert or CA/Root cert) for a
>>> DNS server in Unbound?
>>> 
>>> 
>>> REFERENCES:
>>> 
>>> https://en.wikipedia.org/wiki/SOCKS 
>>> http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF. 
>>> http://www.inet.no/dante/doc/ Dante.
>>> 
>>> SOCKet Secure (SOCKS) is an Internet Protocol that routes
>>> network packets between a client and server through a proxy
>>> server. It works in Layer 5 (Session) of OSI.
>>> 
>>> OpenSSH: An "ad hoc" SOCKS proxy server can be created using
>>> OpenSSH, and allows more flexible proxying than is possible
>>> with ordinary port forwarding. http://www.openssh.com/ 
>>> DynamicForward 10.0.1.10:1080 # will create a SOCKS on that
>>> ip:port. GatewayPorts option allows wildcard address usage.
>>> And tun-based VPN tunnel allowing applications to
>>> transparently access remote network resources without
>>> "socksification" is now possible via OpenSSH.
>>> 
>>> --Bright Star (Bry8Star).
>>> 
>>> _______________________________________________
>>> Unbound-users mailing list
>>> Unbound-users@unbound.net
>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>> 
>> 
>> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20121031/ca38a597/attachment-0001.pgp>
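An added example (written for this archive page; it is not the poster's code and not part of Unbound) of the "one process instead of ~50 socat instances" relay the thread asks for: a single Python program that listens on one loopback TCP port per upstream DNS server and opens each accepted connection through a SOCKS5 proxy (RFC 1928, no authentication; the poster's socat line used SOCKS4A, but the proxies described above also speak v5). The proxy address 10.0.1.10:1080 and the PORT_MAP entries are assumptions built from the post's own numbers plus one hypothetical second upstream. Unbound's side stays exactly as in the post (forward-addr: 127.0.0.1@58001 per zone), with one requirement the post does not state: the relay only ever sees TCP, so the server: section needs tcp-upstream: yes, otherwise Unbound's UDP queries to 127.0.0.1@58001 go nowhere.

```python
"""One-process stand-in for the ~50 socat instances: one loopback TCP listener per
upstream DNS server, each connection opened through a SOCKS5 proxy (RFC 1928, no
auth). PROXY and PORT_MAP are constructed example values, not from the post."""
import socket
import socketserver
import struct
import threading
SOCKS_VER, CMD_CONNECT, NO_AUTH = 0x05, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
PROXY = ("10.0.1.10", 1080)             # assumed local SOCKS5 proxy (post's address)
PORT_MAP = {                             # local port -> upstream DNS server
    58001: ("62.141.58.13", 110),        # the upstream used in the post
    58002: ("217.31.204.130", 53),       # hypothetical second upstream
}

def socks5_connect_request(host, port):
    """SOCKS5 CONNECT request (RFC 1928 section 4) for an IPv4 literal."""
    return (struct.pack("!BBBB", SOCKS_VER, CMD_CONNECT, 0x00, ATYP_IPV4)
            + socket.inet_aton(host) + struct.pack("!H", port))

def socks5_reply_code(header):
    """REP field of a SOCKS5 reply; 0 means succeeded (RFC 1928 section 6)."""
    if len(header) < 4 or header[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply header")
    return header[1]

def recv_exact(sock, n):
    """Read exactly n bytes; SOCKS handshake fields are fixed-size."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf

def socks5_open(proxy, dest, timeout=10.0):
    """Connect to the proxy, negotiate no-auth, CONNECT to dest; return the socket."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(bytes([SOCKS_VER, 1, NO_AUTH]))          # offer exactly one method
        ver, method = recv_exact(s, 2)
        if ver != SOCKS_VER or method != NO_AUTH:
            raise ConnectionError("proxy did not accept no-auth")
        s.sendall(socks5_connect_request(*dest))
        header = recv_exact(s, 4)
        rep = socks5_reply_code(header)
        if rep != 0:
            raise ConnectionError(f"SOCKS CONNECT to {dest} failed, REP={rep}")
        atyp = header[3]                                   # drain BND.ADDR + BND.PORT
        n = recv_exact(s, 1)[0] if atyp == ATYP_DOMAIN else (16 if atyp == ATYP_IPV6 else 4)
        recv_exact(s, n + 2)
        return s
    except Exception:
        s.close()
        raise

def pump(src, dst):
    """Copy src->dst until src closes, then half-close dst so the peer sees EOF."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class RelayHandler(socketserver.BaseRequestHandler):
    def handle(self):
        if self.client_address[0] != "127.0.0.1":      # like socat's range=127.0.0.1/32
            return
        try:
            up = socks5_open(self.server.proxy, self.server.dest)
        except (OSError, ValueError):
            return                                      # Unbound sees EOF and retries
        with up:
            back = threading.Thread(target=pump, args=(up, self.request), daemon=True)
            back.start()
            pump(self.request, up)                      # Unbound -> proxy -> DNS server
            back.join()

class DnsRelay(socketserver.ThreadingTCPServer):
    allow_reuse_address, daemon_threads = True, True
    def __init__(self, listen, proxy, dest):
        self.proxy, self.dest = proxy, dest
        super().__init__(listen, RelayHandler)

def start_relays(proxy, port_map, host="127.0.0.1"):
    """Start one listener per mapped port, all in this process; return them."""
    servers = [DnsRelay((host, port), proxy, dest) for port, dest in port_map.items()]
    for srv in servers:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return servers

if __name__ == "__main__":
    start_relays(PROXY, PORT_MAP)
    threading.Event().wait()                            # serve until killed
```

Run it as a plain Python 3 script (standard library only) on the Windows box next to Unbound; adding an upstream is one more PORT_MAP line instead of one more socat process. Each listener accepts connections only from 127.0.0.1, the same restriction the socat line expresses with range=127.0.0.1/32, and a failed SOCKS handshake simply closes the connection so Unbound moves on to the next forward-addr. Two caveats on the quoted configuration: a forward-zone sends Unbound's queries with recursion desired to the listed addresses, and the root servers in the forward-zone "." list are authoritative only, so only the recursive resolvers in that list can answer through it; and for the TLS question, newer Unbound releases document an ssl-upstream option for TLS to upstream servers, so check unbound.conf(5) for the version you run before building a TLS relay by hand.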