Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Paul Wouters
Thu Nov 1 14:39:42 CET 2012


On Wed, 31 Oct 2012, Bry8 Star wrote:

Why don't you just tell unbound to use TCP only, and not UDP?

Then specify the forwarders using unbound-control? Then you
can even route that through tor.

Paul

> Date: Thu, 1 Nov 2012 02:46:58
> From: Bry8 Star <bry8star at yahoo.com>
> To: unbound-users at unbound.net
> Subject: Re: [Unbound-users] From Unbound To DNS Via SOCKS, and Choices
> 
> Hi Paul,
> Thanks, for the response. Was beginning to get
> a sense that no one ever reads my posting at all.
>
> I will contact him, if he had enough time to place
> your patch with unbound source code, and if i can
> get a hold on such for using from windows side.
>
> Currently, in unbound config file, when a zone
> is pointing toward a specific name-server, for
> example, like below:
> forward-zone:
>     name: "sld.tld"
>     forward-addr: 62.141.58.13@110
>
> # Then i have changed above lines like below:
> forward-zone:
>     name: "sld.tld"
>     forward-addr: 127.0.0.1@58001
>
> Then, by using windows edition of "socat",
> placed command-line(s) like below inside a
> batch .cmd / .bat file, to start necessary
> routing or forwarding:
>
> @start  "socat LH:58001 62.141.58.13 SP:1080"
> /D"%ProgramFiles%\socat\" socat.exe
> tcp4-listen:58001,bind=127.0.0.1,range=127.0.0.1/32,fork
> SOCKS4A:10.0.1.10:62.141.58.13:110,socksport=1080
>
> (in the above, from "@" to "=1080" is one single command line)
> (a space character exists after each of these words:
> start, SP:1080", socat\", .exe, fork)
>
> Similarly (like above command-line), specified
> unique port for each unique DNS-Server, and
> i've executed around 50 socat instances (from
> batch file), to forward all dns queries from
> Unbound, inside different local SOCKS proxy
> server(s), and sent DNS-queries toward different
> (public & private) DNS-servers & name-servers.
>
> Works fine, with complete DNSSEC support.
>
> But need to combine these into one or lesser
> amount of "socat" instances.
> or, need a support inside Unbound.
> or, need another tool which can efficiently
> do these type of TCP-DNS-to-SOCKS traffic
> routing.
>
> And also want to connect with (public and
> private) DNS-servers (or name-servers) which
> supports TLS cert based/encrypted connections.
> You may see below (in previous email) where
> i've mentioned about these.
>
> If anyone worked/working on these pls reply
> on this posting,
> Thanks in advance.
>
> -- Bright Star (Bry8Star).
>
> USERS: when you reply, make sure the "To:" field
> has below email address:
> unbound-users at unbound.net
>
>
>
> Paul Wouters wrote:
> Received on 2012-10-31 8:03 PM [GMT-08:00]:
>> On Wed, 31 Oct 2012, Bry8 Star wrote:
>>
>>> No one seems to be replying or understanding what i have
>>> requested for, very strange !
>>>
>>> In windows, no one found solution(s) ! ! ! for sending
>>> DNS-queries (for specific dns-servers) from unbound toward a
>>> socks-proxy-server ! ?
>>
>> I gave Jake Applebaum a patch/configuration to test for using
>> unbond with tor using a SOCKS proxy. I never got feedback, but he
>> might still have the patch and config lying around for you.
>>
>> Paul
>>
>>> trying to do this: [start] (1) local software --> (2) local
>>> unbound --> --> (3) local socks-proxy/srvr --> (4)
>>> socks-tunnel --> (5) Internet (My ISP) --> (6)
>>> socks-(origin)-srvr --> (7) Internet (socks-origin-srvr's ISP)
>>> --> (8) name-server/DNS-server. [End]
>>>
>>> -- Bright Star (Bry8Star).
>>>
>>>
>>>
>>> Bry8 Star wrote: Received on 2012-10-25 8:13 PM [GMT-08:00]:
>>>> Hi,
>>>>
>>>> My (side) Scenario (Pre-Conditions) :
>>>>
>>>> MyNet = My Local Network computers & devices. SOCKS-Srvr =
>>>> origin SOCKS-server on remote servr. SOCKS-prxy =
>>>> SOCKS-proxy-server = is local SOCKS forwarding proxy server.
>>>> Socks-Tnl = SOCKS-Tunnel = connection between (local)
>>>> socks-proxy & (origin) socks-server. SOCKS = is a type of
>>>> gateway, a type of tunnel, a routing process between a client
>>>> & a server.
>>>>
>>>> (start from right most side "MyNet")
>>>>
>>>> Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet. A | V -->
>>>> SOCKS-Srvr <-> remote local-netwrk (DNS). A | V -->
>>>> SOCKS-Srvr <-> Internet <-> DNS-Servers.
>>>>
>>>>
>>>> I have multiple SOCKS proxy servers (SOCKS v4a, v5) running
>>>> and listening on (a server computer): 10.0.1.10:1080 (ip:port),
>>>> 10.0.1.10:1082 ... This gateway/server computer 10.0.1.10
>>>> has an instance of "Unbound" (01) DNS-Resolver running on
>>>> 10.0.1.10:53:
>>>>     interface: 10.0.1.10
>>>>     port: 53
>>>>     access-control: 0.0.0.0/0 refuse
>>>>     access-control: ::0/0 refuse
>>>>     access-control: 10.0.1.10/8 allow
>>>>
>>>> Different socks tunnel ending on (aka, routed to) different
>>>> destination locations (which has the origin-SOCKS-server
>>>> gateway software), and ending/origin gateway computer there,
>>>> is connected with different ISP.
>>>>
>>>> Need to use this 10.0.1.10:53 DNSSEC supported DNS-Resolver,
>>>> from all clients, (under my local network).
>>>>
>>>> This DNS-Resolver must connect with destination DNS-Server(s)
>>>> or nameservers(NS) via different ISPs, which are connected at
>>>> the end of SOCKS tunnel.
>>>>
>>>> Those destination Nameserver(s) (NS-DNS-Srv) ( or Recursive
>>>> dns-server(s) (Rc-DNS-Srv) or Authoritative dns-server(s)
>>>> (A-DNS-Srv) ) are able to work with both TCP & UDP DNS, and
>>>> listening on multiple ports 53, 110, 443, etc.
>>>>
>>>> "Unbound" (01) (10.0.1.10:53) has multiple Forward and Stub
>>>> zones. Each forward or stub zone/domain has at least 4, (in
>>>> some cases 10), specific nameservers (or specific Rc-DNS-Srv,
>>>> or specific A-DNS-Srv).
>>>>
>>>> I'm using at least 10 different sets of (custom/special)
>>>> zones, where each zone has from 4 to 10 (different)
>>>> nameservers.
>>>>     stub-zone: # 01
>>>>         name: "custom-domain1.org"
>>>>         stub-host: ath-d1.namesrv-hostnam.org.
>>>>         stub-host: ath-d2.namesrv-hostnam.org.
>>>>         stub-host: ath-d3.namesrv-hostnam.org.
>>>>         stub-host: ath-d4.namesrv-hostnam.org.
>>>>     ...
>>>>     forward-zone: # 10
>>>>         name: "custom-domain10.org"
>>>>         forward-addr: ath-namesrvr.37.ip.adrs
>>>>         forward-addr: ath-namesrvr.38.ip.adrs
>>>>         forward-addr: ath-namesrvr.39.ip.adrs
>>>>         forward-host: ath-namesrvr40-hostnam.org.
>>>>
>>>> And, when a DNS-query does not match any of those
>>>> custom/special zones, then standard set of DNS-Servers are to
>>>> be used, like: Root DNS-Servers, TLD DNS-Servers, SLD (Second
>>>> Level Domain) DNS-Servers, HSP (Hosting Service Providers)
>>>> DNS-Servers, Public DNSSEC based DNS-Servers, etc, via
>>>> another SOCKS proxy:
>>>>     forward-zone:
>>>>         name: "."
>>>>         forward-addr: 94.75.228.29     # GPF DNSSEC
>>>>         forward-addr: 149.20.64.20     # OARC DNSSEC
>>>>         forward-addr: 217.31.204.130   # CZ.NIC DNSSEC
>>>>         forward-addr: 198.41.0.4       # ROOT a USC-ISI
>>>>         forward-addr: 192.5.5.241      # ROOT f ICANN
>>>>         forward-addr: 192.58.128.30    # ROOT j
>>>>         forward-addr: 193.0.14.129     # ROOT k RIPE
>>>>         forward-addr: 199.7.83.42      # ROOT l
>>>>         forward-addr: 128.8.10.90      # ROOT d UniMaryland
>>>>         forward-addr: 192.36.148.17    # ROOT i
>>>>         forward-addr: 202.12.27.33     # ROOT m
>>>>         forward-addr: 128.63.2.53      # ROOT h
>>>>         forward-addr: 192.203.230.10   # ROOT e NASA
>>>>         forward-addr: 192.228.79.201   # ROOT
>>>>         forward-addr: 192.33.4.12      # ROOT
>>>>         forward-addr: 192.112.36.4     # ROOT
>>>>
>>>>
>>>> QUESTION(s):
>>>>
>>>> Can i consider existing below command outgoing-interface: of
>>>> Unbound, as it's outbound traffic binding or forcing
>>>> command/option ?
>>>>
>>>> How can i bind/force "Unbound" (01) (10.0.1.10:53) to use the
>>>> 1st SOCKS proxy 10.0.1.10:1080 (IP:port) for resolving a 1st
>>>> set of zones ? (so that Unbound can connect with correct 1st
>>>> set of nameservers assigned for that 1st set of zones), And
>>>> how to resolve another/2nd set of zones via using another/2nd
>>>> SOCKS at 10.0.1.10:1081 ? (and allowing Unbound to connect
>>>> with another /2nd set of pre-assigned nameservers for that
>>>> 2nd set of zones).
>>>>
>>>> if there is a one command-line in "Unbound" to use/bind/force
>>>> outbound traffic go-through a SOCKS proxy that will be best.
>>>>
>>>> if not, then can anyone please point-to/indicate
>>>> /discuss/suggest what tools can be used to achieve such
>>>> function. Unbound to socks proxy.
>>>>
>>>> (NOT looking for a solution on Linux/Unix). (Looking for a
>>>> solution on Windows, the local "Unbound" (01) (10.0.1.10:53)
>>>> is running on Windows based computer).
>>>>
>>>> if i have to run 5 "Unbound", even that type of solution is
>>>> also ok. but reduced Unbound instance will be better.
>>>>
>>>> Is there a tool, which can accept all (incoming) traffic
>>>> coming (from Unbound) toward a network interface adapter's
>>>> (different ports & single) IP address, and can forward those
>>>> ports toward a (single ip:port based) SOCKS proxy server ?
>>>> what functions like TAP-to-SOCKS ?
>>>>
>>>> if a tool can perform TUN-to-SOCKS function, then can such
>>>> tool be used for send all queries via SOCKS from Unbound, by
>>>> binding Unbound with that TUN's ip-address ?
>>>>
>>>> for example, can an OpenSSH instance be run in L2/3 tun VPN
>>>> mode & forward tun ip-adrs traffic toward a SOCKS proxy ?
>>>>
>>>> Can this below command/option "outgoing-port-permit:" be set
>>>> to use only 4 ports? like:
>>>>     outgoing-port-permit: 53001-53004
>>>> or, even set to use only 1 port?
>>>>     outgoing-port-permit: 53001-53001
>>>> What tool can allow to forward such traffic from Unbound to
>>>> a SOCKS proxy?
>>>>
>>>> Can i run an instance of OpenSSH to listen a range of ports,
>>>> from 53001 to 53004 on ip-adrs 127.0.0.53 and forward those
>>>> toward a single SOCKS proxy at 10.0.1.10:1080 ? and, after
>>>> running OpenSSH, can i run & force Unbound to use outbound
>>>> traffic via: outgoing-interface: 127.0.0.53
>>>>
>>>>
>>>> Will these four commands work, to force using only 1
>>>> outgoing port?
>>>>     outgoing-range: 1
>>>>     num-queries-per-thread: 1
>>>>     outgoing-port-permit: 53001
>>>>     outgoing-port-avoid: "1-53000,53002-65535"
>>>> Will those slow down the dns-resolving process very much?
>>>>
>>>> or, is there a tool which can function like DNS-to-SOCKS ?
>>>> how can it be used with Unbound ?
>>>>
>>>> How can i specify in "Unbound" to use port 110 with a
>>>> DNS-Server, instead of port 53 ?
>>>>
>>>> Can i specify SSL cert (server cert or CA/Root cert) for a
>>>> DNS-Server in Unbound ?
>>>>
>>>>
>>>> REFERENCES:
>>>>
>>>> https://en.wikipedia.org/wiki/SOCKS
>>>> http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF.
>>>> http://www.inet.no/dante/doc/ Dante.
>>>>
>>>> SOCKet Secure (SOCKS) is an Internet Protocol that routes
>>>> network packets between a client and server through a proxy
>>>> server. It works in Layer 5 (Session) of OSI.
>>>>
>>>> OpenSSH: An "ad hoc" SOCKS proxy server can be created using
>>>> OpenSSH, and allows more flexible proxying than is possible
>>>> with ordinary port forwarding. http://www.openssh.com/
>>>> DynamicForward 10.0.1.10:1080 # will create a SOCKS on that
>>>> ip:port. GatewayPorts option allows wildcard address usage.
>>>> And tun-based VPN tunnel allowing applications to
>>>> transparently access remote network resources without
>>>> "socksification" is now possible via OpenSSH.
>>>>
>>>> --Bright Star (Bry8Star).
>>>>
>>>> _______________________________________________ Unbound-users
>>>> mailing list Unbound-users at unbound.net
>>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>>>
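Paul's "TCP only" suggestion and the poster's one-socat-per-nameserver setup can be combined into a single relay process. The program below is an added example for this thread, not code from the thread, from Unbound or from socat: a Python 3.8+ relay that listens on loopback ports, opens each incoming DNS-over-TCP connection through one SOCKS5 proxy with an RFC 1928 CONNECT, and copies bytes in both directions. It assumes a SOCKS5 proxy at the poster's 10.0.1.10:1080 that accepts the no-authentication method, and uses the nameserver 62.141.58.13 port 110 quoted above as its only constructed table entry. On the Unbound side the matching configuration is `tcp-upstream: yes` in the `server:` section and `forward-addr: 127.0.0.1@58001` in the forward-zone; a SOCKS CONNECT carries a TCP stream, so Unbound's UDP queries could not pass through it.

```python
"""TCP-DNS-to-SOCKS5 relay: one process in place of many socat instances.
Added example (not code from the thread, Unbound or socat). Proxy and
nameserver values are those quoted in the thread; the proxy is assumed
to accept SOCKS5's no-authentication method."""
import socket
import struct
import threading
from contextlib import suppress

SOCKS5, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
PROXY = ("10.0.1.10", 1080)
FORWARDS = {58001: ("62.141.58.13", 110)}   # local port -> (nameserver, port)

def build_connect_request(host, port):
    """RFC 1928 CONNECT. A literal IPv4 address goes as ATYP 1; anything else is
    sent as a domain (ATYP 3) so the proxy resolves it and no lookup leaves the tunnel."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_pton(socket.AF_INET, host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name   # raises if name > 255 bytes
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def parse_reply(data):
    """Incremental SOCKS5 reply parser: (REP code, bytes consumed), or None
    while the buffer is incomplete. Raises ValueError on malformed input."""
    if len(data) < 4:
        return None
    ver, rep, _rsv, atyp = data[:4]
    if ver != SOCKS5 or atyp not in (ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6):
        raise ValueError("malformed SOCKS5 reply: %r" % data[:4])
    if atyp == ATYP_DOMAIN and len(data) < 5:
        return None
    addr_len = {ATYP_IPV4: 4, ATYP_IPV6: 16}.get(atyp) or 1 + data[4]
    total = 4 + addr_len + 2          # VER REP RSV ATYP + BND.ADDR + BND.PORT
    return (rep, total) if len(data) >= total else None

def recv_until(sock, done, buf=b""):
    """Read from sock until done(buf) returns non-None; gives (result, buf)."""
    while (result := done(buf)) is None:
        chunk = sock.recv(512)
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return result, buf

def socks_connect(proxy, target):
    """Return (socket to target through proxy, bytes received after the reply)."""
    sock = socket.create_connection(proxy, timeout=10)
    sock.sendall(bytes([SOCKS5, 0x01, 0x00]))        # offer one method: no auth
    _, buf = recv_until(sock, lambda b: len(b) >= 2 or None)
    if buf[:2] != bytes([SOCKS5, 0x00]):
        sock.close()
        raise ConnectionError("proxy rejected the no-auth method")
    sock.sendall(build_connect_request(*target))
    (rep, used), buf = recv_until(sock, parse_reply, buf[2:])
    if rep != 0:
        sock.close()
        raise ConnectionError("CONNECT refused, REP=%d" % rep)
    sock.settimeout(None)
    return sock, buf[used:]

def pump(src, dst):
    """Copy one direction; DNS-over-TCP's 2-byte length framing passes through."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)                 # hand EOF to the other side

def handle_client(client, target):
    try:
        upstream, leftover = socks_connect(PROXY, target)
    except (OSError, ValueError) as exc:
        print("relay to %s:%d failed: %s" % (*target, exc))
        return client.close()
    if leftover:
        client.sendall(leftover)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

def serve(port, target):
    # Loopback only, like socat's bind=127.0.0.1,range=127.0.0.1/32: no other
    # host can use this relay to reach arbitrary targets through the proxy.
    srv = socket.create_server(("127.0.0.1", port))
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle_client, args=(conn, target), daemon=True).start()

if __name__ == "__main__":
    for lport, ns in FORWARDS.items():
        threading.Thread(target=serve, args=(lport, ns), daemon=True).start()
    threading.Event().wait()
```

Two choices matter for the setup described in the thread: the listeners bind 127.0.0.1 only (the same restriction as socat's `bind=127.0.0.1,range=127.0.0.1/32`), so no other host on the local network can use the relay as an open path into the proxy; and a hostname target is handed to the proxy as a SOCKS5 domain-name address (the SOCKS4A-style behaviour of the quoted socat command) rather than being resolved locally, so no lookup escapes the tunnel. Add one `FORWARDS` entry per nameserver in place of each further socat instance.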