Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Bry8 Star
Fri Nov 2 02:03:10 CET 2012


(Paul, sorry i did not understand what
you were indicating.)

unbound, was already configured to support
local UDP, and TCP DNS-queries, and use only
TCP DNS for upstream outbound queries with
Internet name-servers, DNS-Servers, private
remote name-servers, etc (which i have
mentioned previously).
Then i changed only name-server(s) & DNS-Server(s)
inside unbound.conf/service.conf file, with unique
local port, and placed "socat" port forwarder
& socksifier (toward actual name-server/DNS-server),
on each of those unique port.

since i've not enabled remote control
section/feature in local unbound, i guess
unbound-control will probably not work.

if remote control feature is turned on in unbound,
and then using unbound-control, can a SOCKS proxy
like 10.0.1.10:1080 be specified ? or, can a
Tor SOCKS proxy like 10.0.1.10:9050 be specified ?
(if a Tor SOCKS proxy is to be used, then i
MUST use TLS encrypted tunnels (to the
destination name-server(s), DNS-server(s)), i think
that will require further modification in the
interconnecting configurations of these components).

Does a feature exist in Unbound to specify
SSL/TLS cert for connecting with each/specific
DNS-Server(s) ? and then send DNS-queries ?
(pls assume these DNS-Servers supports DNS-queries
via TLS encrypted connections via their TCP port
443).
or, must i use the SSL/TLS cert
(used by DNS-Server) with "socat" to get
encrypted tunnels ? (currently i have no
choice but to use such/socat for encrypted
tunnels).

-- Bright Star (Bry8Star).

Note to Users: when you reply, make sure
the "To:" field has below email address:
unbound-users at unbound.net



Paul Wouters wrote:
Received on 2012-11-01 6:39 AM [GMT-08:00]:
> On Wed, 31 Oct 2012, Bry8 Star wrote:
> 
> Why don't you just tell unbound to use TCP only, and not UDP?
> 
> Then specify the forwarders using unbound-control? Then you can
> even route that through tor.
> 
> Paul
> 
>> Date: Thu, 1 Nov 2012 02:46:58 From: Bry8 Star
>> <bry8star at yahoo.com> To: unbound-users at unbound.net Subject: Re:
>> [Unbound-users] From Unbound To DNS Via SOCKS, and Choices
>> 
>> Hi Paul, Thanks, for the response. Was beginning to get a sense
>> that no one ever reads my posting at all.
>> 
>> I will contact him, if he had enough time to place your patch
>> with unbound source code, and if i can get a hold on such for
>> using from windows side.
>> 
>> Currently, in unbound config file, when a zone is pointing
>> toward a specific name-server, for example, like below:
>> forward-zone:
>>   name: "sld.tld"
>>   forward-addr: 62.141.58.13@110
>> 
>> # Then i have changed above lines like below:
>> forward-zone:
>>   name: "sld.tld"
>>   forward-addr: 127.0.0.1@58001
>> 
>> Then, by using windows edition of "socat", placed
>> command-line(s) like below inside a batch .cmd / .bat file, to
>> start necessary routing or forwarding:
>> 
>> @start  "socat LH:58001 62.141.58.13 SP:1080" 
>> /D"%ProgramFiles%\socat\" socat.exe 
>> tcp4-listen:58001,bind=127.0.0.1,range=127.0.0.1/32,fork 
>> SOCKS4A:10.0.1.10:62.141.58.13:110,socksport=1080
>> 
>> (in above, from "@" to "=1080" is a 1 single command line) (a
>> space character exist after these words: start, SP:1080",
>> socat\", .exe, fork)
>> 
>> Similarly (like above command-line), specified unique port for
>> each unique DNS-Server, and i've executed around 50 socat
>> instances (from batch file), to forward all dns queries from 
>> Unbound, inside different local SOCKS proxy server(s), and sent
>> DNS-queries toward different (public & private) DNS-servers &
>> name-servers.
>> 
>> Works fine, with complete DNSSEC support.
>> 
>> But need to combine these into one or lesser amount of "socat"
>> instances. or, need a support inside Unbound. or, need another
>> tool which can efficiently do these type of TCP-DNS-to-SOCKS
>> traffic routing.
>> 
>> And also want to connect with (public and private) DNS-servers
>> (or name-servers) which supports TLS cert based/encrypted
>> connections. You may see below (in previous email) where i've
>> mentioned about these.
>> 
>> If anyone worked/working on these pls reply on this posting, 
>> Thanks in advance.
>> 
>> -- Bright Star (Bry8Star).
>> 
>> USERS: when you reply, make sure the "To:" field has below
>> email address: unbound-users at unbound.net
>> 
>> 
>> 
>> Paul Wouters wrote: Received on 2012-10-31 8:03 PM
>> [GMT-08:00]:
>>> On Wed, 31 Oct 2012, Bry8 Star wrote:
>>> 
>>>> No one seems to be replying or understanding what i have 
>>>> requested for, very strange !
>>>> 
>>>> In windows, no one found solution(s) ! ! ! for sending 
>>>> DNS-queries (for specific dns-servers) from unbound toward
>>>> a socks-proxy-server ! ?
>>> 
>>> I gave Jake Applebaum a patch/configuration to test for
>>> using unbond with tor using a SOCKS proxy. I never got
>>> feedback, but he might still have the patch and config lying
>>> around for you.
>>> 
>>> Paul
>>> 
>>>> trying to do this: [start] (1) local software --> (2)
>>>> local unbound --> --> (3) local socks-proxy/srvr --> (4) 
>>>> socks-tunnel --> (5) Internet (My ISP) --> (6) 
>>>> socks-(origin)-srvr --> (7) Internet (socks-origin-srvr's
>>>> ISP) --> (8) name-server/DNS-server. [End]
>>>> 
>>>> -- Bright Star (Bry8Star).
>>>> 
>>>> 
>>>> 
>>>> Bry8 Star wrote: Received on 2012-10-25 8:13 PM
>>>> [GMT-08:00]:
>>>>> Hi,
>>>>> 
>>>>> My (side) Scenario (Pre-Conditions) :
>>>>> 
>>>>> MyNet = My Local Network computers & devices. SOCKS-Srvr
>>>>> = origin SOCKS-server on remote servr. SOCKS-prxy = 
>>>>> SOCKS-proxy-server = is local SOCKS forwarding proxy
>>>>> server. Socks-Tnl = SOCKS-Tunnel = connection between
>>>>> (local) socks-proxy & (origin) socks-server. SOCKS = is a
>>>>> type of gateway, a type of tunnel, a routing process
>>>>> between a client & a server.
>>>>> 
>>>>> (start from right most side "MyNet")
>>>>> 
>>>>> Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet. A | V
>>>>> --> SOCKS-Srvr <-> remote local-netwrk (DNS). A | V --> 
>>>>> SOCKS-Srvr <-> Internet <-> DNS-Servers.
>>>>> 
>>>>> 
>>>>> I have multiple SOCKS proxy servers, (SOCKS v4a, v5),
>>>>> Running & listening on (a server computer):
>>>>> 10.0.1.10:1080 (ip:port)
>>>>> 10.0.1.10:1082
>>>>> ...
>>>>> This gateway/server computer 10.0.1.10 has an instance of
>>>>> "Unbound" (01) DNS-Resolver running on 10.0.1.10:53
>>>>> interface: 10.0.1.10
>>>>> port: 53
>>>>> access-control: 0.0.0.0/0 refuse
>>>>> access-control: ::0/0 refuse
>>>>> access-control: 10.0.1.10/8 allow
>>>>> 
>>>>> Different socks tunnel ending on (aka, routed to)
>>>>> different destination locations (which has the
>>>>> origin-SOCKS-server gateway software), and ending/origin
>>>>> gateway computer there, is connected with different ISP.
>>>>> 
>>>>> Need to use this 10.0.1.10:53 DNSSEC supported
>>>>> DNS-Resolver, from all clients, (under my local
>>>>> network).
>>>>> 
>>>>> This DNS-Resolver must connect with destination
>>>>> DNS-Server(s) or nameservers(NS) via different ISPs,
>>>>> which are connected at the end of SOCKS tunnel.
>>>>> 
>>>>> Those destination Nameserver(s) (NS-DNS-Srv) ( or
>>>>> Recursive dns-server(s) (Rc-DNS-Srv) or Authoritative
>>>>> dns-server(s) (A-DNS-Srv) ) are able to work with both
>>>>> TCP & UDP DNS, and listening on multiple ports 53, 110,
>>>>> 443, etc.
>>>>> 
>>>>> "Unbound" (01) (10.0.1.10:53) has multiple Forward and
>>>>> Stub zones. Each forward or stub zone/domain has at least
>>>>> 4, (in some cases 10), specific nameservers (or specific
>>>>> Rc-DNS-Srv, or specific A-DNS-Srv).
>>>>> 
>>>>> I'm using at least 10 different sets of (custom/special)
>>>>> zones, where each zone has from 4 to 10 (different)
>>>>> nameservers.
>>>>> stub-zone: # 01
>>>>>   name: "custom-domain1.org"
>>>>>   stub-host: ath-d1.namesrv-hostnam.org.
>>>>>   stub-host: ath-d2.namesrv-hostnam.org.
>>>>>   stub-host: ath-d3.namesrv-hostnam.org.
>>>>>   stub-host: ath-d4.namesrv-hostnam.org.
>>>>> ...
>>>>> forward-zone: # 10
>>>>>   name: "custom-domain10.org"
>>>>>   forward-addr: ath-namesrvr.37.ip.adrs
>>>>>   forward-addr: ath-namesrvr.38.ip.adrs
>>>>>   forward-addr: ath-namesrvr.39.ip.adrs
>>>>>   forward-host: ath-namesrvr40-hostnam.org.
>>>>> 
>>>>> And, when a DNS-query does not match any of those
>>>>> custom/special zones, then a standard set of DNS-Servers
>>>>> is to be used, like: Root DNS-Servers, TLD DNS-Servers,
>>>>> SLD (Second Level Domain) DNS-Servers, HSP (Hosting
>>>>> Service Providers) DNS-Servers, Public DNSSEC based
>>>>> DNS-Servers, etc, via another SOCKS proxy:
>>>>> forward-zone:
>>>>>   name: "."
>>>>>   forward-addr: 94.75.228.29 # GPF DNSSEC
>>>>>   forward-addr: 149.20.64.20 # OARC DNSSEC
>>>>>   forward-addr: 217.31.204.130 # CZ.NIC DNSSEC
>>>>>   forward-addr: 198.41.0.4 # ROOT a USC-ISI
>>>>>   forward-addr: 192.5.5.241 # ROOT f ICANN
>>>>>   forward-addr: 192.58.128.30 # ROOT j
>>>>>   forward-addr: 193.0.14.129 # ROOT k RIPE
>>>>>   forward-addr: 199.7.83.42 # ROOT l
>>>>>   forward-addr: 128.8.10.90 # ROOT d UniMaryland
>>>>>   forward-addr: 192.36.148.17 # ROOT i
>>>>>   forward-addr: 202.12.27.33 # ROOT m
>>>>>   forward-addr: 128.63.2.53 # ROOT h
>>>>>   forward-addr: 192.203.230.10 # ROOT e NASA
>>>>>   forward-addr: 192.228.79.201 # ROOT
>>>>>   forward-addr: 192.33.4.12 # ROOT
>>>>>   forward-addr: 192.112.36.4 # ROOT
>>>>> 
>>>>> 
>>>>> QUESTION(s):
>>>>> 
>>>>> Can i consider existing below command outgoing-interface:
>>>>> of Unbound, as it's outbound traffic binding or forcing 
>>>>> command/option ?
>>>>> 
>>>>> How can i bind/force "Unbound" (01) (10.0.1.10:53) to use
>>>>> the 1st SOCKS proxy 10.0.1.10:1080 (IP:port) for
>>>>> resolving a 1st set of zones ? (so that Unbound can
>>>>> connect with correct 1st set of nameservers assigned for
>>>>> that 1st set of zones), And how to resolve another/2nd
>>>>> set of zones via using another/2nd SOCKS at
>>>>> 10.0.1.10:1081 ? (and allowing Unbound to connect with
>>>>> another /2nd set of pre-assigned nameservers for that 2nd
>>>>> set of zones).
>>>>> 
>>>>> if there is a one command-line in "Unbound" to
>>>>> use/bind/force outbound traffic go-through a SOCKS proxy
>>>>> that will be best.
>>>>> 
>>>>> if not, then can anyone please point-to/indicate 
>>>>> /discuss/suggest what tools can be used to achieve such 
>>>>> function. Unbound to socks proxy.
>>>>> 
>>>>> (NOT looking for a solution on Linux/Unix). (Looking for
>>>>> a solution on Windows, the local "Unbound" (01)
>>>>> (10.0.1.10:53) is running on Windows based computer).
>>>>> 
>>>>> if i have to run 5 "Unbound", even that type of solution
>>>>> is also ok. but reduced Unbound instance will be better.
>>>>> 
>>>>> Is there a tool, which can accept all (incoming) traffic 
>>>>> coming (from Unbound) toward a network interface
>>>>> adapter's (different ports & single) IP address, and can
>>>>> forward those ports toward a (single ip:port based) SOCKS
>>>>> proxy server ? what functions like TAP-to-SOCKS ?
>>>>> 
>>>>> if a tool can perform TUN-to-SOCKS function, then can
>>>>> such tool be used for send all queries via SOCKS from
>>>>> Unbound, by binding Unbound with that TUN's ip-address ?
>>>>> 
>>>>> for example, can an OpenSSH instance be run in L2/3 tun
>>>>> VPN mode & forward tun ip-adrs traffic toward a SOCKS
>>>>> proxy ?
>>>>> 
>>>>> Can this below command/option "outgoing-port-permit:" be
>>>>> set to use only 4 ports ? like:
>>>>> outgoing-port-permit: 53001-53004
>>>>> or, even set to use only 1 port ?
>>>>> outgoing-port-permit: 53001-53001
>>>>> What tool can allow to
>>>>> forward such traffic from Unbound to a SOCKS proxy ?
>>>>> 
>>>>> Can i run an instance of OpenSSH to listen a range of
>>>>> ports, from 53001 to 53004 on ip-adrs 127.0.0.53 and
>>>>> forward those toward a single SOCKS proxy at
>>>>> 10.0.1.10:1080 ? and, after running OpenSSH, can i run &
>>>>> force Unbound to use outbobund traffic via:
>>>>> outgoing-interface: 127.0.0.53
>>>>> 
>>>>> 
>>>>> Will these four commands work ? to force using only 1
>>>>> outgoing port:
>>>>> outgoing-range: 1
>>>>> num-queries-per-thread: 1
>>>>> outgoing-port-permit: 53001
>>>>> outgoing-port-avoid: "1-53000,53002-65535"
>>>>> will those make the dns-resolving process very slow ?
>>>>> 
>>>>> or, is there a tool which can function like DNS-to-SOCKS
>>>>> ? how can it be used with Unbound ?
>>>>> 
>>>>> How can i specify in "Unbound" to use port 110 with a 
>>>>> DNS-Server, instead of port 53 ?
>>>>> 
>>>>> Can i specify SSL cert (server cert or CA/Root cert) for
>>>>> a DNS-Server in Unbound ?
>>>>> 
>>>>> 
>>>>> REFERENCES:
>>>>> 
>>>>> https://en.wikipedia.org/wiki/SOCKS 
>>>>> http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF. 
>>>>> http://www.inet.no/dante/doc/ Dante.
>>>>> 
>>>>> SOCKet Secure (SOCKS) is an Internet Protocol that
>>>>> routes network packets between a client and server
>>>>> through a proxy server. It works in Layer 5 (Session) of
>>>>> OSI.
>>>>> 
>>>>> OpenSSH: An "ad hoc" SOCKS proxy server can be created
>>>>> using OpenSSH, and allows more flexible proxying than is
>>>>> possible with ordinary port forwarding.
>>>>> http://www.openssh.com/ DynamicForward 10.0.1.10:1080 #
>>>>> will create a SOCKS on that ip:port. GatewayPorts option
>>>>> allows wildcard address usage. And tun-based VPN tunnel
>>>>> allowing applications to transparently access remote
>>>>> network resources without "socksification" is now
>>>>> possible via OpenSSH.
>>>>> 
>>>>> --Bright Star (Bry8Star).
>>>>> 
>>>>> _______________________________________________
>>>>> Unbound-users mailing list Unbound-users at unbound.net 
>>>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

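As an added example (not code from the thread or from Unbound), a small Python script that generates the per-upstream forward-zone stanzas and the matching socat socksifier command lines that the messages above set up by hand, one loopback port per distinct upstream so a server shared by two zones gets one socat instance rather than two. The SOCKS proxy address 10.0.1.10:1080 and the socat option chain are taken from the thread; the upstream addresses and zone names are constructed sample values.

```python
# Added example, not code from the thread: generate the per-upstream unbound
# forward-zone stanzas and the matching socat socksifier command lines that
# the messages above set up by hand, one loopback port per distinct upstream.
# Assumptions: SOCKS proxy 10.0.1.10:1080 as in the thread; the upstream
# addresses below are constructed sample values (RFC 5737 documentation ranges).
SOCKS_HOST = "10.0.1.10"
SOCKS_PORT = 1080
FIRST_LOCAL_PORT = 58001

# Constructed sample: zone name -> list of (upstream_ip, upstream_tcp_port).
SAMPLE_ZONES = {
    "sld.tld": [("192.0.2.10", 110), ("192.0.2.11", 53)],
    "example.org": [("198.51.100.7", 443), ("192.0.2.10", 110)],
}

def allocate_ports(zones, first_port=FIRST_LOCAL_PORT):
    """Map every distinct (ip, port) upstream to one local loopback port.
    An upstream shared by two zones gets one socat instance, not two."""
    mapping = {}
    port = first_port
    for upstreams in zones.values():
        for upstream in upstreams:
            if upstream not in mapping:
                mapping[upstream] = port
                port += 1
    return mapping

def unbound_forward_zones(zones, mapping):
    """Render forward-zone stanzas that point unbound at the local ports."""
    lines = []
    for name, upstreams in zones.items():
        lines.append("forward-zone:")
        lines.append(f'    name: "{name}"')
        for upstream in upstreams:
            lines.append(f"    forward-addr: 127.0.0.1@{mapping[upstream]}")
    return "\n".join(lines)

def socat_commands(mapping):
    """One socat listener per upstream, same option chain as in the thread.
    SOCKS4A only relays the TCP stream: queries reach the proxy unencrypted,
    so the proxy operator sees every query; unbound's DNSSEC validation still
    catches tampered answers but not the exposure of what was asked."""
    cmds = []
    for (ip, port), local in sorted(mapping.items(), key=lambda kv: kv[1]):
        cmds.append(
            f"socat tcp4-listen:{local},bind=127.0.0.1,range=127.0.0.1/32,fork "
            f"SOCKS4A:{SOCKS_HOST}:{ip}:{port},socksport={SOCKS_PORT}"
        )
    return cmds
```

Feed the output of unbound_forward_zones into unbound.conf and start one socat per line of socat_commands; the bind and range options keep each listener reachable only from the local host.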