Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Paul Wouters
Fri Nov 2 02:31:12 CET 2012


On Thu, 1 Nov 2012, Bry8 Star wrote:

> unbound, was already configured to support
> local UDP, and TCP DNS-queries, and use only
> TCP DNS for upstream outbound queries with
> Internet name-servers, DNS-Servers, private
> remote name-servers, etc (which i have
> mentioned previously).
> Then i changed only name-server(s) & DNS-Server(s)
> inside unbound.conf/service.conf file, with unique
> local port, and placed "socat" port forwarder
> & socksifier (toward actual name-server/DNS-server),
> on each of those unique port.
>
> since i've not enabled remote control
> section/feature in local unbound, i guess
> unbound-control will probably not work.

You can configure forwarders in unbound.conf as well.

With unbound only doing TCP sessions, you should be able to do it all over
tor or SOCKS proxies.

> Does a feature exist in Unbound to specify
> SSL/TLS cert for connecting with each/specific
> DNS-Server(s) ? and then send DNS-queries ?
> (pls assume these DNS-Servers supports DNS-queries
> via TLS encrypted connections via their TCP port
> 443).

Yes, unbound can talk to unbound servers using TLS/SSL, but it will not
perform any validation of the PKIX certificates. It assumes that
important data obtained this way is protected by DNSSEC.

For example, if you configure this in unbound running on a server:

         # service clients over SSL (on the TCP sockets), with plain DNS
         # inside
         # the SSL stream.  Give the certificate to use and private key.
         # default is "" (disabled).  requires restart to take effect.
         # ssl-service-key: "path/to/privatekeyfile.key"
         # ssl-service-pem: "path/to/publiccertfile.pem"
         # ssl-port: 443

Then you can configure this on the client:

         # request upstream over SSL (with plain DNS inside the SSL
         # stream).
         # Default is no.  Can be turned on and off with unbound-control.
         # ssl-upstream: no

This is what "dnssec-trigger" configures using unbound-control when it
needs to use DNS over TLS via unbound. It uses one of these servers:

# Provided by fedoraproject.org, #fedora-admin
# It is provided on a best effort basis, with no service guarantee.
ssl443: 80.239.156.220 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80:  80.239.156.220 
ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80:  66.35.62.163 
ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80:  152.19.134.150 
ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9

# provided by Paul Wouters (pwouters at redhat.com)
# It is provided on a best effort basis, with no service guarantee.
# tcp80:  193.110.157.123
# tcp80:  2001:888:2003:1004::123
# ssl443: 193.110.157.123
# 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
# ssl443: 2001:888:2003:1004::123
# 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7

# provided by NLnetLabs (www.nlnetlabs.nl)
# It is provided on a best effort basis, with no service guarantee.
# tcp80: 213.154.224.3
# tcp80: 2001:7b8:206:1:bb::
# ssl443: 213.154.224.3
# DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
# ssl443: 2001:7b8:206:1:bb::
# DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F

You can use those for testing as well, I believe you will need something
like:

unbound-control set_option ssl-upstream: yes
unbound-control forward_add . 193.110.157.123

Paul
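The point of the reply above is that unbound itself does no PKIX validation on an `ssl-upstream` session, so the only thing tying the TLS connection to a particular server is the certificate fingerprint that the dnssec-trigger list carries next to each `ssl443:` entry, and that pin has to be checked outside unbound. The script below is an added example, not code from the mailing-list post, from Unbound or from dnssec-trigger: it parses a server list in the `ssl443:`/`tcp80:` format quoted above (including the wrapped, commented-out form where the fingerprint sits on the following line), computes a colon-separated SHA-256 fingerprint over a DER certificate and compares it in constant time against the pin, and emits the two `unbound-control` commands the post ends with. The sample list, its documentation-range addresses and its fingerprints are constructed and pin nothing real; that the list's fingerprint is SHA-256 over the DER certificate is an assumption made here, not something the post states.

```python
"""Pin-check helper for a dnssec-trigger style DNS-over-TLS server list.
Added example, not part of the mailing-list post, Unbound or dnssec-trigger."""
import hashlib
import hmac
import re

# 32 bytes in colon-separated upper-case hex, the form used in the list.
FP_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")
ENTRY_RE = re.compile(r"^(ssl443|tcp80):\s*(\S+)(?:\s+(\S+))?$")

# Constructed fingerprints (00..1F and FF..E0); they match no real certificate.
FP_A = ":".join(f"{i:02X}" for i in range(32))
FP_B = ":".join(f"{255 - i:02X}" for i in range(32))

# Constructed sample in the format quoted in the post. Addresses are from the
# RFC 5737 / RFC 3849 documentation ranges. The second server is commented
# out and has its fingerprint wrapped onto the next line, as in the post.
SAMPLE_LIST = f"""\
# provided by example.org (constructed sample)
# It is provided on a best effort basis, with no service guarantee.
ssl443: 192.0.2.10 {FP_A}
tcp80:  192.0.2.10
# ssl443: 2001:db8::10
# {FP_B}
# tcp80:  2001:db8::10
"""


def parse_server_list(text):
    """Return a list of dicts with transport, addr, fingerprint and enabled.

    A line whose whole body is a fingerprint is attached to the preceding
    ssl443 entry that has no fingerprint yet (the wrapped form)."""
    servers = []
    pending = None  # ssl443 entry still waiting for its fingerprint
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        body = line.lstrip("#").strip()
        if pending is not None and FP_RE.match(body):
            pending["fingerprint"] = body.upper()
            pending = None
            continue
        m = ENTRY_RE.match(body)
        if not m:
            pending = None  # free-text comment ends any wrapped entry
            continue
        transport, addr, fp = m.groups()
        entry = {
            "transport": transport,
            "addr": addr,
            "fingerprint": fp.upper() if fp else None,
            "enabled": not commented,
        }
        servers.append(entry)
        pending = entry if transport == "ssl443" and fp is None else None
    return servers


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate as colon-separated hex.
    Assumption: this is the digest the list's fingerprints use."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the pin.
    This is the check unbound does not perform for ssl-upstream sessions."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned.upper())


def unbound_control_commands(servers):
    """The commands the post shows for pointing a local unbound at a TLS
    upstream; only enabled ssl443 entries that carry a pin are used."""
    cmds = ["unbound-control set_option ssl-upstream: yes"]
    for s in servers:
        if s["transport"] == "ssl443" and s["enabled"] and s["fingerprint"]:
            cmds.append(f"unbound-control forward_add . {s['addr']}")
    return cmds


if __name__ == "__main__":
    for s in parse_server_list(SAMPLE_LIST):
        print(s)
    print("\n".join(unbound_control_commands(parse_server_list(SAMPLE_LIST))))
```

In a real deployment the pin check would run against the DER certificate read off the TLS session before unbound is told to forward to that address; the commented-out entries stay parsed but are excluded from the generated commands, mirroring how the list marks servers that are not currently in use.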