Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Paul Wouters
Tue Nov 6 04:37:44 CET 2012


On Mon, 5 Nov 2012, Bry8 Star wrote:

>> No. There is no "DNS over TLS" standard, so you will not
>> be able to do that, unless you hide the TLS tunneling
>>
>> I still think you are looking for a problem to a built solution.
>
> I never asked for a "DNS over TLS" standard !

You ask for something that interoperates, without "hacking" with
wrapper solutions. I am telling you the only way that is possible
is if there is a standard, which there is not. You _are_ asking
why there is no "standard" way to do this with all kinds of
different equipment

> Paul, what are you talking about "problem to a built solution" ! !

You think that encrypting part of the way to some remote DNS server
gives you privacy. I've told you repeatedly that is not possible.

Let's say you do an encrypted DNS query/answer, and after that you
do port 443 traffic to 157.166.255.18. It's trivial to know where
you connected to and what that dns query was. If you then say, you
will hide traffic to 157.166.255.18, then I tell you that's where
you should hide your DNS traffic to as well. Some people told you
this months ago as well on the list, including me.

> - From the first email, i'm keep on asking for a solution to connect
> securely (encrypted) with a DNS-server, (so that someone in the
> middle does not know what exact domain my DNS-client/resolver is
> querying, primarily for privacy reasons & concerns).

someone in the middle is someone who routes your packets, and will
see you connect after your dns reply. You cannot hide from those
people. That is why I say this is a solution looking for a problem.

> Haven't you noticed the HTTPS-DNS feature(s) used by many public
> DNS-Servers ?
> http://www.privacyfoundation.de/projekte/https_dns/

Reading from that page, they were more looking to circumvent DNS
censorship and not providing privacy. If you want your DNS proof
against censorship, deploy DNSSEC. You will know when someone tried
to rewrite your DNS, and you will be able to tell you are under attack.
There is nothing you can do from being stopped, if they are on your
path.They can simply filter out the packets you need to connect.

> I thought "Unbound" alone, or with a assistant from simple tool, it
> will be able to use those HTTPS-DNS features (on windows platforms),
> to connect with those DNS-Servers.

I don't know how they implemented it. unbound implements TLS purely
as a wrapper for DNS over TCP, which is an RFC standard.

> Anyway, MORE QUESTIONS REMAINED UN-ANSWERED

The answers have been given before. You just don't like the answers you
are hearing.

> , as well as no-one cared
> to responed/answered even simple 'unbound' related questions which
> i'm placing in each email, since the first email !

You got various answers, and despite me telling you about your idea
being flawed, I kept answering on how to configure unbound to use
dns over tls, and how to force unbound to use tcp, not udp. In fact,
it is because I asked the unbound people to support listening on port
53 UDP, but resolving upstream using TCP 53, that scenarios like the
one you seem to want to build are even possible without special client
support. I requested the support so DNS could be forcerd over TCP, so
that it could be routed into the TOR network - for limited privacy, but
better then what I understand from your solution.

Instead, you insist on wanting to do SOCKS stuff and what not, which
is not a good solution, and does not provide generic support for
applications, and will always cause non-socks aware software from
sending udp dns queries that will leak out at the expense of the user's
privacy. That is why I again tell you, you are building the wrong
solution. But I won't keep repeating this over and over again. I've
helped you where I can, and in return you're just being rude and
unfriendly.

Paul