Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Bry8 Star
Tue Nov 6 09:10:32 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Paul,

I really appreciate your generous help
& for your very very helpful discussions
/comments.

But you are adding/talking about "problem",
which are appearing to you or on your side,
it may not be problematic for others or other
side, you are thinking & assuming from your
point of view on these.

If i were to ask for, What is a good "privacy"
solution, or, what is not a problematic "secured"
DNS query solution, or, similar question, anyone
can give me their input, but i'm not asking for
those.

I'm asking about technical "solution"
(or discussion/comment), to achieve few
functionalities & features.

Not asking about what is "good" "bad" "problem"
"not-problem" "flawed" "not-flawed" ... etc !
(these are relative terms/words, something bad
for you may be good for me.)
(something easy for you, may be hard for me).
(something "problem" for you may not be "problem"
for me).
(something seems flawed in one type of function may not be flawed or
even welcome in another function).
If someone going to mention such, then they
should mention (at least try to mention)/analyze
other side(s) as well.

There are many other side, and those other sides
may be doing something extra which i'm not aware of.

You have assumed again, i'm doing both: a DNS query
and right after that i will do a connection to that
site over TLS/SSL.

How do you know, if i'm doing that ?

If you see a problem, then explain what is it that
seems to be problematic from your side. Then other
side (may) give you their input and clarify it
further.

If i'm concerned about secured encrypted connection,
privacy, etc or such, i would obviously make sure
i'm using different SOCKS tunnels for different
function, or use other solutions.

- From the first email, i've showed diagrams of
multiple SOCKS ... am i not ? All going into
different locations, via different ISPs/HSPs.

Different protocol and software using different
SOCKS tunnels.
Even dns (and others) are distributed over
multiple SOCKS tunnel.

I use protocol analyzer inside a PC, and
another behind a network card, so i can
see what is leaking.

Your extraordinary detailed help on using TLS/SSL
cert with other Unbound(s), are superb. THANKS.

I'm very very grateful for your ALL HELP.

I'm very sure, you have been contributing in
these areas for very very long time, and have
done lots of contribution as well.

Just trying to discuss and understand
technical stuff.

Anyway, if anyone goes back & starts from first
email to answer at-least few "unbound" related
questions would have been great.

- -- Bright Star (Bry8Star).



Paul Wouters wrote:
Received on 2012-11-05 7:37 PM [GMT-08:00]:
> On Mon, 5 Nov 2012, Bry8 Star wrote:
> 
>>> No. There is no "DNS over TLS" standard, so you will not be
>>> able to do that, unless you hide the TLS tunneling
>>> 
>>> I still think you are looking for a problem to a built
>>> solution.
>> 
>> I never asked for a "DNS over TLS" standard !
> 
> You ask for something that interoperates, without "hacking" with 
> wrapper solutions. I am telling you the only way that is
> possible is if there is a standard, which there is not. You _are_
> asking why there is no "standard" way to do this with all kinds
> of different equipment.
> 
>> Paul, what are you talking about "problem to a built solution"
>> ! !
> 
> You think that encrypting part of the way to some remote DNS
> server gives you privacy. I've told you repeatedly that is not
> possible.
> 
> Let's say you do an encrypted DNS query/answer, and after that
> you do port 443 traffic to 157.166.255.18. It's trivial to know
> where you connected to and what that dns query was. If you then
> say, you will hide traffic to 157.166.255.18, then I tell you
> that's where you should hide your DNS traffic to as well. Some
> people told you this months ago as well on the list, including
> me.
> 
>> - From the first email, i keep on asking for a solution to
>> connect securely (encrypted) with a DNS-server, (so that
>> someone in the middle does not know what exact domain my
>> DNS-client/resolver is querying, primarily for privacy reasons
>> & concerns).
> 
> someone in the middle is someone who routes your packets, and
> will see you connect after your dns reply. You cannot hide from
> those people. That is why I say this is a solution looking for a
> problem.
> 
>> Haven't you noticed the HTTPS-DNS feature(s) used by many
>> public DNS-Servers ? 
>> http://www.privacyfoundation.de/projekte/https_dns/
> 
> Reading from that page, they were more looking to circumvent DNS 
> censorship and not providing privacy. If you want your DNS proof 
> against censorship, deploy DNSSEC. You will know when someone
> tried to rewrite your DNS, and you will be able to tell you are
> under attack. There is nothing you can do from being stopped, if
> they are on your path. They can simply filter out the packets you
> need to connect.
> 
>> I thought "Unbound" alone, or with a assistant from simple
>> tool, it will be able to use those HTTPS-DNS features (on
>> windows platforms), to connect with those DNS-Servers.
> 
> I don't know how they implemented it. unbound implements TLS
> purely as a wrapper for DNS over TCP, which is an RFC standard.
> 
>> Anyway, MORE QUESTIONS REMAINED UN-ANSWERED
> 
> The answers have been given before. You just don't like the
> answers you are hearing.
> 
>> , as well as no-one cared to respond/answered even simple
>> 'unbound' related questions which i'm placing in each email,
>> since the first email !
> 
> You got various answers, and despite me telling you about your
> idea being flawed, I kept answering on how to configure unbound
> to use dns over tls, and how to force unbound to use tcp, not
> udp. In fact, it is because I asked the unbound people to support
> listening on port 53 UDP, but resolving upstream using TCP 53,
> that scenarios like the one you seem to want to build are even
> possible without special client support. I requested the support
> so DNS could be forced over TCP, so that it could be routed into
> the TOR network - for limited privacy, but better than what I
> understand from your solution.
> 
> Instead, you insist on wanting to do SOCKS stuff and what not,
> which is not a good solution, and does not provide generic
> support for applications, and will always cause non-socks aware
> software from sending udp dns queries that will leak out at the
> expense of the user's privacy. That is why I again tell you, you
> are building the wrong solution. But I won't keep repeating this
> over and over again. I've helped you where I can, and in return
> you're just being rude and unfriendly.
> 
> Paul
-----BEGIN PGP SIGNATURE-----

iF4EAREKAAYFAlCYxfYACgkQiDbboldsEOw+0QD/UBCqpG400cwiy+JvWBsG35Lr
lyHAYscSOtgBoe5C2LoA/ioJqYalUt1x8p/l9opIMfBXeyMwq7jT+9TePt4Oaaaf
=4hYj
-----END PGP SIGNATURE-----
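
The quoted reply above describes unbound's TLS support as a plain wrapper around DNS over TCP. As an added illustration (not part of the original message and not unbound's code), this Python example builds the RFC 1035 TCP framing, a 2-byte length prefix per message, and reassembles messages from a stream split at arbitrary points, which is the byte stream a TLS wrapper would carry. All function and class names are hypothetical, and the queries are constructed sample data.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query message (RFC 1035 section 4.1)."""
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def frame_tcp(message):
    """Prefix a DNS message with its 2-byte length (RFC 1035 section 4.2.2)."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(message)) + message

class TcpDnsReader:
    """Reassemble DNS messages from a byte stream delivered in arbitrary chunks."""

    def __init__(self):
        self._buf = b""

    def feed(self, chunk):
        """Add received bytes; return the messages completed by this chunk."""
        self._buf += chunk
        messages = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack("!H", self._buf[:2])
            if len(self._buf) < 2 + length:
                break  # message still incomplete, wait for more bytes
            messages.append(self._buf[2:2 + length])
            self._buf = self._buf[2 + length:]
        return messages

def demo():
    # Constructed sample: two queries sent back to back on one stream,
    # delivered in chunks that split the length prefix and a message body.
    q1 = build_query("example.org", txid=1)
    q2 = build_query("example.net", qtype=28, txid=2)
    stream = frame_tcp(q1) + frame_tcp(q2)
    reader = TcpDnsReader()
    received = []
    for chunk in (stream[:1], stream[1:20], stream[20:]):
        received.extend(reader.feed(chunk))
    return received == [q1, q2]
```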