Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Bry8 Star
Thu Nov 8 12:24:20 CET 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Found a good choice for routing/forwarding DNS query
network packets from any DNS server/resolver software
toward the destination DNS server via SOCKS
servers/proxies.

This tool "DNS2SOCKS" from:
http://sourceforge.net/projects/dns2socks/
Authored/developed by "ghostmaker".

It is executed like this:
DNS2SOCKS.exe [/q] [Socks5ServIP[:Port]] [DNSServIP[:Port]]
[ListenIP[:Port]]

ListenIP = localhost IP address 127.0.0.1
DNSServIP = destination DNS server's IP address
Socks5ServIP = SOCKS 4a/5 server/proxy IP address
The /q option hides the console window.
It accepts both TCP and UDP locally, and uses TCP to the
destination DNS server through the SOCKS tunnel.

Tested via regular SOCKS proxies and via a Tor proxy;
works super great.

DNSSEC queries WORK :) :-)
It can cache DNS answers and answer from its cache.

I've applied it like this:

Flow Diagram: Local Unbound --> (Unbound configured
to use a specific local port for each specific
destination DNS server, per forward/stub zone)
--> local DNS2SOCKS --> local SOCKS proxy (or
Tor SOCKS proxy) --> Internet (SOCKS tunnel) --> SOCKS
origin server (or Tor exit node) --> Internet
--> destination DNS server (or name server).

See my previous email/posting from 2012-10-31
(y-m-d), where I showed how I used the simple
"socat" tool to listen on certain localhost (LH)
ports and relay the packets received on those LH
ports through SOCKS tunnels. Also see the
unbound.conf or service.conf configuration lines,
which were set to forward DNS queries toward a
specific DNS server at a local LH port, instead of
forwarding DNS queries directly toward the actual
destination DNS server.

Then DNS2SOCKS was configured to relay/forward/route
the DNS queries toward the actual destination DNS
server via SOCKS tunnels/proxies.

I used a batch file (.cmd or .bat) containing around
fifty dns2socks command lines, similar to the ones below:

@start "dns2socks LH:1080 62.141.59.13:53 LH:58001" /D"%ProgramFiles%\dns2socks\" DNS2SOCKS.exe 127.0.0.1:1080 62.141.58.13:53 127.0.0.1:58001 /q
...
@start "dns2socks LH:9050 Other.DNS.Srvr.IP:53 LH:58050" /D"%ProgramFiles%\dns2socks\" DNS2SOCKS.exe 127.0.0.1:9050 Other.DNS.Srvr.IP:53 127.0.0.1:58050 /q

@rem each command starts with @start and ends with /q

So this (DNS2SOCKS) is another option/choice
besides the "socat" tool.

-- Bright Star (Bry8Star).



Bry8 Star wrote:
Received on 2012-11-02 5:17 PM [GMT-08:00]:
> Hi Paul, Thanks again.
> 
> 
>> unbound-control set_option ssl-upstream: yes
>> unbound-control forward_add . 193.110.157.123
> 
> 
> So my understanding is, one "Unbound" can use only one set of
> upstream / outbound TLS/SSL cert/keys to connect with another
> unbound instance.
> 
> But more than one set of cert/keys cannot be specified in one
> "Unbound".
> 
> Whereas I wanted to use a different type of cert for different
> types of DNS servers/name servers (which are using different DNS
> server software that supports TLS/SSL encrypted and secured
> connections).
> 
> Since I'm trying to connect securely with different
> DNS servers/name servers, which are using different DNS
> server/resolver software and different cert/keys, one Unbound
> will (most likely) not be able to connect with all of them at the
> same time.
> 
> So alternatively, can these be done ?
> 
> If multiple instances of Unbound are executed, each using
> only one set of cert/keys to connect with only one group of
> DNS server(s) (from one service provider/location) which supports
> that specific cert/keys, and then, if all of these
> "secondary"/"slave" Unbound instances are queried from another
> "master"/"primary" Unbound, then such a design may work?
> 
> Flow Diagram:
> Primary-Unbound
>   |
>   V  connecting toward multiple local ports, where each local port
>      is connected with a different "secondary" Unbound
>   |
>   V --> secondary-Unbound (port 59001), using TLS/SSL cert compatible
>        with specific DNS-Server [01] (80.239.156.220) --> SOCKS-proxy
>        --> socks tunnel --> Internet --> Socks-servr --> Internet
>        --> DNS-Server [01] (80.239.156.220)
>   |
>   V --> secondary-Unbound (port 59002), using TLS/SSL cert compatible
>        with specific DNS-Server [02] (213.154.224.3) --> SOCKS-proxy
>        --> socks tunnel --> Internet --> Socks-servr --> Internet
>        --> DNS-Server [02] (213.154.224.3)
>   ... and so on.
> 
> question is mentioned above.
> 
> -- Bright Star (Bry8Star).
> 
> Note For USERS: When You Reply, Pls Make Sure, the "To:" field
> has below email-address: unbound-users at unbound.net
> 
> 
> 
> Paul Wouters wrote: Received on 2012-11-01 6:31 PM [GMT-08:00]:
>> On Thu, 1 Nov 2012, Bry8 Star wrote:
> 
>>> Unbound was already configured to support local UDP and
>>> TCP DNS queries, and to use only TCP DNS for upstream outbound
>>> queries with Internet name servers, DNS servers, private
>>> remote name servers, etc. (which I have mentioned previously).
>>> Then I changed only the name server(s) and DNS server(s) inside
>>> the unbound.conf/service.conf file, each with a unique local port, and
>>> placed the "socat" port forwarder and socksifier (toward the actual
>>> name server/DNS server) on each of those unique ports.
>>> 
>>> Since I've not enabled the remote control section/feature in
>>> the local Unbound, I guess unbound-control will probably not
>>> work.
> 
>> You can configure forwarders in unbound.conf as well.
> 
>> With unbound only doing TCP sessions, you should be able to do it
>> all over tor or SOCKS proxies.
> 
>>> Does a feature exist in Unbound to specify an SSL/TLS cert for
>>> connecting with each/specific DNS server(s), and then send
>>> DNS queries? (Please assume these DNS servers support
>>> DNS queries via TLS encrypted connections on their TCP port
>>> 443.)
> 
>> Yes, unbound can talk to unbound servers using TLS/SSL, but it 
>> will not perform any validation of the PKIX certificates. It 
>> assumes that important data obtained this way is protected by 
>> DNSSEC.
> 
>> For example, if you configure this in unbound running on a 
>> server:
> 
>> # service clients over SSL (on the TCP sockets), with plain DNS inside
>> # the SSL stream.  Give the certificate to use and private key.
>> # default is "" (disabled).  requires restart to take effect.
>> # ssl-service-key: "path/to/privatekeyfile.key"
>> # ssl-service-pem: "path/to/publiccertfile.pem"
>> # ssl-port: 443
> 
>> Then you can configure this on the client:
> 
>> # request upstream over SSL (with plain DNS inside the SSL stream).
>> # Default is no.  Can be turned on and off with unbound-control.
>> # ssl-upstream: no
> 
>> This is what "dnssec-trigger" configured using unbound-control 
>> when it needs to use DNS over TLS via unbound. It uses one of 
>> these servers:
> 
>> # Provided by fedoraproject.org, #fedora-admin
>> # It is provided on a best effort basis, with no service guarantee.
>> ssl443: 80.239.156.220 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
>> tcp80:  80.239.156.220
>> ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
>> tcp80:  66.35.62.163
>> ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
>> tcp80:  152.19.134.150
>> ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
>> tcp80:  2610:28:3090:3001:dead:beef:cafe:fed9
> 
>> # provided by Paul Wouters (pwouters at redhat.com)
>> # It is provided on a best effort basis, with no service guarantee.
>> # tcp80:  193.110.157.123
>> # tcp80:  2001:888:2003:1004::123
>> # ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
>> # ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
> 
>> # provided by NLnetLabs (www.nlnetlabs.nl)
>> # It is provided on a best effort basis, with no service guarantee.
>> # tcp80:  213.154.224.3
>> # tcp80:  2001:7b8:206:1:bb::
>> # ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
>> # ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
> 
>> You can use those for testing as well, I believe you will need
>>  something like:
> 
>> unbound-control set_option ssl-upstream: yes
>> unbound-control forward_add . 193.110.157.123
> 
>> Paul
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 
-----BEGIN PGP SIGNATURE-----

iF4EAREKAAYFAlCblmIACgkQiDbboldsEOxTLwEAtMcsJK2Fge/4WHj20aAr1PVC
DDBnXjmqnSERw+0j+XMA/2RYjTb6ivfLPQs3VBb852lF5/n8GbnCQX5wz5fwZ9nS
=XnIF
-----END PGP SIGNATURE-----
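Added example, not code from this post or from DNS2SOCKS, socat or Unbound: a dependency-free Python 3 sketch of what a DNS-over-SOCKS relay like the one described in the message actually puts on the wire. It builds the SOCKS5 greeting and CONNECT request, frames a DNS query for TCP (the two-byte length prefix that UDP never carries and that the tunnel needs), sets the EDNS DO bit so the upstream returns DNSSEC signatures, and checks the reply's framing, transaction id, QR bit and RCODE before trusting it. Assumptions: a SOCKS5 proxy without authentication, IPv4 DNS targets (ATYP 0x01) only, and A-record answers; make_sample_response is a constructed reply for offline use, not captured traffic; resolve_via_socks needs a live proxy such as Tor on 127.0.0.1:9050 (the port from the batch file) and a server such as 193.110.157.123 from the quoted reply.

```python
# Added example (not from the post, DNS2SOCKS, socat or Unbound).  Assumes a SOCKS5
# proxy without auth, an IPv4 DNS target (ATYP 0x01) and A-record queries.
import secrets
import socket
import struct

SOCKS5 = 0x05

def recv_exact(sock, n):
    buf = b""                                          # TCP has no message boundaries
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf

def socks5_greeting():
    """Client greeting (RFC 1928): VER=5, one method offered, 0x00 = no auth."""
    return bytes([SOCKS5, 0x01, 0x00])

def socks5_connect_request(ip, port):
    """CONNECT to an IPv4 target: VER CMD=1 RSV ATYP=1 DST.ADDR DST.PORT."""
    return bytes([SOCKS5, 0x01, 0x00, 0x01]) + socket.inet_aton(ip) + struct.pack(">H", port)

def encode_name(qname):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_tcp_query(qname, qtype=1, dnssec_ok=True):
    """Return (txid, message) with the 2-byte length prefix DNS over TCP requires."""
    txid = secrets.randbits(16)                        # unpredictable id; RD flag set
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    # OPT pseudo-RR (type 41, 4096-byte payload) with the DO bit so RRSIGs come back
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0x8000, 0) if dnssec_ok else b""
    msg = header + question + opt
    return txid, struct.pack(">H", len(msg)) + msg

def skip_name(msg, off):
    while True:                                        # a 0xC0xx pointer ends a name
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_tcp_response(expected_txid, framed):
    """Check framing, transaction id, QR bit and RCODE; return the A-record addresses."""
    length = struct.unpack(">H", framed[:2])[0]
    msg = framed[2:2 + length]
    if len(msg) != length or length < 12:
        raise ValueError("truncated or short DNS message")
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a response, or RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def make_sample_response(txid, qname, ip):
    # Constructed reply: one A record whose owner is a 0xC00C pointer to the question name
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    msg = header + question + answer
    return struct.pack(">H", len(msg)) + msg

def resolve_via_socks(socks_host, socks_port, dns_ip, qname, dns_port=53, timeout=15):
    """Live flow: TCP to the proxy, SOCKS5 CONNECT to dns_ip:dns_port, DNS over that stream."""
    with socket.create_connection((socks_host, socks_port), timeout=timeout) as s:
        s.sendall(socks5_greeting())
        if recv_exact(s, 2) != bytes([SOCKS5, 0x00]):
            raise ConnectionError("proxy did not accept the no-auth method")
        s.sendall(socks5_connect_request(dns_ip, dns_port))
        ver, rep, _, atyp = recv_exact(s, 4)           # VER REP RSV ATYP, then BND.ADDR/PORT
        if ver != SOCKS5 or rep != 0x00:
            raise ConnectionError("SOCKS5 CONNECT failed, REP=0x%02x" % rep)
        recv_exact(s, ({1: 4, 4: 16}.get(atyp) or recv_exact(s, 1)[0]) + 2)
        txid, framed = build_tcp_query(qname)
        s.sendall(framed)
        prefix = recv_exact(s, 2)
        return parse_tcp_response(txid, prefix + recv_exact(s, struct.unpack(">H", prefix)[0]))
```

With Tor listening locally, resolve_via_socks("127.0.0.1", 9050, "193.110.157.123", "nlnetlabs.nl") reproduces the chain from the message for a single query; to slot such a relay under Unbound the way the post does, point each forward-zone at the local listener (forward-addr: 127.0.0.1@58001) and keep tcp-upstream: yes so Unbound never tries UDP through it. Keep DNSSEC validation enabled in that Unbound: the proxy, the SOCKS origin server and a Tor exit all see and can rewrite the plaintext DNS inside the tunnel, and the transaction-id check above only rejects replies that do not belong to the query, it is not an integrity check, which is the same caveat Paul gives in the quoted reply about ssl-upstream skipping PKIX validation.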