Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Bry8 Star
Fri Oct 26 05:13:18 CEST 2012



Hi,

My (side) Scenario (Pre-Conditions):

MyNet = My Local Network computers & devices.
SOCKS-Srvr = origin SOCKS server on a remote server.
SOCKS-prxy = SOCKS proxy server = the local SOCKS
forwarding proxy server.
Socks-Tnl = SOCKS tunnel = connection between the
(local) SOCKS proxy & the (origin) SOCKS server.
SOCKS = a type of gateway, a type of tunnel,
a routing process between a client & a server.

(start from the rightmost side, "MyNet")

Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet.
A
|
V
--> SOCKS-Srvr <-> remote local network (DNS).
A
|
V
--> SOCKS-Srvr <-> Internet <-> DNS servers.


I have multiple SOCKS proxy servers
(SOCKS v4a, v5)
running & listening on (a server computer):
10.0.1.10:1080 (ip:port)
10.0.1.10:1082
...
This gateway/server computer 10.0.1.10 has
an instance of "Unbound" (01) DNS resolver
running on 10.0.1.10:53:
    interface: 10.0.1.10
    port: 53
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 10.0.1.10/8 allow

Different SOCKS tunnels end at (i.e., are routed
to) different destination locations (which have
the origin SOCKS-server gateway software), and
the ending/origin gateway computer there is
connected via a different ISP.

I need to use this DNSSEC-supporting DNS resolver
at 10.0.1.10:53 from all clients (under my local
network).

This DNS resolver must connect with the destination
DNS server(s) or nameservers (NS) via different
ISPs, which are connected at the end of the SOCKS
tunnels.

Those destination nameserver(s) (NS-DNS-Srv)
( or recursive DNS server(s) (Rc-DNS-Srv)
or authoritative DNS server(s) (A-DNS-Srv) )
are able to work with both TCP & UDP DNS, and
are listening on multiple ports: 53, 110, 443, etc.

"Unbound" (01) (10.0.1.10:53) has multiple forward
and stub zones. Each forward or stub zone/domain
has at least 4 (in some cases 10) specific
nameservers (or specific Rc-DNS-Srv, or specific
A-DNS-Srv).

I'm using at least 10 different sets of
(custom/special) zones, where each zone
has from 4 to 10 (different) nameservers:
stub-zone: # 01
    name: "custom-domain1.org"
    stub-host: ath-d1.namesrv-hostnam.org.
    stub-host: ath-d2.namesrv-hostnam.org.
    stub-host: ath-d3.namesrv-hostnam.org.
    stub-host: ath-d4.namesrv-hostnam.org.
...
forward-zone: # 10
    name: "custom-domain10.org"
    forward-addr: ath-namesrvr.37.ip.adrs
    forward-addr: ath-namesrvr.38.ip.adrs
    forward-addr: ath-namesrvr.39.ip.adrs
    forward-host: ath-namesrvr40-hostnam.org.

And when a DNS query does not match any
of those custom/special zones, then a standard
set of DNS servers is to be used, like: root
DNS servers, TLD DNS servers, SLD (Second Level
Domain) DNS servers, HSP (Hosting Service
Provider) DNS servers, public DNSSEC-based
DNS servers, etc., via another SOCKS proxy:
forward-zone:
    name: "."
    forward-addr: 94.75.228.29 # GPF DNSSEC
    forward-addr: 149.20.64.20 # OARC DNSSEC
    forward-addr: 217.31.204.130 # CZ.NIC DNSSEC
    forward-addr: 198.41.0.4 # ROOT a USC-ISI
    forward-addr: 192.5.5.241 # ROOT f ICANN
    forward-addr: 192.58.128.30 # ROOT j
    forward-addr: 193.0.14.129 # ROOT k RIPE
    forward-addr: 199.7.83.42 # ROOT l
    forward-addr: 128.8.10.90 # ROOT d UniMaryland
    forward-addr: 192.36.148.17 # ROOT i
    forward-addr: 202.12.27.33 # ROOT m
    forward-addr: 128.63.2.53 # ROOT h
    forward-addr: 192.203.230.10 # ROOT e NASA
    forward-addr: 192.228.79.201 # ROOT
    forward-addr: 192.33.4.12 # ROOT
    forward-addr: 192.112.36.4 # ROOT


QUESTION(s):

Can I consider the existing option below
outgoing-interface:
of Unbound as its outbound-traffic
binding or forcing command/option?

How can I bind/force "Unbound" (01) (10.0.1.10:53)
to use the 1st SOCKS proxy 10.0.1.10:1080 (IP:port)
for resolving a 1st set of zones? (so that
Unbound can connect with the correct 1st set of
nameservers assigned for that 1st set of zones),
and how to resolve another/2nd set of zones
via another/2nd SOCKS proxy at 10.0.1.10:1081?
(and allow Unbound to connect with another
/2nd set of pre-assigned nameservers for that
2nd set of zones).

If there is a single option in "Unbound"
to use/bind/force outbound traffic to go through
a SOCKS proxy, that will be best.

If not, then can anyone please point to/indicate
/discuss/suggest what tools can be used to
achieve such a function, Unbound to SOCKS proxy?

(NOT looking for a solution on Linux/Unix.)
(Looking for a solution on Windows; the local
"Unbound" (01) (10.0.1.10:53) is running on a
Windows-based computer.)

If I have to run 5 "Unbound" instances, even that
type of solution is also OK, but fewer Unbound
instances will be better.

Is there a tool which can accept all
(incoming) traffic coming (from Unbound)
toward a network interface adapter's
(different ports & single) IP address,
and can forward those ports toward a
(single ip:port based) SOCKS proxy
server? What functions like TAP-to-SOCKS?

If a tool can perform a TUN-to-SOCKS function,
then can such a tool be used to send all
queries via SOCKS from Unbound, by binding
Unbound to that TUN's IP address?

For example, can an OpenSSH instance be run
in L2/3 tun VPN mode & forward the tun IP address
traffic toward a SOCKS proxy?

Can this option below,
"outgoing-port-permit:", be set to
use only 4 ports? Like:
outgoing-port-permit: 53001-53004
Or even set to use only 1 port?
outgoing-port-permit: 53001-53001
What tool can allow forwarding such
traffic from Unbound to a SOCKS proxy?

Can I run an instance of OpenSSH to listen on a
range of ports, from 53001 to 53004, on IP address
127.0.0.53 and forward those toward a single
SOCKS proxy at 10.0.1.10:1080? And, after
running OpenSSH, can I run & force Unbound to
send outbound traffic via:
outgoing-interface: 127.0.0.53


Will these four options work to
force using only 1 outgoing port?
outgoing-range: 1
num-queries-per-thread: 1
outgoing-port-permit: 53001
outgoing-port-avoid: "1-53000,53002-65535"
Will those make the DNS-resolving process
very slow?

Or, is there a tool which can function
like DNS-to-SOCKS? How can it be used
with Unbound?

How can I specify in "Unbound" to use port
110 with a DNS server, instead of port 53?

Can I specify an SSL cert (server cert or CA/root cert)
for a DNS server in Unbound?


REFERENCES:

https://en.wikipedia.org/wiki/SOCKS
http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF.
http://www.inet.no/dante/doc/ Dante.

SOCKet Secure (SOCKS) is an Internet protocol that
routes network packets between a client and server
through a proxy server. It works in Layer 5
(Session) of OSI.

OpenSSH: An "ad hoc" SOCKS proxy server can be
created using OpenSSH, and allows more flexible
proxying than is possible with ordinary port
forwarding. http://www.openssh.com/
DynamicForward 10.0.1.10:1080 # will create a
SOCKS proxy on that ip:port.
The GatewayPorts option allows wildcard address
usage. And a tun-based VPN tunnel allowing
applications to transparently access remote
network resources without "socksification"
is now possible via OpenSSH.

--Bright Star (Bry8Star).

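A configuration sketch of what Unbound itself can and cannot do for the questions raised above, added here as an illustration and not taken from the post or from the Unbound project. It assumes Unbound has no built-in SOCKS client option (the SOCKS hop still needs a separate tool), uses placeholder upstream addresses in 192.0.2.0/24 and 198.51.100.0/24, and the TLS options in the last zone exist only in Unbound releases newer than this 2012 post, so check unbound.conf(5) for the version in use.

```conf
server:
    interface: 10.0.1.10
    port: 53
    # Deny by default, then allow only the local network; writing the
    # netblock as 10.0.0.0/8 (rather than 10.0.1.10/8) makes the intent
    # unambiguous.
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 10.0.0.0/8 allow

    # Source address for every upstream query. This is a global setting,
    # not a per-zone one, so putting zone sets onto different SOCKS
    # tunnels needs one Unbound instance per set (each with its own
    # outgoing-interface) or an external redirector on 127.0.0.53.
    outgoing-interface: 127.0.0.53

    # Restricting source ports to a handful, as asked above, is possible:
    # the last permit/avoid line wins. The cost is that source-port
    # randomisation (a cache-poisoning defence) shrinks to 4 values, so
    # this is a trade-off, not a free choice. Keep outgoing-range within
    # the number of permitted ports.
    outgoing-port-avoid: 0-65535
    outgoing-port-permit: 53001-53004
    outgoing-range: 4

    # Only in later Unbound releases: CA bundle used to verify upstream
    # TLS certificates (path is a placeholder).
    tls-cert-bundle: "/path/to/ca-bundle.crt"

# An upstream on a non-standard port is written as address@port.
forward-zone:
    name: "custom-domain10.org"
    forward-addr: 192.0.2.37@110      # placeholder nameserver, port 110
    forward-addr: 192.0.2.38@443      # placeholder nameserver, port 443

stub-zone:
    name: "custom-domain1.org"
    stub-addr: 198.51.100.1@53        # placeholder authoritative server

# Only in later Unbound releases: forward the default zone over TLS and
# verify the upstream certificate against the hostname given after '#'.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#resolver.example   # placeholder
```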