Maintained by: NLnet Labs

[Unbound-users] From Unbound To DNS Via SOCKS, and Choices

Bry8 Star
Fri Oct 26 05:13:18 CEST 2012


My (side) Scenario (Pre-Conditions) :

MyNet = My Local Network computers & devices.
SOCKS-Srvr = origin SOCKS-server on a remote server.
SOCKS-prxy = SOCKS-proxy-server = the local SOCKS
forwarding proxy server.
Socks-Tnl = SOCKS-Tunnel = connection between
(local) socks-proxy & (origin) socks-server.
SOCKS = a type of gateway, a type of tunnel,
a routing process between a client & a server.

(start from the rightmost side, "MyNet")

Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet.
--> SOCKS-Srvr <-> remote local-network (DNS).
--> SOCKS-Srvr <-> Internet <-> DNS-Servers.

I have multiple SOCKS proxy servers
(SOCKS v4a, v5),
running & listening on (a server computer): (ip:port)
This gateway/server computer has
an instance of "Unbound" (01) DNS-Resolver
running on
port: 53
access-control: refuse
access-control: ::0/0 refuse
access-control: allow

Different socks tunnels end at (aka, are routed
to) different destination locations (which have
the origin-SOCKS-server gateway software),
and the ending/origin gateway computer there is
connected with a different ISP.

Need to use this DNSSEC-supported
DNS-Resolver, from all clients, (under my local

This DNS-Resolver must connect with the destination
DNS-Server(s) or nameservers (NS) via different
ISPs, which are connected at the end of SOCKS

Those destination Nameserver(s) (NS-DNS-Srv)
( or Recursive dns-server(s) (Rc-DNS-Srv)
or Authoritative dns-server(s) (A-DNS-Srv) )
are able to work with both TCP & UDP DNS, and
listen on multiple ports: 53, 110, 443, etc.

"Unbound" (01) ( has multiple Forward
and Stub zones. Each forward or stub zone/domain
has at least 4, (in some cases 10), specific
nameservers (or specific Rc-DNS-Srv, or specific

I'm using at least 10 different sets of
(custom/special) zones, where each zone
has from 4 to 10 (different) nameservers.
stub-zone: # 01
name: ""
forward-zone: # 10
name: ""
forward-addr: ath-namesrvr.37.ip.adrs
forward-addr: ath-namesrvr.38.ip.adrs
forward-addr: ath-namesrvr.39.ip.adrs

And, when a DNS query does not match any
of those custom/special zones, then a standard
set of DNS-Servers is to be used, like: Root
DNS-Servers, TLD DNS-Servers, SLD (Second Level
Domain) DNS-Servers, HSP (Hosting Service
Provider) DNS-Servers, public DNSSEC-based
DNS-Servers, etc., via another SOCKS proxy:
name: "."
forward-addr: # GPF DNSSEC
forward-addr: # OARC DNSSEC
forward-addr: # CZ.NIC DNSSEC
forward-addr: # ROOT a USC-ISI
forward-addr: # ROOT f ICANN
forward-addr: # ROOT j
forward-addr: # ROOT k RIPE
forward-addr: # ROOT l
forward-addr: # ROOT d UniMaryland
forward-addr: # ROOT i
forward-addr: # ROOT m
forward-addr: # ROOT h
forward-addr: # ROOT e NASA
forward-addr: # ROOT
forward-addr: # ROOT
forward-addr: # ROOT


Can I consider the existing Unbound command
below as its outbound-traffic binding or
forcing command/option?

How can I bind/force "Unbound" (01) (
to use the 1st SOCKS proxy (IP:port)
for resolving a 1st set of zones? (so that
Unbound can connect with the correct 1st set of
nameservers assigned for that 1st set of zones),
and how can I resolve another/2nd set of zones
via another/2nd SOCKS at ?
(allowing Unbound to connect with another
/2nd set of pre-assigned nameservers for that
2nd set of zones).

If there is a single command line in "Unbound"
to use/bind/force outbound traffic to go through
a SOCKS proxy, that would be best.

If not, then can anyone please point to/indicate
/discuss/suggest what tools can be used to
achieve such a function: Unbound to SOCKS proxy.

(NOT looking for a solution on Linux/Unix).
(Looking for a solution on Windows, the local
"Unbound" (01) ( is running on
Windows based computer).

If I have to run 5 "Unbound" instances, even that
type of solution is also OK, but fewer Unbound
instances would be better.

Is there a tool which can accept all
(incoming) traffic coming (from Unbound)
toward a network interface adapter's
IP address (different ports, single IP),
and can forward those ports toward a
(single ip:port based) SOCKS proxy
server? Something that functions like TAP-to-SOCKS?

If a tool can perform a TUN-to-SOCKS function,
then can such a tool be used to send all
queries from Unbound via SOCKS, by binding
Unbound to that TUN's IP address?

For example, can an OpenSSH instance be run
in L2/L3 tun VPN mode & forward the tun IP-address
traffic toward a SOCKS proxy?

Can the command/option below,
"outgoing-port-permit:", be set to
use only 4 ports? like:
outgoing-port-permit: 53001-53004
or even set to use only 1 port?
outgoing-port-permit: 53001-53001
What tool can forward such
traffic from Unbound to a SOCKS proxy?

Can I run an instance of OpenSSH to listen on a
range of ports, from 53001 to 53004 on ip-adrs, and forward those toward a single
SOCKS proxy at ? And, after
running OpenSSH, can I run & force Unbound to
send outbound traffic via:

Will these four commands work to
force using only 1 outgoing port?
outgoing-range: 1
num-queries-per-thread: 1
outgoing-port-permit: 53001
outgoing-port-avoid: "1-53000,53002-65535"
Will those make the DNS-resolving process
very slow?

Or, is there a tool which can function
like DNS-to-SOCKS? How can it be used
with Unbound?

How can I specify in "Unbound" to use port
110 with a DNS-Server, instead of port 53?

Can I specify an SSL cert (server cert or CA/Root cert)
for a DNS-Server in Unbound?


SOCKet Secure (SOCKS) is an Internet Protocol that
routes network packets between a client and server
through a proxy server. It works in Layer 5
(Session) of OSI.

OpenSSH: An "ad hoc" SOCKS proxy server can be
created using OpenSSH, and allows more flexible
proxying than is possible with ordinary port
DynamicForward # will create a
SOCKS on that ip:port.
The GatewayPorts option allows wildcard address
usage. And a tun-based VPN tunnel, allowing
applications to transparently access remote
network resources without "socksification",
is now possible via OpenSSH.

--Bright Star (Bry8Star).
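The unbound.conf fragment below is an added illustration, not part of the original post or of any reply, showing the parts of the question that Unbound's own configuration covers: forwarding a zone to resolvers on a non-53 port (the @port suffix on forward-addr), a stub-zone for a zone served by specific authoritative servers, forcing upstream queries over TCP (a SOCKS proxy built with OpenSSH DynamicForward carries TCP only), and narrowing the UDP source-port range, with the spoofing caveat that choice brings. Unbound has no SOCKS option of its own; the tunnel step still needs a separate tool. All addresses are constructed RFC 5737 documentation values and the zone names are placeholders.

```conf
# Added example unbound.conf fragment. Addresses and zone names are
# constructed placeholders (RFC 5737 ranges), not values from the post.
server:
    interface: 192.0.2.1                 # placeholder: LAN-facing address
    port: 53
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 192.0.2.0/24 allow   # placeholder local network only

    # A SOCKS proxy made with "ssh -D" / DynamicForward relays TCP streams
    # only. Unless upstream queries are sent over TCP, UDP lookups leave
    # directly through the local ISP and bypass the tunnel entirely.
    tcp-upstream: yes

    # Narrow the UDP source ports Unbound opens, as the post asks. Caveat:
    # source-port randomization is part of the cache-poisoning defence, so
    # a 4-port (or 1-port) set makes spoofed UDP answers far easier to land.
    # Permit/avoid statements apply in file order, later ones override.
    outgoing-range: 4
    outgoing-port-avoid: 1-65535
    outgoing-port-permit: 53001-53004

# Zone resolved through specific recursive resolvers that listen on
# non-standard ports; "@port" selects the port per address.
forward-zone:
    name: "example.net."                 # placeholder zone
    forward-addr: 198.51.100.10@110      # placeholder resolver, port 110
    forward-addr: 198.51.100.11@443      # placeholder resolver, port 443
    forward-first: no                    # never fall back to iteration

# Zone served by known authoritative servers: a stub-zone, not a
# forward-zone, because stub-addr targets are queried non-recursively.
stub-zone:
    name: "internal.example."            # placeholder zone
    stub-addr: 198.51.100.20             # placeholder authoritative server
    stub-addr: 198.51.100.21@53
    stub-prime: no
```

Check the result with unbound-checkconf before loading it; with DNSSEC validation enabled, answers arriving through the tunnel are still verified by the local resolver regardless of which proxy they crossed.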