Maintained by: NLnet Labs

[Unbound-users] unbound + tor

ml at ruggedinbox.com
Thu Aug 14 21:46:56 CEST 2014


On 2014-08-13 18:45, ml at ruggedinbox.com wrote:
> Hi, we are trying to figure out the best way to handle DNS requests to
> both clearnet and Tor onionland,
> while still having MX lookups working, in order to correctly send
> emails to clearnet hosts.
> 
> Currently we are using just Tor, configured as transparent proxy and
> DNS resolver.
> This is nice because all DNS requests are done through Tor,
> but MX lookups will fail, and for an email provider service this is a
> show stopper.
> 
> Various online resources suggest using Tor only to resolve onion addresses
> and Unbound for all the rest,
> but we are having difficulties in configuring Unbound.
> 
> This is Debian 7 (wheezy)
> and the configuration we are talking about should be something like this:
> 
> 
> # cat /etc/unbound/unbound.conf
> 
> server:
>     # The following line will configure unbound to perform cryptographic
>     # DNSSEC validation using the root trust anchor.
>     auto-trust-anchor-file: "/var/lib/unbound/root.key"
>     tcp-upstream: yes
>     do-udp: no
> 
>     domain-insecure: "onion"
>     private-domain: "onion"
>     do-not-query-localhost: no
> 
> forward-zone:
>     name: "onion"
>     forward-addr: 127.0.0.1@54
> 
> 
> 
> 54 is the Tor DNS resolver port.
> As you see, we are not Unbound experts, and this configuration does not work.
> 
> Can you please supply a minimal Unbound configuration, that accepts
> DNS queries only from localhost
> and that routes .onion requests to Tor on port 54 ?
> 
> 
> Thanks for this great project and wish you great holidays!
> RuggedInbox team


Never mind, fixed.
We found the unbound.conf.example file and worked on that.
When enabling "do-udp: no", unbound stops working.
Same with "tcp-upstream: yes".
So basically we left everything as is and just enabled:

domain-insecure: "onion"
private-domain: "onion"
do-not-query-localhost: no

and added:

forward-zone:
  name: "onion"
  forward-addr: 127.0.0.1@54

at the end of the file.

54 is the Tor DNS port.

Now it looks like the server is able to resolve both clearnet and onionland addresses
and also correctly resolve MX records on the clearnet.

Comments are appreciated, wonder if this is the correct / best way.


Thanks for supporting
RuggedInbox team
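For reference, here is a complete minimal unbound.conf that meets the requirements stated in the original question: answer only localhost, resolve the clearnet (including MX records) directly with DNSSEC validation, and forward every .onion query to Tor's DNSPort. This is an added example written for this archive page, not a configuration posted by the RuggedInbox team or shipped by NLnet Labs; the port (54) and the trust-anchor path are taken from the thread, everything else is an assumption. It also explains the two settings that broke resolution in the thread: `do-udp: no` disables UDP on the listening side as well, so ordinary stub resolvers (which query over UDP) get no answers, and `tcp-upstream: yes` cannot work because Tor's DNSPort only speaks UDP. Tor's DNSPort also resolves only A, AAAA and PTR records, which is why MX lookups fail when Tor is the sole resolver and why the clearnet has to be resolved by Unbound itself.

```conf
# Minimal Unbound configuration for the setup discussed in the thread.
# Added example, not from the original mail. Assumes Tor's DNSPort is
# 127.0.0.1:54 and the root trust anchor lives at the path used in the thread.
server:
    # Listen on IPv4 loopback only and refuse everything that is not local.
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse

    # Keep UDP enabled: stub resolvers query over UDP, and Tor's DNSPort
    # answers over UDP only, so "do-udp: no" and "tcp-upstream: yes"
    # (both tried in the thread) each break resolution.
    do-udp: yes
    do-tcp: yes

    # DNSSEC validation for the clearnet, using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Tor cannot supply DNSSEC signatures for .onion; the root zone proves
    # that "onion" does not exist, so without this the validator would mark
    # every forwarded .onion answer as bogus.
    domain-insecure: "onion."
    # Tor's DNSPort maps .onion names to private/loopback addresses
    # (AutomapHostsOnResolve). Allow such answers for this domain only, so
    # rebinding protection for private-address ranges still applies elsewhere.
    private-domain: "onion."
    # The forwarder is on localhost, which Unbound refuses to query by default.
    do-not-query-localhost: no

    # Only needed on Unbound releases newer than the wheezy one in the thread,
    # which ship a built-in static "onion." zone (RFC 7686) and would answer
    # NXDOMAIN themselves without ever consulting the forward-zone below.
    # Harmless on older releases.
    local-zone: "onion." nodefault

# Send .onion lookups to Tor's DNSPort. Nothing else goes through Tor:
# clearnet queries leave this host directly, which is the trade-off the
# thread accepts in order to get MX lookups working.
forward-zone:
    name: "onion."
    forward-addr: 127.0.0.1@54
```

Validate the file with `unbound-checkconf /etc/unbound/unbound.conf` before restarting, then check both paths from the host itself: `dig @127.0.0.1 example.com MX` should return a validated answer (the `ad` flag is set), and `dig @127.0.0.1 <address>.onion A` should return an address inside the range Tor was given as VirtualAddrNetwork. Querying from another machine should be refused, confirming the access-control lines. If `::1` also needs to be served, add a second `interface: ::1` and `access-control: ::1 allow`, but only on a host where IPv6 loopback is actually configured, or Unbound will fail to bind.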