Maintained by: NLnet Labs

Unbound with DNSCrypt configuration

peter.newey at yahoo.co.uk
Tue Jan 23 14:46:45 CET 2018


Hello
I am using unbound from Git, version 1.6.9, and have compiled it with --enable-dnscrypt. This is my unbound.conf setup:
# unbound.conf for a local subnet.
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.0.0/16 allow
    access-control: ::1 allow

    # DNSCRYPT server: #######
    interface: 0.0.0.0@443
    interface: ::0@443

    directory: "/usr/local/etc/unbound"
    chroot: ""
    username: ""
    verbosity: 0
    num-threads: 1
    prefetch: yes
    prefetch-key: yes
    use-syslog: no
    do-ip6: no
    so-reuseport: yes
    module-config: "validator iterator"

    do-not-query-localhost: no

    # file to read root hints from.
    # get one from ftp://FTP.INTERNIC.NET/domain/
    root-hints: "/usr/local/etc/unbound/named.cache"
    ############################################################
    include: "/usr/local/etc/unbound/unbound_ad_servers"
    # update the above file by using the command below as root:
    # curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /usr/local/etc/unbound/unbound_ad_servers

    logfile: "/usr/local/etc/unbound/unbound.log"
    log-time-ascii: yes

    ####################################################
    #auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"  # root key file, automatically updated; remove # only for DNSSEC capable dns servers
    ####################################################

# Remote control config section.
remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes

###### DNSCRYPT ############
dnscrypt:
    dnscrypt-enable: yes
    dnscrypt-port: 443
    dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
    dnscrypt-secret-key: /usr/local/etc/unbound/1.key
    dnscrypt-provider-cert: /usr/local/etc/unbound/1.cert

forward-zone:
    name: "."
    forward-addr: 5.101.137.251

###############################
The only line I see in my unbound.log where dnscrypt is mentioned is this one, which is repeated occasionally:
Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.
If I use the above unbound.conf and look on the website https://whoer.net/ it shows my own ISP IP address correctly and DNS 5.101.137.251 correctly, which belongs to dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
If I change it to:
#forward-zone:
#    name: "."
#    forward-addr: 5.101.137.251
my DNS address then shows my own ISP DNS, but I presume it should show 5.101.137.251 if dnscrypt was working correctly.


If I change it to:
#dnscrypt:
#    dnscrypt-enable: yes
#    dnscrypt-port: 443
#    dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
#    dnscrypt-secret-key: /usr/local/etc/unbound/1.key
#    dnscrypt-provider-cert: /usr/local/etc/unbound/1.cert

forward-zone:
    name: "."
    forward-addr: 5.101.137.251
my DNS address then shows again as 5.101.137.251.

Can I presume dnscrypt is not working correctly, and are there any suggestions as to how I can get it to work, please?


thanks
Peter
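Unbound's dnscrypt: clause makes unbound a DNSCrypt server for its own clients on the port-443 listener; it does not encrypt what unbound itself sends to forward-addr, which remains ordinary plaintext DNS. A DNSCrypt client bootstraps by sending a plain TXT query for the provider name (here 2.dnscrypt-cert.cryptostorm.is.) to that listener and checking the certificates it returns. The script below is an added example, not part of Peter's post or of Unbound: it builds that bootstrap query, parses the TXT answer and keeps the certificates whose validity window contains the current time; the 127.0.0.1:443 target and the certificate bytes used in testing are assumptions.

```python
import socket, struct, time
PROVIDER = "2.dnscrypt-cert.cryptostorm.is."  # provider name from the post

def build_txt_query(name: str, txid: int = 0x1234) -> bytes:
    # Plain DNS query: QTYPE TXT (16), class IN, recursion desired.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 16, 1)

def _skip_name(msg: bytes, pos: int) -> int:
    # Advance past a (possibly compressed) domain name.
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:  # compression pointer ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def txt_strings(msg: bytes) -> list:
    # Every character-string of every TXT RR in the answer section.
    pos, (qd, an) = 12, struct.unpack("!HH", msg[4:8])
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE/QCLASS
    out = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        while rtype == 16 and rdata:  # <len><bytes> repeated
            out.append(rdata[1:1 + rdata[0]])
            rdata = rdata[1 + rdata[0]:]
    return out

def cert_info(blob: bytes):
    # Certificate layout: "DNSC"(4) es-version(2) minor(2) signature(64) resolver-pk(32) client-magic(8) serial(4) ts-start(4) ts-end(4)
    if len(blob) < 124 or blob[:4] != b"DNSC":
        return None
    serial, start, end = struct.unpack("!III", blob[112:124])
    return {"es_version": struct.unpack("!H", blob[4:6])[0], "serial": serial, "ts_start": start, "ts_end": end}

def valid_certs(msg: bytes, now: int) -> list:
    # Certificates from a TXT answer whose validity window contains `now`.
    certs = [cert_info(s) for s in txt_strings(msg)]
    return [c for c in certs if c and c["ts_start"] <= now <= c["ts_end"]]

def probe(server=("127.0.0.1", 443)) -> list:
    # Send the bootstrap query to the (assumed) local listener over UDP.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(2.0)
        s.sendto(build_txt_query(PROVIDER), server)
        data, _ = s.recvfrom(4096)
    return valid_certs(data, int(time.time()))
```

Running probe() on the unbound host shows whether the listener configured by the dnscrypt: section is answering with a current certificate; a site such as whoer.net can only show which resolver reached it, not whether any hop was encrypted.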
