Maintained by: NLnet Labs

Unbound with DNSCrypt configuration

manu tman
Tue Jan 23 23:11:43 CET 2018


Hi Peter,

I think you are mixing up how DNSCrypt in unbound works. By using:
```
interface: 0.0.0.0@443
interface: ::0@443

    ######DNSCRYPT############
    dnscrypt:
        dnscrypt-enable:yes
        dnscrypt-port:443
        dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
        dnscrypt-secret-key:/usr/local/etc/unbound/1.key
        dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert

    ###############################
```

Unbound will create a DNSCrypt server that will listen on port 443. Its
provider name will be 2.dnscrypt-cert.cryptostorm.is. and it will use
cert/key /usr/local/etc/unbound/1.{cert,key} .

I am under the impression that you think it will connect to `5.101.137.251`
over DNSCrypt. This is the role of DNSCrypt proxy instead.

When you add:
```
        forward-zone:
        name: "."
        forward-addr:5.101.137.251
```
to the config, unbound will forward requests to 5.101.137.251 and will
behave as a caching server. Because 5.101.137.251 also handles clear text
DNS, this is working just fine and that IP is showing through the website
you mentioned.

When you remove the forward-zone, unbound will behave as a recursive
resolver and DNS queries will show up as coming from your DNS server to the
outside world.

I think you are misunderstanding what role Unbound has in a DNSCrypt setup.
Essentially, the config you are providing is the one that cryptostorm.is
would use if they were going to set up a DNSCrypt server (aside from the
forward-zone bit).

TL;DR you want to install DNSCrypt proxy. The original author is working on
a new version: https://github.com/jedisct1/dnscrypt-proxy .

Manu

On Tue, Jan 23, 2018 at 5:46 AM, peter.newey--- via Unbound-users <
unbound-users at unbound.net> wrote:

> Hello
>
> I am using unbound from Git version: 1.6.9 and have compiled it with
> --enable-dnscrypt .
> This is my unbound.conf setup;
>
> # unbound.conf for a local subnet.#
> server:
>         interface: 0.0.0.0
>     interface: ::0
>     access-control: 192.168.0.0/16 allow
>     access-control: ::1 allow
>
>     # DNSCRYPT server: #######
>         interface: 0.0.0.0@443
>         interface: ::0@443
>
>     directory: "/usr/local/etc/unbound"
>         chroot: ""
>         username: ""
>     verbosity:0
>     num-threads: 1
>         prefetch:yes
>     prefetch-key:yes
>         use-syslog:no
>         do-ip6: no
>     so-reuseport: yes
>         module-config: "validator iterator"
>
>         do-not-query-localhost: no
>
>         # file to read root hints from.
>         #get one from ftp://FTP.INTERNIC.NET/domain/
>     root-hints: "/usr/local/etc/unbound/named.cache"
>     ############################################################
>         include: "/usr/local/etc/unbound/unbound_ad_servers"
>         #update the above file by using below command as root  :
>         #curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /usr/local/etc/unbound/unbound_ad_servers
>
>     logfile: "/usr/local/etc/unbound/unbound.log"
>
>     log-time-ascii:yes
>
>          ####################################################
>
>          #auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" #root key file, automatically updated##### remove # only for DNSSEC capable dns servers ##########
>          ####################################################
>
>         #Remote control config section.
>         remote-control:
>     # Enable remote control with unbound-control(8) here.
>     # set up the keys and certificates with unbound-control-setup.
>      control-enable:yes
>
>     ######DNSCRYPT############
>     dnscrypt:
>         dnscrypt-enable:yes
>         dnscrypt-port:443
>         dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
>         dnscrypt-secret-key:/usr/local/etc/unbound/1.key
>         dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
>
>         forward-zone:
>         name: "."
>         forward-addr:5.101.137.251
>
>     ###############################
>
> The only lines I see in my unbound.log where dnscrypt is mentioned is
> this line that is repeated occasionally:
>
> Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.
>
> If I use the above unbound.conf and look on website https://whoer.net/
> it shows my own ISP IP address correctly and DNS 5.101.137.251
> correctly, which belongs to
> dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
>
> If I change it to :
> #forward-zone:
>       # name: "."
>         #forward-addr:5.101.137.251
>
> my DNS address then shows my own ISP DNS, but I presume it should show
> 5.101.137.251 if dnscrypt was working correctly.
>
>
> If I change it to :
>
> #dnscrypt:
>        # dnscrypt-enable:yes
>         #dnscrypt-port:443
>         #dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
>         #dnscrypt-secret-key:/usr/local/etc/unbound/1.key
>         #dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
>
> forward-zone:
>         name: "."
>         forward-addr: my DNS address then shows
>
> my DNS address then shows again as 5.101.137.251.
>
>
> Can I presume dnscrypt is not working correctly and are there any
> suggestions as to how I can get it to work please?
>
>
> thanks
>
> Peter
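The distinction drawn in this thread can be checked mechanically. The following is an added example, not part of the original messages and not NLnet Labs code: a small audit that reads an unbound.conf and reports which legs are actually encrypted. The parser is deliberately simplified, the names `parse`, `audit` and `SAMPLE` are hypothetical, and the sample config is constructed from the options quoted above.

```python
CLAUSES = {"server", "remote-control", "dnscrypt", "forward-zone", "stub-zone"}
TLS_KEYS = ("forward-tls-upstream", "forward-ssl-upstream")
GLOBAL_TLS_KEYS = ("tls-upstream", "ssl-upstream")

# Constructed sample modelled on the configuration discussed in this thread.
SAMPLE = """
server:
    interface: 0.0.0.0@443
dnscrypt:
    dnscrypt-enable:yes
    dnscrypt-port:443
    dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
forward-zone:
    name: "."
    forward-addr:5.101.137.251
"""

def parse(text):
    """Return [(clause_name, {option: [values]})] in file order."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")   # first colon only, so ::0 survives
        key, value = key.strip(), value.strip().strip('"')
        if not value and key in CLAUSES:
            clauses.append((key, {}))
        elif clauses:
            clauses[-1][1].setdefault(key, []).append(value)
    return clauses

def audit(text):
    """Summarise which DNS legs of this unbound.conf are encrypted."""
    clauses = parse(text)
    global_tls = any(o.get(k) == ["yes"] for n, o in clauses
                     if n == "server" for k in GLOBAL_TLS_KEYS)
    report = {"dnscrypt_listen_ports": [], "upstreams": [], "mode": "recursive"}
    for name, opts in clauses:
        if name == "dnscrypt" and opts.get("dnscrypt-enable") == ["yes"]:
            # Server side only: clients may reach Unbound over DNSCrypt here.
            report["dnscrypt_listen_ports"] += opts.get("dnscrypt-port", [])
        elif name == "forward-zone":
            report["mode"] = "forwarder"
            tls = global_tls or any(opts.get(k) == ["yes"] for k in TLS_KEYS)
            for addr in opts.get("forward-addr", []):
                report["upstreams"].append((addr, "tls" if tls else "cleartext"))
    return report

print(audit(SAMPLE))
```

An upstream is never reported as DNSCrypt because, as the reply explains, the `dnscrypt:` clause only configures the listening side; a `cleartext` upstream next to a non-empty `dnscrypt_listen_ports` is the mismatch described in this thread.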