Maintained by: NLnet Labs

Fw: Re: Unbound with DNSCrypt configuration

peter.newey at yahoo.co.uk
Wed Jan 24 14:38:20 CET 2018


 

   ----- Forwarded message ----- From: peter.newey at yahoo.co.uk <peter.newey at yahoo.co.uk>To: manu tman <chantr4 at gmail.com>Sent: Wednesday, 24 January 2018, 05:24:03 GMTSubject: Re: Unbound with DNSCrypt configuration
 Hello Manu
thanks so much for your clear explanation, it has helped me understand now what is going on.
I have in the past installed dnscrypt-proxy and tried to use it along with unbound. I think after your explanation that in the past I wrongly assumed they were not 'playing together nicely'  when in fact they were.
I have seen  and tried dnscrypt-proxy2 and got that working ok.
May I ask if you can help on the following questions :
1.   Is there an answer to the question - which is better for security dnscrypt-proxy or dnscrypt under unbound ?
2. In the past I have seen comments from jedisct1 (Frank Denis) that it is not really advisable to mix running his programme  dnscrypt-proxy and a VPN together. Is there an answer ?
thanks again
Peter
 

    On Tuesday, 23 January 2018, 22:11:46 GMT, manu tman <chantr4 at gmail.com> wrote:  
 
 Hi Peter,
I think you are mixing up how DNScrypt in unbound work. By using:```interface: 0.0.0.0 at 443
interface: ::0 at 443
    
    ######DNSCRYPT############
    dnscrypt:
        dnscrypt-enable:yes
        dnscrypt-port:443
        dnscrypt-provider:2.dnscrypt- cert.cryptostorm.is.
        dnscrypt-secret-key:/usr/local/etc/unbound/1.key
        dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert

    ############################# ##```
Unbound will create a DNSCrypt server that will listen on port 443. Its provider name will be 2.dnscrypt- cert.cryptostorm.is. and it will use cert/key /usr/ local/etc/unbound/1.{cert,key} .
I am under the impression that you think it will connect to `5.101.137.251` over DNSCrypt. this is the role of DNSCrypt proxy instead.

When you add:```        forward-zone:
        name: "."
        forward-addr:5.101.137.251
```to the config, unbound will forward request to 5.101.137.251 and will behave as a caching server. Because 5.101.137.251 also handles clear text DNS, this is working just fine and that IP is showing through the website you mentioned.
When you remove the forward-zone, unbound will behave as a recursive resolver and DNS queries will show up as coming from your DNS server to the outside world.
I think you are mis-understanding what role Unbound has in DNSCrypt setup. Essentially, the config you are providing is the one that cryptostorm.is would use if they were going to set up a DNSCrypt server (aside from the forward-zone bit).
TL;DR you want to install DNSCrypt proxy. The original author is working on a new version: https://github.com/jedisct1/dnscrypt-proxy .
Manu
On Tue, Jan 23, 2018 at 5:46 AM, peter.newey--- via Unbound-users <unbound-users at unbound.net> wrote:

Hello
I am using unbound from Git version: 1.6.9 and have compiled it  with  --enable-dnscrypt .This is my unbound.conf setup;
# unbound.conf for a local subnet.#
server: 
        interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.0.0/16 allow 
    access-control: ::1 allow
    
    # DNSCRYPT server: #######
        interface: 0.0.0.0 at 443
        interface: ::0 at 443
    
    directory: "/usr/local/etc/unbound"
        chroot: "" 
        username: ""
    verbosity:0  
    num-threads: 1
        prefetch:yes 
    prefetch-key:yes
        use-syslog:no
        do-ip6: no  
    so-reuseport: yes
        module-config: "validator iterator"
       
        do-not-query-localhost: no
         
        # file to read root hints from.
        #get one from ftp://FTP.INTERNIC.NET/domain/
    root-hints: "/usr/local/etc/unbound/named. cache"
    ############################# ############################## #
        include: "/usr/local/etc/unbound/ unbound_ad_servers" 
        #update the above file by using below command as root  :
        #curl -sS -L --compressed "http://pgl.yoyo.org/ adservers/serverlist.php? hostformat=unbound&showintro= 0&mimetype=plaintext" > /usr/local/etc/unbound/ unbound_ad_servers
        
    logfile: "/usr/local/etc/unbound/ unbound.log"
        
    log-time-ascii:yes

         ############################## ######################

         #auto-trust-anchor-file: "/usr/local/etc/unbound/root. key"  #root key file, automatically updated##### remove # only for DNSSEC capable dns servers ##########
         ############################## ######################        

        #Remote control config section. 
        remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
     control-enable:yes
 
    ######DNSCRYPT############
    dnscrypt:
        dnscrypt-enable:yes
        dnscrypt-port:443
        dnscrypt-provider:2.dnscrypt- cert.cryptostorm.is.
        dnscrypt-secret-key:/usr/ local/etc/unbound/1.key
        dnscrypt-provider-cert:/usr/ local/etc/unbound/1.cert
    
        forward-zone:
        name: "."
        forward-addr:5.101.137.251
     
    ############################# ##
The only lines I see in my unbound.log  where dnscrypt is mentioned is this line that is repeated occasionally :
Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.
If I use the above unbound.conf and look on website https://whoer.net/it shows my own ISP i.p address correctly and DNS 5.101.137.251 correctly, which belongs to  dnscrypt-provider:2.dnscrypt- cert.cryptostorm.is.
If I change it to :
#forward-zone:
      # name: "."
        #forward-addr:5.101.137.251
my DNS address then shows my own ISP DNS , but I presume it should show 5.101.137.251 if dnscrypt was working correctly.


If I change it to :
#dnscrypt:
       # dnscrypt-enable:yes
        #dnscrypt-port:443
        #dnscrypt-provider:2.dnscrypt- cert.cryptostorm.is.
        #dnscrypt-secret-key:/usr/ local/etc/unbound/1.key
        #dnscrypt-provider-cert:/usr/ local/etc/unbound/1.cert

forward-zone:        name: "."
        forward-addr: my DNS address then shows 
my DNS address then shows again as 5.101.137.251 .

Can I presume dnscrypt is not working correctly and is there any suggestions as to how I can get it to work please ?


thanks
Peter


















    
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20180124/12e52c71/attachment.html>