Re: Unbound with DNSCrypt configuration

2018-01-23 Thread manu tman via Unbound-users
Hi Peter,

I think you are mixing up how DNSCrypt in Unbound works. By using:
```
interface: 0.0.0.0@443
interface: ::0@443

##DNSCRYPT
dnscrypt:
dnscrypt-enable:yes
dnscrypt-port:443
dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
dnscrypt-secret-key:/usr/local/etc/unbound/1.key
dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert

###
```

Unbound will create a DNSCrypt server that will listen on port 443. Its
provider name will be 2.dnscrypt-cert.cryptostorm.is. and it will use the
cert/key /usr/local/etc/unbound/1.{cert,key}.

I am under the impression that you think it will connect to `5.101.137.251`
over DNSCrypt. This is the role of dnscrypt-proxy instead.

When you add:
```
forward-zone:
name: "."
forward-addr:5.101.137.251
```
to the config, Unbound will forward requests to 5.101.137.251 and will
behave as a caching server. Because 5.101.137.251 also handles cleartext
DNS, this is working just fine and that IP is showing up on the website
you mentioned.

When you remove the forward-zone, unbound will behave as a recursive
resolver and DNS queries will show up as coming from your DNS server to the
outside world.

I think you are misunderstanding what role Unbound has in a DNSCrypt setup.
Essentially, the config you are providing is the one that cryptostorm.is
would use if they were going to set up a DNSCrypt server (aside from the
forward-zone bit).

TL;DR: you want to install dnscrypt-proxy. The original author is working on
a new version: https://github.com/jedisct1/dnscrypt-proxy .

Manu

On Tue, Jan 23, 2018 at 5:46 AM, peter.newey--- via Unbound-users <
unbound-users@unbound.net> wrote:

> Hello
>
> I am using unbound from Git version: 1.6.9 and have compiled it with
> --enable-dnscrypt.
> This is my unbound.conf setup;
>
> # unbound.conf for a local subnet.#
> server:
> interface: 0.0.0.0
> interface: ::0
> access-control: 192.168.0.0/16 allow
> access-control: ::1 allow
>
> # DNSCRYPT server: ###
> interface: 0.0.0.0@443
> interface: ::0@443
>
> directory: "/usr/local/etc/unbound"
> chroot: ""
> username: ""
> verbosity:0
> num-threads: 1
> prefetch:yes
> prefetch-key:yes
> use-syslog:no
> do-ip6: no
> so-reuseport: yes
> module-config: "validator iterator"
>
> do-not-query-localhost: no
>
> # file to read root hints from.
> #get one from ftp://FTP.INTERNIC.NET/domain/
> root-hints: "/usr/local/etc/unbound/named.cache"
> 
> include: "/usr/local/etc/unbound/unbound_ad_servers"
> #update the above file by using below command as root  :
> #curl -sS -L --compressed "http://pgl.yoyo.org/
> adservers/serverlist.php?hostformat=unbound=0=plaintext"
> > /usr/local/etc/unbound/unbound_ad_servers
>
> logfile: "/usr/local/etc/unbound/unbound.log"
>
> log-time-ascii:yes
>
>  
>
>  #auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
> #root key file, automatically updated# remove # only for DNSSEC capable
> dns servers ##
>  
>
> #Remote control config section.
> remote-control:
> # Enable remote control with unbound-control(8) here.
> # set up the keys and certificates with unbound-control-setup.
>  control-enable:yes
>
> ##DNSCRYPT
> dnscrypt:
> dnscrypt-enable:yes
> dnscrypt-port:443
> dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
> dnscrypt-secret-key:/usr/local/etc/unbound/1.key
> dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
>
> forward-zone:
> name: "."
> forward-addr:5.101.137.251
>
> ###
>
> The only lines I see in my unbound.log where dnscrypt is mentioned is
> this line that is repeated occasionally:
>
> Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.
>
> If I use the above unbound.conf and look on the website https://whoer.net/
> it shows my own ISP IP address correctly and DNS 5.101.137.251
> correctly, which belongs to dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
>
> If I change it to :
> #forward-zone:
>   # name: "."
> #forward-addr:5.101.137.251
>
> my DNS address then shows my own ISP DNS, but I presume it should show
> 5.101.137.251 if dnscrypt was working correctly.
>
>
> If I change it to :
>
> #dnscrypt:
># dnscrypt-enable:yes
> #dnscrypt-port:443
> #dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
> #dnscrypt-secret-key:/usr/local/etc/unbound/1.key
> #dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
>
> forward-zone:
> name: "."
>   
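To make the role split above concrete, here is an added example that is not part of the thread and not code from Unbound or dnscrypt-proxy. The usual layout Manu is pointing at is dnscrypt-proxy running as the DNSCrypt client on the local box (for instance listening on 127.0.0.1@5353, an assumed address) and Unbound forwarding to it with `forward-zone: name: "." forward-addr: 127.0.0.1@5353`; Unbound's own `dnscrypt:` section only ever makes Unbound a DNSCrypt *server*. What that server publishes is a DNSCrypt v2 provider certificate, answered as a TXT record for the provider name (the `2.dnscrypt-cert.` prefix in `2.dnscrypt-cert.cryptostorm.is.` is exactly that convention) on the DNSCrypt port, and what a client does first is fetch and check that certificate over plain DNS. The code below builds that bootstrap query, parses the certificate out of a response and applies the cipher and validity-window checks; the provider name `2.dnscrypt-cert.example.`, the sample certificate bytes, the response bytes and every function name are constructed for this example, and the Ed25519 signature check is left out because it needs a library outside the standard library.

```python
# Added example; not code from this thread, from Unbound or from dnscrypt-proxy.
# It shows what Unbound's dnscrypt: section publishes (the provider certificate
# served as TXT under <dnscrypt-provider>) and what a DNSCrypt client such as
# dnscrypt-proxy does with it. Standard library only; sample data is constructed.
import socket
import struct
import time

CERT_MAGIC = b"DNSC"                                   # cert-magic of a DNSCrypt v2 cert
ES_VERSIONS = {1: "X25519-XSalsa20Poly1305", 2: "X25519-XChaCha20Poly1305"}
CERT_FIXED_LEN = 4 + 2 + 2 + 64 + 32 + 8 + 4 + 4 + 4   # 124 bytes before extensions
TXT, IN = 16, 1

def encode_qname(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_txt_query(provider_name, txid=0x1234):
    """Plain DNS query for TXT <provider_name>: the unencrypted bootstrap a
    DNSCrypt *client* sends to the server's DNSCrypt port to get the cert."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_qname(provider_name) + struct.pack("!HH", TXT, IN)

def parse_cert(blob):
    """Parse the fixed part of a DNSCrypt v2 certificate."""
    if len(blob) < CERT_FIXED_LEN or blob[:4] != CERT_MAGIC:
        raise ValueError("not a DNSCrypt certificate")
    es_version, minor = struct.unpack("!HH", blob[4:8])
    signed = blob[72:]   # resolver-pk || client-magic || serial || ts-start || ts-end || ext
    serial, ts_start, ts_end = struct.unpack("!III", signed[40:52])
    return {"es_version": es_version, "cipher": ES_VERSIONS.get(es_version, "unknown"),
            "minor": minor, "signature": blob[8:72], "signed_data": signed,
            "resolver_pk": signed[:32], "client_magic": signed[32:40],
            "serial": serial, "ts_start": ts_start, "ts_end": ts_end}

def cert_usable(cert, now=None):
    """Cipher and validity-window check a client makes. The Ed25519 signature
    check against the provider public key (obtained out of band, e.g. from an
    sdns:// stamp) needs a non-stdlib library and is deliberately not done here."""
    now = int(time.time()) if now is None else now
    return cert["es_version"] in ES_VERSIONS and cert["ts_start"] <= now <= cert["ts_end"]

def build_cert(resolver_pk, client_magic, serial, ts_start, ts_end,
               es_version=2, signature=b"\x00" * 64):
    """Assemble a certificate blob (used only to construct sample input here;
    a real provider fills `signature` with Ed25519 over the trailing fields)."""
    assert len(resolver_pk) == 32 and len(client_magic) == 8 and len(signature) == 64
    return (CERT_MAGIC + struct.pack("!HH", es_version, 0) + signature
            + resolver_pk + client_magic + struct.pack("!III", serial, ts_start, ts_end))

def _skip_name(msg, off):
    """Advance past a wire-format name, compressed (0xC0 pointer) or not."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def cert_from_response(resp):
    """Take the first TXT answer of a DNS response and parse it as a certificate."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata = resp[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == TXT:
            strings, i = [], 0          # TXT RDATA is a run of <len><chars>
            while i < len(rdata):
                strings.append(rdata[i + 1:i + 1 + rdata[i]])
                i += 1 + rdata[i]
            return parse_cert(b"".join(strings))
    raise ValueError("no TXT answer in response")

def fetch_cert(server_ip, port, provider_name, timeout=3.0):
    """Network helper, not exercised offline: ask a live DNSCrypt server for its cert."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(provider_name), (server_ip, port))
        resp, _ = s.recvfrom(4096)
    return cert_from_response(resp)

# Constructed sample: a DNSCrypt server answering TXT 2.dnscrypt-cert.example.
# with one cert valid for a year from 2018-01-23 (the date of this thread).
PROVIDER = "2.dnscrypt-cert.example."
SAMPLE_CERT = build_cert(bytes(range(32)), bytes.fromhex("0011223344556677"),
                         serial=7, ts_start=1516665600, ts_end=1516665600 + 365 * 86400)
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_qname(PROVIDER) + struct.pack("!HH", TXT, IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, 3600, 1 + len(SAMPLE_CERT))
                   + bytes([len(SAMPLE_CERT)]) + SAMPLE_CERT)
```

Pointed at Peter's own Unbound, `fetch_cert("192.168.x.y", 443, "2.dnscrypt-cert.cryptostorm.is.")` (address assumed) should return whatever is in `1.cert`, which is the only DNSCrypt-related thing that configuration does; nothing in it ever sends the bootstrap query upstream, which is why the `forward-zone` traffic to 5.101.137.251 is ordinary cleartext port-53 DNS and why removing it makes the ISP-visible source become the recursive resolver itself. A client that does send it, and then encrypts queries to the resolver-pk in that certificate, is what dnscrypt-proxy provides.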

Unbound with DNSCrypt configuration

2018-01-23 Thread peter.newey--- via Unbound-users
Hello
I am using unbound from Git version: 1.6.9 and have compiled it with
--enable-dnscrypt. This is my unbound.conf setup;
# unbound.conf for a local subnet.#
server: 
    interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.0.0/16 allow 
    access-control: ::1 allow
    
    # DNSCRYPT server: ###
    interface: 0.0.0.0@443
    interface: ::0@443
    
    directory: "/usr/local/etc/unbound"
    chroot: "" 
    username: ""
    verbosity:0  
    num-threads: 1
    prefetch:yes 
    prefetch-key:yes
    use-syslog:no
    do-ip6: no  
    so-reuseport: yes
    module-config: "validator iterator"
   
    do-not-query-localhost: no
         
    # file to read root hints from.
    #get one from ftp://FTP.INTERNIC.NET/domain/
    root-hints: "/usr/local/etc/unbound/named.cache"
    
    include: "/usr/local/etc/unbound/unbound_ad_servers" 
    #update the above file by using the command below as root:
    #curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound=0=plaintext" > /usr/local/etc/unbound/unbound_ad_servers
    
    logfile: "/usr/local/etc/unbound/unbound.log"
    
    log-time-ascii:yes

 

    #auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    #root key file, automatically updated. Remove # only for DNSSEC capable dns servers
     

    #Remote control config section. 
    remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
     control-enable:yes
 
    ##DNSCRYPT
    dnscrypt:
    dnscrypt-enable:yes
    dnscrypt-port:443
    dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
    dnscrypt-secret-key:/usr/local/etc/unbound/1.key
    dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
    
    forward-zone:
    name: "."
    forward-addr:5.101.137.251
     
    ###
The only lines I see in my unbound.log where dnscrypt is mentioned is this
line that is repeated occasionally:
Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.
If I use the above unbound.conf and look on the website https://whoer.net/ it shows
my own ISP IP address correctly and DNS 5.101.137.251 correctly, which belongs
to dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
If I change it to :
#forward-zone:
  # name: "."
    #forward-addr:5.101.137.251
my DNS address then shows my own ISP DNS, but I presume it should show
5.101.137.251 if dnscrypt was working correctly.


If I change it to :
#dnscrypt:
   # dnscrypt-enable:yes
    #dnscrypt-port:443
    #dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
    #dnscrypt-secret-key:/usr/local/etc/unbound/1.key
    #dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert

forward-zone:
    name: "."
    forward-addr: 5.101.137.251
my DNS address then shows again as 5.101.137.251.

Can I presume dnscrypt is not working correctly, and are there any suggestions as
to how I can get it to work please?


thanks
Peter