Fw: Re: Unbound with DNSCrypt configuration
----- Forwarded message -----
From: peter.ne...@yahoo.co.uk <peter.ne...@yahoo.co.uk>
To: manu tman <chan...@gmail.com>
Sent: Wednesday, 24 January 2018, 05:24:03 GMT
Subject: Re: Unbound with DNSCrypt configuration

Hello Manu

Thanks so much for your clear explanation; it has helped me understand now what is going on. I have in the past installed dnscrypt-proxy and tried to use it along with unbound. I think after your explanation that in the past I wrongly assumed they were not 'playing together nicely' when in fact they were.

I have seen and tried dnscrypt-proxy2 and got that working ok.

May I ask if you can help on the following questions:

1. Is there an answer to the question - which is better for security, dnscrypt-proxy or dnscrypt under unbound?

2. In the past I have seen comments from jedisct1 (Frank Denis) that it is not really advisable to mix running his programme dnscrypt-proxy and a VPN together. Is there an answer?

thanks again
Peter

On Tuesday, 23 January 2018, 22:11:46 GMT, manu tman <chan...@gmail.com> wrote:

> Hi Peter,
>
> I think you are mixing up how DNSCrypt in unbound works. By using:
>
> ```
> interface: 0.0.0.0@443
> interface: ::0@443
> ##DNSCRYPT
> dnscrypt:
>     dnscrypt-enable: yes
>     dnscrypt-port: 443
>     dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
>     dnscrypt-secret-key: /usr/local/etc/unbound/1.key
>     dnscrypt-provider-cert: /usr/local/etc/unbound/1.cert
> ###
> ```
>
> Unbound will create a DNSCrypt server that will listen on port 443. Its provider name will be 2.dnscrypt-cert.cryptostorm.is. and it will use cert/key /usr/local/etc/unbound/1.{cert,key}. I am under the impression that you think it will connect to `5.101.137.251` over DNSCrypt. This is the role of DNSCrypt proxy instead. When you add:
>
> ```
> forward-zone:
>     name: "."
>     forward-addr: 5.101.137.251
> ```
>
> to the config, unbound will forward requests to 5.101.137.251 and will behave as a caching server. Because 5.101.137.251 also handles clear text DNS, this is working just fine and that IP is showing through the website you mentioned. When you remove the forward-zone, unbound will behave as a recursive resolver and DNS queries will show up as coming from your DNS server to the outside world.
>
> I think you are misunderstanding what role Unbound has in a DNSCrypt setup. Essentially, the config you are providing is the one that cryptostorm.is would use if they were going to set up a DNSCrypt server (aside from the forward-zone bit).
>
> TL;DR you want to install DNSCrypt proxy. The original author is working on a new version: https://github.com/jedisct1/dnscrypt-proxy .
>
> Manu
>
> On Tue, Jan 23, 2018 at 5:46 AM, peter.newey--- via Unbound-users <unbound-users@unbound.net> wrote:
Re: Unbound with DNSCrypt configuration
Hi Peter,

I think you are mixing up how DNSCrypt in unbound works. By using:

```
interface: 0.0.0.0@443
interface: ::0@443
##DNSCRYPT
dnscrypt:
    dnscrypt-enable: yes
    dnscrypt-port: 443
    dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
    dnscrypt-secret-key: /usr/local/etc/unbound/1.key
    dnscrypt-provider-cert: /usr/local/etc/unbound/1.cert
###
```

Unbound will create a DNSCrypt server that will listen on port 443. Its provider name will be 2.dnscrypt-cert.cryptostorm.is. and it will use cert/key /usr/local/etc/unbound/1.{cert,key}. I am under the impression that you think it will connect to `5.101.137.251` over DNSCrypt. This is the role of DNSCrypt proxy instead. When you add:

```
forward-zone:
    name: "."
    forward-addr: 5.101.137.251
```

to the config, unbound will forward requests to 5.101.137.251 and will behave as a caching server. Because 5.101.137.251 also handles clear text DNS, this is working just fine and that IP is showing through the website you mentioned. When you remove the forward-zone, unbound will behave as a recursive resolver and DNS queries will show up as coming from your DNS server to the outside world.

I think you are misunderstanding what role Unbound has in a DNSCrypt setup. Essentially, the config you are providing is the one that cryptostorm.is would use if they were going to set up a DNSCrypt server (aside from the forward-zone bit).

TL;DR you want to install DNSCrypt proxy. The original author is working on a new version: https://github.com/jedisct1/dnscrypt-proxy .

Manu

On Tue, Jan 23, 2018 at 5:46 AM, peter.newey--- via Unbound-users <unbound-users@unbound.net> wrote:
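To make the three situations Manu describes concrete (dnscrypt: clause present, forward-zone present or removed), here is an added example that is not code from the Unbound project or from either poster. It parses an unbound.conf and reports which role the `dnscrypt:` and `forward-zone:` clauses actually give Unbound: DNSCrypt *server* or not, and whether queries for "." go out recursively, to a public address in cleartext, over TLS, or to a loopback listener such as dnscrypt-proxy. The sample configs are constructed from Peter's posting; the corrected variant assumes dnscrypt-proxy listening on 127.0.0.1:5300, an address I chose for the example, not one from the thread. The option names it checks (`dnscrypt-enable`, `dnscrypt-port`, `dnscrypt-provider`, `forward-addr`, `forward-tls-upstream`/`forward-ssl-upstream`, `tls-upstream`/`ssl-upstream`, `do-not-query-localhost`) are real Unbound options; the classification labels are mine.

```python
"""Added example (not Unbound's or the posters' code): lint an unbound.conf
for the role confusion in the thread.  It reads only the knobs Manu's reply
hinges on: a dnscrypt: clause (Unbound *serving* DNSCrypt), forward-zone:
clauses for "." (where unanswered queries go) and what kind of upstream the
forward targets are.  Sample configs are constructed from the thread."""
import ipaddress
import re

CLAUSE_RE = re.compile(r"^\s*([a-z][a-z-]*):\s*$")                 # "forward-zone:"
OPTION_RE = re.compile(r"^\s*([a-z][a-z0-9-]*)\s*:\s*(.*\S)\s*$")  # "key: value"
COMMENT_RE = re.compile(r"(^|\s)#.*$")  # '#' is a comment only at line start or after
                                        # whitespace, so "ip@853#authname" survives


def parse_unbound_conf(text):
    """Return [(clause, {option: [values...]}), ...] in file order.

    Unbound's grammar is a "clause:" line followed by "option: value" lines.
    Clauses may repeat (several forward-zone: blocks) and so may options in
    one clause (several interface: lines), hence lists everywhere.
    """
    clauses, current = [], None
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).rstrip()
        if not line.strip():
            continue
        m = CLAUSE_RE.match(line)
        if m:
            current = (m.group(1), {})
            clauses.append(current)
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            current[1].setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return clauses


def _last(opts, key, default=None):
    """Unbound honours the last occurrence of a repeated scalar option."""
    return opts.get(key, [default])[-1]


def classify_forward_addr(addr):
    """Split a forward-addr value 'ip[@port][#authname]' into (ip, port, is_loopback)."""
    addr = addr.split("#", 1)[0]
    host, port = addr.rsplit("@", 1) if "@" in addr else (addr, "53")
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal; treat it as remote
        loopback = False
    return host, int(port), loopback


def describe_roles(text):
    """Summarise what a config makes Unbound do, in the thread's terms."""
    report = {"dnscrypt_server": False, "dnscrypt_port": None, "dnscrypt_provider": None,
              "forward_targets": [], "upstream": "recursive"}  # default: Unbound recurses itself
    tls = False
    for clause, opts in parse_unbound_conf(text):
        if clause == "server":
            tls |= _last(opts, "tls-upstream", _last(opts, "ssl-upstream", "no")) == "yes"
        elif clause == "dnscrypt" and _last(opts, "dnscrypt-enable", "no") == "yes":
            # This clause only ever makes Unbound *answer* DNSCrypt clients.
            report["dnscrypt_server"] = True
            port = _last(opts, "dnscrypt-port")
            report["dnscrypt_port"] = int(port) if port else None
            report["dnscrypt_provider"] = _last(opts, "dnscrypt-provider")
        elif clause == "forward-zone" and _last(opts, "name", "") == ".":
            tls |= _last(opts, "forward-tls-upstream",
                         _last(opts, "forward-ssl-upstream", "no")) == "yes"
            report["forward_targets"] += [classify_forward_addr(a)
                                          for a in opts.get("forward-addr", [])]
    targets = report["forward_targets"]
    if targets and all(t[2] for t in targets):
        report["upstream"] = "loopback-forward"  # encrypted only if a proxy listens there
    elif targets:
        report["upstream"] = "tls-forward" if tls else "plaintext-forward"
    return report


# Constructed from Peter's unbound.conf: Unbound *serves* DNSCrypt on 443 and
# forwards everything to 5.101.137.251 on plain port 53.
PETER_CONF = """
server:
    interface: 0.0.0.0@443
    do-not-query-localhost: no
dnscrypt:
    dnscrypt-enable:yes
    dnscrypt-port:443
    dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
    dnscrypt-secret-key:/usr/local/etc/unbound/1.key
    dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
forward-zone:
    name: "."
    forward-addr:5.101.137.251
"""

# Manu's TL;DR as a config: no dnscrypt: clause, forward to a local dnscrypt-proxy.
# 127.0.0.1:5300 is an assumed listener address, not one from the thread.
PROXY_CONF = """
server:
    do-not-query-localhost: no   # needed, or Unbound will not forward to 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5300
"""

if __name__ == "__main__":
    for label, conf in (("peter", PETER_CONF),
                        ("no forward-zone", PETER_CONF.split("forward-zone:")[0]),
                        ("via dnscrypt-proxy", PROXY_CONF)):
        print(label, describe_roles(conf))
```

Run as a script it prints the three reports: Peter's config is a DNSCrypt server with a plaintext forward, the same config minus the forward-zone is recursive, and the proxy variant is a loopback forward. That last label is deliberately not "encrypted": Unbound has no DNSCrypt client mode, so the hop is private only if dnscrypt-proxy is actually bound on that address (in dnscrypt-proxy 2 that is `listen_addresses = ['127.0.0.1:5300']` in dnscrypt-proxy.toml), and `do-not-query-localhost: no`, which Peter's config already has, must stay set or Unbound will refuse to use the loopback forwarder.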
Unbound with DNSCrypt configuration
Hello

I am using unbound from Git version: 1.6.9 and have compiled it with --enable-dnscrypt. This is my unbound.conf setup:

```
# unbound.conf for a local subnet.
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.0.0/16 allow
    access-control: ::1 allow

    # DNSCRYPT server:
    interface: 0.0.0.0@443
    interface: ::0@443

    directory: "/usr/local/etc/unbound"
    chroot: ""
    username: ""
    verbosity: 0
    num-threads: 1
    prefetch: yes
    prefetch-key: yes
    use-syslog: no
    do-ip6: no
    so-reuseport: yes
    module-config: "validator iterator"

    do-not-query-localhost: no

    # file to read root hints from.
    # get one from ftp://FTP.INTERNIC.NET/domain/
    root-hints: "/usr/local/etc/unbound/named.cache"

    include: "/usr/local/etc/unbound/unbound_ad_servers"
    # update the above file by using below command as root:
    # curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /usr/local/etc/unbound/unbound_ad_servers

    logfile: "/usr/local/etc/unbound/unbound.log"
    log-time-ascii: yes

    #auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    # root key file, automatically updated. Remove the # only for DNSSEC capable dns servers.

# Remote control config section.
remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes

## DNSCRYPT
dnscrypt:
    dnscrypt-enable: yes
    dnscrypt-port: 443
    dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
    dnscrypt-secret-key: /usr/local/etc/unbound/1.key
    dnscrypt-provider-cert: /usr/local/etc/unbound/1.cert

forward-zone:
    name: "."
    forward-addr: 5.101.137.251
```

The only lines I see in my unbound.log where dnscrypt is mentioned is this line that is repeated occasionally:

```
Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.
```

If I use the above unbound.conf and look on website https://whoer.net/ it shows my own ISP IP address correctly and DNS 5.101.137.251 correctly, which belongs to dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.

If I change it to:

```
#forward-zone:
#    name: "."
#    forward-addr: 5.101.137.251
```

my DNS address then shows my own ISP DNS, but I presume it should show 5.101.137.251 if dnscrypt was working correctly.

If I change it to:

```
#dnscrypt:
#    dnscrypt-enable: yes
#    dnscrypt-port: 443
#    dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
#    dnscrypt-secret-key: /usr/local/etc/unbound/1.key
#    dnscrypt-provider-cert: /usr/local/etc/unbound/1.cert

forward-zone:
    name: "."
    forward-addr: 5.101.137.251
```

my DNS address then shows again as 5.101.137.251.

Can I presume dnscrypt is not working correctly, and are there any suggestions as to how I can get it to work please?

thanks
Peter