<html><head></head><body><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div><br></div><div><br></div>
<div id="ydp4461ca6byahoo_quoted_7672822834" class="ydp4461ca6byahoo_quoted">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>----- Forwarded message -----</div>
<div><b>From:</b> peter.newey@yahoo.co.uk <peter.newey@yahoo.co.uk></div><div><b>To:</b> manu tman <chantr4@gmail.com></div><div><b>Sent:</b> Wednesday, 24 January 2018, 05:24:03 GMT</div><div><b>Subject:</b> Re: Unbound with DNSCrypt configuration</div><div><br></div>
<div><div id="ydp4461ca6byiv4239022792"><div><div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px;"><div id="ydp4461ca6byiv4239022792ydpa77823f3yiv1674042973"><div><div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px;"><div>Hello Manu</div><div><br clear="none"></div><div>Thanks so much for your clear explanation; it has helped me understand now what is going on.</div><div><br clear="none"></div><div>I have in the past installed dnscrypt-proxy and tried to use it along with unbound. I think after your explanation that in the past I wrongly assumed they were not 'playing together nicely' when in fact they were.</div><div><br clear="none"></div><div>I have seen and tried dnscrypt-proxy2 and got that working ok.</div><div><br clear="none"></div><div>May I ask if you can help on the following questions:</div><div><br clear="none"></div><div>1. Is there an answer to the question: which is better for security, dnscrypt-proxy or dnscrypt under unbound?</div><div><br clear="none"></div><div>2. In the past I have seen comments from jedisct1 (Frank Denis) that it is not really advisable to mix running his programme dnscrypt-proxy and a VPN together. Is there an answer?</div><div><br clear="none"></div><div>thanks again</div><div><br clear="none"></div><div>Peter<br clear="none"></div>
<div><br clear="none"></div><div><br clear="none"></div>
<div class="ydp4461ca6byiv4239022792ydpa77823f3yiv1674042973yahoo_quoted" id="ydp4461ca6byiv4239022792ydpa77823f3yiv1674042973yahoo_quoted_7724291048">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
</div></div></div></div></div><div class="ydp4461ca6byiv4239022792yqt1737400530" id="ydp4461ca6byiv4239022792yqtfd42432"><div class="ydp4461ca6byiv4239022792yqt0362319264" id="ydp4461ca6byiv4239022792yqtfd13470"><div>
On Tuesday, 23 January 2018, 22:11:46 GMT, manu tman <chantr4@gmail.com> wrote:
</div>
<div><br clear="none"></div>
<div><br clear="none"></div>
<div><div id="ydp4461ca6byiv4239022792"><div><div dir="ltr">Hi Peter,<div><br clear="none"></div><div>I think you are mixing up how DNSCrypt in unbound works. By using:</div><div>```</div><div><span>interface: 0.0.0.0@443</span><br clear="none"><span>interface: ::0@443</span><br clear="none"><span> </span><br clear="none"></div><div><span> ######DNSCRYPT############</span><br clear="none"><span> dnscrypt:</span><br clear="none"><span> dnscrypt-enable:yes</span><br clear="none"><span> dnscrypt-port:443</span><br clear="none"><span> dnscrypt-provider:</span><a shape="rect" href="http://2.dnscrypt-cert.cryptostorm.is/" rel="nofollow" target="_blank">2.dnscrypt-cert.cryptostorm.is</a><span>.</span><br clear="none"><span> dnscrypt-secret-key:/usr/local/etc/unbound/1.key</span><br clear="none"><span> dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert</span><br clear="none"><br clear="none"><div> ###############################</div></div><div>```</div><div><br clear="none"></div><div>Unbound will create a DNSCrypt server that will listen on port 443. Its provider name will be <a shape="rect" href="http://2.dnscrypt-cert.cryptostorm.is/" rel="nofollow" target="_blank">2.dnscrypt-cert.cryptostorm.is</a>. and it will use cert/key /usr/local/etc/unbound/1.{cert,key}.</div><div><br clear="none"></div><div>I am under the impression that you think it will connect to `5.101.137.251` over DNSCrypt. This is the role of DNSCrypt proxy instead.<br clear="none"><br clear="none">When you add:</div><div>```</div><div> forward-zone:<br clear="none"> name: "."<br clear="none"> forward-addr:5.101.137.251<br clear="none"></div><div>```</div><div>to the config, unbound will forward requests to 5.101.137.251 and will behave as a caching server. Because 5.101.137.251 also handles clear-text DNS, this is working just fine and that IP is showing through the website you mentioned.</div><div><br clear="none"></div><div>When you remove the forward-zone, unbound will behave as a recursive resolver and DNS queries will show up as coming from your DNS server to the outside world.</div><div><br clear="none"></div><div>I think you are misunderstanding what role Unbound has in a DNSCrypt setup. Essentially, the config you are providing is the one that <a shape="rect" href="http://cryptostorm.is" rel="nofollow" target="_blank">cryptostorm.is</a> would use if they were going to set up a DNSCrypt server (aside from the forward-zone bit).</div><div><br clear="none"></div><div>TL;DR: you want to install DNSCrypt proxy. The original author is working on a new version: <a shape="rect" href="https://github.com/jedisct1/dnscrypt-proxy" rel="nofollow" target="_blank">https://github.com/jedisct1/dnscrypt-proxy</a>.</div><div><br clear="none"></div><div>Manu</div></div><div class="ydp4461ca6byiv4239022792yqt4825438400" id="ydp4461ca6byiv4239022792yqt46200"><div class="ydp4461ca6byiv4239022792gmail_extra"><br clear="none"><div class="ydp4461ca6byiv4239022792gmail_quote">On Tue, Jan 23, 2018 at 5:46 AM, peter.newey--- via Unbound-users <span dir="ltr"><<a shape="rect" href="mailto:unbound-users@unbound.net" rel="nofollow" target="_blank">unbound-users@unbound.net</a>></span> wrote:<br clear="none"><blockquote class="ydp4461ca6byiv4239022792gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div><div style="font-family: Helvetica, Arial, sans-serif; font-size: 16px;"><div>Hello</div><div><br clear="none"></div><div>I am using unbound from Git version 1.6.9 and have compiled it with --enable-dnscrypt.</div><div>This is my unbound.conf setup:</div><div><br clear="none"></div>
<div># unbound.conf for a local subnet.#<br clear="none">server:<br clear="none"> interface: 0.0.0.0<br clear="none"> interface: ::0<br clear="none"> access-control: 192.168.0.0/16 allow<br clear="none"> access-control: ::1 allow<br clear="none"> <br clear="none"> # DNSCRYPT server: #######<br clear="none"> interface: 0.0.0.0@443<br clear="none"> interface: ::0@443<br clear="none"> <br clear="none"> directory: "/usr/local/etc/unbound"<br clear="none"> chroot: ""<br clear="none"> username: ""<br clear="none"> verbosity:0<br clear="none"> num-threads: 1<br clear="none"> prefetch:yes<br clear="none"> prefetch-key:yes<br clear="none"> use-syslog:no<br clear="none"> do-ip6: no<br clear="none"> so-reuseport: yes<br clear="none"> module-config: "validator iterator"<br clear="none"> <br clear="none"> do-not-query-localhost: no<br clear="none"> <br clear="none"> # file to read root hints from.<br clear="none"> #get one from <a shape="rect" href="ftp://FTP.INTERNIC.NET/domain/" rel="nofollow" target="_blank">ftp://FTP.INTERNIC.NET/domain/</a><br clear="none"> root-hints: "/usr/local/etc/unbound/named.cache"<br clear="none"> ############################################################<br clear="none"> include: "/usr/local/etc/unbound/unbound_ad_servers"<br clear="none"> #update the above file by using below command as root :<br clear="none"> #curl -sS -L --compressed "<a shape="rect" href="http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" rel="nofollow" target="_blank">http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext</a>" > /usr/local/etc/unbound/unbound_ad_servers<br clear="none"> <br clear="none"> logfile: "/usr/local/etc/unbound/unbound.log"<br clear="none"> <br clear="none"> log-time-ascii:yes<br clear="none"><br clear="none"> ####################################################<br clear="none"><br clear="none"> #auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" #root key file, automatically updated##### remove # only for DNSSEC capable dns servers ##########<br clear="none"> ####################################################<br clear="none"><br clear="none"> #Remote control config section.<br clear="none"> remote-control:<br clear="none"> # Enable remote control with unbound-control(8) here.<br clear="none"> # set up the keys and certificates with unbound-control-setup.<br clear="none"> control-enable:yes<br clear="none"> <br clear="none"> ######DNSCRYPT############<br clear="none"> dnscrypt:<br clear="none"> dnscrypt-enable:yes<br clear="none"> dnscrypt-port:443<br clear="none"> dnscrypt-provider:<a shape="rect" href="http://2.dnscrypt-cert.cryptostorm.is" rel="nofollow" target="_blank">2.dnscrypt-cert.cryptostorm.is</a>.<br clear="none"> dnscrypt-secret-key:/usr/local/etc/unbound/1.key<br clear="none"> dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert<br clear="none"> <br clear="none"> forward-zone:<br clear="none"> name: "."<br clear="none"> forward-addr:5.101.137.251<br clear="none"> <br clear="none"> ###############################</div>
<div><br clear="none"></div><div>The only line I see in my unbound.log where dnscrypt is mentioned is this one, which is repeated occasionally:</div><div><br clear="none"></div><div>Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.</div><div><br clear="none"></div><div>If I use the above unbound.conf and look on the website <a shape="rect" href="https://whoer.net/" rel="nofollow" target="_blank">https://whoer.net/</a>, it shows my own ISP IP address correctly and DNS 5.101.137.251 correctly, which belongs to dnscrypt-provider: <a shape="rect" href="http://2.dnscrypt-cert.cryptostorm.is" rel="nofollow" target="_blank">2.dnscrypt-cert.cryptostorm.is</a>.</div><div><br clear="none"></div><div>If I change it to:</div><div><br clear="none"></div><div>#forward-zone:<br clear="none"> # name: "."<br clear="none"> #forward-addr:5.101.137.251</div><div><br clear="none"></div><div>my DNS address then shows my own ISP DNS, but I presume it should show 5.101.137.251 if dnscrypt was working correctly.</div><div><br clear="none"></div><div>If I change it to:</div><div><br clear="none"></div><div>#dnscrypt:<br clear="none"> # dnscrypt-enable:yes<br clear="none"> #dnscrypt-port:443<br clear="none"> #dnscrypt-provider:<a shape="rect" href="http://2.dnscrypt-cert.cryptostorm.is" rel="nofollow" target="_blank">2.dnscrypt-cert.cryptostorm.is</a>.<br clear="none"> #dnscrypt-secret-key:/usr/local/etc/unbound/1.key<br clear="none"> #dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert<br clear="none"><br clear="none">forward-zone:<br clear="none"> name: "."<br clear="none"> forward-addr: my DNS address then shows</div><div><br clear="none"></div><div>my DNS address then shows again as 5.101.137.251.</div><div><br clear="none"></div><div>Can I presume dnscrypt is not working correctly, and are there any suggestions as to how I can get it to work please?</div><div><br clear="none"></div><div>thanks</div><div><br clear="none"></div><div>Peter</div><div><br clear="none"></div></div></div></blockquote></div><br clear="none"></div></div></div></div></div>
</div></div><div class="ydp4461ca6byiv4239022792yqt0362319264" id="ydp4461ca6byiv4239022792yqtfd78939"><div class="ydp4461ca6byiv4239022792yqt1737400530" id="ydp4461ca6byiv4239022792yqtfd74103">
</div></div></div></div></div></div>
</div>
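<div>The role split Manu describes above, as an added example configuration that is not from anyone in the thread: unbound's dnscrypt: block turns the host into a DNSCrypt server, so a client that wants its upstream queries encrypted keeps unbound as the LAN-facing cache and forwards everything to a local dnscrypt-proxy instead. The 127.0.0.1@5353 listen address is an assumption about how dnscrypt-proxy is configured; the other values are taken from Peter's posted unbound.conf.</div>

```conf
# Added example (not from the thread): unbound in the DNSCrypt *client* role.
# Assumption: dnscrypt-proxy runs on the same host and listens on 127.0.0.1:5353.
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 192.168.0.0/16 allow
    access-control: ::1 allow
    directory: "/usr/local/etc/unbound"
    num-threads: 1
    prefetch: yes
    prefetch-key: yes
    so-reuseport: yes
    module-config: "validator iterator"
    # Required for the forward below: unbound's default (yes) refuses to send
    # queries to 127.0.0.0/8 and ::1, so the local proxy would never be asked.
    do-not-query-localhost: no
    # Enable the trust anchor only when the chosen DNSCrypt resolver returns
    # DNSSEC records (same caveat as the comment in the posted config).
    #auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    include: "/usr/local/etc/unbound/unbound_ad_servers"
    logfile: "/usr/local/etc/unbound/unbound.log"
    log-time-ascii: yes
    use-syslog: no
    # No "interface: 0.0.0.0@443" and no "dnscrypt:" section here: those make
    # THIS host serve DNSCrypt under the provider name 2.dnscrypt-cert.cryptostorm.is,
    # which is the upstream operator's job, not the client's.

remote-control:
    control-enable: yes

forward-zone:
    name: "."
    # Every query goes to dnscrypt-proxy, which performs the DNSCrypt exchange
    # with the upstream resolver; unbound never sends clear-text DNS to
    # 5.101.137.251 itself.
    forward-addr: 127.0.0.1@5353
    # forward-addr: 5.101.137.251   # the posted line: clear-text DNS straight upstream
```

<div>Because 5.101.137.251 answers both clear-text and DNSCrypt queries, a resolver-IP check such as whoer.net cannot tell the two apart; to confirm the proxy is actually in the path, verify that no outbound port 53 traffic leaves the resolver host while it is answering queries.</div>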
</div></div></body></html>