<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"Lucida Console";
panose-1:2 11 6 9 4 5 4 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
code
{mso-style-priority:99;
font-family:"Lucida Console";
color:#333333;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;
mso-fareast-language:EN-GB;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
color:black;
mso-fareast-language:EN-GB;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:"Consolas",serif;
color:black;
mso-fareast-language:EN-US;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-GB link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='color:windowtext'>Hi Yuri,<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext'>Thanks for the config file very useful, but I still have the issue of:<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal>tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I do not have the file: "C:\Squid\etc\squid\ca-bundle.crt" on my system.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>So my original question was were do I get that or a suitable file from?<o:p></o:p></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:windowtext;mso-fareast-language:EN-GB'>Regards<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext;mso-fareast-language:EN-GB'>Ray<o:p></o:p></span></p><p class=MsoNormal><span style='color:windowtext'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='color:windowtext;mso-fareast-language:EN-GB'>From:</span></b><span lang=EN-US style='color:windowtext;mso-fareast-language:EN-GB'> Yuri <yvoinov@gmail.com> <br><b>Sent:</b> 21 July 2019 19:51<br><b>To:</b> unbound-users@nlnetlabs.nl<br><b>Subject:</b> Re: Using DNS over TLS on windows<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p>Just an example from working Windows setup:<span style='mso-fareast-language:EN-GB'><o:p></o:p></span></p><p># Unbound configuration file on windows.<br># See example.conf for more settings and syntax<br><br>server:<br> # verbosity level 0-4 of logging<br> verbosity: 0<br><br> # if you want to log to a file use<br> # logfile: "C:\unbound.log"<br><br> # on Windows, this setting makes reports go into the Application log<br> # found in ControlPanels - System tasks - Logs <br> use-syslog: yes<br> log-time-ascii: yes<br> num-threads: 4<br> cache-max-ttl: 14400<br> cache-min-ttl: 900<br> cache-max-negative-ttl: 60<br> infra-host-ttl: 60<br># root-hints: "C:\Program Files\Unbound\named.root"<br> hide-identity: yes<br> hide-version: yes<br> hide-trustanchor: yes<br><br> do-ip6: no<br><br> tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"<br> tls-win-cert: yes<br> tcp-upstream: yes<br><br> harden-short-bufsize: yes<br> harden-large-queries: yes<br> harden-below-nxdomain: yes<br> harden-algo-downgrade: yes<br> # 1.5.7 feature. Yes recommended.<br> # From 1.7.2 yes is default<br> #qname-minimisation: yes<br> aggressive-nsec: yes<br><br> # select from the fastest servers this many times out of 1000. 0 means<br> # the fast server select is disabled. prefetches are not sped up.<br> # fast-server-permil: 0<br> fast-server-permil: 100<br> # the number of servers that will be used in the fast server selection.<br> # fast-server-num: 3<br> fast-server-num: 4<br><br> unwanted-reply-threshold: 10000000<br> do-not-query-localhost: no<br> prefetch: yes<br> prefetch-key: yes<br> rrset-roundrobin: yes<br> minimal-responses: yes<br><br> access-control: 0.0.0.0/0 refuse<br> access-control: 127.0.0.0/8 allow_snoop<br> access-control: ::0/0 refuse<br> access-control: ::1 allow<br> access-control: ::ffff:127.0.0.1 allow<br><br> #include: "C:\Program Files\Unbound\unbound_local" <br> include: "C:\Program Files\Unbound\unbound_ad_servers" <br><br># Remote control config section. <br>remote-control:<br> # Enable remote control with unbound-control(8) here.<br> # set up the keys and certificates with unbound-control-setup.<br> control-enable: yes<br> control-use-cert: no<br><br>forward-zone:<br> name: "."<br># forward-addr: <a href="mailto:208.67.222.222@53">208.67.222.222@53</a><br># forward-addr: <a href="mailto:208.67.220.220@53">208.67.220.220@53</a><br> forward-addr: <a href="mailto:1.1.1.1@853#cloudflare-dns.com">1.1.1.1@853#cloudflare-dns.com</a><br> forward-addr: <a href="mailto:1.0.0.1@853#cloudflare-dns.com">1.0.0.1@853#cloudflare-dns.com</a><br> forward-addr: <a href="mailto:9.9.9.9@853#dns.quad9.net">9.9.9.9@853#dns.quad9.net</a><br> forward-addr: <a href="mailto:149.112.112.112@853#dns.quad9.net">149.112.112.112@853#dns.quad9.net</a><br> forward-addr: <a href="mailto:145.100.185.15@443#dnsovertls.sinodun.com">145.100.185.15@443#dnsovertls.sinodun.com</a><br> forward-addr: <a href="mailto:145.100.185.16@443#dnsovertls1.sinodun.com">145.100.185.16@443#dnsovertls1.sinodun.com</a><br> forward-addr: <a href="mailto:185.49.141.37@853#getdnsapi.net">185.49.141.37@853#getdnsapi.net</a><br> forward-addr: <a href="mailto:89.233.43.71@853#unicast.censurfridns.dk">89.233.43.71@853#unicast.censurfridns.dk</a><br> forward-addr: <a href="mailto:158.64.1.29@853#kaitain.restena.lu">158.64.1.29@853#kaitain.restena.lu</a><br> forward-addr: <a href="mailto:145.100.185.18@853#dnsovertls3.sinodun.com">145.100.185.18@853#dnsovertls3.sinodun.com</a><br> forward-addr: <a href="mailto:145.100.185.17@853#dnsovertls2.sinodun.com">145.100.185.17@853#dnsovertls2.sinodun.com</a><br> forward-addr: <a href="mailto:199.58.81.218@853#dns.cmrg.net">199.58.81.218@853#dns.cmrg.net</a><br> forward-addr: <a href="mailto:94.130.110.185@853#ns1.dnsprivacy.at">94.130.110.185@853#ns1.dnsprivacy.at</a><br> forward-addr: <a href="mailto:94.130.110.178@853#ns2.dnsprivacy.at">94.130.110.178@853#ns2.dnsprivacy.at</a><br> forward-addr: <a href="mailto:99.192.182.200@853#iana.tenta.io">99.192.182.200@853#iana.tenta.io</a><br> forward-addr: <a href="mailto:99.192.182.201@853#iana.tenta.io">99.192.182.201@853#iana.tenta.io</a><br> forward-addr: <a href="mailto:99.192.182.100@853#opennic.tenta.io">99.192.182.100@853#opennic.tenta.io</a><br> forward-addr: <a href="mailto:99.192.182.101@853#opennic.tenta.io">99.192.182.101@853#opennic.tenta.io</a> <br> forward-tls-upstream: yes<br><br># OpenDNS is NOT DNSSEC enabled<br>server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"<br>###<o:p></o:p></p><div><p class=MsoNormal>21.07.2019 21:37, RayG via Unbound-users пишет:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal>Hi,<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'>I have configured things so far but I get these errors and I think the reason is the “tls-cert-bundle” setting.</span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'> </span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'>16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed</span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'>21/07/2019</span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'> </span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'>So to get this working I have to enable this setting:</span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'> </span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'>tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt</span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'> </span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'>That example would seem OK for a UNIX install but where/how do I configure this for windows?</span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'> </span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'>Can I use the windows certificate store? If so what would the entry read.</span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'> </span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'>Thanks</span></code><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-GB'>Regards</span><o:p></o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-GB'>Ray</span><o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'> </span></code><o:p></o:p></p><p class=MsoNormal><code><span lang=EN style='font-size:10.0pt'> </span></code><o:p></o:p></p></blockquote><pre>-- <o:p></o:p></pre><pre>"C++ seems like a language suitable for firing other people's legs."<o:p></o:p></pre><pre><o:p> </o:p></pre><pre>*****************************<o:p></o:p></pre><pre>* C++20 : Bug to the future *<o:p></o:p></pre><pre>*****************************<o:p></o:p></pre></div></body></html>