Fw: Re: Unbound with DNSCrypt configuration
peter.newey at yahoo.co.uk
Wed Jan 24 13:38:20 UTC 2018
----- Forwarded message -----
From: peter.newey at yahoo.co.uk <peter.newey at yahoo.co.uk>
To: manu tman <chantr4 at gmail.com>
Sent: Wednesday, 24 January 2018, 05:24:03 GMT
Subject: Re: Unbound with DNSCrypt configuration
Hello Manu
Thanks so much for your clear explanation; it has helped me understand now what is going on.
I have in the past installed dnscrypt-proxy and tried to use it along with unbound. I think after your explanation that in the past I wrongly assumed they were not 'playing together nicely' when in fact they were.
I have seen and tried dnscrypt-proxy2 and got that working ok.
May I ask if you can help on the following questions:
1. Is there an answer to the question: which is better for security, dnscrypt-proxy or dnscrypt under unbound?
2. In the past I have seen comments from jedisct1 (Frank Denis) that it is not really advisable to mix running his programme dnscrypt-proxy and a VPN together. Is there an answer?
thanks again
Peter
On Tuesday, 23 January 2018, 22:11:46 GMT, manu tman <chantr4 at gmail.com> wrote:
Hi Peter,
I think you are mixing up how DNSCrypt in unbound works. By using:
```
interface: 0.0.0.0@443
interface: ::0@443
######DNSCRYPT############
dnscrypt:
dnscrypt-enable:yes
dnscrypt-port:443
dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
dnscrypt-secret-key:/usr/local/etc/unbound/1.key
dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
###############################
```
Unbound will create a DNSCrypt server that will listen on port 443. Its provider name will be 2.dnscrypt-cert.cryptostorm.is. and it will use cert/key /usr/local/etc/unbound/1.{cert,key}.
I am under the impression that you think it will connect to `5.101.137.251` over DNSCrypt. This is the role of DNSCrypt proxy instead.
When you add:
```
forward-zone:
name: "."
forward-addr:5.101.137.251
```
to the config, unbound will forward requests to 5.101.137.251 and will behave as a caching server. Because 5.101.137.251 also handles clear text DNS, this is working just fine and that IP is showing through the website you mentioned.
When you remove the forward-zone, unbound will behave as a recursive resolver and DNS queries will show up as coming from your DNS server to the outside world.
I think you are misunderstanding what role Unbound has in a DNSCrypt setup. Essentially, the config you are providing is the one that cryptostorm.is would use if they were going to set up a DNSCrypt server (aside from the forward-zone bit).
TL;DR you want to install DNSCrypt proxy. The original author is working on a new version: https://github.com/jedisct1/dnscrypt-proxy .
Manu
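As an added illustration of Manu's point (not code from the thread or from Unbound), here is a small Python lint that parses the flat unbound.conf layout posted above and flags the two signals of the mix-up: a `dnscrypt:` clause with `dnscrypt-enable:yes` (Unbound acting as a DNSCrypt server), and a `forward-zone` pointing at a public address without Unbound's `forward-tls-upstream` (older name `forward-ssl-upstream`) option, so the upstream queries go out in clear text. The parser and the sample config are constructed here; the parser handles only the simple clause/key layout shown in the thread.

```python
"""Lint an unbound.conf for the mix-up discussed above: a dnscrypt: clause makes
Unbound a DNSCrypt *server*, while a forward-zone to a public IP still sends the
upstream queries in clear text. Added example; not code from the thread or Unbound."""
import ipaddress
import re

# Constructed sample: the essential lines of the config posted in the thread.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0@443
dnscrypt:
    dnscrypt-enable:yes
    dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
forward-zone:
    name: "."
    forward-addr:5.101.137.251
"""

CLAUSE_RE = re.compile(r"^([a-z-]+):\s*$")          # e.g. "dnscrypt:"
KV_RE = re.compile(r"^([a-z0-9-]+):\s*(.*?)\s*$")  # e.g. "forward-addr:5.101.137.251"


def parse_unbound_conf(text):
    """Return [(clause_name, {key: [values]}), ...] in file order (flat layout only)."""
    clauses = []
    for raw in text.splitlines():
        # '#' starts a comment only at line start or after whitespace; 'addr#name' is a value.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if m := CLAUSE_RE.match(line):
            clauses.append((m.group(1), {}))
        elif (m := KV_RE.match(line)) and clauses:
            clauses[-1][1].setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return clauses


def lint(text):
    """Return human-readable findings; an empty list means no role mix-up detected."""
    findings = []
    for clause, kv in parse_unbound_conf(text):
        if clause == "dnscrypt" and kv.get("dnscrypt-enable") == ["yes"]:
            findings.append("dnscrypt: clause makes Unbound a DNSCrypt server for its "
                            "clients; it does not encrypt Unbound's own upstream queries")
        if clause == "forward-zone":
            # forward-tls-upstream (older name forward-ssl-upstream) wraps the upstream in TLS.
            tls = kv.get("forward-tls-upstream", kv.get("forward-ssl-upstream"))
            for addr in kv.get("forward-addr", []):
                host = re.split(r"[@#]", addr)[0]  # drop optional @port and #tls-name
                if tls != ["yes"] and ipaddress.ip_address(host).is_global:
                    findings.append(f"forward-addr {addr} is reached in clear text")
    return findings
```

Running `lint(SAMPLE_CONF)` on the posted config yields both findings; a forward-zone aimed at a local dnscrypt-proxy listener (for example 127.0.0.1@5353) produces none.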
On Tue, Jan 23, 2018 at 5:46 AM, peter.newey--- via Unbound-users <unbound-users at unbound.net> wrote:
Hello
I am using unbound from Git version: 1.6.9 and have compiled it with --enable-dnscrypt. This is my unbound.conf setup:
```
# unbound.conf for a local subnet.
server:
interface: 0.0.0.0
interface: ::0
access-control: 192.168.0.0/16 allow
access-control: ::1 allow
# DNSCRYPT server: #######
interface: 0.0.0.0@443
interface: ::0@443
directory: "/usr/local/etc/unbound"
chroot: ""
username: ""
verbosity:0
num-threads: 1
prefetch:yes
prefetch-key:yes
use-syslog:no
do-ip6: no
so-reuseport: yes
module-config: "validator iterator"
do-not-query-localhost: no
# file to read root hints from.
# get one from ftp://FTP.INTERNIC.NET/domain/
root-hints: "/usr/local/etc/unbound/named.cache"
############################################################
include: "/usr/local/etc/unbound/unbound_ad_servers"
# update the above file by using the command below as root:
# curl -sS -L --compressed "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=unbound&showintro=0&mimetype=plaintext" > /usr/local/etc/unbound/unbound_ad_servers
logfile: "/usr/local/etc/unbound/unbound.log"
log-time-ascii:yes
####################################################
#auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" # root key file, automatically updated; remove # only for DNSSEC capable dns servers
####################################################
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
control-enable:yes
######DNSCRYPT############
dnscrypt:
dnscrypt-enable:yes
dnscrypt-port:443
dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
dnscrypt-secret-key:/usr/local/etc/unbound/1.key
dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
forward-zone:
name: "."
forward-addr:5.101.137.251
###############################
```
The only line I see in my unbound.log where dnscrypt is mentioned is this one, which is repeated occasionally:
Jan 23 05:35:12 unbound[32581:0] notice: DNSCrypt: Freeing environment.
If I use the above unbound.conf and look on the website https://whoer.net/ it shows my own ISP IP address correctly and DNS 5.101.137.251 correctly, which belongs to dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
If I change it to:
```
#forward-zone:
# name: "."
#forward-addr:5.101.137.251
```
my DNS address then shows my own ISP DNS, but I presume it should show 5.101.137.251 if dnscrypt was working correctly.
If I change it to:
```
#dnscrypt:
# dnscrypt-enable:yes
#dnscrypt-port:443
#dnscrypt-provider:2.dnscrypt-cert.cryptostorm.is.
#dnscrypt-secret-key:/usr/local/etc/unbound/1.key
#dnscrypt-provider-cert:/usr/local/etc/unbound/1.cert
forward-zone:
name: "."
forward-addr:5.101.137.251
```
my DNS address then shows again as 5.101.137.251.
Can I presume dnscrypt is not working correctly, and are there any suggestions as to how I can get it to work please?
thanks
Peter