TLS certificate question about Unbound 1.9.2
Yuri
yvoinov at gmail.com
Tue Apr 2 16:58:18 UTC 2019
Make sure you can connect to DoT upstream:
https://i.imgur.com/Andpr9t.png
Note: It can be blocked by your ISP or yourself on firewall.
On 02.04.2019 22:36, rollingonchrome via Unbound-users wrote:
> Thank you, Yuri.
>
> The certificate bundle does exist in the assumed path.
>
> Any other suggestions would be appreciated. Below is my config file.
> Also, here is the error from the log file:
>
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword 'tls-cert-bundle'
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ':'
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword '/etc/ssl/certs/ca-certificates.crt'
> Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
>
> Apologies for partially posting this message twice. I wasn't sure
> exactly how to edit the subject to properly thread my reply.
>
> server:
> # If no logfile is specified, syslog is used
> # logfile: "/var/log/unbound/unbound.log"
> verbosity: 0
>
> port: 5353
> do-ip4: yes
> do-udp: yes
> do-tcp: yes
>
> # May be set to yes if you have IPv6 connectivity
> do-ip6: no
>
> # Use this only when you downloaded the list of primary root servers!
> root-hints: "/var/lib/unbound/root.hints"
>
> # Trust glue only if it is within the servers authority
> harden-glue: yes
>
> # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
> harden-dnssec-stripped: yes
>
> # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
> # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
> use-caps-for-id: no
>
> # Reduce EDNS reassembly buffer size.
> # Suggested by the unbound man page to reduce fragmentation reassembly problems
> edns-buffer-size: 1472
>
> # TTL bounds for cache
> cache-min-ttl: 3600
> cache-max-ttl: 86400
>
> # Perform prefetching of close to expired message cache entries
> # This only applies to domains that have been frequently queried
> prefetch: yes
>
> # One thread should be sufficient, can be increased on beefy machines
> num-threads: 1
>
> # Ensure kernel buffer is large enough to not lose messages in traffic spikes
> so-rcvbuf: 1m
>
> # Ensure privacy of local IP ranges
> private-address: 192.168.0.0/16
> private-address: 169.254.0.0/16
> private-address: 172.16.0.0/12
> private-address: 10.0.0.0/8
> private-address: fd00::/8
> private-address: fe80::/10
>
> # New configuration items
> qname-minimisation: yes
> # fallback-enabled: yes
>
> # DNS over TLS: https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/
>
> access-control: 10.0.0.0/8 allow
> access-control: 127.0.0.0/8 allow
> access-control: 192.168.0.0/16 allow
> hide-identity: yes
> hide-version: yes
> minimal-responses: yes
> rrset-roundrobin: yes
> ssl-upstream: yes
> forward-zone:
> name: "."
> # Quad9
> # forward-addr: 2620:fe::fe@853#dns.quad9.net
> forward-addr: 9.9.9.9@853#dns.quad9.net
> # forward-addr: 2620:fe::9@853#dns.quad9.net
> forward-addr: 149.112.112.112@853#dns.quad9.net
> # Cloudflare DNS
> # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
> forward-addr: 1.1.1.1@853#cloudflare-dns.com
> # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
> forward-addr: 1.0.0.1@853#cloudflare-dns.com
> # Google Public DNS
> # forward-addr: 2001:4860:4860::8888@853#dns.google
> # forward-addr: 8.8.8.8@853#dns.google
> # forward-addr: 2001:4860:4860::8844@853#dns.google
> # forward-addr: 8.8.4.4@853#dns.google
> # Cleanbrowsing Security Filter
> # forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
> forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
> # forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org
> forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
> # Tenta DNS
> # ICANN
> forward-addr: 99.192.182.200@853#iana.tenta.io
> forward-addr: 99.192.182.201@853#iana.tenta.io
> # OpenNIC
> forward-addr: 99.192.182.100@853#opennic.tenta.io
> forward-addr: 99.192.182.101@853#opennic.tenta.io
> tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
> # tls-cert-bundle feature not available until Unbound 1.7.1
> # Actually secure DNS over TLS in Unbound: https://www.ctrl.blog/entry/unbound-tls-forwarding
--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
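The connectivity check the reply above asks for, as an added example that is not part of the thread: it pulls the uncommented forward-addr entries out of an Unbound forward-zone, then performs a real TLS handshake to each upstream on its port and verifies the chain against the same CA bundle the config names (the path is an assumption taken from the quoted config, overridable with BUNDLE). The SAMPLE_CONF text is constructed for illustration; the helper names (parse_upstreams, list_unnamed, check_upstream) are this example's own. It needs openssl 1.1.0 or later for -verify_hostname and for [v6]:port syntax.

```shell
#!/bin/sh
# Added example (not the thread's or Unbound's own code): exercise each DoT
# upstream from an unbound.conf forward-zone with openssl s_client, verifying
# the certificate chain against the configured CA bundle and the leaf against
# the #authname. Exit status 1 if any named upstream fails.

# CA bundle to verify against; default is the path from the quoted config.
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Constructed sample in the same ip@port#authname shape as the quoted config.
SAMPLE_CONF='forward-zone:
    name: "."
    # forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"'

# parse_upstreams: stdin = unbound.conf text; stdout = "ip port authname", one
# line per uncommented forward-addr that carries a #authname.
parse_upstreams() {
    grep -v '^[[:space:]]*#' |
    sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*\([^@#[:space:]]*\)@\([0-9]*\)#\([^[:space:]]*\).*/\1 \2 \3/p'
}

# list_unnamed: uncommented forward-addr lines with no #authname. TLS to these
# is encrypted but not authenticated, so they are worth flagging separately.
list_unnamed() {
    grep -v '^[[:space:]]*#' |
    sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*\([^#[:space:]]*\)[[:space:]]*$/\1/p'
}

# check_upstream IP PORT NAME: TCP connect plus TLS handshake; chain verified
# against BUNDLE, SNI and hostname check set to NAME. Returns 0 on success.
check_upstream() {
    ip=$1; port=$2; name=$3
    case $ip in *:*) host="[$ip]" ;; *) host=$ip ;; esac   # bracket IPv6 literals
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$name" \
          -verify_hostname "$name" -CAfile "$BUNDLE" 2>&1)
    if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        printf 'OK   %s:%s (%s)\n' "$ip" "$port" "$name"
        return 0
    fi
    # Surface the most useful line: verify failure, refused connect, or timeout
    # (a blocked port 853, which the reply above mentions, shows up here).
    reason=$(printf '%s\n' "$out" | grep -E 'Verify return code|connect:|refused|timed out' | head -n 1)
    printf 'FAIL %s:%s (%s): %s\n' "$ip" "$port" "$name" "${reason:-no TLS response}"
    return 1
}

# main CONF_FILE: check every named upstream, warn about unnamed ones.
main() {
    status=0
    # Join fields with commas so each upstream is one word in the for loop.
    for spec in $(parse_upstreams < "$1" | tr ' ' ','); do
        ip=${spec%%,*}; rest=${spec#*,}; port=${rest%%,*}; name=${rest#*,}
        check_upstream "$ip" "$port" "$name" || status=1
    done
    for addr in $(list_unnamed < "$1"); do
        printf 'WARN %s: no #authname, certificate cannot be verified\n' "$addr"
    done
    return "$status"
}

# Usage: sh dot-check.sh /etc/unbound/unbound.conf.d/pi-hole.conf
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Two things this check does not cover, which matter for the error in the quoted log: "unknown keyword" is what Unbound's config lexer reports for an option it was not built with, and the config's own comment says tls-cert-bundle needs Unbound 1.7.1, so comparing `unbound -V` on the resolver host against that is the first step. Second, tls-cert-bundle is a server: option in unbound.conf(5); in the quoted file it sits after the forward-zone: block, so once the version question is settled it still needs to move up into the server: section.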