TLS certificate question about Unbound 1.9.2

Yuri yvoinov at gmail.com
Tue Apr 2 16:58:18 UTC 2019


Make sure you can connect to DoT upstream:

https://i.imgur.com/Andpr9t.png

Note: It can be blocked by your ISP or yourself on the firewall.

02.04.2019 22:36, rollingonchrome via Unbound-users wrote:
> Thank you, Yuri.
>
> The certificate bundle does exist in the assumed path.
>
> Any other suggestions would be appreciated. Below is my config file.
> Also, here is the error from the log file:
>
> Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword 'tls-cert-bundle'
> Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ':'
> Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
> Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword '/etc/ssl/certs/ca-certificates.crt'
> Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
>
> Apologies for partially posting this message twice. I wasn't sure
> exactly how to edit the subject to properly thread my reply.
>
> server:
>     # If no logfile is specified, syslog is used
>     # logfile: "/var/log/unbound/unbound.log"
>     verbosity: 0
>
>     port: 5353
>     do-ip4: yes
>     do-udp: yes
>     do-tcp: yes
>
>     # May be set to yes if you have IPv6 connectivity
>     do-ip6: no
>
>     # Use this only when you downloaded the list of primary root servers!
>     root-hints: "/var/lib/unbound/root.hints"
>
>     # Trust glue only if it is within the servers authority
>     harden-glue: yes
>
>     # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
>     harden-dnssec-stripped: yes
>
>     # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
>     # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
>     use-caps-for-id: no
>
>     # Reduce EDNS reassembly buffer size.
>     # Suggested by the unbound man page to reduce fragmentation reassembly problems
>     edns-buffer-size: 1472
>
>     # TTL bounds for cache
>     cache-min-ttl: 3600
>     cache-max-ttl: 86400
>
>     # Perform prefetching of close to expired message cache entries
>     # This only applies to domains that have been frequently queried
>     prefetch: yes
>
>     # One thread should be sufficient, can be increased on beefy machines
>     num-threads: 1
>
>     # Ensure kernel buffer is large enough to not lose messages in traffic spikes
>     so-rcvbuf: 1m
>
>     # Ensure privacy of local IP ranges
>     private-address: 192.168.0.0/16
>     private-address: 169.254.0.0/16
>     private-address: 172.16.0.0/12
>     private-address: 10.0.0.0/8
>     private-address: fd00::/8
>     private-address: fe80::/10
>
> # New configuration items
> qname-minimisation: yes
> # fallback-enabled: yes
>
> # DNS over TLS: https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/
>
> access-control: 10.0.0.0/8 allow
> access-control: 127.0.0.0/8 allow
> access-control: 192.168.0.0/16 allow
> hide-identity: yes
> hide-version: yes
> minimal-responses: yes
> rrset-roundrobin: yes
> ssl-upstream: yes
> forward-zone:
>   name: "."
>   # Quad9
>   # forward-addr: 2620:fe::fe@853#dns.quad9.net
>   forward-addr: 9.9.9.9@853#dns.quad9.net
>   # forward-addr: 2620:fe::9@853#dns.quad9.net
>   forward-addr: 149.112.112.112@853#dns.quad9.net
>   # Cloudflare DNS
>   # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
>   forward-addr: 1.1.1.1@853#cloudflare-dns.com
>   # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
>   forward-addr: 1.0.0.1@853#cloudflare-dns.com
>   # Google Public DNS
>   # forward-addr: 2001:4860:4860::8888@853#dns.google
>   # forward-addr: 8.8.8.8@853#dns.google
>   # forward-addr: 2001:4860:4860::8844@853#dns.google
>   # forward-addr: 8.8.4.4@853#dns.google
>   # Cleanbrowsing Security Filter
>   # forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
>   forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
>   # forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org
>   forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
>   # Tenta DNS
>   # ICANN
>   forward-addr: 99.192.182.200@853#iana.tenta.io
>   forward-addr: 99.192.182.201@853#iana.tenta.io
>   # OpenNIC
>   forward-addr: 99.192.182.100@853#opennic.tenta.io
>   forward-addr: 99.192.182.101@853#opennic.tenta.io
> tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
> # tls-cert-bundle feature not available until Unbound 1.7.1
> # Actually secure DNS over TLS in Unbound https://www.ctrl.blog/entry/unbound-tls-forwarding

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
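
The connectivity check suggested in this message, as an added example that is not part of the original post or of Unbound: it reads forward-addr entries in unbound.conf syntax and attempts a TLS handshake to each, verifying the certificate chain against the CA bundle and the name after '#', so a filtered port and a rejected certificate are reported separately. SAMPLE_CONF is constructed from upstreams named in the quoted config; parse_forward_addrs and check_dot are hypothetical helper names.

```python
import re
import socket
import ssl

# Constructed sample in unbound.conf syntax; upstreams taken from the quoted
# config, 192.0.2.53 is a documentation address added to show a plain entry.
SAMPLE_CONF = """\
forward-zone:
  name: "."
  # forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 192.0.2.53
"""
FORWARD_RE = re.compile(
    r"^\s*forward-addr:\s*([0-9A-Fa-f:.]+)(?:@(\d+))?(?:#(\S+))?\s*$")
CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # path from the quoted config

def parse_forward_addrs(conf_text):
    """Return (ip, port, auth_name) per active forward-addr; None if absent."""
    found = []
    for line in conf_text.splitlines():
        m = FORWARD_RE.match(line)  # commented-out lines do not match
        if m:
            ip, port, name = m.groups()
            found.append((ip, int(port) if port else None, name))
    return found

def check_dot(ip, port, auth_name, cafile=CA_BUNDLE, timeout=5.0):
    """TLS handshake to ip:port, verifying chain (cafile) and name. -> (ok, detail)"""
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=auth_name) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate rejected: " + exc.verify_message
    except OSError as exc:  # missing bundle, refused/filtered port, TLS error
        return False, "no TLS session: %s" % exc

if __name__ == "__main__":
    for ip, port, name in parse_forward_addrs(SAMPLE_CONF):
        if port is None or name is None:
            print(f"{ip}: skipped, no @port#name to verify against")
            continue
        ok, detail = check_dot(ip, port, name)
        print(f"{ip}@{port}#{name}: {'OK ' if ok else 'FAIL '}{detail}")
```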
