Using DNS over TLS on windows
rgsub1 at btinternet.com
Mon Jul 22 12:38:35 UTC 2019
Hi Yuri,
Thanks for the config file, very useful, but I still have the issue of:
tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
I do not have the file: "C:\Squid\etc\squid\ca-bundle.crt" on my system.
So my original question was: where do I get that, or a suitable file, from?
Regards
Ray
From: Yuri <yvoinov at gmail.com>
Sent: 21 July 2019 19:51
To: unbound-users at nlnetlabs.nl
Subject: Re: Using DNS over TLS on windows
Just an example from a working Windows setup:
# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
    # verbosity level 0-4 of logging
    verbosity: 0
    # if you want to log to a file use
    # logfile: "C:\unbound.log"
    # on Windows, this setting makes reports go into the Application log
    # found in ControlPanels - System tasks - Logs
    use-syslog: yes
    log-time-ascii: yes
    num-threads: 4
    cache-max-ttl: 14400
    cache-min-ttl: 900
    cache-max-negative-ttl: 60
    infra-host-ttl: 60
    # root-hints: "C:\Program Files\Unbound\named.root"
    hide-identity: yes
    hide-version: yes
    hide-trustanchor: yes
    do-ip6: no
    tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
    tls-win-cert: yes
    tcp-upstream: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    # 1.5.7 feature. Yes recommended.
    # From 1.7.2 yes is default
    #qname-minimisation: yes
    aggressive-nsec: yes
    # select from the fastest servers this many times out of 1000. 0 means
    # the fast server select is disabled. prefetches are not sped up.
    # fast-server-permil: 0
    fast-server-permil: 100
    # the number of servers that will be used in the fast server selection.
    # fast-server-num: 3
    fast-server-num: 4
    unwanted-reply-threshold: 10000000
    do-not-query-localhost: no
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow_snoop
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
    #include: "C:\Program Files\Unbound\unbound_local"
    include: "C:\Program Files\Unbound\unbound_ad_servers"
# Remote control config section.
remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes
    control-use-cert: no
forward-zone:
    name: "."
    # forward-addr: 208.67.222.222@53
    # forward-addr: 208.67.220.220@53
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
    forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
    forward-addr: 185.49.141.37@853#getdnsapi.net
    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
    forward-addr: 158.64.1.29@853#kaitain.restena.lu
    forward-addr: 145.100.185.18@853#dnsovertls3.sinodun.com
    forward-addr: 145.100.185.17@853#dnsovertls2.sinodun.com
    forward-addr: 199.58.81.218@853#dns.cmrg.net
    forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
    forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
    forward-addr: 99.192.182.200@853#iana.tenta.io
    forward-addr: 99.192.182.201@853#iana.tenta.io
    forward-addr: 99.192.182.100@853#opennic.tenta.io
    forward-addr: 99.192.182.101@853#opennic.tenta.io
    forward-tls-upstream: yes
# OpenDNS is NOT DNSSEC enabled
server:
    auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
###
On 21.07.2019 21:37, RayG via Unbound-users wrote:
Hi,
I have configured things so far but I get these errors and I think the reason is the “tls-cert-bundle” setting.
21/07/2019 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
So to get this working I have to enable this setting:
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
That example would seem OK for a UNIX install but where/how do I configure this for windows?
Can I use the windows certificate store? If so, what would the entry read?
Thanks
Regards
Ray
--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
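An added example, not from this thread or from the Unbound project, that checks a forwarder the way the config above describes it: it parses Unbound's forward-addr "ip@port#authname" form, frames a query the way DNS over TLS (RFC 7858) requires, and verifies the upstream certificate either against a PEM bundle (tls-cert-bundle) or against the OS store, which on Windows is the Windows certificate store (tls-win-cert). It assumes only the Python 3 standard library; dot_query needs network access and is not part of the offline checks.

```python
import socket
import ssl
import struct

def parse_forward_addr(entry):
    """Split Unbound's 'ip@port#authname' into (ip, port, authname); port defaults to 853."""
    host, _, authname = entry.partition("#")
    ip, _, port = host.partition("@")
    return ip, int(port) if port else 853, authname or None

def build_query(name, qid=0x1234):
    """A-record query in wire format with the 2-byte length prefix DNS over TCP/TLS needs."""
    labels = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    # flags 0x0100 = RD set; one question, no answer/authority/additional records
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00"
    msg += struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def rcode_of(msg):
    """RCODE from the flags word of a length-stripped reply: 0 NOERROR, 3 NXDOMAIN."""
    return struct.unpack("!H", msg[2:4])[0] & 0x0F

def make_tls_context(ca_bundle=None):
    """Trust a PEM bundle if given (tls-cert-bundle), else the OS store: on Windows
    the Windows certificate store, which is what tls-win-cert: yes makes Unbound use."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True          # the #authname must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream early")
        buf += chunk
    return buf

def dot_query(entry, name, ca_bundle=None):
    """Resolve name via one forwarder over TLS and return the RCODE; a chain that
    cannot be verified raises ssl.SSLCertVerificationError ('certificate verify failed')."""
    ip, port, authname = parse_forward_addr(entry)
    if authname is None:
        raise ValueError("entry has no #authname, so there is no name to verify the certificate against")
    with socket.create_connection((ip, port), timeout=5) as raw:
        with make_tls_context(ca_bundle).wrap_socket(raw, server_hostname=authname) as tls:
            tls.sendall(build_query(name))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return rcode_of(recv_exact(tls, length))
```

Calling dot_query("1.1.1.1@853#cloudflare-dns.com", "example.com", r"C:\path\to\ca-bundle.crt") with a bundle that lacks the upstream's root raises the same verify failure the log line above reports, while ca_bundle=None uses the Windows store instead.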