Using DNS over TLS on windows

Yuri yvoinov at gmail.com
Mon Jul 22 12:41:15 UTC 2019


22.07.2019 18:38, rgsub1 at btinternet.com writes:
>
> Hi Yuri,
>
> Thanks for the config file very useful, but I still have the issue of:
>
> tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>
> I do not have the file: "C:\Squid\etc\squid\ca-bundle.crt" on my system.
>
Sure. This is specific to my system. :)

In your case, you can download Mozilla's CA bundle from

https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

and use it in a similar manner (just specify the correct path to the file) in your
setup.

>
> So my original question was were do I get that or a suitable file from?
>
> Regards
>
> Ray
>
> From: Yuri <yvoinov at gmail.com>
> Sent: 21 July 2019 19:51
> To: unbound-users at nlnetlabs.nl
> Subject: Re: Using DNS over TLS on windows
>
> Just an example from working Windows setup:
>
> # Unbound configuration file on windows.
> # See example.conf for more settings and syntax
>
> server:
>     # verbosity level 0-4 of logging
>     verbosity: 0
>
>     # if you want to log to a file use
>     # logfile: "C:\unbound.log"
>
>     # on Windows, this setting makes reports go into the Application log
>     # found in ControlPanels - System tasks - Logs
>     use-syslog: yes
>     log-time-ascii: yes
>     num-threads: 4
>     cache-max-ttl: 14400
>     cache-min-ttl: 900
>     cache-max-negative-ttl: 60
>     infra-host-ttl: 60
>     # root-hints: "C:\Program Files\Unbound\named.root"
>     hide-identity: yes
>     hide-version: yes
>     hide-trustanchor: yes
>
>     do-ip6: no
>
>     tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>     tls-win-cert: yes
>     tcp-upstream: yes
>
>     harden-short-bufsize: yes
>     harden-large-queries: yes
>     harden-below-nxdomain: yes
>     harden-algo-downgrade: yes
>     # 1.5.7 feature. Yes recommended.
>     # From 1.7.2 yes is default
>     # qname-minimisation: yes
>     aggressive-nsec: yes
>
>     # select from the fastest servers this many times out of 1000. 0 means
>     # the fast server select is disabled. prefetches are not sped up.
>     # fast-server-permil: 0
>     fast-server-permil: 100
>     # the number of servers that will be used in the fast server selection.
>     # fast-server-num: 3
>     fast-server-num: 4
>
>     unwanted-reply-threshold: 10000000
>     do-not-query-localhost: no
>     prefetch: yes
>     prefetch-key: yes
>     rrset-roundrobin: yes
>     minimal-responses: yes
>
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow_snoop
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
>     access-control: ::ffff:127.0.0.1 allow
>
>     # include: "C:\Program Files\Unbound\unbound_local"
>     include: "C:\Program Files\Unbound\unbound_ad_servers"
>
> # Remote control config section.
> remote-control:
>     # Enable remote control with unbound-control(8) here.
>     # set up the keys and certificates with unbound-control-setup.
>     control-enable: yes
>     control-use-cert: no
>
> forward-zone:
>     name: "."
>     # forward-addr: 208.67.222.222@53
>     # forward-addr: 208.67.220.220@53
>     forward-addr: 1.1.1.1@853#cloudflare-dns.com
>     forward-addr: 1.0.0.1@853#cloudflare-dns.com
>     forward-addr: 9.9.9.9@853#dns.quad9.net
>     forward-addr: 149.112.112.112@853#dns.quad9.net
>     forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
>     forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
>     forward-addr: 185.49.141.37@853#getdnsapi.net
>     forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
>     forward-addr: 158.64.1.29@853#kaitain.restena.lu
>     forward-addr: 145.100.185.18@853#dnsovertls3.sinodun.com
>     forward-addr: 145.100.185.17@853#dnsovertls2.sinodun.com
>     forward-addr: 199.58.81.218@853#dns.cmrg.net
>     forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
>     forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
>     forward-addr: 99.192.182.200@853#iana.tenta.io
>     forward-addr: 99.192.182.201@853#iana.tenta.io
>     forward-addr: 99.192.182.100@853#opennic.tenta.io
>     forward-addr: 99.192.182.101@853#opennic.tenta.io
>     forward-tls-upstream: yes
>
> # OpenDNS is NOT DNSSEC enabled
> server:
>     auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
> ###
>
> 21.07.2019 21:37, RayG via Unbound-users writes:
>
>     Hi,
>
>     I have configured things so far but I get these errors and I
>     think the reason is the “tls-cert-bundle” setting.
>
>     16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error: ssl
>     handshake failed crypto error:1416F086:SSL
>     routines:tls_process_server_certificate:certificate verify failed
>
>     21/07/2019
>
>     So to get this working I have to enable this setting:
>
>     tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>
>     That example would seem OK for a UNIX install, but where/how do I
>     configure this for Windows?
>
>     Can I use the Windows certificate store? If so, what would the
>     entry read?
>
>     Thanks
>
>     Regards
>
>     Ray
>

-- 
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
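As an added troubleshooting example (not part of this thread or of Unbound itself), the following Python reproduces what Unbound does for each `forward-addr` once `forward-tls-upstream: yes` is set: it parses the `IP@port#authname` entry, verifies the upstream's certificate against a CA bundle file or the Windows store, and sends one query over the TLS connection. The sample entries and the query name are constructed; the bundle path is whatever you pass in.

```python
import socket
import ssl
import struct
# Constructed sample in the forward-zone syntax quoted above (not the full list from the mail).
FORWARD_ADDRS = ["1.1.1.1@853#cloudflare-dns.com", "9.9.9.9@853#dns.quad9.net"]

def parse_forward_addr(entry):
    """Split Unbound's IP@port#authname form: port defaults to 53, auth name may be absent."""
    addr, _, auth_name = entry.partition("#")
    ip, _, port = addr.partition("@")
    return ip, int(port) if port else 53, auth_name or None

def build_query(name, qid, qtype=1):
    """DNS query in wire format with the 2-byte length prefix used over TCP and DoT."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # qtype, class IN
    return struct.pack("!H", len(msg)) + msg

def rcode(msg):
    """RCODE of a DNS message (no length prefix): 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F

def make_context(bundle, use_system_store=False):
    """Mirror tls-cert-bundle (a PEM file) and tls-win-cert (the OS trust store) from the config."""
    ctx = ssl.create_default_context(cafile=bundle)  # chain and hostname verification are on
    if use_system_store:
        ctx.load_default_certs()  # on Windows this reads the system certificate stores
    return ctx

def read_exact(tls, n):
    """TLS records do not align with DNS messages, so keep reading until n bytes arrive."""
    buf = b""
    while len(buf) < n:
        chunk = tls.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection early")
        buf += chunk
    return buf

def dot_query(entry, bundle, name="example.com.", use_system_store=False, timeout=5):
    """Query one upstream the way forward-tls-upstream does; returns the reply's RCODE."""
    ip, port, auth_name = parse_forward_addr(entry)
    if auth_name is None:
        raise ValueError(f"{entry}: no #authname, so the certificate identity cannot be checked")
    ctx = make_context(bundle, use_system_store)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(build_query(name, qid=0x1234))
            length = struct.unpack("!H", read_exact(tls, 2))[0]
            return rcode(read_exact(tls, length))
```

Calling `dot_query(FORWARD_ADDRS[0], r"C:\path\to\ca-bundle.crt")` with a bundle that lacks the upstream's root CA raises `ssl.SSLCertVerificationError`, the Python counterpart of the `certificate verify failed` line in Ray's log; `use_system_store=True` corresponds to the `tls-win-cert: yes` case.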
