Using DNS over TLS on windows

rgsub1 at btinternet.com rgsub1 at btinternet.com
Mon Jul 22 14:21:00 UTC 2019


Hi Yuri,

OK I see what was happening now. I can use either

tls-cert-bundle: "<file>"

or

tls-win-cert: yes

or both.

So now I can see:

22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: SSL connection to cloudflare-dns.com authenticated ip4 1.0.0.1 port 853 (len 16)

So it looks like that bit is working OK, but then when I go to:

http://1.1.1.1/help

to check that DNS over TLS is working, it says "NO".

Looking at the log file further I see this, where things appear to be blacklisted (see below). I have attached the log file; it runs from the start of the unbound service to the end of the query to http://1.1.1.1/help. I then stopped the unbound server to flush the log.

Any further insights would be helpful, thanks.

22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: resolving 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: request has dependency depth of 0
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.    IN           DS

;; ANSWER SECTION:

;; AUTHORITY SECTION:
cloudflareresolve.com. 59           IN           SOA       cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0
cloudflareresolve.com. 59           IN           RRSIG    SOA 13 2 3600 20190730125237 20190722095237 64088 cloudflareresolve.com. TQObnCdfCziZUkBWjUaAUFeU0iXbC7QK9tMC59qJqYZa8ntTdOHCmuWgUgRvVtaLK/l3GhNk65Jr+wHzs3Qnhg== ;{id = 64088}
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.    60           IN           NSEC     \000.8946ae4B-99eC-4925-A951-078129AE2Afe.IS-cF.CLouDFlArerEsoLvE.Com. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.    60           IN           RRSIG    NSEC 13 4 3600 20190730135835 20190722105835 64088 cloudflareresolve.com. 1EhhluR/cdwni2q9HCdPmAazhlq/rwiOPAWytdeR8pPcNLjlpwphAoULC0tZ2BSZw2UC3P6vlgTHruBL+jpTRQ== ;{id = 64088}

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 462

22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: msg ttl is 60, prefetch ttl 54
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: returning answer from cache.
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: iter_handle processing q with state FINISHED RESPONSE STATE
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: finishing processing for 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: mesh_run: iterator module exit state is module_finished
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator operate: query 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validator: nextmodule returned
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: not validating response, is valrec(validation recursion lookup)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: mesh_run: validator module exit state is module_finished
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator: inform_super, sub is 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: super is 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: NSEC RRset for the referral proved not a delegation point
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator operate: query 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: val handle processing q with state VAL_FINDKEY_STATE
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator: FindKey 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: Cannot retrieve DS for signature
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: val handle processing q with state VAL_FINISHED_STATE
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validation failed, blacklist and retry to fetch data
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip4 1.1.1.1 port 853 (len 16)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip4 1.0.0.1 port 853 (len 16)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist cache
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip6 2606:4700:4700::1001 port 853 (len 28)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: pass back to next module
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: mesh_run: validator module exit state is module_restart_next
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: iterator[module 1] operate: extstate:module_finished event:module_event_pass
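To triage a log like the one quoted above, here is an added Python helper; it is not part of the thread or of Unbound. It parses lines in this log format and pulls out the TLS-authentication, validator-failure and blacklist events, so the "TLS authenticated but upstreams blacklisted" pattern can be separated from a plain TLS failure. The sample lines are constructed from the ones quoted in the message.

```python
import re

# Constructed sample in the format of the Unbound debug log quoted in the
# thread (date time process[pid:thread] level: message); not the attached file.
SAMPLE_LOG = """\
22/07/2019 14:58:35 C:\\Program Files\\Unbound\\unbound.exe[13564:0] debug: SSL connection to cloudflare-dns.com authenticated ip4 1.0.0.1 port 853 (len 16)
22/07/2019 14:58:35 C:\\Program Files\\Unbound\\unbound.exe[13564:0] info: validator: FindKey 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
22/07/2019 14:58:35 C:\\Program Files\\Unbound\\unbound.exe[13564:0] debug: Cannot retrieve DS for signature
22/07/2019 14:58:35 C:\\Program Files\\Unbound\\unbound.exe[13564:0] debug: validation failed, blacklist and retry to fetch data
22/07/2019 14:58:35 C:\\Program Files\\Unbound\\unbound.exe[13564:0] debug: blacklist ip4 1.1.1.1 port 853 (len 16)
22/07/2019 14:58:35 C:\\Program Files\\Unbound\\unbound.exe[13564:0] debug: blacklist ip4 1.0.0.1 port 853 (len 16)
22/07/2019 14:58:35 C:\\Program Files\\Unbound\\unbound.exe[13564:0] debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
"""

# The process field contains a space ("Program Files"), so match it lazily up to "[pid:thread]".
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<proc>.+?\[\d+:\d+\]) (?P<level>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"SSL connection to (?P<name>\S+) authenticated ip[46] (?P<ip>\S+) port (?P<port>\d+)")
BLACKLIST_RE = re.compile(r"^blacklist (?:add )?ip[46] (?P<ip>\S+) port (?P<port>\d+)")
FINDKEY = "validator: FindKey "

def triage(log_text):
    """Summarise which upstreams authenticated over TLS, whether the validator
    gave up on a query, and which upstreams it blacklisted as a result."""
    summary = {"authenticated": [], "validation_failed": False,
               "blacklisted": [], "last_findkey": None, "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        msg = m["msg"]
        if (a := AUTH_RE.search(msg)):
            summary["authenticated"].append((a["name"], a["ip"], int(a["port"])))
        elif msg.startswith(FINDKEY):
            summary["last_findkey"] = msg[len(FINDKEY):]
        elif msg.startswith("validation failed, blacklist"):
            summary["validation_failed"] = True
        elif (b := BLACKLIST_RE.match(msg)):
            summary["blacklisted"].append((b["ip"], int(b["port"])))
    return summary

def verdict(summary):
    """Separate a transport problem (no TLS authentication at all) from the
    pattern in the thread: TLS authenticated, then validation failed and the
    DoT upstreams were blacklisted."""
    if not summary["authenticated"]:
        return "no-tls-auth"
    if summary["validation_failed"] and summary["blacklisted"]:
        return "tls-ok-validation-failed"
    return "ok"
```

Feed it the whole attached log instead of SAMPLE_LOG to see every upstream that was blacklisted and which query the validator was working on at the time.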


From: Yuri <yvoinov at gmail.com>
Sent: 22 July 2019 13:41
To: rgsub1 at btinternet.com; unbound-users at nlnetlabs.nl
Subject: Re: Using DNS over TLS on windows

22.07.2019 18:38, rgsub1 at btinternet.com writes:

Hi Yuri,

Thanks for the config file, very useful, but I still have the issue of:

tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"

I do not have the file "C:\Squid\etc\squid\ca-bundle.crt" on my system.

Sure. This is my system-specific. :)

In your case, you can download Mozilla's CA bundle from

https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

and use it in a similar manner (just specify the correct path to the file) on your setup.

So my original question was: where do I get that or a suitable file from?

Regards

Ray

From: Yuri <yvoinov at gmail.com>
Sent: 21 July 2019 19:51
To: unbound-users at nlnetlabs.nl
Subject: Re: Using DNS over TLS on windows

Just an example from working Windows setup:

# Unbound configuration file on windows.
# See example.conf for more settings and syntax

server:
    # verbosity level 0-4 of logging
    verbosity: 0

    # if you want to log to a file use
    # logfile: "C:\unbound.log"

    # on Windows, this setting makes reports go into the Application log
    # found in ControlPanels - System tasks - Logs 
    use-syslog: yes
    log-time-ascii: yes
    num-threads: 4
    cache-max-ttl: 14400
    cache-min-ttl: 900
    cache-max-negative-ttl: 60
    infra-host-ttl: 60
#    root-hints: "C:\Program Files\Unbound\named.root"
    hide-identity: yes
    hide-version: yes
    hide-trustanchor: yes

    do-ip6: no

    tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
    tls-win-cert: yes
    tcp-upstream: yes

    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    # 1.5.7 feature. Yes recommended.
    # From 1.7.2 yes is default
    #qname-minimisation: yes
    aggressive-nsec: yes

    # select from the fastest servers this many times out of 1000. 0 means
    # the fast server select is disabled. prefetches are not sped up.
    # fast-server-permil: 0
    fast-server-permil: 100
    # the number of servers that will be used in the fast server selection.
    # fast-server-num: 3
    fast-server-num: 4

    unwanted-reply-threshold: 10000000
    do-not-query-localhost: no
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow_snoop
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow

    #include: "C:\Program Files\Unbound\unbound_local" 
    include: "C:\Program Files\Unbound\unbound_ad_servers" 

# Remote control config section. 
remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes
    control-use-cert: no

forward-zone:
  name: "."
#  forward-addr: 208.67.222.222@53
#  forward-addr: 208.67.220.220@53
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
  forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
  forward-addr: 185.49.141.37@853#getdnsapi.net
  forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
  forward-addr: 158.64.1.29@853#kaitain.restena.lu
  forward-addr: 145.100.185.18@853#dnsovertls3.sinodun.com
  forward-addr: 145.100.185.17@853#dnsovertls2.sinodun.com
  forward-addr: 199.58.81.218@853#dns.cmrg.net
  forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
  forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
  forward-addr: 99.192.182.200@853#iana.tenta.io
  forward-addr: 99.192.182.201@853#iana.tenta.io
  forward-addr: 99.192.182.100@853#opennic.tenta.io
  forward-addr: 99.192.182.101@853#opennic.tenta.io
  forward-tls-upstream: yes

# OpenDNS is NOT DNSSEC enabled
server:
    auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
###
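A check a defender can run over a forward-zone like the one above, added here as an example and not the list's or Unbound's own tooling: it flags a forward-addr with no #authname (Unbound then encrypts the connection but does not verify the certificate against any name), a plain-DNS port used with forward-tls-upstream, and a missing trust source (no tls-cert-bundle and no tls-win-cert). The excerpt is constructed, the weak lines are added for illustration, and the reader assumes one option per line.

```python
import re

# Constructed excerpt in the style of the forward-zone posted in the thread; the
# '9.9.9.9@853' (no #authname) and '@53' lines are deliberately weak for the demo.
CONF = """\
server:
    tls-win-cert: yes
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  forward-addr: 9.9.9.9@853
  forward-addr: 208.67.222.222@53
  forward-tls-upstream: yes
"""

ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")

def parse(conf):
    """Minimal reader: one 'key: value' per line (assumption); '#' comment lines
    and bare clause headers such as 'server:' are skipped. Values are lists."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip().strip('"')
        if value:
            opts.setdefault(key.strip(), []).append(value)
    return opts

def lint(conf):
    """Report forward-addr entries whose TLS upstream cannot be authenticated."""
    o = parse(conf)
    tls = o.get("forward-tls-upstream") == ["yes"]
    has_trust = o.get("tls-win-cert") == ["yes"] or "tls-cert-bundle" in o
    findings = []
    if tls and not has_trust:
        findings.append("forward-tls-upstream is on but neither tls-cert-bundle "
                        "nor tls-win-cert is set: certificates cannot be verified")
    for addr in o.get("forward-addr", []):
        m = ADDR_RE.match(addr)
        if not m:
            findings.append(f"{addr}: unparseable forward-addr")
        elif tls and int(m["port"] or 53) == 53:
            findings.append(f"{addr}: port 53 is plain DNS, the TLS handshake will fail")
        elif tls and not m["auth"]:
            findings.append(f"{addr}: no #authname, certificate is not verified")
    return findings
```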

21.07.2019 21:37, RayG via Unbound-users writes:

Hi,

I have configured things so far but I get these errors, and I think the reason is the "tls-cert-bundle" setting.

21/07/2019 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

So to get this working I have to enable this setting:

tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

That example would seem OK for a UNIX install, but where/how do I configure this for windows?

Can I use the windows certificate store? If so, what would the entry read?

Thanks

Regards

Ray

-- 
"C++ seems like a language suitable for firing other people's legs."
 
*****************************
* C++20 : Bug to the future *
*****************************

-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound.zip
Type: application/x-zip-compressed
Size: 230517 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20190722/276e22df/attachment.bin>

