Using DNS over TLS on windows

Yuri yvoinov at gmail.com
Mon Jul 22 16:24:56 UTC 2019


Yes, George,

probably you are right. DNSSEC is a separate issue.

22.07.2019 22:21, George Thessalonikefs via Unbound-users wrote:
> Hi Ray,
>
> It seems that cloudflare is using special subdomains (answered only from
> their 1.1.1.1 resolvers) for the online checks and they are not handling
> DNSSEC properly in regards to answers for these special subdomains.
> Unbound is complaining about not being able to build a trust chain
> because it can't get the DS information.
>
> I suspect that if you turn off DNSSEC validation on your unbound
>     module-config: "iterator"
> the online check should work. Although I would advise to turn it on
> again after you do the online check.
>
> And just to be clear, this does not mean that 1.1.1.1 cannot do DNSSEC.
> I am only talking about the subdomains used for this specific online check.
>
> -- George
>
> On 22/07/2019 16:21, RayG via Unbound-users wrote:
>> Hi Yuri,
>>
>> OK I see what was happening now. I can use either
>>
>> tls-cert-bundle: "<file>"
>>
>> or
>>
>> tls-win-cert: yes
>>
>> or both
>>
>> So now I can see:
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> SSL connection to cloudflare-dns.com authenticated ip4 1.0.0.1 port 853
>> (len 16)
>>
>> So it looks like that bit is working OK but then when I go to:
>>
>> http://1.1.1.1/help
>>
>> to check that DNS over TLS is working it says “NO”
>>
>> Looking at the log file further I see this, where things appear to be
>> blacklisted (see below). I have attached the log file; it is from the
>> start of the unbound service to the end of the query to
>> http://1.1.1.1/help. I then stopped the unbound server to flush the log.
>>
>> Any further insights would be helpful, thanks
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
>> resolving
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> request has dependency depth of 0
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
>> msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
>>
>> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>>
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.   
>> IN           DS
>>
>> ;; ANSWER SECTION:
>>
>> ;; AUTHORITY SECTION:
>>
>> cloudflareresolve.com. 59           IN           SOA      
>> cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0
>>
>> cloudflareresolve.com. 59           IN           RRSIG    SOA 13 2 3600
>> 20190730125237 20190722095237 64088 cloudflareresolve.com.
>> TQObnCdfCziZUkBWjUaAUFeU0iXbC7QK9tMC59qJqYZa8ntTdOHCmuWgUgRvVtaLK/l3GhNk65Jr+wHzs3Qnhg==
>> ;{id = 64088}
>>
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.   
>> 60           IN           NSEC    
>> \000.8946ae4B-99eC-4925-A951-078129AE2Afe.IS-cF.CLouDFlArerEsoLvE.Com. A
>> HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
>>
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.   
>> 60           IN           RRSIG    NSEC 13 4 3600 20190730135835
>> 20190722105835 64088 cloudflareresolve.com.
>> 1EhhluR/cdwni2q9HCdPmAazhlq/rwiOPAWytdeR8pPcNLjlpwphAoULC0tZ2BSZw2UC3P6vlgTHruBL+jpTRQ==
>> ;{id = 64088}
>>
>> ;; ADDITIONAL SECTION:
>>
>> ;; MSG SIZE  rcvd: 462
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> msg ttl is 60, prefetch ttl 54
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> returning answer from cache.
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> iter_handle processing q with state FINISHED RESPONSE STATE
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
>> finishing processing for
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> mesh_run: iterator module exit state is module_finished
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> validator[module 0] operate: extstate:module_wait_module
>> event:module_event_moddone
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
>> validator operate: query
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> validator: nextmodule returned
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> not validating response, is valrec(validation recursion lookup)
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> mesh_run: validator module exit state is module_finished
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
>> validator: inform_super, sub is
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
>> super is
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
>> NSEC RRset for the referral proved not a delegation point
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> validator[module 0] operate: extstate:module_wait_subquery
>> event:module_event_pass
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
>> validator operate: query
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> val handle processing q with state VAL_FINDKEY_STATE
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
>> validator: FindKey
>> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> Cannot retrieve DS for signature
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> val handle processing q with state VAL_FINISHED_STATE
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> validation failed, blacklist and retry to fetch data
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> blacklist ip4 1.1.1.1 port 853 (len 16)
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> blacklist ip4 1.0.0.1 port 853 (len 16)
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> blacklist cache
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> blacklist ip6 2606:4700:4700::1001 port 853 (len 28)
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> pass back to next module
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> mesh_run: validator module exit state is module_restart_next
>>
>> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
>> iterator[module 1] operate: extstate:module_finished event:module_event_pass
>>
>> *From:* Yuri <yvoinov at gmail.com>
>> *Sent:* 22 July 2019 13:41
>> *To:* rgsub1 at btinternet.com; unbound-users at nlnetlabs.nl
>> *Subject:* Re: Using DNS over TLS on windows
>>
>> 22.07.2019 18:38, rgsub1 at btinternet.com wrote:
>>
>>     Hi Yuri,
>>
>>     Thanks for the config file, very useful, but I still have the issue of:
>>
>>     tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>>
>>     I do not have the file "C:\Squid\etc\squid\ca-bundle.crt" on my system.
>>
>> Sure. This is specific to my system. :)
>>
>> In your case, you can download Mozilla's CA bundle from
>>
>> https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
>>
>> and use it in a similar manner (just specify the correct path to the file)
>> in your setup.
>>
>>     So my original question was: where do I get that, or a suitable file, from?
>>
>>     Regards
>>
>>     Ray
>>
>>     *From:* Yuri <yvoinov at gmail.com>
>>     *Sent:* 21 July 2019 19:51
>>     *To:* unbound-users at nlnetlabs.nl
>>     *Subject:* Re: Using DNS over TLS on windows
>>
>>     Just an example from a working Windows setup:
>>
>>     # Unbound configuration file on windows.
>>     # See example.conf for more settings and syntax
>>
>>     server:
>>         # verbosity level 0-4 of logging
>>         verbosity: 0
>>
>>         # if you want to log to a file use
>>         # logfile: "C:\unbound.log"
>>
>>         # on Windows, this setting makes reports go into the Application log
>>         # found in ControlPanels - System tasks - Logs
>>         use-syslog: yes
>>         log-time-ascii: yes
>>         num-threads: 4
>>         cache-max-ttl: 14400
>>         cache-min-ttl: 900
>>         cache-max-negative-ttl: 60
>>         infra-host-ttl: 60
>>     #    root-hints: "C:\Program Files\Unbound\named.root"
>>         hide-identity: yes
>>         hide-version: yes
>>         hide-trustanchor: yes
>>
>>         do-ip6: no
>>
>>         tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>>         tls-win-cert: yes
>>         tcp-upstream: yes
>>
>>         harden-short-bufsize: yes
>>         harden-large-queries: yes
>>         harden-below-nxdomain: yes
>>         harden-algo-downgrade: yes
>>         # 1.5.7 feature. Yes recommended.
>>         # From 1.7.2 yes is default
>>         #qname-minimisation: yes
>>         aggressive-nsec: yes
>>
>>         # select from the fastest servers this many times out of 1000.
>>         # 0 means the fast server select is disabled. prefetches are not sped up.
>>         # fast-server-permil: 0
>>         fast-server-permil: 100
>>         # the number of servers that will be used in the fast server selection.
>>         # fast-server-num: 3
>>         fast-server-num: 4
>>
>>         unwanted-reply-threshold: 10000000
>>         do-not-query-localhost: no
>>         prefetch: yes
>>         prefetch-key: yes
>>         rrset-roundrobin: yes
>>         minimal-responses: yes
>>
>>         access-control: 0.0.0.0/0 refuse
>>         access-control: 127.0.0.0/8 allow_snoop
>>         access-control: ::0/0 refuse
>>         access-control: ::1 allow
>>         access-control: ::ffff:127.0.0.1 allow
>>
>>         #include: "C:\Program Files\Unbound\unbound_local"
>>         include: "C:\Program Files\Unbound\unbound_ad_servers"
>>
>>     # Remote control config section.
>>     remote-control:
>>         # Enable remote control with unbound-control(8) here.
>>         # set up the keys and certificates with unbound-control-setup.
>>         control-enable: yes
>>         control-use-cert: no
>>
>>     forward-zone:
>>       name: "."
>>     #  forward-addr: 208.67.222.222@53
>>     #  forward-addr: 208.67.220.220@53
>>       forward-addr: 1.1.1.1@853#cloudflare-dns.com
>>       forward-addr: 1.0.0.1@853#cloudflare-dns.com
>>       forward-addr: 9.9.9.9@853#dns.quad9.net
>>       forward-addr: 149.112.112.112@853#dns.quad9.net
>>       forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
>>       forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
>>       forward-addr: 185.49.141.37@853#getdnsapi.net
>>       forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
>>       forward-addr: 158.64.1.29@853#kaitain.restena.lu
>>       forward-addr: 145.100.185.18@853#dnsovertls3.sinodun.com
>>       forward-addr: 145.100.185.17@853#dnsovertls2.sinodun.com
>>       forward-addr: 199.58.81.218@853#dns.cmrg.net
>>       forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
>>       forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
>>       forward-addr: 99.192.182.200@853#iana.tenta.io
>>       forward-addr: 99.192.182.201@853#iana.tenta.io
>>       forward-addr: 99.192.182.100@853#opennic.tenta.io
>>       forward-addr: 99.192.182.101@853#opennic.tenta.io
>>       forward-tls-upstream: yes
>>
>>     # OpenDNS is NOT DNSSEC enabled
>>     server:
>>         auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
>>     ###
>>
>>     21.07.2019 21:37, RayG via Unbound-users пишет:
>>
>>         Hi,
>>
>>         I have configured things so far but I get these errors and I
>>         think the reason is the "tls-cert-bundle" setting.
>>
>>         21/07/2019 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error:
>>         ssl handshake failed crypto error:1416F086:SSL
>>         routines:tls_process_server_certificate:certificate verify failed
>>
>>         So to get this working I have to enable this setting:
>>
>>         tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>>
>>         That example would seem OK for a UNIX install but where/how do
>>         I configure this for windows?
>>
>>         Can I use the windows certificate store? If so what would the
>>         entry read.
>>
>>         Thanks
>>
>>         Regards
>>
>>         Ray
>>
>>     -- 
>>
>>     "C++ seems like a language suitable for firing other people's legs."
>>
>>     *****************************
>>
>>     * C++20 : Bug to the future *
>>
>>     *****************************
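As an added example (not code from this thread, and not part of Unbound), the following Python probe does by hand what a line such as `forward-addr: 1.0.0.1@853#cloudflare-dns.com` with `forward-tls-upstream: yes` asks Unbound to do: connect to the IP on port 853, authenticate the TLS session against the `#name` part (sent as SNI and checked against the certificate), and send one length-prefixed DNS query. Passing `cafile=None` makes Python's `ssl` module load the platform trust store, which on Windows is the system ROOT/CA store (the analogue of `tls-win-cert: yes`); passing a path to a PEM bundle is the analogue of `tls-cert-bundle`. The script name, the command-line layout, the `example.com` query name and the constructed response bytes are my assumptions; the wire-format helpers run offline, only `dot_query` needs the network.

```python
"""dot_probe.py (hypothetical name): a minimal DNS-over-TLS (RFC 7858) client
used to check that a forwarder really authenticates and answers over TLS."""
import socket
import ssl
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(qname):
    """Encode a dotted name as DNS labels (RFC 1035, section 3.1)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """Wire-format query: 12-byte header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg):
    """TCP and TLS transports prefix each message with a 2-byte length (RFC 1035, 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg):
    """Decode the fixed header; 'ad' is the DNSSEC Authenticated Data bit."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "qdcount": qd, "ancount": an}


def check_response(query, response):
    """Reject a response whose TXID or QR bit does not match the query."""
    sent, got = parse_header(query), parse_header(response)
    if not got["qr"] or got["id"] != sent["id"]:
        raise ValueError("response does not match query")
    return got


def make_tls_context(cafile=None):
    """cafile=None -> ssl loads the platform roots (on Windows the system
    ROOT/CA stores, like tls-win-cert: yes); a path is like tls-cert-bundle.
    Hostname checking is what makes the session *authenticated*, not just encrypted."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed mid-message")
        buf += chunk
    return buf


def dot_query(ip, auth_name, qname, cafile=None, port=853, timeout=5.0):
    """Send one query over DoT; return (certificate subject, parsed header).
    auth_name is the '#name' of an Unbound forward-addr: it becomes the SNI
    and the name the server certificate must match."""
    ctx = make_tls_context(cafile)
    q = build_query(qname)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_tcp(q))
            (n,) = struct.unpack("!H", recv_exact(tls, 2))
            resp = recv_exact(tls, n)
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    return subject, check_response(q, resp)


if __name__ == "__main__":
    import sys
    # Usage (assumed): python dot_probe.py 1.0.0.1 cloudflare-dns.com example.com [ca-bundle.crt]
    ip, name, qname = sys.argv[1:4]
    bundle = sys.argv[4] if len(sys.argv) > 4 else None
    subj, hdr = dot_query(ip, name, qname, cafile=bundle)
    print("authenticated as", subj.get("commonName"), "->", hdr)
```

If the certificate cannot be chained to a trusted root, `wrap_socket` raises `ssl.SSLCertVerificationError`, the Python-side counterpart of the "certificate verify failed" handshake error in Ray's first log, and the fix is the same: point `cafile` at a bundle or let the platform store be used. The `ad` bit in the returned header only says whether the upstream validated the answer; a validating Unbound in front of it performs its own validation, which is where the `cloudflareresolve.com` check in this thread fails.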

