Using DNS over TLS on windows
Yuri
yvoinov at gmail.com
Mon Jul 22 15:54:02 UTC 2019
22.07.2019 20:21, rgsub1 at btinternet.com writes:
>
> Hi Yuri,
>
>
>
> OK I see what was happening now. I can use either
>
>
>
> tls-cert-bundle: "<file>"
>
> or
>
> tls-win-cert: yes
>
>
>
> or both
>
Either-or. I use the first for historical reasons.
>
>
>
> So now I can see:
>
>
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: SSL connection to cloudflare-dns.com authenticated ip4 1.0.0.1
> port 853 (len 16)
>
>
>
> So it looks like that bit is working OK but then when I go to:
>
> http://1.1.1.1/help
>
> to check that DNS over TLS is working it says "NO"
>
>
>
> Looking at the log file further I see this where things appear to be
> blacklisted (see below) I have attached the log file and it is from
> the start of the unbound service to the end of the query to
> http://1.1.1.1/help I then stopped the unbound server to flush the log.
>
>
>
> Any further insights would be helpful, thanks
>
>
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> info: resolving
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: request has dependency depth of 0
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode:
> NOERROR, id: 0
>
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
>
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
> IN DS
>
>
>
> ;; ANSWER SECTION:
>
>
>
> ;; AUTHORITY SECTION:
>
> cloudflareresolve.com. 59 IN SOA
> cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0
>
> cloudflareresolve.com. 59 IN RRSIG SOA 13 2
> 3600 20190730125237 20190722095237 64088 cloudflareresolve.com.
> TQObnCdfCziZUkBWjUaAUFeU0iXbC7QK9tMC59qJqYZa8ntTdOHCmuWgUgRvVtaLK/l3GhNk65Jr+wHzs3Qnhg==
> ;{id = 64088}
>
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
> 60 IN NSEC
> \000.8946ae4B-99eC-4925-A951-078129AE2Afe.IS-cF.CLouDFlArerEsoLvE.Com.
> A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
>
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
> 60 IN RRSIG NSEC 13 4 3600 20190730135835
> 20190722105835 64088 cloudflareresolve.com.
> 1EhhluR/cdwni2q9HCdPmAazhlq/rwiOPAWytdeR8pPcNLjlpwphAoULC0tZ2BSZw2UC3P6vlgTHruBL+jpTRQ==
> ;{id = 64088}
>
>
>
> ;; ADDITIONAL SECTION:
>
> ;; MSG SIZE rcvd: 462
>
>
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: msg ttl is 60, prefetch ttl 54
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: returning answer from cache.
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: iter_handle processing q with state FINISHED RESPONSE STATE
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> info: finishing processing for
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: mesh_run: iterator module exit state is module_finished
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: validator[module 0] operate: extstate:module_wait_module
> event:module_event_moddone
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> info: validator operate: query
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: validator: nextmodule returned
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: not validating response, is valrec(validation recursion lookup)
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: mesh_run: validator module exit state is module_finished
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> info: validator: inform_super, sub is
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> info: super is
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> info: NSEC RRset for the referral proved not a delegation point
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: validator[module 0] operate: extstate:module_wait_subquery
> event:module_event_pass
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> info: validator operate: query
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: val handle processing q with state VAL_FINDKEY_STATE
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> info: validator: FindKey
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: Cannot retrieve DS for signature
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: val handle processing q with state VAL_FINISHED_STATE
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: validation failed, blacklist and retry to fetch data
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: blacklist ip4 1.1.1.1 port 853 (len 16)
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: blacklist ip4 1.0.0.1 port 853 (len 16)
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: blacklist cache
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: blacklist ip6 2606:4700:4700::1001 port 853 (len 28)
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: pass back to next module
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: mesh_run: validator module exit state is module_restart_next
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0]
> debug: iterator[module 1] operate: extstate:module_finished
> event:module_event_pass
>
>
>
>
>
> From: Yuri <yvoinov at gmail.com>
> Sent: 22 July 2019 13:41
> To: rgsub1 at btinternet.com; unbound-users at nlnetlabs.nl
> Subject: Re: Using DNS over TLS on windows
>
>
>
>
>
> 22.07.2019 18:38, rgsub1 at btinternet.com writes:
>
> Hi Yuri,
>
>
>
> Thanks for the config file very useful, but I still have the issue of:
>
>
>
> tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>
>
>
> I do not have the file: "C:\Squid\etc\squid\ca-bundle.crt" on my
> system.
>
> Sure. This is my system-specific. :)
>
> In your case, you can download Mozilla's CA bundle from
>
> https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
>
> and use it in a similar manner (just specify the correct path to the file) in
> your setup.
>
>
>
> So my original question was were do I get that or a suitable file
> from?
>
>
>
> Regards
>
> Ray
>
>
>
> From: Yuri <yvoinov at gmail.com>
> Sent: 21 July 2019 19:51
> To: unbound-users at nlnetlabs.nl
> Subject: Re: Using DNS over TLS on windows
>
>
>
> Just an example from a working Windows setup:
>
> # Unbound configuration file on windows.
> # See example.conf for more settings and syntax
>
> server:
>     # verbosity level 0-4 of logging
>     verbosity: 0
>
>     # if you want to log to a file use
>     # logfile: "C:\unbound.log"
>
>     # on Windows, this setting makes reports go into the Application log
>     # found in ControlPanels - System tasks - Logs
>     use-syslog: yes
>     log-time-ascii: yes
>     num-threads: 4
>     cache-max-ttl: 14400
>     cache-min-ttl: 900
>     cache-max-negative-ttl: 60
>     infra-host-ttl: 60
>     # root-hints: "C:\Program Files\Unbound\named.root"
>     hide-identity: yes
>     hide-version: yes
>     hide-trustanchor: yes
>
>     do-ip6: no
>
>     tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>     tls-win-cert: yes
>     tcp-upstream: yes
>
>     harden-short-bufsize: yes
>     harden-large-queries: yes
>     harden-below-nxdomain: yes
>     harden-algo-downgrade: yes
>     # 1.5.7 feature. Yes recommended.
>     # From 1.7.2 yes is default
>     #qname-minimisation: yes
>     aggressive-nsec: yes
>
>     # select from the fastest servers this many times out of 1000. 0 means
>     # the fast server select is disabled. prefetches are not sped up.
>     # fast-server-permil: 0
>     fast-server-permil: 100
>     # the number of servers that will be used in the fast server selection.
>     # fast-server-num: 3
>     fast-server-num: 4
>
>     unwanted-reply-threshold: 10000000
>     do-not-query-localhost: no
>     prefetch: yes
>     prefetch-key: yes
>     rrset-roundrobin: yes
>     minimal-responses: yes
>
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow_snoop
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
>     access-control: ::ffff:127.0.0.1 allow
>
>     #include: "C:\Program Files\Unbound\unbound_local"
>     include: "C:\Program Files\Unbound\unbound_ad_servers"
>
> # Remote control config section.
> remote-control:
>     # Enable remote control with unbound-control(8) here.
>     # set up the keys and certificates with unbound-control-setup.
>     control-enable: yes
>     control-use-cert: no
>
> forward-zone:
>     name: "."
>     # forward-addr: 208.67.222.222@53
>     # forward-addr: 208.67.220.220@53
>     forward-addr: 1.1.1.1@853#cloudflare-dns.com
>     forward-addr: 1.0.0.1@853#cloudflare-dns.com
>     forward-addr: 9.9.9.9@853#dns.quad9.net
>     forward-addr: 149.112.112.112@853#dns.quad9.net
>     forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
>     forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
>     forward-addr: 185.49.141.37@853#getdnsapi.net
>     forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
>     forward-addr: 158.64.1.29@853#kaitain.restena.lu
>     forward-addr: 145.100.185.18@853#dnsovertls3.sinodun.com
>     forward-addr: 145.100.185.17@853#dnsovertls2.sinodun.com
>     forward-addr: 199.58.81.218@853#dns.cmrg.net
>     forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
>     forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
>     forward-addr: 99.192.182.200@853#iana.tenta.io
>     forward-addr: 99.192.182.201@853#iana.tenta.io
>     forward-addr: 99.192.182.100@853#opennic.tenta.io
>     forward-addr: 99.192.182.101@853#opennic.tenta.io
>     forward-tls-upstream: yes
>
> # OpenDNS is NOT DNSSEC enabled
> server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
> ###
>
> 21.07.2019 21:37, RayG via Unbound-users writes:
>
> Hi,
>
>
>
> I have configured things so far but I get these errors and I
> think the reason is the "tls-cert-bundle" setting.
>
> 21/07/2019 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error:
> ssl handshake failed crypto error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed
>
> So to get this working I have to enable this setting:
>
> tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>
> That example would seem OK for a UNIX install but where/how
> do I configure this for windows?
>
> Can I use the windows certificate store? If so, what would the
> entry read?
>
> Thanks
>
> Regards
>
> Ray
>
>
--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
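As an added example (not code from this thread or from Unbound itself), the probe below does by hand what Unbound does for a forward-addr of the form IP@853#authname: a TLS connection to the address, the certificate chain verified against a CA bundle (tls-cert-bundle) or the platform trust store (tls-win-cert), the auth name matched against the certificate, then one length-prefixed query over the connection. The 1.1.1.1 / cloudflare-dns.com values are the ones used in the thread's config; the function names are my own.

```python
"""Probe a DNS-over-TLS upstream the way Unbound's forward-addr IP@853#authname
authenticates one: TLS to the IP, chain checked against a CA bundle or the
platform store, auth name matched to the certificate, then an RFC 7858 query."""
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD set, one question, class IN, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def frame(msg):
    """TCP/TLS framing (RFC 1035 / RFC 7858): two-byte big-endian length prefix."""
    return struct.pack(">H", len(msg)) + msg

def parse_header(msg):
    """Return (txid, rcode, answer_count) from a DNS response message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return txid, flags & 0x000F, an

def recv_exact(sock, n):
    """Read exactly n bytes; a DNS message may arrive split across TLS records."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection early")
        buf += chunk
    return buf

def dot_query(ip, authname, name, port=853, cafile=None, timeout=5):
    """cafile=None trusts the platform store (on Windows, what tls-win-cert does);
    a path plays the role of tls-cert-bundle. A chain that does not verify raises
    ssl.SSLCertVerificationError, the counterpart of the thread's
    'certificate verify failed' log line."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        # server_hostname is the #authname part: the certificate must carry it.
        with ctx.wrap_socket(raw, server_hostname=authname) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack(">H", recv_exact(tls, 2))
            txid, rcode, answers = parse_header(recv_exact(tls, length))
            return txid == 0x1234, rcode, answers

if __name__ == "__main__":
    print(dot_query("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

The query and framing helpers work offline; only dot_query needs network access, and a missing or wrong CA bundle fails in the handshake before any DNS byte is sent, which is the same point at which Unbound logged the handshake error.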