Using DNS over TLS on windows

rgsub1 at btinternet.com rgsub1 at btinternet.com
Mon Jul 22 17:15:01 UTC 2019


Hi George,

Thanks for that (I hope)

Having added that line into the configuration I see a different result. See the two attached images:

Not Active:    # module-config: "iterator" - DNSSEC enabled

Active:        module-config: "iterator" - DNSSEC disabled

In the config file.

So if I leave DNSSEC enabled, whilst the test at https://1.1.1.1/help shows DoT is not enabled, it is in fact all working OK as expected, is that correct?

I just wanted to make sure I was understanding what is happening.

So all in all I think I have it all working...

Just as an aside Firefox (if you use that) does DOH directly to the cloudflare servers and that also works OK.

Some other test servers that may be useful:

https://rootcanary.org/test.html
https://en.internet.nl/
https://www.dnsleaktest.com/


-----Original Message-----
From: George Thessalonikefs <george at nlnetlabs.nl> 
Sent: 22 July 2019 17:22
To: unbound-users at nlnetlabs.nl
Subject: Re: Using DNS over TLS on windows

Hi Ray,

It seems that cloudflare is using special subdomains (answered only from their 1.1.1.1 resolvers) for the online checks, and they are not handling DNSSEC properly with regard to answers for these special subdomains.
Unbound is complaining about not being able to build a trust chain because it can't get the DS information.

I suspect that if you turn off DNSSEC validation on your unbound with
    module-config: "iterator"
the online check should work, although I would advise turning it on again after you do the online check.

And just to be clear, this does not mean that 1.1.1.1 cannot do DNSSEC.
I am only talking about the subdomains used for this specific online check.

-- George

On 22/07/2019 16:21, RayG via Unbound-users wrote:
> Hi Yuri,
> 
>  
> 
> OK I see what was happening now. I can use either
> 
>  
> 
> tls-cert-bundle: "<file>"
> 
> or
> 
> tls-win-cert: yes
> 
>  
> 
> or both
> 
>  
> 
> So now I can see:
> 
>  
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> SSL connection to cloudflare-dns.com authenticated ip4 1.0.0.1 port 
> 853 (len 16)
> 
>  
> 
> So it looks like that bit is working OK but then when I go to:
> 
> http://1.1.1.1/help
> 
> to check that DNS over TLS is working it says “NO”
> 
>  
> 
> Looking at the log file further I see this where things appear to be
> blacklisted (see below). I have attached the log file; it runs from
> the start of the unbound service to the end of the query to
> http://1.1.1.1/help. I then stopped the unbound server to flush the log.
> 
>  
> 
> Any further insights would be helpful, thanks
> 
>  
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
> resolving
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS 
> IN
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> request has dependency depth of 0
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
> msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, 
> id: 0
> 
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> 
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
> IN           DS
> 
>  
> 
> ;; ANSWER SECTION:
> 
>  
> 
> ;; AUTHORITY SECTION:
> 
> cloudflareresolve.com. 59           IN           SOA 
> cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 
> 604800 0
> 
> cloudflareresolve.com. 59           IN           RRSIG    SOA 13 2 
> 3600
> 20190730125237 20190722095237 64088 cloudflareresolve.com.
> TQObnCdfCziZUkBWjUaAUFeU0iXbC7QK9tMC59qJqYZa8ntTdOHCmuWgUgRvVtaLK/l3Gh
> Nk65Jr+wHzs3Qnhg==
> ;{id = 64088}
> 
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
> 60           IN           NSEC
> \000.8946ae4B-99eC-4925-A951-078129AE2Afe.IS-cF.CLouDFlArerEsoLvE.Com. 
> A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
> 
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com.
> 60           IN           RRSIG    NSEC 13 4 3600 20190730135835
> 20190722105835 64088 cloudflareresolve.com.
> 1EhhluR/cdwni2q9HCdPmAazhlq/rwiOPAWytdeR8pPcNLjlpwphAoULC0tZ2BSZw2UC3P
> 6vlgTHruBL+jpTRQ==
> ;{id = 64088}
> 
>  
> 
> ;; ADDITIONAL SECTION:
> 
> ;; MSG SIZE  rcvd: 462
> 
>  
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> msg ttl is 60, prefetch ttl 54
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> returning answer from cache.
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> iter_handle processing q with state FINISHED RESPONSE STATE
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
> finishing processing for
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS 
> IN
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> mesh_run: iterator module exit state is module_finished
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> validator[module 0] operate: extstate:module_wait_module 
> event:module_event_moddone
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
> validator operate: query
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS 
> IN
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> validator: nextmodule returned
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> not validating response, is valrec(validation recursion lookup)
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> mesh_run: validator module exit state is module_finished
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
> validator: inform_super, sub is
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS 
> IN
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
> super is
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
> NSEC RRset for the referral proved not a delegation point
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> validator[module 0] operate: extstate:module_wait_subquery 
> event:module_event_pass
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
> validator operate: query
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> val handle processing q with state VAL_FINDKEY_STATE
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info:
> validator: FindKey
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> Cannot retrieve DS for signature
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> val handle processing q with state VAL_FINISHED_STATE
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> validation failed, blacklist and retry to fetch data
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> blacklist ip4 1.1.1.1 port 853 (len 16)
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> blacklist ip4 1.0.0.1 port 853 (len 16)
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> blacklist cache
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> blacklist ip6 2606:4700:4700::1001 port 853 (len 28)
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> pass back to next module
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> mesh_run: validator module exit state is module_restart_next
> 
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug:
> iterator[module 1] operate: extstate:module_finished 
> event:module_event_pass
> 
>  
> 
>  
> 
> From: Yuri <yvoinov at gmail.com>
> Sent: 22 July 2019 13:41
> To: rgsub1 at btinternet.com; unbound-users at nlnetlabs.nl
> Subject: Re: Using DNS over TLS on windows
> 
>  
> 
>  
> 
> 22.07.2019 18:38, rgsub1 at btinternet.com wrote:
> 
>     Hi Yuri,
> 
>      
> 
>     Thanks for the config file very useful, but I still have the issue of:
> 
>      
> 
>     tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
> 
>      
> 
>     I do not have the file: "C:\Squid\etc\squid\ca-bundle.crt" on my system.
> 
> Sure. This is my system-specific. :)
> 
> In your case, you can download Mozilla's CA bundle from
> 
> https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
> 
> and use it in a similar manner (just specify the correct path-to-file) on
> your setup.
> 
>      
> 
>     So my original question was: where do I get that or a suitable file from?
> 
>      
> 
>     Regards
> 
>     Ray
> 
>      
> 
>     From: Yuri <yvoinov at gmail.com>
>     Sent: 21 July 2019 19:51
>     To: unbound-users at nlnetlabs.nl
>     Subject: Re: Using DNS over TLS on windows
> 
>      
> 
>     Just an example from working Windows setup:
> 
>     # Unbound configuration file on windows.
>     # See example.conf for more settings and syntax
> 
>     server:
>         # verbosity level 0-4 of logging
>         verbosity: 0
> 
>         # if you want to log to a file use
>         # logfile: "C:\unbound.log"
> 
>         # on Windows, this setting makes reports go into the Application log
>         # found in ControlPanels - System tasks - Logs
>         use-syslog: yes
>         log-time-ascii: yes
>         num-threads: 4
>         cache-max-ttl: 14400
>         cache-min-ttl: 900
>         cache-max-negative-ttl: 60
>         infra-host-ttl: 60
>     #    root-hints: "C:\Program Files\Unbound\named.root"
>         hide-identity: yes
>         hide-version: yes
>         hide-trustanchor: yes
> 
>         do-ip6: no
> 
>         tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>         tls-win-cert: yes
>         tcp-upstream: yes
> 
>         harden-short-bufsize: yes
>         harden-large-queries: yes
>         harden-below-nxdomain: yes
>         harden-algo-downgrade: yes
>         # 1.5.7 feature. Yes recommended.
>         # From 1.7.2 yes is default
>         #qname-minimisation: yes
>         aggressive-nsec: yes
> 
>         # select from the fastest servers this many times out of 1000.
>         # 0 means the fast server select is disabled. prefetches are not sped up.
>         # fast-server-permil: 0
>         fast-server-permil: 100
>         # the number of servers that will be used in the fast server selection.
>         # fast-server-num: 3
>         fast-server-num: 4
> 
>         unwanted-reply-threshold: 10000000
>         do-not-query-localhost: no
>         prefetch: yes
>         prefetch-key: yes
>         rrset-roundrobin: yes
>         minimal-responses: yes
> 
>         access-control: 0.0.0.0/0 refuse
>         access-control: 127.0.0.0/8 allow_snoop
>         access-control: ::0/0 refuse
>         access-control: ::1 allow
>         access-control: ::ffff:127.0.0.1 allow
> 
>         #include: "C:\Program Files\Unbound\unbound_local"
>         include: "C:\Program Files\Unbound\unbound_ad_servers"
> 
>     # Remote control config section.
>     remote-control:
>         # Enable remote control with unbound-control(8) here.
>         # set up the keys and certificates with unbound-control-setup.
>         control-enable: yes
>         control-use-cert: no
> 
>     forward-zone:
>       name: "."
>     #  forward-addr: 208.67.222.222@53
>     #  forward-addr: 208.67.220.220@53
>       forward-addr: 1.1.1.1@853#cloudflare-dns.com
>       forward-addr: 1.0.0.1@853#cloudflare-dns.com
>       forward-addr: 9.9.9.9@853#dns.quad9.net
>       forward-addr: 149.112.112.112@853#dns.quad9.net
>       forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
>       forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
>       forward-addr: 185.49.141.37@853#getdnsapi.net
>       forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
>       forward-addr: 158.64.1.29@853#kaitain.restena.lu
>       forward-addr: 145.100.185.18@853#dnsovertls3.sinodun.com
>       forward-addr: 145.100.185.17@853#dnsovertls2.sinodun.com
>       forward-addr: 199.58.81.218@853#dns.cmrg.net
>       forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
>       forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
>       forward-addr: 99.192.182.200@853#iana.tenta.io
>       forward-addr: 99.192.182.201@853#iana.tenta.io
>       forward-addr: 99.192.182.100@853#opennic.tenta.io
>       forward-addr: 99.192.182.101@853#opennic.tenta.io
>       forward-tls-upstream: yes
> 
>     # OpenDNS is NOT DNSSEC enabled
>     server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
>     ###
> 
>     21.07.2019 21:37, RayG via Unbound-users wrote:
> 
>         Hi,
> 
>         I have configured things so far but I get these errors and I
>         think the reason is the "tls-cert-bundle" setting.
> 
>         21/07/2019 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error:
>         ssl handshake failed crypto error:1416F086:SSL
>         routines:tls_process_server_certificate:certificate verify failed
> 
>         So to get this working I have to enable this setting:
> 
>         tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
> 
>         That example would seem OK for a UNIX install but where/how do
>         I configure this for windows?
> 
>         Can I use the windows certificate store? If so, what would the
>         entry read?
> 
>         Thanks
> 
>         Regards
> 
>         Ray
> 
> 
>     --
> 
>     "C++ seems like a language suitable for firing other people's legs."
> 
>      
> 
>     *****************************
> 
>     * C++20 : Bug to the future *
> 
>     *****************************
> 
> --
> 
> "C++ seems like a language suitable for firing other people's legs."
> 
>  
> 
> *****************************
> 
> * C++20 : Bug to the future *
> 
> *****************************
> 
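
The thread turns on three settings that decide whether Unbound's upstream TLS is actually authenticated: a root store (`tls-cert-bundle` or, on Windows, `tls-win-cert`), the `#authname` suffix on each `forward-addr`, and `module-config` (dropping `validator` silences DNSSEC, which is what George's workaround does). The following Python script is an added example, not code from the thread or from NLnet Labs: it reads a small `unbound.conf`-style text with a hand-written parser and reports the weak combinations. The function names `parse_unbound_conf`, `parse_forward_addr` and `lint_dot_config` and the two sample configs are constructed for this example; the sample configs are modelled on the forward-zone layout posted above, not copied from anyone's real files.

```python
import re

# Constructed sample configs modelled on the thread's layout (not the posters' real files).
GOOD_CONF = r"""
server:
    tls-win-cert: yes
    auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-tls-upstream: yes
"""

WEAK_CONF = r"""
server:
    module-config: "iterator"
    do-ip6: no
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853
    forward-tls-upstream: yes
"""

SECTION_NAMES = {"server", "forward-zone", "stub-zone", "remote-control", "auth-zone"}
_KV = re.compile(r"^([\w-]+):\s*(.*)$")


def parse_unbound_conf(text):
    """Minimal unbound.conf reader returning (section, key, value) triples.
    Only the 'section:' and 'key: value' line shapes seen in the thread are handled;
    lines starting with '#' are comments and quotes around values are dropped."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in SECTION_NAMES:
            section = key
            # 'server: auto-trust-anchor-file: "..."' puts the first option on the same line
            m = _KV.match(value)
            if m:
                entries.append((section, m.group(1), m.group(2).strip().strip('"')))
            continue
        entries.append((section, key, value.strip('"')))
    return entries


def parse_forward_addr(value):
    """Split Unbound's 'IP@port#authname' form into (ip, port, authname).
    Port defaults to 53; authname is None when absent, which means no name check."""
    authname = None
    if "#" in value:
        value, authname = value.split("#", 1)
    port = 53
    if "@" in value:
        value, port_text = value.rsplit("@", 1)  # rsplit keeps IPv6 colons intact
        port = int(port_text)
    return value, port, authname or None


def lint_dot_config(text):
    """Return a list of findings about DNS-over-TLS forwarding in an Unbound config."""
    entries = parse_unbound_conf(text)
    server = {k: v for s, k, v in entries if s == "server"}
    fz = [(k, v) for s, k, v in entries if s == "forward-zone"]
    tls_upstream = ("forward-tls-upstream", "yes") in fz
    addrs = [parse_forward_addr(v) for k, v in fz if k == "forward-addr"]
    findings = []
    if addrs and not tls_upstream:
        findings.append("forward-addr present without 'forward-tls-upstream: yes': "
                        "upstream queries are sent in clear text")
    # Without a root store Unbound cannot verify the upstream certificate; on Windows
    # tls-win-cert uses the system store, tls-cert-bundle a PEM file.
    if tls_upstream and not (server.get("tls-win-cert") == "yes" or "tls-cert-bundle" in server):
        findings.append("forward-tls-upstream enabled but neither tls-cert-bundle nor "
                        "tls-win-cert is set: the upstream certificate cannot be verified "
                        "(the thread's 'certificate verify failed')")
    for ip, port, authname in addrs:
        if tls_upstream and authname is None:
            findings.append(f"forward-addr {ip}@{port} has no #authname, so the upstream "
                            "certificate is not checked against a name")
    mc = server.get("module-config")
    if mc is not None and "validator" not in mc.split():
        findings.append(f"module-config {mc!r} omits the validator: DNSSEC validation is off")
    return findings


if __name__ == "__main__":
    for finding in lint_dot_config(WEAK_CONF):
        print("WARN:", finding)
```

Run against the `WEAK_CONF` sample it reports the missing root store, the unauthenticated `9.9.9.9@853` entry and the iterator-only `module-config`; the `GOOD_CONF` sample, which mirrors the posted Windows setup, produces no findings. The parser is deliberately tiny and does not understand every unbound.conf construct (include files, multiple forward-zones, inline comments after values), so treat it as a pre-flight check rather than a replacement for `unbound-checkconf`.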

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ModuleConfigIteratorActive.png
Type: image/png
Size: 31630 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20190722/d102eb4b/attachment.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ModuleConfigIteratorNotActive.png
Type: image/png
Size: 31371 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20190722/d102eb4b/attachment-0001.png>
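
Ray's confusion came from reading two different kinds of log lines as one problem: `SSL connection to cloudflare-dns.com authenticated` says the DoT transport is fine, while `validation failed, blacklist and retry` followed by `blacklist ip4 1.1.1.1 port 853` is the validator giving up on the answer and marking the upstream bad for that query. The script below is an added example, not part of the thread, that walks Unbound log lines and separates those two cases. The sample log is the quoted debug output from above re-joined onto single lines (the archive wrapped them), plus Ray's first handshake-failure line with its date restored to the front; `summarize_log` and `diagnose` are names chosen for this example.

```python
import re

# Debug lines quoted in the thread, re-joined onto single lines for parsing.
SAMPLE_LOG = r"""
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: SSL connection to cloudflare-dns.com authenticated ip4 1.0.0.1 port 853 (len 16)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: Cannot retrieve DS for signature
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validation failed, blacklist and retry to fetch data
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip4 1.1.1.1 port 853 (len 16)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip4 1.0.0.1 port 853 (len 16)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist cache
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip6 2606:4700:4700::1001 port 853 (len 28)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
"""

# The handshake error from Ray's first mail, date re-attached to the line.
HANDSHAKE_LOG = r"""
21/07/2019 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
"""

_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.+?)\[(\d+):(\d+)\] (\w+): (.*)$")
_AUTH = re.compile(r"SSL connection to (\S+) authenticated (ip[46]) (\S+) port (\d+)")
_BLACKLIST = re.compile(r"blacklist (?:add )?(ip[46]) (\S+) port (\d+)")


def summarize_log(text):
    """Collect the TLS and DNSSEC events that matter when troubleshooting DoT.
    Returns plain Python values so the result is easy to assert on or print."""
    s = {"authenticated": [], "blacklisted": [], "dnssec_failures": 0,
         "missing_ds": 0, "handshake_failures": 0}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        level, msg = m.group(5), m.group(6)
        a = _AUTH.search(msg)
        if a:  # transport layer: certificate verified against the #authname
            s["authenticated"].append((a.group(1), a.group(3), int(a.group(4))))
            continue
        b = _BLACKLIST.search(msg)
        if b:  # validator marked this upstream bad for the current query
            endpoint = (b.group(2), int(b.group(3)))
            if endpoint not in s["blacklisted"]:
                s["blacklisted"].append(endpoint)
            continue
        if "validation failed" in msg:
            s["dnssec_failures"] += 1
        elif "Cannot retrieve DS" in msg:
            s["missing_ds"] += 1
        elif level == "error" and "ssl handshake failed" in msg:
            s["handshake_failures"] += 1
    return s


def diagnose(summary):
    """One-line conclusion: transport failures and validation failures look different."""
    if summary["handshake_failures"]:
        return ("TLS handshake failing: certificate could not be verified; check "
                "tls-cert-bundle / tls-win-cert and the #authname on forward-addr")
    if summary["authenticated"] and summary["dnssec_failures"]:
        reason = "DS record could not be retrieved" if summary["missing_ds"] else "see validator lines"
        return ("DoT transport authenticated; DNSSEC validation failed (" + reason + ") so "
                "Unbound blacklisted the upstream and retried; the answer, not TLS, is the problem")
    if summary["authenticated"]:
        return "DoT transport authenticated and no validation failures seen"
    return "no authenticated TLS upstream seen in this log"


if __name__ == "__main__":
    for name, log in (("thread log", SAMPLE_LOG), ("handshake log", HANDSHAKE_LOG)):
        summary = summarize_log(log)
        print(name + ":", diagnose(summary))
        print("  blacklisted:", summary["blacklisted"])
```

On the thread's log this yields the same reading George gave: the upstream was authenticated over TLS and the blacklisting is a consequence of the DS lookup failing for the check domain, not of the TLS setup. Because Unbound's debug wording can change between versions, pin the substrings to the release you run (`verbosity: 4` or higher produces these lines) before relying on the classifier in monitoring.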

