Confirming DNS over TLS on Unbound 1.6.0

[Wouter Wijngaards]

Hi,

On 3/17/19 6:46 PM, Joe Abley via Unbound-users wrote:
> On 17 Mar 2019, at 18:42, A. Schulze via Unbound-users <unbound-users at nlnetlabs.nl> wrote:
> 
>> Am 17.03.19 um 01:10 schrieb rollingonchrome via Unbound-users:
>>
>>> I am new to Unbound and am using version 1.6.0 on a Raspberry Pi.
>> 1.6.0 is > two years old. sure you can't use newer stuff?
>>
>>> I want to confirm that DNS over TLS to upstream servers is set up correctly.
>> if you like to get your configuration reviewed, why do you post you /logs/ !?
> 
> Another way of looking at this is that it might indeed be helpful for unbound to log something to confirm how forwarded queries are being encrypted (or not) if unbound is configured to forward queries.
> 
> If I was processing logs and intended for my forwarded DNS traffic to be encrypted, I'd certainly appreciate a log message triggering an alert if some configuration got changed incorrectly and forwarded queries were suddenly happening in the clear.

This is actually a good idea, and I added a log message.  If encrypted
it looks like this:
debug: the query is using TLS encryption, for dns.quad9.net
This is at verbosity level 4.

If no hostname is set, it prints a message that there is no hostname
authentication, or prints a message that libssl does not have the
support for that.

There is already debug, at level 4, it appeared in 1.7.0, that prints
the peer certificate for the reply.  That should be pretty obvious, an
X509 certificate with all the credentials.  That feature is newer than
1.6.0 where it printed "SSL DNS connection <for address>" for such replies.

Best regards, Wouter

> 
> 
> Joe
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20190318/5be5a744/attachment.bin>