DNS via SSH

Wouter Wijngaards wouter at nlnetlabs.nl
Thu Oct 24 07:31:02 UTC 2019


Hi August,

On 10/24/19 4:41 AM, August West via Unbound-users wrote:
> I am running a local Unbound server on my laptop that is configured to provide
> secure DNS service to just my laptop using DoT.  To do so, I am using:
> 
> forward-zone:
>          name: "."
>          forward-tls-upstream: yes
>          forward-addr: 1.1.1.1@853
> 
> This is working for me, but occasionally I have to connect to a network that
> is behind a corporate firewall that acts as a man-in-the-middle on all TLS
> requests.  This causes Unbound to fail to resolve names.
> 
> To work around this problem, I have attempted to forward requests to a trusted
> server that is available through an SSH tunnel.  SSH only carries TCP, so
> I added some further settings:

You want the setting
server:
	tcp-upstream: yes

That moves all traffic upstream to use TCP.  Not TLS, but TCP.  This is 
the option to make unbound use TCP for upstream queries.

That said, I would think the TLS would also be a TCP stream and thus 
also move through the SSH tunnel, so I don't understand that part.

Best regards, Wouter

> 
> server:
>          do-tcp: yes
>          do-not-query-localhost: no
> 
> forward-zone:
>          name: "."
>          forward-tls-upstream: yes
>          forward-addr: 127.0.0.1@11853
> 
> In this case port 11853 is being forwarded to port 853 on the remote server.
> That did not work. I played with the verbosity and log options and could not get
> any explanation for what is going wrong. It is possible that there is a problem
> with the certificate being used by the upstream server that is being accessed
> through SSH (it is self signed), so I also tried:
> 
> forward-zone:
>          name: "."
>          forward-tls-upstream: no
>          forward-addr: 127.0.0.1@11053
> 
> In this case port 11053 is being forwarded to port 53 on the remote server.
> I tested the connection to the remote server using drill:
> 
>      drill -t -p11053 @127.0.0.1 google.com
> 
> and that worked fine, so it seems there is no issue with the upstream
> server, and yet Unbound does not resolve names with this configuration.
> 
> I am currently stuck. Can anyone point out any issues with my configurations or
> point me to a tutorial on how to configure Unbound to connect to an upstream
> server using SSH?
> 
> Thanks,
> -August
> 
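The configuration Wouter's reply points at, put together with the tunnel and the drill check from the original post, as an added example (not code from the thread or from the Unbound project). It assumes the remote resolver listens on its own loopback port 53, that the SSH host alias and the local port are the caller's choice, and that `ssh`, `drill` and `unbound` are installed; the functions only generate the config and run the commands, so they can be used from a shell or sourced into a script.

```shell
#!/bin/sh
# Added example: route every Unbound upstream query through an SSH tunnel.
# SSH carries only TCP, so tcp-upstream: yes forces Unbound to use TCP
# instead of UDP for its upstream queries. The hop from Unbound to the
# tunnel endpoint is plain DNS, but it never leaves loopback; SSH encrypts
# and authenticates the wire between the laptop and the remote resolver.

# Emit the unbound.conf fragment. $1 is the local tunnel port (assumed).
unbound_tunnel_conf() {
    local_port="$1"
    cat <<EOF
server:
    do-tcp: yes
    # Required: the forwarder is 127.0.0.1, which Unbound refuses by default.
    do-not-query-localhost: no
    # Send upstream queries over TCP only, so they fit through ssh -L.
    tcp-upstream: yes

forward-zone:
    name: "."
    # No TLS on this hop: the tunnel, not TLS, protects the path.
    forward-tls-upstream: no
    forward-addr: 127.0.0.1@${local_port}
EOF
}

# Open the tunnel: local 127.0.0.1:$1 -> 127.0.0.1:53 on remote host $2.
# -N runs no remote command, -f backgrounds ssh once the forward is up.
# Binding the local end to 127.0.0.1 keeps other hosts off the tunnel.
start_tunnel() {
    ssh -f -N -L "127.0.0.1:$1:127.0.0.1:53" "$2"
}

# Smoke test through the tunnel, as in the original post: TCP, explicit port.
check_tunnel() {
    drill -t -p "$1" @127.0.0.1 google.com
}

# Typical use (assumed host alias "dnsbox" and port 11053):
#   start_tunnel 11053 dnsbox
#   check_tunnel 11053
#   unbound_tunnel_conf 11053 > /etc/unbound/unbound.conf.d/ssh-forward.conf
#   unbound-checkconf && unbound-control reload
```

Run `unbound-checkconf` after writing the fragment: it catches a forwarder on loopback without `do-not-query-localhost: no` before a reload silently breaks resolution. Raising `verbosity` to 2 or 3 in the `server:` block is the quickest way to see whether Unbound is still trying UDP, which `tcp-upstream: yes` is meant to stop.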


