Hi,

On 3/17/19 6:46 PM, Joe Abley via Unbound-users wrote:
> On 17 Mar 2019, at 18:42, A. Schulze via Unbound-users <[email protected]> wrote:
>
>> On 17.03.19 at 01:10, rollingonchrome via Unbound-users wrote:
>>
>>> I am new to Unbound and am using version 1.6.0 on a Raspberry Pi.
>> 1.6.0 is > two years old. Sure you can't use newer stuff?
>>
>>> I want to confirm that DNS over TLS to upstream servers is set up correctly.
>> If you would like to get your configuration reviewed, why do you post your /logs/ !?
>
> Another way of looking at this is that it might indeed be helpful for unbound
> to log something to confirm how forwarded queries are being encrypted (or
> not) if unbound is configured to forward queries.
>
> If I was processing logs and intended for my forwarded DNS traffic to be
> encrypted, I'd certainly appreciate a log message triggering an alert if some
> configuration got changed incorrectly and forwarded queries were suddenly
> happening in the clear.
This is actually a good idea, and I added a log message. If encrypted it looks like this:

debug: the query is using TLS encryption, for dns.quad9.net

This is at verbosity level 4. If no hostname is set, it prints a message that there is no hostname authentication, or it prints a message that libssl does not have the support for that.

There is already a debug message, at level 4 (it appeared in 1.7.0), that prints the peer certificate for the reply. That should be pretty obvious: an X509 certificate with all the credentials. That feature is newer than 1.6.0, where it printed "SSL DNS connection <for address>" for such replies.

Best regards, Wouter
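As an added example, not configuration from the thread or from the Unbound project itself: a forward-zone setup that sends all queries to an upstream over DNS over TLS with certificate and hostname authentication, with the weak form (no hostname, so no hostname authentication, which is the case the reply above says Unbound now logs) shown beside the corrected one, and the verbosity needed to see the debug line quoted above. The option names (forward-tls-upstream, tls-cert-bundle, the address@port#hostname form of forward-addr) are those of current Unbound and are my assumption to check against the unbound.conf(5) of the version you actually run; as the thread notes, 1.6.0 predates some of this. The CA bundle path and the choice of Quad9 as upstream are also assumptions.

```conf
# Added example, not from the thread. Assumed option names: check unbound.conf(5)
# for your version. Assumed paths and upstream addresses.

server:
    # Level 4 is the level at which the "the query is using TLS encryption, for
    # <hostname>" debug line appears. It is very chatty; use it transiently to
    # confirm the setup, then lower it again (with remote-control enabled:
    # `unbound-control verbosity 1`).
    verbosity: 4
    # CA bundle used to verify the upstream certificate. The #hostname suffix
    # below is what makes unbound check the name in that certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Weak form: TLS is used, but no hostname is given, so unbound does no
    # hostname authentication of the peer and says so in the level-4 log:
    #   forward-addr: 9.9.9.9@853
    # Corrected form: address@port#hostname. The certificate presented on
    # port 853 must match dns.quad9.net, and at level 4 the log reads
    # "the query is using TLS encryption, for dns.quad9.net".
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

To confirm the setup, send a query through the resolver and look in the log for "the query is using TLS encryption" (1.7.0 and later, per the reply above) or "SSL DNS connection" on 1.6.0, and for the peer certificate dump that the reply mentions. The alert Joe asks for would key on forwarded replies that lack such a line; the thread does not give the exact wording of the no-hostname-authentication and missing-libssl-support messages, so match those against your own log output rather than a string guessed from here.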
