Hi Yuri,
Thanks for the config file, very useful, but I still have the issue of:

tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"

I do not have the file "C:\Squid\etc\squid\ca-bundle.crt" on my system. So my original question was: where do I get that, or a suitable file, from?

Regards
Ray

From: Yuri <[email protected]>
Sent: 21 July 2019 19:51
To: [email protected]
Subject: Re: Using DNS over TLS on windows

Just an example from working Windows setup:

# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
    # verbosity level 0-4 of logging
    verbosity: 0
    # if you want to log to a file use
    # logfile: "C:\unbound.log"
    # on Windows, this setting makes reports go into the Application log
    # found in ControlPanels - System tasks - Logs
    use-syslog: yes
    log-time-ascii: yes
    num-threads: 4
    cache-max-ttl: 14400
    cache-min-ttl: 900
    cache-max-negative-ttl: 60
    infra-host-ttl: 60
    # root-hints: "C:\Program Files\Unbound\named.root"
    hide-identity: yes
    hide-version: yes
    hide-trustanchor: yes
    do-ip6: no
    tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
    tls-win-cert: yes
    tcp-upstream: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    # 1.5.7 feature. Yes recommended.
    # From 1.7.2 yes is default
    #qname-minimisation: yes
    aggressive-nsec: yes
    # select from the fastest servers this many times out of 1000. 0 means
    # the fast server select is disabled. prefetches are not sped up.
    # fast-server-permil: 0
    fast-server-permil: 100
    # the number of servers that will be used in the fast server selection.
    # fast-server-num: 3
    fast-server-num: 4
    unwanted-reply-threshold: 10000000
    do-not-query-localhost: no
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow_snoop
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
    #include: "C:\Program Files\Unbound\unbound_local"
    include: "C:\Program Files\Unbound\unbound_ad_servers"

# Remote control config section.
remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes
    control-use-cert: no

forward-zone:
    name: "."
    # forward-addr: 208.67.222.222@53
    # forward-addr: 208.67.220.220@53
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
    forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
    forward-addr: 185.49.141.37@853#getdnsapi.net
    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
    forward-addr: 158.64.1.29@853#kaitain.restena.lu
    forward-addr: 145.100.185.18@853#dnsovertls3.sinodun.com
    forward-addr: 145.100.185.17@853#dnsovertls2.sinodun.com
    forward-addr: 199.58.81.218@853#dns.cmrg.net
    forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
    forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
    forward-addr: 99.192.182.200@853#iana.tenta.io
    forward-addr: 99.192.182.201@853#iana.tenta.io
    forward-addr: 99.192.182.100@853#opennic.tenta.io
    forward-addr: 99.192.182.101@853#opennic.tenta.io
    forward-tls-upstream: yes
    # OpenDNS is NOT DNSSEC enabled

server:
    auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"

21.07.2019 21:37, RayG via Unbound-users writes:
> Hi,
> I have configured things so far but I get these errors and I think the reason is the "tls-cert-bundle" setting.
>
> 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed 21/07/2019
>
> So to get this working I have to enable this setting:
> tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
> That example would seem OK for a UNIX install, but where/how do I configure this for windows? Can I use the windows certificate store? If so, what would the entry read?
> Thanks
> Regards
> Ray

--
"C++ seems like a language suitable for firing other people's legs."

*****************************
* C++20 : Bug to the future *
*****************************
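An added example, not part of the thread above and not Unbound's own tooling: the "certificate verify failed" error in Ray's log means Unbound could not build a chain from the upstream's certificate to a root it trusts, so the file named in tls-cert-bundle has to contain the roots that issued the forwarders' certificates. On Windows those roots live in the system store; Python's standard library exposes it through ssl.enum_certificates(), which exists only on Windows, so the script calls it only when run there. The pure helpers (filtering to certificates trusted for TLS server authentication, PEM conversion, a check that every TLS forward-addr carries the "#authname" Unbound needs to verify the server name) run anywhere. The output path, the store names "ROOT" and "CA", and the port list are assumptions of this example; the config Yuri posted also sets tls-win-cert: yes, which is documented to load the Windows store directly, so the exported file is a fallback for when that alone is not enough.

```python
"""Build a PEM CA bundle for Unbound's tls-cert-bundle from the Windows
certificate store, and sanity-check forward-addr entries.

Added example (not from the mailing-list thread). ssl.enum_certificates()
exists only on Windows, so it is called only under a platform guard; the
filtering, PEM formatting and config-check helpers are platform-independent.
"""
import ssl
import sys

# id-kp-serverAuth: the extended key usage OID for TLS server authentication.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# Ports on which the posted config talks TLS to its forwarders (assumption).
TLS_PORTS = ("@853", "@443")


def trusted_for_server_auth(trust):
    """ssl.enum_certificates() reports trust as True (all purposes) or as a
    set of EKU OIDs; keep only certs usable to verify a TLS server."""
    if trust is True:
        return True
    return isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust


def bundle_from_entries(entries):
    """Turn (der_bytes, encoding, trust) tuples, as returned by
    ssl.enum_certificates(), into one PEM bundle string.  Entries that are
    not X.509 ASN.1 DER, or not trusted for server auth, are skipped."""
    pems = []
    for der, encoding, trust in entries:
        if encoding != "x509_asn":
            continue
        if not trusted_for_server_auth(trust):
            continue
        # Base64-wraps the DER blob with BEGIN/END CERTIFICATE markers.
        pems.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(pems)


def count_certs(pem_text):
    """Number of certificates in a PEM bundle (one BEGIN marker each)."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def bundle_from_windows_store(store_names=("ROOT", "CA")):
    """Export the machine's trusted roots and intermediates.  Windows only:
    ssl.enum_certificates is not defined on other platforms."""
    entries = []
    for name in store_names:
        entries.extend(ssl.enum_certificates(name))
    return bundle_from_entries(entries)


def unauthenticated_forwarders(config_text):
    """Return forward-addr values that use a TLS port but carry no
    '#authname' suffix, i.e. ones Unbound cannot match a server name for.
    Commented-out lines ('# forward-addr: ...') are ignored."""
    bad = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("forward-addr:"):
            continue
        value = line.split(":", 1)[1].strip()
        if any(port in value for port in TLS_PORTS) and "#" not in value:
            bad.append(value)
    return bad


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("store export needs Windows; the helper functions work anywhere")
    # Output path is an assumption; point tls-cert-bundle at wherever it lands.
    out = sys.argv[1] if len(sys.argv) > 1 else "ca-bundle.crt"
    bundle = bundle_from_windows_store()
    with open(out, "w", newline="\n") as fh:
        fh.write(bundle)
    print("wrote %d certificates to %s" % (count_certs(bundle), out))
```

Run it as `python make_bundle.py "C:\Squid\etc\squid\ca-bundle.crt"` on the Windows host, then restart Unbound; if the handshake error persists for a particular forwarder, the issuing root for that server is not in the exported store, and the forward-addr list, rather than the bundle, is what needs attention. The second helper is worth running over the config as well: a forward-addr on 853 or 443 without a "#name" gives Unbound nothing to compare the server certificate against.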
