22.07.2019 20:21, [email protected] writes:
> Hi Yuri,
>
> OK I see what was happening now. I can use either
>
> tls-cert-bundle: "<file>"
> or
> tls-win-cert: yes
>
> or both

Either-or. I use the first for historical reasons.

> So now I can see:
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: SSL connection to cloudflare-dns.com authenticated ip4 1.0.0.1 port 853 (len 16)
>
> So it looks like that bit is working OK but then when I go to:
> http://1.1.1.1/help
> to check that DNS over TLS is working it says "NO".
>
> Looking at the log file further I see this where things appear to be
> blacklisted (see below). I have attached the log file and it is from
> the start of the unbound service to the end of the query to
> http://1.1.1.1/help. I then stopped the unbound server to flush the log.
>
> Any further insights would be helpful, thanks
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: resolving 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: request has dependency depth of 0
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0
> ;; QUESTION SECTION:
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. IN DS
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> cloudflareresolve.com. 59 IN SOA cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0
> cloudflareresolve.com. 59 IN RRSIG SOA 13 2 3600 20190730125237 20190722095237 64088 cloudflareresolve.com. TQObnCdfCziZUkBWjUaAUFeU0iXbC7QK9tMC59qJqYZa8ntTdOHCmuWgUgRvVtaLK/l3GhNk65Jr+wHzs3Qnhg== ;{id = 64088}
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. 60 IN NSEC \000.8946ae4B-99eC-4925-A951-078129AE2Afe.IS-cF.CLouDFlArerEsoLvE.Com. A HINFO TXT AAAA LOC SRV CERT SSHFP RRSIG NSEC TLSA HIP OPENPGPKEY SPF
> 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. 60 IN RRSIG NSEC 13 4 3600 20190730135835 20190722105835 64088 cloudflareresolve.com. 1EhhluR/cdwni2q9HCdPmAazhlq/rwiOPAWytdeR8pPcNLjlpwphAoULC0tZ2BSZw2UC3P6vlgTHruBL+jpTRQ== ;{id = 64088}
>
> ;; ADDITIONAL SECTION:
> ;; MSG SIZE rcvd: 462
>
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: msg ttl is 60, prefetch ttl 54
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: returning answer from cache.
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: iter_handle processing q with state FINISHED RESPONSE STATE
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: finishing processing for 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: mesh_run: iterator module exit state is module_finished
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator operate: query 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validator: nextmodule returned
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: not validating response, is valrec(validation recursion lookup)
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: mesh_run: validator module exit state is module_finished
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator: inform_super, sub is 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. DS IN
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: super is 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: NSEC RRset for the referral proved not a delegation point
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator operate: query 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: val handle processing q with state VAL_FINDKEY_STATE
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] info: validator: FindKey 8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com. A IN
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: Cannot retrieve DS for signature
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: val handle processing q with state VAL_FINISHED_STATE
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: validation failed, blacklist and retry to fetch data
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip4 1.1.1.1 port 853 (len 16)
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip4 1.0.0.1 port 853 (len 16)
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist cache
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist ip6 2606:4700:4700::1001 port 853 (len 28)
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: pass back to next module
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: mesh_run: validator module exit state is module_restart_next
> 22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] debug: iterator[module 1] operate: extstate:module_finished event:module_event_pass
>
> From: Yuri <[email protected]>
> Sent: 22 July 2019 13:41
> To: [email protected]; [email protected]
> Subject: Re: Using DNS over TLS on windows
>
> 22.07.2019 18:38, [email protected] writes:
> > Hi Yuri,
> >
> > Thanks for the config file, very useful, but I still have the issue of:
> >
> > tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
> >
> > I do not have the file "C:\Squid\etc\squid\ca-bundle.crt" on my system.
>
> Sure. This is my system-specific. :)
>
> In your case, you can download Mozilla's CA bundle from
> https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
> and use it in a similar manner (just specify the correct path-to-file) on
> your setup.
>
> > So my original question was where do I get that or a suitable file from?
> >
> > Regards
> > Ray
> >
> > From: Yuri <[email protected]>
> > Sent: 21 July 2019 19:51
> > To: [email protected]
> > Subject: Re: Using DNS over TLS on windows
>
> Just an example from a working Windows setup:
>
> # Unbound configuration file on windows.
> # See example.conf for more settings and syntax
>
> server:
>     # verbosity level 0-4 of logging
>     verbosity: 0
>
>     # if you want to log to a file use
>     # logfile: "C:\unbound.log"
>
>     # on Windows, this setting makes reports go into the Application log
>     # found in ControlPanels - System tasks - Logs
>     use-syslog: yes
>     log-time-ascii: yes
>     num-threads: 4
>     cache-max-ttl: 14400
>     cache-min-ttl: 900
>     cache-max-negative-ttl: 60
>     infra-host-ttl: 60
>     # root-hints: "C:\Program Files\Unbound\named.root"
>     hide-identity: yes
>     hide-version: yes
>     hide-trustanchor: yes
>
>     do-ip6: no
>
>     tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
>     tls-win-cert: yes
>     tcp-upstream: yes
>
>     harden-short-bufsize: yes
>     harden-large-queries: yes
>     harden-below-nxdomain: yes
>     harden-algo-downgrade: yes
>     # 1.5.7 feature. Yes recommended.
>     # From 1.7.2 yes is default
>     #qname-minimisation: yes
>     aggressive-nsec: yes
>
>     # select from the fastest servers this many times out of 1000. 0 means
>     # the fast server select is disabled. prefetches are not sped up.
>     # fast-server-permil: 0
>     fast-server-permil: 100
>     # the number of servers that will be used in the fast server selection.
>     # fast-server-num: 3
>     fast-server-num: 4
>
>     unwanted-reply-threshold: 10000000
>     do-not-query-localhost: no
>     prefetch: yes
>     prefetch-key: yes
>     rrset-roundrobin: yes
>     minimal-responses: yes
>
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow_snoop
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
>     access-control: ::ffff:127.0.0.1 allow
>
>     #include: "C:\Program Files\Unbound\unbound_local"
>     include: "C:\Program Files\Unbound\unbound_ad_servers"
>
> # Remote control config section.
> remote-control:
>     # Enable remote control with unbound-control(8) here.
>     # set up the keys and certificates with unbound-control-setup.
>     control-enable: yes
>     control-use-cert: no
>
> forward-zone:
>     name: "."
>     # forward-addr: 208.67.222.222@53
>     # forward-addr: 208.67.220.220@53
>     forward-addr: 1.1.1.1@853#cloudflare-dns.com
>     forward-addr: 1.0.0.1@853#cloudflare-dns.com
>     forward-addr: 9.9.9.9@853#dns.quad9.net
>     forward-addr: 149.112.112.112@853#dns.quad9.net
>     forward-addr: 145.100.185.15@443#dnsovertls.sinodun.com
>     forward-addr: 145.100.185.16@443#dnsovertls1.sinodun.com
>     forward-addr: 185.49.141.37@853#getdnsapi.net
>     forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
>     forward-addr: 158.64.1.29@853#kaitain.restena.lu
>     forward-addr: 145.100.185.18@853#dnsovertls3.sinodun.com
>     forward-addr: 145.100.185.17@853#dnsovertls2.sinodun.com
>     forward-addr: 199.58.81.218@853#dns.cmrg.net
>     forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
>     forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
>     forward-addr: 99.192.182.200@853#iana.tenta.io
>     forward-addr: 99.192.182.201@853#iana.tenta.io
>     forward-addr: 99.192.182.100@853#opennic.tenta.io
>     forward-addr: 99.192.182.101@853#opennic.tenta.io
>     forward-tls-upstream: yes
>
> # OpenDNS is NOT DNSSEC enabled
> server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
> ###
>
> 21.07.2019 21:37, RayG via Unbound-users writes:
> > Hi,
> >
> > I have configured things so far but I get these errors and I think the reason is the "tls-cert-bundle" setting.
> >
> > 21/07/2019 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
> >
> > So to get this working I have to enable this setting:
> >
> > tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
> >
> > That example would seem OK for a UNIX install but where/how do I configure this for windows?
> >
> > Can I use the windows certificate store? If so what would the entry read.
> >
> > Thanks
> >
> > Regards
> > Ray
> >
> > --
> > "C++ seems like a language suitable for firing other people's legs."
> >
> > *****************************
> > * C++20 : Bug to the future *
> > *****************************
-- "C++ seems like a language suitable for firing other people's legs." ***************************** * C++20 : Bug to the future * *****************************
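The log Ray posted shows the sequence worth recognising automatically in a verbosity-4 log: a TLS session to the forwarder is authenticated, the validator then reports "Cannot retrieve DS for signature" and "validation failed, blacklist and retry to fetch data", and the port-853 upstreams are blacklisted. The script below is an added example for this thread, not code from Unbound or from any of the mails. It parses lines in the layout the Windows build writes (as quoted above, with each wrapped message rejoined onto one line) and reduces them to a one-line verdict. The sample lines are constructed after the ones in the thread; the function names, the verdict labels and the sample constants are this example's own.

```python
"""Triage DNS-over-TLS forwarding from Unbound verbosity-4 log lines.

Added example for this thread, not code from Unbound or from the mails.
Line layout and message strings are those the Windows build logs, as quoted
in the thread; function names, verdict labels and sample lines are this
example's own.
"""
import re

# "DD/MM/YYYY HH:MM:SS C:\...\unbound.exe[pid:tid] level: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>.+?\[\d+:\d+\]) (?P<level>[a-z]+): (?P<msg>.*)$"
)
TLS_OK_RE = re.compile(
    r"SSL connection to (?P<name>\S+) authenticated ip[46] (?P<ip>\S+) port (?P<port>\d+)"
)
TLS_FAIL_RE = re.compile(r"ssl handshake failed (?P<reason>.+)")
# "blacklist ip4 1.1.1.1 port 853 (len 16)" / "blacklist add ip6 ... port 853 (len 28)"
BLACKLIST_RE = re.compile(r"^blacklist(?: add)? ip[46] (?P<ip>\S+) port (?P<port>\d+)")
# Lines that name the query the iterator/validator is currently working on.
QUERY_RE = re.compile(
    r"(?:resolving|validator operate: query|validator: FindKey) (?P<qname>\S+) (?P<qtype>\S+) IN$"
)
VALFAIL_MSG = "validation failed, blacklist and retry to fetch data"
NO_DS_MSG = "Cannot retrieve DS for signature"


def parse_unbound_log(lines):
    """Summarise TLS authentication, validator failures and upstream blacklisting."""
    summary = {
        "authenticated": {},        # upstream ip -> name it was authenticated as
        "handshake_failures": [],   # OpenSSL reason strings
        "validation_failures": [],  # ((qname, qtype), validator hint or None)
        "blacklisted": {},          # (ip, port) -> query in flight when blacklisted
        "unparsed": 0,
    }
    current_query, last_hint = None, None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        msg = m.group("msg")
        if (q := QUERY_RE.search(msg)):
            current_query = (q.group("qname"), q.group("qtype"))
        elif (t := TLS_OK_RE.search(msg)):
            summary["authenticated"][t.group("ip")] = t.group("name")
        elif (f := TLS_FAIL_RE.search(msg)):
            summary["handshake_failures"].append(f.group("reason"))
        elif msg == NO_DS_MSG:
            last_hint = NO_DS_MSG
        elif msg == VALFAIL_MSG:
            summary["validation_failures"].append((current_query, last_hint))
            last_hint = None
        elif (b := BLACKLIST_RE.match(msg)):
            key = (b.group("ip"), int(b.group("port")))
            summary["blacklisted"].setdefault(key, current_query)
    return summary


def dot_verdict(summary):
    """Turn the summary into the one-line diagnosis a practitioner wants."""
    if summary["handshake_failures"]:
        return ("tls-handshake-failed: upstream certificate not verified; "
                "check tls-cert-bundle / tls-win-cert and the #name on forward-addr")
    if not summary["authenticated"]:
        return "no-tls-session: no authenticated DoT connection in the log"
    tls_black = sorted(ip for (ip, port) in summary["blacklisted"] if port == 853)
    if tls_black and summary["validation_failures"]:
        return ("tls-ok-but-blacklisted: DoT authenticated, then the validator blacklisted "
                "%d port-853 upstream(s) after a DNSSEC validation failure: %s"
                % (len(tls_black), ", ".join(tls_black)))
    return "tls-ok: authenticated DoT upstreams and no blacklisting"


# Constructed samples modelled on the lines quoted in the thread (one message per line).
LOG_PREFIX = r"22/07/2019 14:58:35 C:\Program Files\Unbound\unbound.exe[13564:0] "
SAMPLE_QNAME = "8946ae4b-99ec-4925-a951-078129ae2afe.is-cf.cloudflareresolve.com."
SAMPLE_LOG = [
    LOG_PREFIX + "debug: SSL connection to cloudflare-dns.com authenticated ip4 1.0.0.1 port 853 (len 16)",
    LOG_PREFIX + "info: resolving " + SAMPLE_QNAME + " DS IN",
    LOG_PREFIX + "info: validator operate: query " + SAMPLE_QNAME + " A IN",
    LOG_PREFIX + "debug: Cannot retrieve DS for signature",
    LOG_PREFIX + "debug: validation failed, blacklist and retry to fetch data",
    LOG_PREFIX + "debug: blacklist ip4 1.1.1.1 port 853 (len 16)",
    LOG_PREFIX + "debug: blacklist ip4 1.0.0.1 port 853 (len 16)",
    LOG_PREFIX + "debug: blacklist cache",
    LOG_PREFIX + "debug: blacklist add ip6 2606:4700:4700::1111 port 853 (len 28)",
]
HANDSHAKE_FAIL_LOG = [
    r"21/07/2019 16:10:16 C:\Program Files\Unbound\unbound.exe[1740:0] error: ssl handshake failed "
    "crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed",
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    print(dot_verdict(parse_unbound_log(source)))
```

Run it against the saved log file (`python unbound_dot_triage.py unbound.log`) or with no argument to see the verdict for the constructed sample, which reproduces the thread's case: TLS to 1.0.0.1 authenticated, then 1.1.1.1, 1.0.0.1 and the IPv6 address blacklisted on port 853 after the validator could not fetch the DS record. Ray's original "certificate verify failed" line yields the handshake verdict instead, which points at the CA bundle rather than at the validator.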
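Ray's first error ("ssl handshake failed ... certificate verify failed") and the tls-cert-bundle / tls-win-cert discussion reduce to one check: does the forwarder present a certificate that chains to a CA in the bundle and carries the name given after "#" on forward-addr? The following added example (not from the thread and not Unbound code) performs that check outside Unbound: it parses the forward-addr syntax, builds a TLS context from a PEM bundle or, with no bundle, from the certificates Python finds in the system store (on Windows the Windows certificate store), and sends one DNS query over the session using the RFC 7858 two-byte length framing. The function names, the query id and the wire bytes used in the usage note are this example's assumptions; the forward-addr syntax and the port numbers come from the config in the thread.

```python
"""Probe a DNS-over-TLS forwarder as described by an Unbound forward-addr line.

Added example for this thread, not Unbound code.  Accepts the same
"ip@port#authname" syntax as forward-addr, verifies the upstream certificate
against a PEM bundle (tls-cert-bundle) or, with cafile=None, the system store,
and sends one query over the session.  Function names are this example's own.
"""
import socket
import ssl
import struct

QUERY_ID = 0x1234  # fixed id; fine for a single-shot probe, not for a resolver


def parse_forward_addr(spec):
    """'1.1.1.1@853#cloudflare-dns.com' -> ('1.1.1.1', 853, 'cloudflare-dns.com').

    As in unbound.conf(5): port defaults to 53, auth name to None.
    """
    hostport, _, authname = spec.partition("#")
    ip, _, port = hostport.partition("@")
    return ip, int(port) if port else 53, authname or None


def build_query(qname, qtype=1, qid=QUERY_ID):
    """Minimal DNS query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response_header(resp):
    """Return (id, rcode, ancount) of a DNS response; reject anything that is not one."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    return qid, flags & 0x000F, ancount


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS session early")
        buf += chunk
    return buf


def probe_dot(spec, cafile=None, qname="cloudflare-dns.com", timeout=5.0):
    """Open TLS to a forward-addr target and return (peer CN, rcode, ancount).

    A chain that does not lead to the bundle, or a certificate that does not
    cover the '#authname', makes wrap_socket raise ssl.SSLCertVerificationError:
    the Python-side counterpart of Unbound's 'certificate verify failed'.
    """
    ip, port, authname = parse_forward_addr(spec)
    if authname is None:
        raise ValueError("forward-addr has no '#authname' to verify the certificate against")
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None: system/default store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(qname)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=authname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 framing
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            resp = _recv_exact(tls, length)
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    qid, rcode, ancount = parse_response_header(resp)
    if qid != QUERY_ID:
        raise ValueError("response id mismatch")
    return subject.get("commonName"), rcode, ancount


if __name__ == "__main__":
    import sys
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_dot(sys.argv[1], cafile=bundle))
```

Usage: `python dot_probe.py 1.1.1.1@853#cloudflare-dns.com C:\path\to\ca-bundle.crt` checks the bundle you intend to put in tls-cert-bundle; leaving the second argument off tests the system store instead, which is the configuration tls-win-cert gives Unbound. A deliberate mismatch such as `1.1.1.1@853#dns.quad9.net` should raise ssl.SSLCertVerificationError rather than return a result; if it returns, the check is not authenticating anything. The offline parts (forward-addr parsing, query encoding, response header parsing) can be exercised without network access, as the test below does with a constructed 1.1.1.1 A-record response.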