Hi August,

On 10/24/19 4:41 AM, August West via Unbound-users wrote:
I am running a local Unbound server on my laptop that is configured to provide
secure DNS service to just my laptop using DoT. To do so, I am using:

forward-zone:
         name: "."
         forward-tls-upstream: yes
         forward-addr: 1.1.1.1@853

This is working for me, but occasionally I have to connect to a network that
is behind a corporate firewall that acts as a man-in-the-middle on all TLS
requests. This causes Unbound to fail to resolve names.

To work around this problem, I have attempted to forward requests to a trusted
server that is available through an SSH tunnel.  SSH only carries TCP, so
I added some further settings:

You want the setting
server:
        tcp-upstream: yes

That moves all traffic upstream to use TCP. Not TLS, but TCP. This is the option to make unbound use TCP for upstream queries.

That said, I would think the TLS would also be a TCP stream and thus also move through the SSH tunnel, so I don't understand that part.

Best regards, Wouter


server:
         do-tcp: yes
         do-not-query-localhost: no

forward-zone:
         name: "."
         forward-tls-upstream: yes
         forward-addr: 127.0.0.1@11853

In this case port 11853 is being forwarded to port 853 on the remote server.
That did not work. I played with the verbosity and log options and could not get
any explanation for what is going wrong. It is possible that there is a problem
with the certificate being used by the upstream server that is being accessed
through SSH (it is self signed), so I also tried:

forward-zone:
         name: "."
         forward-tls-upstream: no
         forward-addr: 127.0.0.1@11053

In this case port 11053 is being forwarded to port 53 on the remote server.
I tested the connection to the remote server using drill:

     drill -t -p11053 @127.0.0.1 google.com

and that worked fine, so it seems there is no issue with the upstream
server, and yet Unbound does not resolve names with this configuration.

I am currently stuck. Can anyone point out any issues with my configurations, or
point me to a tutorial on how to configure Unbound to connect to an upstream
server using SSH?

Thanks,
-August
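Why `tcp-upstream: yes` is the setting that matters here: an `ssh -L 11053:127.0.0.1:53 remote` forward carries only a TCP byte stream, and DNS over TCP is the same message format as over UDP with a two-byte length prefix in front of each message (RFC 1035, section 4.2.2). The script below is an added example, not code from this thread or from Unbound. It builds a query, frames it for TCP, and parses the reply from a constructed fake upstream that stands in for the resolver at the far end of the tunnel; the `192.0.2.1` answer (TEST-NET-1), the `google.com` name and all helper names are assumptions made for the example.

```python
import socket
import struct
import threading

# Constructed answer for the fake upstream (TEST-NET-1, RFC 5737); not a real resolver.
FAKE_ANSWER_IP = "192.0.2.1"


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid, qtype=1):
    """Standard query with RD set and one question (A record by default)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg):
    """RFC 1035 4.2.2: over TCP every DNS message is preceded by a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    """Read exactly n bytes; a TCP stream gives no message boundaries by itself."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def read_framed(sock):
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def skip_name(msg, off):
    """Advance past a wire name, whether literal labels or a compression pointer."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += n + 1


def parse_response(msg, expected_id):
    """Return (rcode, [A-record IPs]); reject a reply whose transaction id differs."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return flags & 0x000F, answers


def fake_upstream_reply(query):
    """Constructed stand-in for the resolver behind the tunnel: echo the single
    question and append one A record whose name points back to offset 12."""
    qid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", qid, 0x8180, qd, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(FAKE_ANSWER_IP)
    return header + query[12:] + rr


def serve_one(sock):
    """Answer one framed query on a stream socket, as the far end of the tunnel would."""
    with sock:
        sock.sendall(frame_tcp(fake_upstream_reply(read_framed(sock))))


def resolve_over_tcp(sock, name, qid=0x1234):
    """Client side: the exchange Unbound has with 127.0.0.1@11053 under tcp-upstream: yes."""
    sock.sendall(frame_tcp(build_query(name, qid)))
    return parse_response(read_framed(sock), qid)


def demo(name="google.com"):
    """Run client and fake upstream over a local stream pair; no network needed."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_one, args=(server,))
    t.start()
    try:
        return resolve_over_tcp(client, name)
    finally:
        client.close()
        t.join()


if __name__ == "__main__":
    print(demo())   # (0, ['192.0.2.1'])
```

The client half is exactly what Unbound sends toward `127.0.0.1@11053` once `tcp-upstream: yes` is set under `server:` alongside the `forward-tls-upstream: no` forward-zone from the post; without it Unbound tries UDP first, which the SSH port-forward never carries, which is consistent with `drill -t` (TCP) succeeding while Unbound failed. The loopback hop is then cleartext DNS, acceptable only because ssh encrypts it from 127.0.0.1 onward, and `do-not-query-localhost: no` stays necessary for a loopback `forward-addr`.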

  • DNS via SSH August West via Unbound-users
    • Re: DNS via SSH Wouter Wijngaards via Unbound-users
