Hi,

My (side) scenario (pre-conditions):

  MyNet      = my local network computers & devices.
  SOCKS-Srvr = origin SOCKS server on a remote server.
  SOCKS-prxy = SOCKS proxy server = the local SOCKS forwarding proxy server.
  Socks-Tnl  = SOCKS tunnel = connection between the (local) SOCKS proxy & the (origin) SOCKS server.
  SOCKS      = a type of gateway, a type of tunnel, a routing process between a client & a server.

(start from the right-most side, "MyNet")

  Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet
     ^
     |
     v
    --> SOCKS-Srvr <-> remote local network (DNS)
     ^
     |
     v
    --> SOCKS-Srvr <-> Internet <-> DNS servers

I have multiple SOCKS proxy servers (SOCKS v4a, v5) running & listening on (a server computer):

  10.0.1.10:1080   (ip:port)
  10.0.1.10:1082
  ...

This gateway/server computer 10.0.1.10 has an instance of "Unbound" (01) DNS resolver running on 10.0.1.10:53:

  interface: 10.0.1.10
  port: 53
  access-control: 0.0.0.0/0 refuse
  access-control: ::0/0 refuse
  access-control: 10.0.1.10/8 allow

Different SOCKS tunnels end on (aka, are routed to) different destination locations (which have the origin SOCKS server gateway software), and the ending/origin gateway computer there is connected with a different ISP.

I need to use this 10.0.1.10:53 DNSSEC-supporting DNS resolver from all clients (under my local network). This DNS resolver must connect with the destination DNS server(s) or nameservers (NS) via different ISPs, which are connected at the end of the SOCKS tunnels. Those destination nameserver(s) (NS-DNS-Srv) (or recursive DNS server(s) (Rc-DNS-Srv), or authoritative DNS server(s) (A-DNS-Srv)) are able to work with both TCP & UDP DNS, and are listening on multiple ports: 53, 110, 443, etc.

"Unbound" (01) (10.0.1.10:53) has multiple forward and stub zones. Each forward or stub zone/domain has at least 4 (in some cases 10) specific nameservers (or specific Rc-DNS-Srv, or specific A-DNS-Srv). I'm using at least 10 different sets of (custom/special) zones, where each zone has from 4 to 10 (different) nameservers.
  stub-zone:    # 01
      name: "custom-domain1.org"
      stub-host: ath-d1.namesrv-hostnam.org.
      stub-host: ath-d2.namesrv-hostnam.org.
      stub-host: ath-d3.namesrv-hostnam.org.
      stub-host: ath-d4.namesrv-hostnam.org.
  ...
  forward-zone:    # 10
      name: "custom-domain10.org"
      forward-addr: ath-namesrvr.37.ip.adrs
      forward-addr: ath-namesrvr.38.ip.adrs
      forward-addr: ath-namesrvr.39.ip.adrs
      forward-host: ath-namesrvr40-hostnam.org.

And when a DNS query does not match any of those custom/special zones, then a standard set of DNS servers is to be used, like: root DNS servers, TLD DNS servers, SLD (second-level domain) DNS servers, HSP (hosting service provider) DNS servers, public DNSSEC-based DNS servers, etc., via another SOCKS proxy:

  forward-zone:
      name: "."
      forward-addr: 94.75.228.29     # GPF DNSSEC
      forward-addr: 149.20.64.20     # OARC DNSSEC
      forward-addr: 217.31.204.130   # CZ.NIC DNSSEC
      forward-addr: 198.41.0.4       # ROOT a USC-ISI
      forward-addr: 192.5.5.241      # ROOT f ICANN
      forward-addr: 192.58.128.30    # ROOT j
      forward-addr: 193.0.14.129     # ROOT k RIPE
      forward-addr: 199.7.83.42      # ROOT l
      forward-addr: 128.8.10.90      # ROOT d UniMaryland
      forward-addr: 192.36.148.17    # ROOT i
      forward-addr: 202.12.27.33     # ROOT m
      forward-addr: 128.63.2.53      # ROOT h
      forward-addr: 192.203.230.10   # ROOT e NASA
      forward-addr: 192.228.79.201   # ROOT
      forward-addr: 192.33.4.12      # ROOT
      forward-addr: 192.112.36.4     # ROOT

QUESTION(S):

Can I consider the existing Unbound option below, outgoing-interface:, as its outbound-traffic binding or forcing command/option?

How can I bind/force "Unbound" (01) (10.0.1.10:53) to use the 1st SOCKS proxy 10.0.1.10:1080 (IP:port) for resolving a 1st set of zones? (so that Unbound can connect with the correct 1st set of nameservers assigned for that 1st set of zones), and how to resolve another/2nd set of zones via another/2nd SOCKS proxy at 10.0.1.10:1081? (allowing Unbound to connect with another/2nd set of pre-assigned nameservers for that 2nd set of zones).
If there is one command/option in "Unbound" to use/bind/force outbound traffic to go through a SOCKS proxy, that will be best. If not, then can anyone please point to/indicate/discuss/suggest what tools can be used to achieve such a function (Unbound to SOCKS proxy)? (NOT looking for a solution on Linux/Unix.) (Looking for a solution on Windows; the local "Unbound" (01) (10.0.1.10:53) is running on a Windows-based computer.) If I have to run 5 "Unbound" instances, even that type of solution is also OK, but fewer Unbound instances will be better.

Is there a tool which can accept all (incoming) traffic coming (from Unbound) toward a network interface adapter's (single) IP address on different ports, and can forward those ports toward a (single ip:port based) SOCKS proxy server? What functions like TAP-to-SOCKS? If a tool can perform a TUN-to-SOCKS function, then can such a tool be used to send all queries from Unbound via SOCKS, by binding Unbound to that TUN's IP address? For example, can an OpenSSH instance be run in L2/3 tun VPN mode & forward the tun IP address's traffic toward a SOCKS proxy?

Can this command/option, outgoing-port-permit:, be set to use only 4 ports? Like:

  outgoing-port-permit: 53001-53004

or even set to use only 1 port?

  outgoing-port-permit: 53001-53001

What tool can allow forwarding such traffic from Unbound to a SOCKS proxy? Can I run an instance of OpenSSH to listen on a range of ports, from 53001 to 53004, on IP address 127.0.0.53 and forward those toward a single SOCKS proxy at 10.0.1.10:1080? And, after running OpenSSH, can I run & force Unbound to send outbound traffic via:

  outgoing-interface: 127.0.0.53

Will these four commands work to force using only 1 outgoing port?

  outgoing-range: 1
  num-queries-per-thread: 1
  outgoing-port-permit: 53001
  outgoing-port-avoid: "1-53000,53002-65535"

Will those slow down the DNS resolving process a lot? Or, is there a tool which can function like DNS-to-SOCKS? How can it be used with Unbound?
How can I specify in "Unbound" to use port 110 with a DNS server, instead of port 53? Can I specify an SSL cert (server cert or CA/root cert) for a DNS server in Unbound?

REFERENCES:

  https://en.wikipedia.org/wiki/SOCKS
  http://tools.ietf.org/html/rfc1928   SOCKS5 at IETF.
  http://www.inet.no/dante/doc/        Dante.

SOCKet Secure (SOCKS) is an Internet protocol that routes network packets between a client and server through a proxy server. It works in Layer 5 (Session) of OSI.

OpenSSH: an "ad hoc" SOCKS proxy server can be created using OpenSSH, and allows more flexible proxying than is possible with ordinary port forwarding. http://www.openssh.com/

  DynamicForward 10.0.1.10:1080   # will create a SOCKS proxy on that ip:port.

The GatewayPorts option allows wildcard address usage. And a tun-based VPN tunnel allowing applications to transparently access remote network resources without "socksification" is now possible via OpenSSH.

--Bright Star (Bry8Star).

Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
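As an added illustration of the DNS-to-SOCKS function asked about in the post above (example code written here, not from the post and not part of Unbound or any tool it names): a minimal Python client that performs an RFC 1928 SOCKS5 CONNECT (no authentication) to a nameserver at the far end of the tunnel and sends one DNS query over TCP, which is also how a nameserver listening on a non-53 port such as 110 would be reached through the proxy. The proxy and nameserver addresses passed to resolve_via_socks are assumptions; the byte-building helpers run offline.

```python
import socket
import struct

def socks5_connect_request(host: str, port: int) -> bytes:
    """RFC 1928 CONNECT. A literal IPv4 uses ATYP 0x01; a hostname uses ATYP 0x03,
    so the SOCKS server at the tunnel end resolves the name via its own ISP."""
    try:
        atyp_addr = b"\x01" + socket.inet_aton(host)
    except OSError:
        name = host.rstrip(".").encode("idna")
        atyp_addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + atyp_addr + struct.pack("!H", port)

def dns_tcp_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """DNS query (RD=1, class IN) with the 2-byte length prefix TCP transport requires."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("idna") for lbl in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; TCP may deliver the reply in several segments."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf

def resolve_via_socks(proxy, nameserver, qname, timeout=5.0) -> bytes:
    """Send one DNS/TCP query to nameserver=(host, port) through the SOCKS5 proxy
    at proxy=(ip, port). Returns the raw DNS response message (no length prefix)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(b"\x05\x01\x00")                       # VER 5, one method: NO AUTH
        if recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept NO AUTH")
        s.sendall(socks5_connect_request(*nameserver))
        ver, rep, _, atyp = recv_exact(s, 4)
        if ver != 5 or rep != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep:#x}")
        # drain BND.ADDR (IPv4: 4, domain: 1+len, IPv6: 16) and BND.PORT
        if atyp == 1: recv_exact(s, 4)
        elif atyp == 3: recv_exact(s, recv_exact(s, 1)[0])
        elif atyp == 4: recv_exact(s, 16)
        recv_exact(s, 2)
        s.sendall(dns_tcp_query(qname))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)
```

A call such as resolve_via_socks(("10.0.1.10", 1080), ("ns.placeholder.example", 110), "custom-domain10.org") uses the post's local proxy address with a placeholder nameserver; byte 3 of the returned message masked with 0x0F is the RCODE.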
