No one seems to be replying or understanding what I have requested, very strange!

In Windows, no one has found solution(s)!!! for sending DNS queries (for specific DNS servers) from Unbound toward a SOCKS proxy server!? Trying to do this:

[start] (1) local software --> (2) local Unbound --> (3) local socks-proxy/server --> (4) socks-tunnel --> (5) Internet (my ISP) --> (6) socks-(origin)-server --> (7) Internet (socks-origin-server's ISP) --> (8) name-server/DNS-server. [End]

-- Bright Star (Bry8Star).

Bry8 Star wrote: Received on 2012-10-25 8:13 PM [GMT-08:00]::
> Hi,
>
> My (side) Scenario (Pre-Conditions):
>
> MyNet = My Local Network computers & devices.
> SOCKS-Srvr = origin SOCKS-server on remote server.
> SOCKS-prxy = SOCKS-proxy-server = is local SOCKS
> forwarding proxy server.
> Socks-Tnl = SOCKS-Tunnel = connection between
> (local) socks-proxy & (origin) socks-server.
> SOCKS = is a type of gateway, a type of tunnel,
> a routing process between a client & a server.
>
> (start from right most side "MyNet")
>
> Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet.
> A
> |
> V
> --> SOCKS-Srvr <-> remote local-network (DNS).
> A
> |
> V
> --> SOCKS-Srvr <-> Internet <-> DNS-Servers.
>
>
> I have multiple SOCKS proxy servers,
> (SOCKS v4a, v5),
> running & listening on (a server computer):
> 10.0.1.10:1080 (ip:port)
> 10.0.1.10:1082
> ...
> This gateway/server computer 10.0.1.10 has
> an instance of "Unbound" (01) DNS-Resolver
> running on 10.0.1.10:53
> interface: 10.0.1.10
> port: 53
> access-control: 0.0.0.0/0 refuse
> access-control: ::0/0 refuse
> access-control: 10.0.1.10/8 allow
>
> Different socks tunnels end on (aka, are routed
> to) different destination locations (which have
> the origin-SOCKS-server gateway software),
> and the ending/origin gateway computer there is
> connected with a different ISP.
>
> Need to use this 10.0.1.10:53 DNSSEC supported
> DNS-Resolver, from all clients, (under my local
> network).
>
> This DNS-Resolver must connect with destination
> DNS-Server(s) or nameservers (NS) via different
> ISPs, which are connected at the end of SOCKS
> tunnels.
>
> Those destination Nameserver(s) (NS-DNS-Srv)
> (or Recursive dns-server(s) (Rc-DNS-Srv)
> or Authoritative dns-server(s) (A-DNS-Srv))
> are able to work with both TCP & UDP DNS, and
> are listening on multiple ports 53, 110, 443, etc.
>
> "Unbound" (01) (10.0.1.10:53) has multiple Forward
> and Stub zones. Each forward or stub zone/domain
> has at least 4, (in some cases 10), specific
> nameservers (or specific Rc-DNS-Srv, or specific
> A-DNS-Srv).
>
> I'm using at least 10 different sets of
> (custom/special) zones, where each zone
> has from 4 to 10 (different) nameservers.
> stub-zone: # 01
> name: "custom-domain1.org"
> stub-host: ath-d1.namesrv-hostnam.org.
> stub-host: ath-d2.namesrv-hostnam.org.
> stub-host: ath-d3.namesrv-hostnam.org.
> stub-host: ath-d4.namesrv-hostnam.org.
> ...
> forward-zone: # 10
> name: "custom-domain10.org"
> forward-addr: ath-namesrvr.37.ip.adrs
> forward-addr: ath-namesrvr.38.ip.adrs
> forward-addr: ath-namesrvr.39.ip.adrs
> forward-host: ath-namesrvr40-hostnam.org.
>
> And, when a DNS-query does not match any
> of those custom/special zones, then a standard
> set of DNS-Servers is to be used, like: Root
> DNS-Servers, TLD DNS-Servers, SLD (Second Level
> Domain) DNS-Servers, HSP (Hosting Service
> Providers) DNS-Servers, Public DNSSEC based
> DNS-Servers, etc, via another SOCKS proxy:
> forward-zone:
> name: "."
> forward-addr: 94.75.228.29 # GPF DNSSEC
> forward-addr: 149.20.64.20 # OARC DNSSEC
> forward-addr: 217.31.204.130 # CZ.NIC DNSSEC
> forward-addr: 198.41.0.4 # ROOT a USC-ISI
> forward-addr: 192.5.5.241 # ROOT f ICANN
> forward-addr: 192.58.128.30 # ROOT j
> forward-addr: 193.0.14.129 # ROOT k RIPE
> forward-addr: 199.7.83.42 # ROOT l
> forward-addr: 128.8.10.90 # ROOT d UniMaryland
> forward-addr: 192.36.148.17 # ROOT i
> forward-addr: 202.12.27.33 # ROOT m
> forward-addr: 128.63.2.53 # ROOT h
> forward-addr: 192.203.230.10 # ROOT e NASA
> forward-addr: 192.228.79.201 # ROOT
> forward-addr: 192.33.4.12 # ROOT
> forward-addr: 192.112.36.4 # ROOT
>
>
> QUESTION(s):
>
> Can I consider the existing below command
> outgoing-interface:
> of Unbound as its outbound traffic
> binding or forcing command/option?
>
> How can I bind/force "Unbound" (01) (10.0.1.10:53)
> to use the 1st SOCKS proxy 10.0.1.10:1080 (IP:port)
> for resolving a 1st set of zones? (so that
> Unbound can connect with the correct 1st set of
> nameservers assigned for that 1st set of zones),
> And how to resolve another/2nd set of zones
> via using another/2nd SOCKS at 10.0.1.10:1081?
> (and allowing Unbound to connect with another
> /2nd set of pre-assigned nameservers for that
> 2nd set of zones).
>
> If there is a one-line command in "Unbound"
> to use/bind/force outbound traffic to go through
> a SOCKS proxy, that will be best.
>
> If not, then can anyone please point-to/indicate
> /discuss/suggest what tools can be used to
> achieve such a function: Unbound to SOCKS proxy.
>
> (NOT looking for a solution on Linux/Unix).
> (Looking for a solution on Windows; the local
> "Unbound" (01) (10.0.1.10:53) is running on a
> Windows based computer).
>
> If I have to run 5 "Unbound", even that type
> of solution is also ok, but fewer Unbound
> instances will be better.
>
> Is there a tool which can accept all
> (incoming) traffic coming (from Unbound)
> toward a network interface adapter's
> (different ports & single) IP address,
> and can forward those ports toward a
> (single ip:port based) SOCKS proxy
> server? What functions like TAP-to-SOCKS?
>
> If a tool can perform a TUN-to-SOCKS function,
> then can such a tool be used to send all
> queries via SOCKS from Unbound, by binding
> Unbound with that TUN's ip-address?
>
> For example, can an OpenSSH instance be run
> in L2/3 tun VPN mode & forward tun ip-adrs
> traffic toward a SOCKS proxy?
>
> Can this below command/option
> "outgoing-port-permit:" be set to
> use only 4 ports? like:
> outgoing-port-permit: 53001-53004
> or, even set to use only 1 port?
> outgoing-port-permit: 53001-53001
> What tool can allow forwarding such
> traffic from Unbound to a SOCKS proxy?
>
> Can I run an instance of OpenSSH to listen on a
> range of ports, from 53001 to 53004 on ip-adrs
> 127.0.0.53 and forward those toward a single
> SOCKS proxy at 10.0.1.10:1080? and, after
> running OpenSSH, can I run & force Unbound to
> use outbound traffic via:
> outgoing-interface: 127.0.0.53
>
>
> Will these four commands work? to
> force using only 1 outgoing port:
> outgoing-range: 1
> num-queries-per-thread: 1
> outgoing-port-permit: 53001
> outgoing-port-avoid: "1-53000,53002-65535"
> Will those slow down the dns-resolving process
> very much?
>
> or, is there a tool which can function
> like DNS-to-SOCKS? How can it be used
> with Unbound?
>
> How can I specify in "Unbound" to use port
> 110 with a DNS-Server, instead of port 53?
>
> Can I specify an SSL cert (server cert or CA/Root cert)
> for a DNS-Server in Unbound?
>
>
> REFERENCES:
>
> https://en.wikipedia.org/wiki/SOCKS
> http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF.
> http://www.inet.no/dante/doc/ Dante.
>
> SOCKet Secure (SOCKS) is an Internet Protocol that
> routes network packets between a client and server
> through a proxy server. It works in Layer 5
> (Session) of OSI.
>
> OpenSSH: An "ad hoc" SOCKS proxy server can be
> created using OpenSSH, and allows more flexible
> proxying than is possible with ordinary port
> forwarding. http://www.openssh.com/
> DynamicForward 10.0.1.10:1080 # will create a
> SOCKS on that ip:port.
> GatewayPorts option allows wildcard address
> usage. And tun-based VPN tunnel allowing
> applications to transparently access remote
> network resources without "socksification"
> is now possible via OpenSSH.
>
> --Bright Star (Bry8Star).
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
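The post asks for a "DNS-to-SOCKS" tool: something Unbound can forward to that carries each query over TCP through a SOCKS5 proxy to a nameserver on a port other than 53. The following is an added example written for this page, not code from the poster or from the Unbound project. It is a minimal relay of that kind: it listens for UDP DNS on a local address, wraps each query in the RFC 1035 two-byte length framing used for DNS over TCP, performs an unauthenticated SOCKS5 CONNECT (RFC 1928) through the local proxy to the nameserver, and returns the answer over UDP. The proxy address 10.0.1.10:1080 and listen address 127.0.0.53 come from the post; the nameserver 192.0.2.53 on port 110 and the no-authentication proxy method are constructed assumptions for the example. It also checks that the answer's transaction ID matches the query before relaying it back.

```python
"""Minimal DNS-over-TCP relay through a SOCKS5 proxy (added example).

Unbound would be pointed at this relay with a forward-addr entry; the relay
then opens one SOCKS5 CONNECT per query to the configured nameserver.
Proxy and listen addresses are taken from the mailing-list post; the
nameserver address/port are constructed placeholders for this example.
"""
import socket
import struct
import sys

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

PROXY = ("10.0.1.10", 1080)          # local SOCKS proxy from the post
LISTEN = ("127.0.0.53", 53)          # address Unbound forwards to
NAMESERVER = ("192.0.2.53", 110)     # constructed: upstream NS on a non-53 port


def socks5_greeting() -> bytes:
    """VER=5, one offered method: no authentication (assumed proxy setting)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT request; IPv4 literal uses ATYP 1, anything else is sent as a domain name."""
    try:
        addr = socket.inet_aton(host)
        atyp = ATYP_IPV4
    except OSError:
        name = host.encode("idna")
        addr = bytes([len(name)]) + name
        atyp = ATYP_DOMAIN
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def socks5_reply_ok(reply: bytes) -> bool:
    """REP field 0x00 means the proxy established the connection."""
    return len(reply) >= 2 and reply[0] == SOCKS_VERSION and reply[1] == 0x00


def frame_tcp_dns(msg: bytes) -> bytes:
    """RFC 1035 section 4.2.2: a two-byte big-endian length precedes each TCP message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp_dns(data: bytes) -> bytes:
    (n,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("short DNS-over-TCP message")
    return data[2:2 + n]


def ids_match(query: bytes, answer: bytes) -> bool:
    """The 16-bit transaction ID must be echoed back; drop anything that does not match."""
    return len(query) >= 2 and len(answer) >= 2 and query[:2] == answer[:2]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


def query_via_socks(query: bytes, proxy, ns_host: str, ns_port: int, timeout=5.0) -> bytes:
    """Send one DNS query over TCP through the SOCKS5 proxy and return the raw answer."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(socks5_greeting())
        ver, method = recv_exact(s, 2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError("proxy did not accept the no-auth method")
        s.sendall(socks5_connect_request(ns_host, ns_port))
        head = recv_exact(s, 4)                     # VER REP RSV ATYP
        if not socks5_reply_ok(head):
            raise ConnectionError(f"SOCKS CONNECT failed, REP={head[1]:#x}")
        atyp = head[3]                              # consume BND.ADDR + BND.PORT
        if atyp == ATYP_IPV4:
            recv_exact(s, 4 + 2)
        elif atyp == ATYP_IPV6:
            recv_exact(s, 16 + 2)
        elif atyp == ATYP_DOMAIN:
            recv_exact(s, recv_exact(s, 1)[0] + 2)
        s.sendall(frame_tcp_dns(query))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        answer = recv_exact(s, length)
    if not ids_match(query, answer):
        raise ValueError("transaction ID mismatch in answer")
    return answer


def serve(listen=LISTEN, proxy=PROXY, nameserver=NAMESERVER) -> None:
    """UDP front end: one query in, one answer out, each query relayed via SOCKS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(listen)
        while True:
            query, client = udp.recvfrom(4096)
            try:
                udp.sendto(query_via_socks(query, proxy, *nameserver), client)
            except (OSError, ValueError) as exc:
                print(f"relay failed for {client}: {exc}", file=sys.stderr)


if __name__ == "__main__":
    serve()
```

With the relay running, Unbound is pointed at it with `forward-addr: 127.0.0.53` in the forward-zone, and an upstream port other than 53 can also be given directly to Unbound with the `@port` suffix (`forward-addr: 192.0.2.53@110`). Because every query becomes a fresh TCP connection through the proxy, the relay is slower than Unbound's native UDP path; the DNSSEC validation in Unbound is what protects the answers crossing the tunnel, not the SOCKS hop itself.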
