Hi Paul, thanks for the response. I was beginning to get a sense that no one ever reads my postings at all.
I will contact him, to see if he had enough time to place your patch in the Unbound source code, and whether I can get hold of it for use on the Windows side.

Currently, in the Unbound config file, when a zone points toward a specific name-server, for example like below:

    forward-zone:
        name: "sld.tld"
        forward-addr: 62.141.58.13@110

I have changed the above lines like below:

    forward-zone:
        name: "sld.tld"
        forward-addr: 127.0.0.1@58001

Then, using the Windows edition of "socat", I placed command-line(s) like below inside a batch .cmd / .bat file, to start the necessary routing or forwarding:

    @start "socat LH:58001 62.141.58.13 SP:1080" /D"%ProgramFiles%\socat\" socat.exe tcp4-listen:58001,bind=127.0.0.1,range=127.0.0.1/32,fork SOCKS4A:10.0.1.10:62.141.58.13:110,socksport=1080

(In the above, from "@" to "=1080" is one single command line.) (A space character exists after these words: start, SP:1080", socat\", .exe, fork.)

Similarly (like the above command-line), I specified a unique port for each unique DNS-server, and executed around 50 socat instances (from the batch file), to forward all DNS queries from Unbound into different local SOCKS proxy server(s), and send DNS queries toward different (public & private) DNS-servers & name-servers. Works fine, with complete DNSSEC support.

But I need to combine these into one, or a smaller number of, "socat" instances; or I need support inside Unbound; or I need another tool which can efficiently do this type of TCP-DNS-to-SOCKS traffic routing. I also want to connect with (public and private) DNS-servers (or name-servers) which support TLS cert based/encrypted connections. You may see below (in the previous email) where I mentioned these.

If anyone has worked/is working on these, please reply to this posting. Thanks in advance.

-- Bright Star (Bry8Star).
USERS: when you reply, make sure the "To:" field has the below email address: [email protected]

Paul Wouters wrote: Received on 2012-10-31 8:03 PM [GMT-08:00]:
> On Wed, 31 Oct 2012, Bry8 Star wrote:
>
>> No one seems to be replying or understanding what I have requested, very strange!
>>
>> In Windows, no one found solution(s)!!! for sending DNS-queries (for specific DNS-servers) from Unbound toward a SOCKS-proxy-server!?
>
> I gave Jake Applebaum a patch/configuration to test for using unbound with tor using a SOCKS proxy. I never got feedback, but he might still have the patch and config lying around for you.
>
> Paul
>
>> Trying to do this:
>> [start] (1) local software --> (2) local unbound --> (3) local socks-proxy/srvr --> (4) socks-tunnel --> (5) Internet (My ISP) --> (6) socks-(origin)-srvr --> (7) Internet (socks-origin-srvr's ISP) --> (8) name-server/DNS-server. [End]
>>
>> -- Bright Star (Bry8Star).
>>
>> Bry8 Star wrote: Received on 2012-10-25 8:13 PM [GMT-08:00]:
>>> Hi,
>>>
>>> My (side) Scenario (Pre-Conditions):
>>>
>>> MyNet = My Local Network computers & devices.
>>> SOCKS-Srvr = origin SOCKS-server on remote server.
>>> SOCKS-prxy = SOCKS-proxy-server = is local SOCKS forwarding proxy server.
>>> Socks-Tnl = SOCKS-Tunnel = connection between (local) socks-proxy & (origin) socks-server.
>>> SOCKS = is a type of gateway, a type of tunnel, a routing process between a client & a server.
>>>
>>> (start from right most side "MyNet")
>>>
>>>     Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet.
>>>        ^
>>>        |
>>>        v
>>>     --> SOCKS-Srvr <-> remote local-network (DNS).
>>>        ^
>>>        |
>>>        v
>>>     --> SOCKS-Srvr <-> Internet <-> DNS-Servers.
>>>
>>> I have multiple SOCKS proxy servers (SOCKS v4a, v5), running & listening on (a server computer):
>>>     10.0.1.10:1080 (ip:port)
>>>     10.0.1.10:1082
>>>     ...
>>>
>>> This gateway/server computer 10.0.1.10 has an instance of "Unbound" (01) DNS-Resolver running on 10.0.1.10:53:
>>>     interface: 10.0.1.10
>>>     port: 53
>>>     access-control: 0.0.0.0/0 refuse
>>>     access-control: ::0/0 refuse
>>>     access-control: 10.0.1.10/8 allow
>>>
>>> Different socks tunnels end on (aka, are routed to) different destination locations (which have the origin-SOCKS-server gateway software), and the ending/origin gateway computer there is connected with a different ISP.
>>>
>>> Need to use this 10.0.1.10:53 DNSSEC supported DNS-Resolver from all clients (under my local network).
>>>
>>> This DNS-Resolver must connect with destination DNS-Server(s) or nameservers (NS) via different ISPs, which are connected at the end of the SOCKS tunnels.
>>>
>>> Those destination Nameserver(s) (NS-DNS-Srv) (or Recursive dns-server(s) (Rc-DNS-Srv) or Authoritative dns-server(s) (A-DNS-Srv)) are able to work with both TCP & UDP DNS, and are listening on multiple ports 53, 110, 443, etc.
>>>
>>> "Unbound" (01) (10.0.1.10:53) has multiple Forward and Stub zones. Each forward or stub zone/domain has at least 4 (in some cases 10) specific nameservers (or specific Rc-DNS-Srv, or specific A-DNS-Srv).
>>>
>>> I'm using at least 10 different sets of (custom/special) zones, where each zone has from 4 to 10 (different) nameservers.
>>>     stub-zone: # 01
>>>         name: "custom-domain1.org"
>>>         stub-host: ath-d1.namesrv-hostnam.org.
>>>         stub-host: ath-d2.namesrv-hostnam.org.
>>>         stub-host: ath-d3.namesrv-hostnam.org.
>>>         stub-host: ath-d4.namesrv-hostnam.org.
>>>     ...
>>>     forward-zone: # 10
>>>         name: "custom-domain10.org"
>>>         forward-addr: ath-namesrvr.37.ip.adrs
>>>         forward-addr: ath-namesrvr.38.ip.adrs
>>>         forward-addr: ath-namesrvr.39.ip.adrs
>>>         forward-host: ath-namesrvr40-hostnam.org.
>>>
>>> And, when a DNS-query does not match any of those custom/special zones, then a standard set of DNS-Servers is to be used, like: Root DNS-Servers, TLD DNS-Servers, SLD (Second Level Domain) DNS-Servers, HSP (Hosting Service Providers) DNS-Servers, Public DNSSEC based DNS-Servers, etc, via another SOCKS proxy:
>>>     forward-zone:
>>>         name: "."
>>>         forward-addr: 94.75.228.29    # GPF DNSSEC
>>>         forward-addr: 149.20.64.20    # OARC DNSSEC
>>>         forward-addr: 217.31.204.130  # CZ.NIC DNSSEC
>>>         forward-addr: 198.41.0.4      # ROOT a USC-ISI
>>>         forward-addr: 192.5.5.241     # ROOT f ICANN
>>>         forward-addr: 192.58.128.30   # ROOT j
>>>         forward-addr: 193.0.14.129    # ROOT k RIPE
>>>         forward-addr: 199.7.83.42     # ROOT l
>>>         forward-addr: 128.8.10.90     # ROOT d UniMaryland
>>>         forward-addr: 192.36.148.17   # ROOT i
>>>         forward-addr: 202.12.27.33    # ROOT m
>>>         forward-addr: 128.63.2.53     # ROOT h
>>>         forward-addr: 192.203.230.10  # ROOT e NASA
>>>         forward-addr: 192.228.79.201  # ROOT
>>>         forward-addr: 192.33.4.12     # ROOT
>>>         forward-addr: 192.112.36.4    # ROOT
>>>
>>> QUESTION(s):
>>>
>>> Can I consider the existing command outgoing-interface: of Unbound, below, as its outbound traffic binding or forcing command/option?
>>>
>>> How can I bind/force "Unbound" (01) (10.0.1.10:53) to use the 1st SOCKS proxy 10.0.1.10:1080 (IP:port) for resolving a 1st set of zones? (so that Unbound can connect with the correct 1st set of nameservers assigned for that 1st set of zones). And how to resolve another/2nd set of zones via another/2nd SOCKS at 10.0.1.10:1081? (allowing Unbound to connect with another/2nd set of pre-assigned nameservers for that 2nd set of zones).
>>>
>>> If there is a one-line command in "Unbound" to use/bind/force outbound traffic to go through a SOCKS proxy, that will be best.
>>>
>>> If not, then can anyone please point to/indicate/discuss/suggest what tools can be used to achieve such a function: Unbound to socks proxy.
>>>
>>> (NOT looking for a solution on Linux/Unix.) (Looking for a solution on Windows; the local "Unbound" (01) (10.0.1.10:53) is running on a Windows based computer.)
>>>
>>> If I have to run 5 "Unbound", even that type of solution is also ok, but a reduced number of Unbound instances will be better.
>>>
>>> Is there a tool which can accept all (incoming) traffic coming (from Unbound) toward a network interface adapter's (different ports & single) IP address, and can forward those ports toward a (single ip:port based) SOCKS proxy server? What functions like TAP-to-SOCKS?
>>>
>>> If a tool can perform a TUN-to-SOCKS function, then can such a tool be used to send all queries via SOCKS from Unbound, by binding Unbound with that TUN's ip-address?
>>>
>>> For example, can an OpenSSH instance be run in L2/3 tun VPN mode & forward tun ip-adrs traffic toward a SOCKS proxy?
>>>
>>> Can this below command/option "outgoing-port-permit:" be set to use only 4 ports? like:
>>>     outgoing-port-permit: 53001-53004
>>> or, even set to use only 1 port?
>>>     outgoing-port-permit: 53001-53001
>>> What tool can allow forwarding such traffic from Unbound to a SOCKS proxy?
>>>
>>> Can I run an instance of OpenSSH to listen on a range of ports, from 53001 to 53004 on ip-adrs 127.0.0.53, and forward those toward a single SOCKS proxy at 10.0.1.10:1080? And, after running OpenSSH, can I run & force Unbound to send outbound traffic via:
>>>     outgoing-interface: 127.0.0.53
>>>
>>> Will these four commands work, to force using only 1 outgoing port?
>>>     outgoing-range: 1
>>>     num-queries-per-thread: 1
>>>     outgoing-port-permit: 53001
>>>     outgoing-port-avoid: "1-53000,53002-65535"
>>> Will those slow down the dns-resolving process very much?
>>>
>>> Or, is there a tool which can function like DNS-to-SOCKS? How can it be used with Unbound?
>>>
>>> How can I specify in "Unbound" to use port 110 with a DNS-Server, instead of port 53?
>>>
>>> Can I specify an SSL cert (server cert or CA/Root cert) for a DNS-Server in Unbound?
>>>
>>> REFERENCES:
>>>
>>> https://en.wikipedia.org/wiki/SOCKS
>>> http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF.
>>> http://www.inet.no/dante/doc/ Dante.
>>>
>>> SOCKet Secure (SOCKS) is an Internet Protocol that routes network packets between a client and server through a proxy server. It works in Layer 5 (Session) of OSI.
>>>
>>> OpenSSH: An "ad hoc" SOCKS proxy server can be created using OpenSSH, and allows more flexible proxying than is possible with ordinary port forwarding. http://www.openssh.com/
>>>     DynamicForward 10.0.1.10:1080   # will create a SOCKS on that ip:port.
>>> The GatewayPorts option allows wildcard address usage. And a tun-based VPN tunnel allowing applications to transparently access remote network resources without "socksification" is now possible via OpenSSH.
>>>
>>> --Bright Star (Bry8Star).
>>>
>>> _______________________________________________
>>> Unbound-users mailing list
>>> [email protected]
>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
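Added example, not code from this thread, from its author, or from the Unbound project: a single process that does what the ~50 per-server socat instances above do. It opens one loopback listener per upstream name server, and for each TCP connection Unbound makes to 127.0.0.1:<local port> it performs a SOCKS4a CONNECT (the same mode the socat line uses) to that upstream through the SOCKS proxy, then relays bytes both ways. Because DNS-over-TCP is just a 2-byte-length-prefixed byte stream, nothing is parsed or rewritten and DNSSEC records pass through unchanged. The proxy address, the upstream list, the local ports and the `selftest()` loop-back harness (a fake SOCKS4a server that grants every CONNECT and echoes) are assumptions made for this example; `unbound_forward_zones()` prints the matching unbound.conf fragment.

```python
"""TCP-DNS-to-SOCKS4a relay: one loopback port per upstream name server.
Example code written for this page; values marked 'assumed' are not from the thread."""
import asyncio
import ipaddress
import struct

SOCKS_PROXY = ("10.0.1.10", 1080)          # assumed, taken from the socat command line above
# (loopback port Unbound forwards to, upstream IP or hostname, upstream port) -- assumed
UPSTREAMS = [(58001, "62.141.58.13", 110), (58002, "198.41.0.4", 53)]


def build_socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """CONNECT request: plain SOCKS4 for a dotted IPv4 target, SOCKS4a (DSTIP 0.0.0.1
    plus NUL-terminated hostname) otherwise, so the proxy end resolves the name and
    no DNS lookup for the upstream leaks out of the client side."""
    try:
        dst, tail = ipaddress.IPv4Address(host).packed, b""
    except ValueError:
        dst, tail = b"\x00\x00\x00\x01", host.encode("idna") + b"\x00"
    return struct.pack("!BBH", 4, 1, port) + dst + userid + b"\x00" + tail


def socks4_reply_granted(reply: bytes) -> bool:
    """SOCKS4 reply is 8 bytes: VN must be 0, CD 0x5A = granted (0x5B-0x5D = rejected)."""
    return len(reply) == 8 and reply[0] == 0 and reply[1] == 0x5A


async def _pipe(reader, writer):
    """Copy bytes one way until EOF, then close the far side so the peer sees EOF too."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


async def _handle(client_reader, client_writer, upstream, proxy):
    """One Unbound connection -> SOCKS CONNECT to the upstream -> bidirectional relay."""
    host, port = upstream
    proxy_writer = None
    try:
        proxy_reader, proxy_writer = await asyncio.open_connection(*proxy)
        proxy_writer.write(build_socks4a_connect(host, port))
        await proxy_writer.drain()
        if not socks4_reply_granted(await proxy_reader.readexactly(8)):
            raise ConnectionError(f"SOCKS proxy refused {host}:{port}")
    except (OSError, asyncio.IncompleteReadError):
        if proxy_writer:
            proxy_writer.close()
        client_writer.close()      # Unbound sees a dead socket and tries its next forward-addr
        return
    await asyncio.gather(_pipe(client_reader, proxy_writer),
                         _pipe(proxy_reader, client_writer), return_exceptions=True)


def unbound_forward_zones(zones: dict) -> str:
    """unbound.conf fragment mapping zone -> loopback ports.  Two real Unbound options
    matter here: do-not-query-localhost defaults to yes (127.0.0.1 upstreams are refused
    otherwise) and tcp-upstream: yes (this relay, like socat, only speaks TCP)."""
    out = ["server:", "    do-not-query-localhost: no", "    tcp-upstream: yes", ""]
    for zone, ports in zones.items():
        out += ["forward-zone:", f'    name: "{zone}"']
        out += [f"    forward-addr: 127.0.0.1@{p}" for p in ports]
        out.append("")
    return "\n".join(out)


async def _fake_socks4a(reader, writer):
    """Stand-in for proxy + upstream, used only by selftest(): parse the CONNECT
    (header, userid, optional SOCKS4a hostname), grant it, then echo the payload."""
    hdr = await reader.readexactly(8)
    await reader.readuntil(b"\x00")                       # userid
    if hdr[4:7] == b"\x00\x00\x00" and hdr[7] != 0:
        await reader.readuntil(b"\x00")                   # SOCKS4a hostname
    writer.write(b"\x00\x5a" + b"\x00" * 6)
    await writer.drain()
    await _pipe(reader, writer)


def selftest() -> bytes:
    """Loop-back check: fake proxy and relay on ephemeral ports, one constructed
    length-prefixed message relayed through and echoed back."""
    async def run():
        fake = await asyncio.start_server(_fake_socks4a, "127.0.0.1", 0)
        proxy = fake.sockets[0].getsockname()[:2]
        fwd = await asyncio.start_server(
            lambda r, w: _handle(r, w, ("ns1.example.org", 53), proxy), "127.0.0.1", 0)
        port = fwd.sockets[0].getsockname()[1]
        query = b"\xab\xcd\x01\x00\x00\x01"           # constructed bytes, not a real DNS message
        msg = struct.pack("!H", len(query)) + query
        r, w = await asyncio.open_connection("127.0.0.1", port)
        w.write(msg)
        await w.drain()
        out = await r.readexactly(len(msg))
        w.close()
        await w.wait_closed()
        fake.close()
        fwd.close()
        return out
    return asyncio.run(run())


if __name__ == "__main__":
    print(unbound_forward_zones({"sld.tld": [p for p, _, _ in UPSTREAMS]}))

    async def main():
        servers = [await asyncio.start_server(
            lambda r, w, up=(h, p): _handle(r, w, up, SOCKS_PROXY), "127.0.0.1", lp)
            for lp, h, p in UPSTREAMS]
        await asyncio.gather(*(s.serve_forever() for s in servers))
    asyncio.run(main())
```

Binding the listeners to 127.0.0.1 gives the same local-only restriction as socat's `range=127.0.0.1/32`. Routing a zone through a different proxy is a matter of passing a different `proxy` tuple for that listener, which covers the "1st set of zones via 10.0.1.10:1080, 2nd set via 10.0.1.10:1081" question without extra Unbound instances. The TLS question in the thread is answered by later Unbound releases themselves (forward-tls-upstream with forward-addr IP@853#authname and tls-cert-bundle / tls-win-cert); a SOCKS relay like this one does not add encryption.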
