On Wed, 31 Oct 2012, Bry8 Star wrote:
Why don't you just tell unbound to use TCP only, and not UDP?
Then specify the forwarders using unbound-control? Then you
can even route that through tor.
Paul
Date: Thu, 1 Nov 2012 02:46:58
From: Bry8 Star <[email protected]>
To: [email protected]
Subject: Re: [Unbound-users] From Unbound To DNS Via SOCKS, and Choices
Hi Paul,
Thanks for the response. I was beginning to get
a sense that no one ever reads my postings at all.
I will contact him, if he had enough time to place
your patch in the unbound source code, and if I can
get hold of it for use from the Windows side.
Currently, in the unbound config file, when a zone
is pointing toward a specific name-server, for
example, like below:
forward-zone:
    name: "sld.tld"
    forward-addr: 62.141.58.13@110
# Then i have changed above lines like below:
forward-zone:
    name: "sld.tld"
    forward-addr: 127.0.0.1@58001
Then, by using the windows edition of "socat", I
placed command-line(s) like below inside a
batch .cmd / .bat file, to start the necessary
routing or forwarding:
@start "socat LH:58001 62.141.58.13 SP:1080" /D"%ProgramFiles%\socat\" socat.exe tcp4-listen:58001,bind=127.0.0.1,range=127.0.0.1/32,fork SOCKS4A:10.0.1.10:62.141.58.13:110,socksport=1080
(in above, from "@" to "=1080" is a single command line)
(a space character exists after these words:
start, SP:1080", socat\", .exe, fork)
Similarly (like the above command-line), I specified
a unique port for each unique DNS-Server, and
executed around 50 socat instances (from a
batch file), to forward all dns queries from
Unbound into different local SOCKS proxy
server(s), and sent DNS-queries toward different
(public & private) DNS-servers & name-servers.
Works fine, with complete DNSSEC support.
But I need to combine these into one or a lesser
number of "socat" instances,
or need support inside Unbound,
or need another tool which can efficiently
do this type of TCP-DNS-to-SOCKS traffic
routing.
And I also want to connect with (public and
private) DNS-servers (or name-servers) which
support TLS cert based/encrypted connections.
You may see below (in the previous email) where
I've mentioned these.
If anyone has worked/is working on these, please reply
to this posting.
Thanks in advance.
-- Bright Star (Bry8Star).
USERS: when you reply, make sure the "To:" field
has below email address:
[email protected]
Paul Wouters wrote:
Received on 2012-10-31 8:03 PM [GMT-08:00]:
On Wed, 31 Oct 2012, Bry8 Star wrote:
No one seems to be replying or understanding what i have
requested for, very strange !
In windows, no one found solution(s) ! ! ! for sending
DNS-queries (for specific dns-servers) from unbound toward a
socks-proxy-server ! ?
I gave Jake Applebaum a patch/configuration to test for using
unbound with tor using a SOCKS proxy. I never got feedback, but he
might still have the patch and config lying around for you.
Paul
trying to do this: [start] (1) local software --> (2) local
unbound --> --> (3) local socks-proxy/srvr --> (4)
socks-tunnel --> (5) Internet (My ISP) --> (6)
socks-(origin)-srvr --> (7) Internet (socks-origin-srvr's ISP)
--> (8) name-server/DNS-server. [End]
-- Bright Star (Bry8Star).
Bry8 Star wrote: Received on 2012-10-25 8:13 PM [GMT-08:00]:
Hi,
My (side) Scenario (Pre-Conditions) :
MyNet = My Local Network computers & devices.
SOCKS-Srvr = origin SOCKS-server on remote servr.
SOCKS-prxy = SOCKS-proxy-server = is local SOCKS forwarding proxy server.
Socks-Tnl = SOCKS-Tunnel = connection between (local) socks-proxy & (origin) socks-server.
SOCKS = is a type of gateway, a type of tunnel, a routing process between a client & a server.
(start from right most side "MyNet")
Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet
    ^
    |
    v
SOCKS-Srvr <-> remote local-netwrk (DNS)
    ^
    |
    v
SOCKS-Srvr <-> Internet <-> DNS-Servers
I have multiple SOCKS proxy servers (SOCKS v4a, v5), running
& listening on (a server computer): 10.0.1.10:1080 (ip:port),
10.0.1.10:1082 ... This gateway/server computer 10.0.1.10
has an instance of "Unbound" (01) DNS-Resolver running on
10.0.1.10:53:
interface: 10.0.1.10
port: 53
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 10.0.1.10/8 allow
Different socks tunnel ending on (aka, routed to) different
destination locations (which has the origin-SOCKS-server
gateway software), and ending/origin gateway computer there,
is connected with different ISP.
Need to use this 10.0.1.10:53 DNSSEC supported DNS-Resolver,
from all clients, (under my local network).
This DNS-Resolver must connect with destination DNS-Server(s)
or nameservers(NS) via different ISPs, which are connected at
the end of SOCKS tunnel.
Those destination Nameserver(s) (NS-DNS-Srv) ( or Recursive
dns-server(s) (Rc-DNS-Srv) or Authoritative dns-server(s)
(A-DNS-Srv) ) are able to work with both TCP & UDP DNS, and
listening on multiple ports 53, 110, 443, etc.
"Unbound" (01) (10.0.1.10:53) has multiple Forward and Stub
zones. Each forward or stub zone/domain has at least 4, (in
some cases 10), specific nameservers (or specific Rc-DNS-Srv,
or specific A-DNS-Srv).
I'm using at least 10 different sets of (custom/special)
zones, where each zone has from 4 to 10 (different)
nameservers.
stub-zone: # 01
    name: "custom-domain1.org"
    stub-host: ath-d1.namesrv-hostnam.org.
    stub-host: ath-d2.namesrv-hostnam.org.
    stub-host: ath-d3.namesrv-hostnam.org.
    stub-host: ath-d4.namesrv-hostnam.org.
...
forward-zone: # 10
    name: "custom-domain10.org"
    forward-addr: ath-namesrvr.37.ip.adrs
    forward-addr: ath-namesrvr.38.ip.adrs
    forward-addr: ath-namesrvr.39.ip.adrs
    forward-host: ath-namesrvr40-hostnam.org.
And, when a DNS-query does not match any of those
custom/special zones, then standard set of DNS-Servers are to
be used, like: Root DNS-Servers, TLD DNS-Servers, SLD (Second
Level Domain) DNS-Servers, HSP (Hosting Service Providers)
DNS-Servers, Public DNSSEC based DNS-Servers, etc, via
another SOCKS proxy:
forward-zone:
    name: "."
    forward-addr: 94.75.228.29     # GPF DNSSEC
    forward-addr: 149.20.64.20     # OARC DNSSEC
    forward-addr: 217.31.204.130   # CZ.NIC DNSSEC
    forward-addr: 198.41.0.4       # ROOT a USC-ISI
    forward-addr: 192.5.5.241      # ROOT f ICANN
    forward-addr: 192.58.128.30    # ROOT j
    forward-addr: 193.0.14.129     # ROOT k RIPE
    forward-addr: 199.7.83.42      # ROOT l
    forward-addr: 128.8.10.90      # ROOT d UniMaryland
    forward-addr: 192.36.148.17    # ROOT i
    forward-addr: 202.12.27.33     # ROOT m
    forward-addr: 128.63.2.53      # ROOT h
    forward-addr: 192.203.230.10   # ROOT e NASA
    forward-addr: 192.228.79.201   # ROOT
    forward-addr: 192.33.4.12      # ROOT
    forward-addr: 192.112.36.4     # ROOT
QUESTION(s):
Can I consider the existing "outgoing-interface:" option of
Unbound (below) as its outbound traffic binding or forcing
command/option?
How can i bind/force "Unbound" (01) (10.0.1.10:53) to use the
1st SOCKS proxy 10.0.1.10:1080 (IP:port) for resolving a 1st
set of zones ? (so that Unbound can connect with correct 1st
set of nameservers assigned for that 1st set of zones), And
how to resolve another/2nd set of zones via using another/2nd
SOCKS at 10.0.1.10:1081 ? (and allowing Unbound to connect
with another /2nd set of pre-assigned nameservers for that
2nd set of zones).
If there is a single command-line in "Unbound" to use/bind/force
outbound traffic to go through a SOCKS proxy, that will be best.
If not, then can anyone please point to / indicate
/ discuss / suggest what tools can be used to achieve such a
function: Unbound to socks proxy.
(NOT looking for a solution on Linux/Unix). (Looking for a
solution on Windows, the local "Unbound" (01) (10.0.1.10:53)
is running on Windows based computer).
if i have to run 5 "Unbound", even that type of solution is
also ok. but reduced Unbound instance will be better.
Is there a tool, which can accept all (incoming) traffic
coming (from Unbound) toward a network interface adapter's
(different ports & single) IP address, and can forward those
ports toward a (single ip:port based) SOCKS proxy server ?
what functions like TAP-to-SOCKS ?
if a tool can perform TUN-to-SOCKS function, then can such
tool be used for send all queries via SOCKS from Unbound, by
binding Unbound with that TUN's ip-address ?
for example, can an OpenSSH instance be run in L2/3 tun VPN
mode & forward tun ip-adrs traffic toward a SOCKS proxy ?
Can this below command/option "outgoing-port-permit:" be set
to use only 4 ports? like:
outgoing-port-permit: 53001-53004
or, even set to use only 1 port?
outgoing-port-permit: 53001-53001
What tool can allow to forward such traffic from Unbound to a SOCKS proxy?
Can I run an instance of OpenSSH to listen on a range of ports,
from 53001 to 53004 on ip-adrs 127.0.0.53 and forward those
toward a single SOCKS proxy at 10.0.1.10:1080? and, after
running OpenSSH, can I run & force Unbound to send outbound
traffic via:
outgoing-interface: 127.0.0.53
Will these four commands work? to force using only 1
outgoing port:
outgoing-range: 1
num-queries-per-thread: 1
outgoing-port-permit: 53001
outgoing-port-avoid: "1-53000,53002-65535"
Will those make the dns-resolving process very slow?
or, is there a tool which can function like DNS-to-SOCKS ?
how can it be used with Unbound ?
How can i specify in "Unbound" to use port 110 with a
DNS-Server, instead of port 53 ?
Can i specify SSL cert (server cert or CA/Root cert) for a
DNS-Server in Unbound ?
REFERENCES:
https://en.wikipedia.org/wiki/SOCKS
http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF.
http://www.inet.no/dante/doc/ Dante.
SOCKet Secure (SOCKS) is an Internet Protocol that routes
network packets between a client and server through a proxy
server. It works in Layer 5 (Session) of OSI.
OpenSSH: An "ad hoc" SOCKS proxy server can be created using
OpenSSH, and allows more flexible proxying than is possible
with ordinary port forwarding. http://www.openssh.com/
DynamicForward 10.0.1.10:1080 # will create a SOCKS on that
ip:port. GatewayPorts option allows wildcard address usage.
And tun-based VPN tunnel allowing applications to
transparently access remote network resources without
"socksification" is now possible via OpenSSH.
--Bright Star (Bry8Star).
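The single-process relay asked for above (one listener per upstream instead of around 50 socat instances, and a concrete answer to the "DNS-to-SOCKS" question), written as an added example; it is not code from this thread or from the Unbound project. It speaks SOCKS5 (RFC 1928, cited in the references) rather than the SOCKS4A that socat was given, so it can hand either an IP literal or a hostname to the proxy, the hostname being resolved by the proxy and never by the local host. The ROUTES table, the hostname dns.example.net and the second proxy port 1082 are constructed assumptions; Unbound is pointed at it exactly as in the reply (forward-addr: 127.0.0.1@58001) and must be set to TCP (tcp-upstream: yes), since a SOCKS CONNECT carries TCP only. Unbound's DNSSEC validation still protects signed answers that cross the proxy, but the proxy operator sees every query in clear, which is what the TLS question above is about.

```python
import asyncio
import functools
import ipaddress
import struct

# Constructed routing table (an assumption for this example, not from the thread):
# local port that Unbound forwards to -> (upstream resolver, its port, SOCKS5 proxy).
# Unbound side for the first entry: forward-addr: 127.0.0.1@58001 (with tcp-upstream: yes)
ROUTES = {
    58001: ("62.141.58.13", 110, ("10.0.1.10", 1080)),
    58002: ("dns.example.net", 53, ("10.0.1.10", 1082)),  # hostname: the proxy resolves it
}

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_greeting() -> bytes:
    """Client greeting offering a single method: no authentication (RFC 1928 section 3)."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT request. IP literals go as ATYP 1/4; anything else is sent as a
    domain name (ATYP 3) so the proxy resolves it and no lookup leaks from this host."""
    try:
        addr = ipaddress.ip_address(host)
        dst = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def socks5_reply_status(data: bytes) -> int:
    """Validate a complete SOCKS5 reply and return its REP code (0 = succeeded)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        expected = 4 + 4 + 2
    elif atyp == ATYP_IPV6:
        expected = 4 + 16 + 2
    elif atyp == ATYP_DOMAIN and len(data) > 4:
        expected = 5 + data[4] + 2
    else:
        raise ValueError("unknown or truncated ATYP field")
    if len(data) != expected:
        raise ValueError("reply length does not match ATYP")
    return rep


async def read_socks5_reply(reader: asyncio.StreamReader) -> int:
    """Read exactly one SOCKS5 reply from the proxy and return its REP code."""
    head = await reader.readexactly(4)
    atyp = head[3]
    if atyp == ATYP_DOMAIN:
        head += await reader.readexactly(1)
        rest = head[4] + 2
    elif atyp == ATYP_IPV4:
        rest = 6
    elif atyp == ATYP_IPV6:
        rest = 18
    else:
        raise ValueError("unknown ATYP in reply")
    return socks5_reply_status(head + await reader.readexactly(rest))


async def pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF. DNS over TCP is already length-prefixed
    (RFC 1035 section 4.2.2), so the relay never has to parse DNS messages."""
    try:
        while chunk := await src.read(4096):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()


async def handle_client(local_port: int, client_r: asyncio.StreamReader,
                        client_w: asyncio.StreamWriter) -> None:
    dest_host, dest_port, (proxy_host, proxy_port) = ROUTES[local_port]
    try:
        proxy_r, proxy_w = await asyncio.open_connection(proxy_host, proxy_port)
        proxy_w.write(socks5_greeting())
        await proxy_w.drain()
        ver, method = await proxy_r.readexactly(2)
        if ver != SOCKS_VERSION or method != NO_AUTH:
            raise ConnectionError("proxy rejected the no-auth method")
        proxy_w.write(socks5_connect_request(dest_host, dest_port))
        await proxy_w.drain()
        if (rep := await read_socks5_reply(proxy_r)) != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep}")
    except (OSError, asyncio.IncompleteReadError, ValueError):
        # Drop the client connection: Unbound then treats this forwarder as
        # unreachable and retries the next forward-addr instead of hanging.
        client_w.close()
        return
    await asyncio.gather(pipe(client_r, proxy_w), pipe(proxy_r, client_w))


async def main() -> None:
    servers = [await asyncio.start_server(functools.partial(handle_client, port),
                                          "127.0.0.1", port) for port in ROUTES]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    asyncio.run(main())
```

Each listener is bound to 127.0.0.1 only, matching the socat `bind=127.0.0.1,range=127.0.0.1/32` restriction, so nothing off the box can use the relay as an open proxy. A failed SOCKS handshake closes the client side rather than leaving it open, which is what lets Unbound fall back to the other forward-addr entries of the zone.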
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users