(Paul, sorry, I did not understand what you were indicating.) Unbound was already configured to support local UDP and TCP DNS queries, and to use only TCP DNS for upstream outbound queries to Internet name-servers, DNS-servers, private remote name-servers, etc. (which I have mentioned previously). Then I changed only the name-server(s) & DNS-server(s) inside the unbound.conf/service.conf file, to a unique local port each, and placed a "socat" port forwarder & socksifier (toward the actual name-server/DNS-server) on each of those unique ports.
Since I've not enabled the remote-control section/feature in local Unbound, I guess unbound-control will probably not work. If the remote-control feature is turned on in Unbound, and unbound-control is then used, can a SOCKS proxy like 10.0.1.10:1080 be specified? Or can a Tor SOCKS proxy like 10.0.1.10:9050 be specified? (If a Tor SOCKS proxy is to be used, then I MUST use TLS-encrypted tunnels (to the destination name-server(s), DNS-server(s)); I think that will require further modification of the interconnecting configurations of these components.) Does a feature exist in Unbound to specify an SSL/TLS cert for connecting with each/specific DNS-server(s), and then send DNS queries? (Please assume these DNS-servers support DNS queries via TLS-encrypted connections on their TCP port 443.) Or must I use the SSL/TLS cert (used by the DNS-server) with "socat" to get encrypted tunnels? (Currently I have no choice but to use such/socat for encrypted tunnels.)

-- Bright Star (Bry8Star).

Note to Users: when you reply, make sure the "To:" field has below email address: [email protected]

Paul Wouters wrote: Received on 2012-11-01 6:39 AM [GMT-08:00]:
> On Wed, 31 Oct 2012, Bry8 Star wrote:
>
> Why don't you just tell unbound to use TCP only, and not UDP?
>
> Then specify the forwarders using unbound-control? Then you can
> even route that through tor.
>
> Paul
>
>> Date: Thu, 1 Nov 2012 02:46:58
>> From: Bry8 Star <[email protected]>
>> To: [email protected]
>> Subject: Re: [Unbound-users] From Unbound To DNS Via SOCKS, and Choices
>>
>> Hi Paul, thanks for the response. Was beginning to get a sense
>> that no one ever reads my postings at all.
>>
>> I will contact him, if he had enough time to place your patch
>> with the unbound source code, and if I can get a hold on such for
>> using from the Windows side.
>>
>> Currently, in the unbound config file, when a zone is pointing
>> toward a specific name-server, for example, like below:
>>
>> forward-zone:
>>   name: "sld.tld"
>>   forward-addr: 62.141.58.13@110
>>
>> # Then I have changed the above lines like below:
>> forward-zone:
>>   name: "sld.tld"
>>   forward-addr: 127.0.0.1@58001
>>
>> Then, by using the Windows edition of "socat", placed
>> command-line(s) like below inside a batch .cmd / .bat file, to
>> start the necessary routing or forwarding:
>>
>> @start "socat LH:58001 62.141.58.13 SP:1080" /D"%ProgramFiles%\socat\" socat.exe tcp4-listen:58001,bind=127.0.0.1,range=127.0.0.1/32,fork SOCKS4A:10.0.1.10:62.141.58.13:110,socksport=1080
>>
>> (in the above, from "@" to "=1080" is a single command line) (a
>> space character exists after these words: start, SP:1080",
>> socat\", .exe, fork)
>>
>> Similarly (like the above command-line), specified a unique port for
>> each unique DNS-Server, and I've executed around 50 socat
>> instances (from a batch file), to forward all dns queries from
>> Unbound, inside different local SOCKS proxy server(s), and sent
>> DNS-queries toward different (public & private) DNS-servers &
>> name-servers.
>>
>> Works fine, with complete DNSSEC support.
>>
>> But need to combine these into one or a lesser number of "socat"
>> instances. Or, need support inside Unbound. Or, need another
>> tool which can efficiently do this type of TCP-DNS-to-SOCKS
>> traffic routing.
>>
>> And also want to connect with (public and private) DNS-servers
>> (or name-servers) which support TLS cert based/encrypted
>> connections. You may see below (in the previous email) where I've
>> mentioned these.
>>
>> If anyone worked/is working on these, pls reply on this posting.
>> Thanks in advance.
>>
>> -- Bright Star (Bry8Star).
>>
>> USERS: when you reply, make sure the "To:" field has below
>> email address: [email protected]
>>
>>
>>
>> Paul Wouters wrote: Received on 2012-10-31 8:03 PM [GMT-08:00]:
>>> On Wed, 31 Oct 2012, Bry8 Star wrote:
>>>
>>>> No one seems to be replying or understanding what I have
>>>> requested, very strange !
>>>>
>>>> In Windows, no one found solution(s) ! ! ! for sending
>>>> DNS-queries (for specific dns-servers) from unbound toward
>>>> a socks-proxy-server ! ?
>>>
>>> I gave Jake Applebaum a patch/configuration to test for
>>> using unbound with tor using a SOCKS proxy. I never got
>>> feedback, but he might still have the patch and config lying
>>> around for you.
>>>
>>> Paul
>>>
>>>> Trying to do this: [start] (1) local software --> (2)
>>>> local unbound --> --> (3) local socks-proxy/srvr --> (4)
>>>> socks-tunnel --> (5) Internet (My ISP) --> (6)
>>>> socks-(origin)-srvr --> (7) Internet (socks-origin-srvr's
>>>> ISP) --> (8) name-server/DNS-server. [End]
>>>>
>>>> -- Bright Star (Bry8Star).
>>>>
>>>>
>>>>
>>>> Bry8 Star wrote: Received on 2012-10-25 8:13 PM [GMT-08:00]:
>>>>> Hi,
>>>>>
>>>>> My (side) Scenario (Pre-Conditions) :
>>>>>
>>>>> MyNet = My Local Network computers & devices.
>>>>> SOCKS-Srvr = origin SOCKS-server on remote server.
>>>>> SOCKS-prxy = SOCKS-proxy-server = is local SOCKS forwarding proxy server.
>>>>> Socks-Tnl = SOCKS-Tunnel = connection between (local) socks-proxy & (origin) socks-server.
>>>>> SOCKS = is a type of gateway, a type of tunnel, a routing process between a client & a server.
>>>>>
>>>>> (start from the right-most side, "MyNet")
>>>>>
>>>>> Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet.
>>>>>   A
>>>>>   |
>>>>>   V
>>>>>   --> SOCKS-Srvr <-> remote local-network (DNS).
>>>>>   A
>>>>>   |
>>>>>   V
>>>>>   --> SOCKS-Srvr <-> Internet <-> DNS-Servers.
>>>>>
>>>>>
>>>>> I have multiple SOCKS proxy servers (SOCKS v4a, v5),
>>>>> running & listening on (a server computer):
>>>>>   10.0.1.10:1080 (ip:port)
>>>>>   10.0.1.10:1082
>>>>>   ...
>>>>> This gateway/server computer 10.0.1.10 has an instance of
>>>>> "Unbound" (01) DNS-Resolver running on 10.0.1.10:53:
>>>>>
>>>>>   interface: 10.0.1.10
>>>>>   port: 53
>>>>>   access-control: 0.0.0.0/0 refuse
>>>>>   access-control: ::0/0 refuse
>>>>>   access-control: 10.0.1.10/8 allow
>>>>>
>>>>> Different socks tunnels end on (aka, are routed to)
>>>>> different destination locations (which have the
>>>>> origin-SOCKS-server gateway software), and the ending/origin
>>>>> gateway computer there is connected with a different ISP.
>>>>>
>>>>> Need to use this 10.0.1.10:53 DNSSEC-supported
>>>>> DNS-Resolver from all clients (under my local network).
>>>>>
>>>>> This DNS-Resolver must connect with the destination
>>>>> DNS-Server(s) or nameservers (NS) via different ISPs,
>>>>> which are connected at the end of the SOCKS tunnels.
>>>>>
>>>>> Those destination Nameserver(s) (NS-DNS-Srv) (or
>>>>> Recursive dns-server(s) (Rc-DNS-Srv) or Authoritative
>>>>> dns-server(s) (A-DNS-Srv)) are able to work with both
>>>>> TCP & UDP DNS, and are listening on multiple ports 53, 110,
>>>>> 443, etc.
>>>>>
>>>>> "Unbound" (01) (10.0.1.10:53) has multiple Forward and
>>>>> Stub zones. Each forward or stub zone/domain has at least
>>>>> 4 (in some cases 10) specific nameservers (or specific
>>>>> Rc-DNS-Srv, or specific A-DNS-Srv).
>>>>>
>>>>> I'm using at least 10 different sets of (custom/special)
>>>>> zones, where each zone has from 4 to 10 (different)
>>>>> nameservers.
>>>>>
>>>>>   stub-zone: # 01
>>>>>     name: "custom-domain1.org"
>>>>>     stub-host: ath-d1.namesrv-hostnam.org.
>>>>>     stub-host: ath-d2.namesrv-hostnam.org.
>>>>>     stub-host: ath-d3.namesrv-hostnam.org.
>>>>>     stub-host: ath-d4.namesrv-hostnam.org.
>>>>>   ...
>>>>>   forward-zone: # 10
>>>>>     name: "custom-domain10.org"
>>>>>     forward-addr: ath-namesrvr.37.ip.adrs
>>>>>     forward-addr: ath-namesrvr.38.ip.adrs
>>>>>     forward-addr: ath-namesrvr.39.ip.adrs
>>>>>     forward-host: ath-namesrvr40-hostnam.org.
>>>>>
>>>>> And, when a DNS-query does not match any of those
>>>>> custom/special zones, then the standard set of DNS-Servers
>>>>> is to be used, like: Root DNS-Servers, TLD DNS-Servers,
>>>>> SLD (Second Level Domain) DNS-Servers, HSP (Hosting
>>>>> Service Providers) DNS-Servers, Public DNSSEC-based
>>>>> DNS-Servers, etc., via another SOCKS proxy:
>>>>>
>>>>>   forward-zone:
>>>>>     name: "."
>>>>>     forward-addr: 94.75.228.29    # GPF DNSSEC
>>>>>     forward-addr: 149.20.64.20    # OARC DNSSEC
>>>>>     forward-addr: 217.31.204.130  # CZ.NIC DNSSEC
>>>>>     forward-addr: 198.41.0.4      # ROOT a USC-ISI
>>>>>     forward-addr: 192.5.5.241     # ROOT f ICANN
>>>>>     forward-addr: 192.58.128.30   # ROOT j
>>>>>     forward-addr: 193.0.14.129    # ROOT k RIPE
>>>>>     forward-addr: 199.7.83.42     # ROOT l
>>>>>     forward-addr: 128.8.10.90     # ROOT d UniMaryland
>>>>>     forward-addr: 192.36.148.17   # ROOT i
>>>>>     forward-addr: 202.12.27.33    # ROOT m
>>>>>     forward-addr: 128.63.2.53     # ROOT h
>>>>>     forward-addr: 192.203.230.10  # ROOT e NASA
>>>>>     forward-addr: 192.228.79.201  # ROOT
>>>>>     forward-addr: 192.33.4.12     # ROOT
>>>>>     forward-addr: 192.112.36.4    # ROOT
>>>>>
>>>>>
>>>>> QUESTION(s):
>>>>>
>>>>> Can I consider the existing "outgoing-interface:" command
>>>>> of Unbound (below) as its outbound traffic binding or forcing
>>>>> command/option?
>>>>>
>>>>> How can I bind/force "Unbound" (01) (10.0.1.10:53) to use
>>>>> the 1st SOCKS proxy 10.0.1.10:1080 (IP:port) for
>>>>> resolving a 1st set of zones? (so that Unbound can
>>>>> connect with the correct 1st set of nameservers assigned for
>>>>> that 1st set of zones). And how to resolve another/2nd
>>>>> set of zones via using another/2nd SOCKS at
>>>>> 10.0.1.10:1081? (and allowing Unbound to connect with
>>>>> another/2nd set of pre-assigned nameservers for that 2nd
>>>>> set of zones).
>>>>>
>>>>> If there is a one-line command in "Unbound" to
>>>>> use/bind/force outbound traffic to go through a SOCKS proxy,
>>>>> that will be best.
>>>>>
>>>>> If not, then can anyone please point to/indicate/discuss/suggest
>>>>> what tools can be used to achieve such a function: Unbound to
>>>>> SOCKS proxy.
>>>>>
>>>>> (NOT looking for a solution on Linux/Unix). (Looking for
>>>>> a solution on Windows; the local "Unbound" (01)
>>>>> (10.0.1.10:53) is running on a Windows-based computer).
>>>>>
>>>>> If I have to run 5 "Unbound", even that type of solution
>>>>> is also ok, but a reduced number of Unbound instances will be better.
>>>>>
>>>>> Is there a tool which can accept all (incoming) traffic
>>>>> coming (from Unbound) toward a network interface
>>>>> adapter's (different ports & single) IP address, and can
>>>>> forward those ports toward a (single ip:port based) SOCKS
>>>>> proxy server? What functions like TAP-to-SOCKS?
>>>>>
>>>>> If a tool can perform a TUN-to-SOCKS function, then can
>>>>> such a tool be used to send all queries via SOCKS from
>>>>> Unbound, by binding Unbound to that TUN's ip-address?
>>>>>
>>>>> For example, can an OpenSSH instance be run in L2/3 tun
>>>>> VPN mode & forward tun ip-address traffic toward a SOCKS
>>>>> proxy?
>>>>>
>>>>> Can this below command/option "outgoing-port-permit:" be
>>>>> set to use only 4 ports? like:
>>>>>   outgoing-port-permit: 53001-53004
>>>>> or, even set to use only 1 port?
>>>>>   outgoing-port-permit: 53001-53001
>>>>> What tool can allow forwarding such traffic from Unbound to a
>>>>> SOCKS proxy?
>>>>>
>>>>> Can I run an instance of OpenSSH to listen on a range of
>>>>> ports, from 53001 to 53004 on ip-address 127.0.0.53, and
>>>>> forward those toward a single SOCKS proxy at
>>>>> 10.0.1.10:1080? And, after running OpenSSH, can I run &
>>>>> force Unbound to send outbound traffic via:
>>>>>   outgoing-interface: 127.0.0.53
>>>>>
>>>>>
>>>>> Will these four commands work?
>>>>> to force using only 1 outgoing port:
>>>>>   outgoing-range: 1
>>>>>   num-queries-per-thread: 1
>>>>>   outgoing-port-permit: 53001
>>>>>   outgoing-port-avoid: "1-53000,53002-65535"
>>>>> Will those slow down the dns-resolving process very much?
>>>>>
>>>>> Or, is there a tool which can function like DNS-to-SOCKS?
>>>>> How can it be used with Unbound?
>>>>>
>>>>> How can I specify in "Unbound" to use port 110 with a
>>>>> DNS-Server, instead of port 53?
>>>>>
>>>>> Can I specify an SSL cert (server cert or CA/Root cert) for
>>>>> a DNS-Server in Unbound?
>>>>>
>>>>>
>>>>> REFERENCES:
>>>>>
>>>>> https://en.wikipedia.org/wiki/SOCKS
>>>>> http://tools.ietf.org/html/rfc1928  SOCKS5 at IETF.
>>>>> http://www.inet.no/dante/doc/  Dante.
>>>>>
>>>>> SOCKet Secure (SOCKS) is an Internet Protocol that
>>>>> routes network packets between a client and server
>>>>> through a proxy server. It works in Layer 5 (Session) of
>>>>> OSI.
>>>>>
>>>>> OpenSSH: An "ad hoc" SOCKS proxy server can be created
>>>>> using OpenSSH, and allows more flexible proxying than is
>>>>> possible with ordinary port forwarding.
>>>>> http://www.openssh.com/
>>>>>   DynamicForward 10.0.1.10:1080  # will create a SOCKS on that ip:port.
>>>>> The GatewayPorts option allows wildcard address usage. And a
>>>>> tun-based VPN tunnel allowing applications to transparently
>>>>> access remote network resources without "socksification" is now
>>>>> possible via OpenSSH.
>>>>>
>>>>> --Bright Star (Bry8Star).
>>>>>
>>>>> _______________________________________________
>>>>> Unbound-users mailing list
>>>>> [email protected]
>>>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>>>>
>>>>
>>>>
>>
>>
signature.asc
Description: OpenPGP digital signature
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
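The single-process TCP-DNS-to-SOCKS relay the thread keeps asking for, as an added example written for this page; it is not code from the thread, from socat, or from Unbound. It keeps the thread's scheme (Unbound has `forward-addr: 127.0.0.1@<port>` entries, one local port per real nameserver) but replaces the ~50 socat instances with one process that listens on every mapped port and opens each connection through one SOCKS5 proxy with a CONNECT request (RFC 1928, which the thread cites), speaking the handshake itself. The UPSTREAMS table and the `dns.example.net` entry are constructed for illustration; 10.0.1.10:1080 and 62.141.58.13:110 are the addresses from the thread. It assumes Unbound is configured with `tcp-upstream: yes`, because SOCKS4a/SOCKS5 CONNECT carries TCP only, and it does not add TLS, which is the thread's separate question. Hostname upstreams are sent as SOCKS5 ATYP 3 (domain name) so the proxy, not the local host, resolves them, the same "remote DNS" behaviour the thread's SOCKS4A socat line relied on.

```python
"""Single-process TCP-DNS-to-SOCKS5 relay (added example, not from the thread).

Each local 127.0.0.1:<port> that Unbound forwards to (forward-addr: 127.0.0.1@<port>)
is relayed to one real nameserver through one SOCKS5 proxy via CONNECT (RFC 1928).
Assumes Unbound runs with tcp-upstream: yes; SOCKS CONNECT carries TCP only.
"""
import asyncio
import socket
import struct

# Constructed mapping: local port -> (upstream host, upstream port).
# 58001 mirrors the thread's socat line (62.141.58.13 port 110); 58002 is made up.
UPSTREAMS = {
    58001: ("62.141.58.13", 110),
    58002: ("dns.example.net", 443),   # hostname: resolved by the proxy, not locally
}
SOCKS_PROXY = ("10.0.1.10", 1080)      # assumed SOCKS5 proxy address (from the thread)


def build_socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT request: VER=5 CMD=1 RSV=0 ATYP ADDR PORT.
    IPv4/IPv6 literals use ATYP 1/4; anything else is sent as a domain name
    (ATYP 3) so the proxy does the resolution and nothing leaks locally."""
    for family, atyp in ((socket.AF_INET, 1), (socket.AF_INET6, 4)):
        try:
            return bytes([5, 1, 0, atyp]) + socket.inet_pton(family, host) + struct.pack("!H", port)
        except OSError:
            continue
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return bytes([5, 1, 0, 3, len(name)]) + name + struct.pack("!H", port)


def build_socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT (what the thread's socat line used): dest IP 0.0.0.1
    tells the proxy that a NUL-terminated hostname follows the user-id."""
    return (b"\x04\x01" + struct.pack("!H", port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + host.encode("idna") + b"\x00")


def socks5_reply_len(head: bytes) -> int:
    """Total length of a SOCKS5 reply given its first 5 bytes (VER REP RSV ATYP + 1)."""
    atyp = head[3]
    if atyp == 1:
        return 4 + 4 + 2
    if atyp == 4:
        return 4 + 16 + 2
    if atyp == 3:
        return 4 + 1 + head[4] + 2
    raise ValueError(f"bad ATYP {atyp}")


async def socks5_open(host: str, port: int):
    """Open a TCP stream to host:port through SOCKS_PROXY; returns (reader, writer)."""
    r, w = await asyncio.open_connection(*SOCKS_PROXY)
    w.write(b"\x05\x01\x00")                      # greeting: one method, no-auth
    await w.drain()
    if await r.readexactly(2) != b"\x05\x00":
        w.close()
        raise ConnectionError("proxy refused no-auth")
    w.write(build_socks5_connect(host, port))
    await w.drain()
    head = await r.readexactly(5)
    if head[1] != 0:                              # REP != succeeded
        w.close()
        raise ConnectionError(f"SOCKS5 CONNECT failed, REP={head[1]}")
    await r.readexactly(socks5_reply_len(head) - 5)   # discard BND.ADDR / BND.PORT
    return r, w


async def pump(src, dst):
    """Byte-transparent copy; DNS-over-TCP is 2-byte length framed, so no parsing needed."""
    try:
        while data := await src.read(65536):
            dst.write(data)
            await dst.drain()
    finally:
        dst.close()


async def handle(local_port, reader, writer):
    """One Unbound TCP connection -> one SOCKS CONNECT to the mapped upstream."""
    host, port = UPSTREAMS[local_port]
    try:
        up_r, up_w = await socks5_open(host, port)
    except (OSError, ConnectionError):
        writer.close()                            # Unbound sees a closed socket and retries/fails over
        return
    await asyncio.gather(pump(reader, up_w), pump(up_r, writer))


async def main():
    servers = [await asyncio.start_server(lambda r, w, p=p: handle(p, r, w), "127.0.0.1", p)
               for p in UPSTREAMS]
    await asyncio.gather(*(s.serve_forever() for s in servers))


if __name__ == "__main__":
    asyncio.run(main())
```

Because the relay never touches the DNS payload, Unbound still does the DNSSEC validation exactly as it did behind socat; the only thing that changes is that one process holds all the listeners. A failed CONNECT closes the client socket immediately rather than hanging, so Unbound's own timeout and fail-over to the next forward-addr still work.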
