On Thu, 1 Nov 2012, Bry8 Star wrote:
> unbound was already configured to support
> local UDP and TCP DNS queries, and to use only
> TCP DNS for upstream outbound queries with
> Internet name-servers, DNS-Servers, private
> remote name-servers, etc (which I have
> mentioned previously).
> Then I changed only the name-server(s) & DNS-Server(s)
> inside the unbound.conf/service.conf file, each with a unique
> local port, and placed a "socat" port forwarder
> & socksifier (toward the actual name-server/DNS-server)
> on each of those unique ports.
> Since I've not enabled the remote control
> section/feature in local unbound, I guess
> unbound-control will probably not work.
You can configure forwarders in unbound.conf as well.
With unbound only doing TCP sessions, you should be able to do it all over
tor or SOCKS proxies.
> Does a feature exist in Unbound to specify an
> SSL/TLS cert for connecting with each/specific
> DNS-Server(s), and then send DNS queries?
> (Please assume these DNS-Servers support DNS queries
> via TLS-encrypted connections on their TCP port
> 443.)
Yes, unbound can talk to unbound servers using TLS/SSL, but it will not
perform any validation of the PKIX certificates. It assumes that
important data obtained this way is protected by DNSSEC.
For example, if you configure this in unbound running on a server:
# service clients over SSL (on the TCP sockets), with plain DNS inside
# the SSL stream. Give the certificate to use and private key.
# default is "" (disabled). requires restart to take effect.
# ssl-service-key: "path/to/privatekeyfile.key"
# ssl-service-pem: "path/to/publiccertfile.pem"
# ssl-port: 443
Then you can configure this on the client:
# request upstream over SSL (with plain DNS inside the SSL stream).
# Default is no. Can be turned on and off with unbound-control.
# ssl-upstream: no
This is what "dnssec-trigger" configures using unbound-control when it
needs to use DNS over TLS via unbound. It uses one of these servers:
# Provided by fedoraproject.org, #fedora-admin
# It is provided on a best effort basis, with no service guarantee.
ssl443: 80.239.156.220 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 80.239.156.220
ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 66.35.62.163
ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 152.19.134.150
ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9
# provided by Paul Wouters ([email protected])
# It is provided on a best effort basis, with no service guarantee.
# tcp80: 193.110.157.123
# tcp80: 2001:888:2003:1004::123
# ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
# ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
# provided by NLnetLabs (www.nlnetlabs.nl)
# It is provided on a best effort basis, with no service guarantee.
# tcp80: 213.154.224.3
# tcp80: 2001:7b8:206:1:bb::
# ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
# ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
You can use those for testing as well; I believe you will need something
like:
unbound-control set_option ssl-upstream: yes
unbound-control forward_add . 193.110.157.123
Paul
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
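Worked example, added here and not part of the thread or of the Unbound or dnssec-trigger projects: a POSIX shell script that takes a server list in the dnssec-trigger format quoted above (the NLnetLabs entries, which appear commented out in the post, are used as constructed input) and turns it into the unbound-control commands Paul suggests, with the "@443" port suffix that forward_add accepts, plus the static unbound.conf forward-zone equivalent for a resolver like Bry8 Star's where remote-control is disabled. Two caveats a practitioner wants are built in: ssl-upstream is a global switch, so once it is on only the ssl443 servers may be added (a tcp80 entry would be contacted with TLS on port 80 and fail); and since Unbound, as stated in the reply, does no PKIX validation of the upstream certificate, the published SHA-256 fingerprint is the only thing tying a TLS forwarder to its operator, so ssl443 entries without a well-formed one are dropped and a check_pin helper compares the live certificate against the pin out of band. All function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, Unbound or dnssec-trigger): convert a
# dnssec-trigger style server list into Unbound forwarder configuration.

# Constructed input: the NLnetLabs entries from the post, one server per line,
# "<type>: <address> [<SHA-256 certificate fingerprint>]".
SERVER_LIST='ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
tcp80: 213.154.224.3
ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
tcp80: 2001:7b8:206:1:bb::'

# dnssec-trigger's type keyword encodes the port Unbound must connect to.
port_for_type() {
  case "$1" in
    ssl443) echo 443 ;;
    tcp80)  echo 80 ;;
    *)      return 1 ;;
  esac
}

# A SHA-256 fingerprint is 32 colon-separated upper-case hex octets.
valid_fingerprint() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$'
}

# Print "address fingerprint" pairs for one server type.  Unbound itself
# (per the reply) does not validate the upstream certificate, so the pin is
# the only operator binding we have: an ssl443 entry with a missing or
# malformed fingerprint is dropped rather than forwarded to.
servers_of_type() {
  want="$1"
  printf '%s\n' "$SERVER_LIST" | while IFS=' ' read -r kind addr fp; do
    [ "${kind%:}" = "$want" ] || continue
    if [ "$want" = ssl443 ] && ! valid_fingerprint "$fp"; then
      echo "skipping $addr: missing or malformed fingerprint" >&2
      continue
    fi
    printf '%s %s\n' "$addr" "$fp"
  done
}

# unbound-control commands for a running resolver.  ssl-upstream is global,
# so only ssl443 servers are added once it is switched on.
control_commands() {
  port=$(port_for_type ssl443)
  echo 'unbound-control set_option ssl-upstream: yes'
  servers_of_type ssl443 | while read -r addr fp; do
    printf 'unbound-control forward_add . %s@%s\n' "$addr" "$port"
  done
}

# Static unbound.conf equivalent for a resolver without remote-control.
client_conf() {
  port=$(port_for_type ssl443)
  printf 'server:\n    ssl-upstream: yes\nforward-zone:\n    name: "."\n'
  servers_of_type ssl443 | while read -r addr fp; do
    printf '    forward-addr: %s@%s\n' "$addr" "$port"
  done
}

# Out-of-band pin check (needs network access and openssl, so it is not
# exercised offline): fetch the server certificate and compare its SHA-256
# fingerprint with the published one before handing the address to Unbound.
check_pin() {
  addr="$1"; expected="$2"
  command -v openssl >/dev/null || { echo "openssl not found" >&2; return 2; }
  case "$addr" in *:*) host="[$addr]" ;; *) host="$addr" ;; esac
  seen=$(openssl s_client -connect "$host:443" </dev/null 2>/dev/null |
         openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//')
  [ "$seen" = "$expected" ]
}

# Stand-alone run: print both forms.
control_commands
echo
client_conf
```

Run it as-is to see the two forms; to pin a server first, call for example `check_pin 213.154.224.3 DC:22:...:9F` and only feed the address to Unbound when it returns 0.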