Found a good choice for routing/forwarding DNS query network packets from any DNS server/resolver software toward the destination DNS server via SOCKS servers/proxies.

This tool, "DNS2SOCKS", from http://sourceforge.net/projects/dns2socks/ was authored/developed by "ghostmaker". It is executed like this:

    DNS2SOCKS.exe [/q] [Socks5ServIP[:Port]] [DNSServIP[:Port]] [ListenIP[:Port]]

    ListenIP     = localhost IP address 127.0.0.1
    DNSServIP    = destination DNS server's IP address
    Socks5ServIP = SOCKS 4a/5 server/proxy IP address
    /q           = hide the console window

It can use local TCP & UDP both, and uses TCP with the destination DNS server via the SOCKS tunnel. Tested via regular SOCKS proxies and via Tor proxy; works super great. DNSSEC queries WORK :) :-) It can cache DNS answers and answer from cache.

I've applied it like this:

Flow Diagram: Local Unbound --> (unbound configured to use specific local port(s) for each specific destination DNS server(s) for each forward/stub zone) --> local DNS2SOCKS --> local SOCKS proxy (or Tor SOCKS proxy) --> Internet (socks tunnel) --> SOCKS origin server (or Tor exit node) --> Internet --> destination DNS server (or name server).

See my previous email/posting done on 2012-10-31 (y-m-d) where I've shown how I've used the simple "socat" tool for listening on certain localhost (LH) ports, and routed/relayed received packets from those LH ports inside SOCKS tunnels. And also see the unbound.conf or service.conf file's configuration command-lines, which were configured to forward DNS queries toward a certain/specific local LH@port DNS server, instead of forwarding DNS queries directly toward the actual destination DNS server. Then DNS2SOCKS was configured to relay/forward/route DNS queries toward the actual destination DNS server, via SOCKS tunnels/proxies.

I used a batch file (.cmd or .bat) with around fifty dns2socks command-lines placed in it, similar to below:

    @start "dns2socks LH:1080 62.141.59.13:53 LH:58001" /D"%ProgramFiles%\dns2socks\" DNS2SOCKS.exe 127.0.0.1:1080 62.141.58.13:53 127.0.0.1:58001 /q
    ...
    @start "dns2socks LH:9050 Other.DNS.Srvr.IP:53 LH:58050" /D"%ProgramFiles%\dns2socks\" DNS2SOCKS.exe 127.0.0.1:9050 Other.DNS.Srvr.IP:53 127.0.0.1:58050 /q
    @rem each command starts with @start and ends with /q

So this (DNS2SOCKS) is another option/choice other than the "socat" tool.

--
Bright Star (Bry8Star).

Bry8 Star wrote: Received on 2012-11-02 5:17 PM [GMT-08:00]:
> Hi Paul, Thanks again.
>
>> unbound-control set_option ssl-upstream: yes
>> unbound-control forward_add . 193.110.157.123
>
> So my understanding is, one "Unbound" can use only one set of upstream/outbound TLS/SSL cert/keys to connect with another unbound instance,
> but more than one set of cert/keys cannot be specified in one "Unbound".
>
> Whereas, I wanted to use a different type of cert for a different type of DNS server/name server (which are using different DNS server software, which supports TLS/SSL encrypted & secured connections).
>
> Since I'm trying to connect securely with different DNS servers/name servers, which are using different DNS server/resolver software and different cert/keys, one unbound will (most likely) not be able to connect with all at the same time.
>
> So alternatively, can this be done?
>
> If multiple instances of Unbound are executed, and if each uses only one set of cert/keys to connect with only one group of DNS server(s) (from one service provider/location) which supports that specific cert/keys, and then, if all of these "secondary"/"slave" Unbound instances are queried from another "master"/"primary" Unbound, then such a design may work?
>
> Flow Diagram:
> Primary-Unbound --> connecting toward multiple local ports, where each local port is connected with a different "secondary" Unbound
>   --> secondary-Unbound (port 59001), using TLS/SSL cert compatible with specific DNS-Server [01] (80.239.156.220) --> SOCKS-proxy --> socks tunnel --> Internet --> Socks-server --> Internet --> DNS-Server [01] (80.239.156.220)
>   --> secondary-Unbound (port 59002), using TLS/SSL cert compatible with specific DNS-Server [02] (213.154.224.3) --> SOCKS-proxy --> socks tunnel --> Internet --> Socks-server --> Internet --> DNS-Server [02] (213.154.224.3)
>   --> ... and so on.
>
> Question is mentioned above.
>
> --
> Bright Star (Bry8Star).
>
> Note For USERS: When You Reply, Pls Make Sure the "To:" field has the below email-address: [email protected]
>
> Paul Wouters wrote: Received on 2012-11-01 6:31 PM [GMT-08:00]:
>> On Thu, 1 Nov 2012, Bry8 Star wrote:
>
>>> unbound was already configured to support local UDP and TCP DNS queries, and to use only TCP DNS for upstream outbound queries with Internet name servers, DNS servers, private remote name servers, etc. (which I have mentioned previously). Then I changed only the name server(s) & DNS server(s) inside the unbound.conf/service.conf file, with a unique local port, and placed the "socat" port forwarder & socksifier (toward the actual name server/DNS server) on each of those unique ports.
>>>
>>> Since I've not enabled the remote control section/feature in local unbound, I guess unbound-control will probably not work.
>
>> You can configure forwarders in unbound.conf as well.
>
>> With unbound only doing TCP sessions, you should be able to do it all over tor or SOCKS proxies.
>
>>> Does a feature exist in Unbound to specify an SSL/TLS cert for connecting with each/specific DNS server(s)? and then send DNS queries? (Please assume these DNS servers support DNS queries via TLS encrypted connections via their TCP port 443).
>
>> Yes, unbound can talk to unbound servers using TLS/SSL, but it will not perform any validation of the PKIX certificates. It assumes that important data obtained this way is protected by DNSSEC.
>
>> For example, if you configure this in unbound running on a server:
>
>> # service clients over SSL (on the TCP sockets), with plain DNS inside
>> # the SSL stream. Give the certificate to use and private key.
>> # default is "" (disabled). requires restart to take effect.
>> # ssl-service-key: "path/to/privatekeyfile.key"
>> # ssl-service-pem: "path/to/publiccertfile.pem"
>> # ssl-port: 443
>
>> Then you can configure this on the client:
>
>> # request upstream over SSL (with plain DNS inside the SSL stream).
>> # Default is no. Can be turned on and off with unbound-control.
>> # ssl-upstream: no
>
>> This is what "dnssec-trigger" configured using unbound-control when it needs to use DNS over TLS via unbound. It uses one of these servers:
>
>> # Provided by fedoraproject.org, #fedora-admin
>> # It is provided on a best effort basis, with no service guarantee.
>> ssl443: 80.239.156.220 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
>> tcp80: 80.239.156.220
>> ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
>> tcp80: 66.35.62.163
>> ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
>> tcp80: 152.19.134.150
>> ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
>> tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9
>
>> # provided by Paul Wouters ([email protected])
>> # It is provided on a best effort basis, with no service guarantee.
>> # tcp80: 193.110.157.123
>> # tcp80: 2001:888:2003:1004::123
>> # ssl443: 193.110.157.123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
>> # ssl443: 2001:888:2003:1004::123 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
>
>> # provided by NLnetLabs (www.nlnetlabs.nl)
>> # It is provided on a best effort basis, with no service guarantee.
>> # tcp80: 213.154.224.3
>> # tcp80: 2001:7b8:206:1:bb::
>> # ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
>> # ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
>
>> You can use those for testing as well, I believe you will need something like:
>
>> unbound-control set_option ssl-upstream: yes
>> unbound-control forward_add . 193.110.157.123
>
>> Paul
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
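The relay described in the message above (DNS2SOCKS or socat in front of Unbound) does two things: it speaks SOCKS5 to the local proxy to reach the upstream DNS server, and it carries the query as DNS-over-TCP inside the tunnel so that the resolver's own address never appears on the wire. The following is an added example in Python of that mechanism; it is not the DNS2SOCKS project's code, and the listen port, SOCKS port and upstream address are constructed defaults mirroring the batch lines above. It assumes a SOCKS5 proxy that accepts the "no authentication" method, one TCP connection per query, and no answer cache.

```python
"""Added example: a minimal DNS2SOCKS-style relay (not the DNS2SOCKS project's code).

Plain DNS arrives over UDP on a localhost port; each datagram is sent through a
SOCKS5 proxy (e.g. Tor's SOCKS port) to the upstream DNS server as DNS-over-TCP
(RFC 1035 section 4.2.2: two-byte big-endian length prefix), and the answer is
returned to the UDP sender. Assumptions: SOCKS5 "no auth", literal IPv4/IPv6
upstream address, one tunnel per query, no cache.
"""
import socket
import struct
import sys

SOCKS_VER, CMD_CONNECT = 5, 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REP_SUCCEEDED = 0


def socks5_greeting() -> bytes:
    """Client greeting (RFC 1928 section 3): VER=5, NMETHODS=1, METHOD=0x00 (no auth)."""
    return bytes([SOCKS_VER, 1, 0x00])


def socks5_connect_request(ip: str, port: int) -> bytes:
    """CONNECT request (RFC 1928 section 4) for an IPv4 or IPv6 literal address."""
    try:
        addr, atyp = socket.inet_pton(socket.AF_INET, ip), ATYP_IPV4
    except OSError:
        addr, atyp = socket.inet_pton(socket.AF_INET6, ip), ATYP_IPV6
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_socks5_reply_header(head: bytes) -> tuple:
    """Parse the fixed 4-byte reply header and return (REP, ATYP).

    BND.ADDR/BND.PORT follow and their length depends on ATYP; the caller drains them.
    """
    if len(head) != 4 or head[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    return head[1], head[3]


def frame_tcp(msg: bytes) -> bytes:
    """DNS-over-TCP framing: 16-bit length prefix followed by the message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf: bytes) -> bytes:
    """Strip the length prefix from one framed DNS-over-TCP message."""
    (length,) = struct.unpack("!H", buf[:2])
    return buf[2:2 + length]


def build_query(name: str, qtype: int, txid: int) -> bytes:
    """Plain DNS query with RD set (no EDNS, so no DO bit); handy for a manual test lookup."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes; a short read means the tunnel was cut."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("tunnel closed early")
        buf += chunk
    return buf


def query_via_socks(query: bytes, socks: tuple, upstream: tuple, timeout: float = 10.0) -> bytes:
    """Send one DNS message to `upstream` over TCP through the SOCKS5 proxy at `socks`."""
    with socket.create_connection(socks, timeout=timeout) as s:
        s.sendall(socks5_greeting())
        ver, method = recv_exact(s, 2)
        if ver != SOCKS_VER or method != 0x00:
            raise ConnectionError("proxy did not accept no-auth SOCKS5")
        s.sendall(socks5_connect_request(*upstream))
        rep, atyp = parse_socks5_reply_header(recv_exact(s, 4))
        # Drain BND.ADDR + BND.PORT so the stream is positioned at the DNS payload.
        if atyp == ATYP_DOMAIN:
            recv_exact(s, recv_exact(s, 1)[0] + 2)
        else:
            recv_exact(s, (4 if atyp == ATYP_IPV4 else 16) + 2)
        if rep != REP_SUCCEEDED:
            raise ConnectionError(f"SOCKS5 CONNECT failed, REP={rep}")
        s.sendall(frame_tcp(query))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)


def serve_udp(listen: tuple, socks: tuple, upstream: tuple) -> None:
    """Relay loop: each UDP datagram becomes one tunnelled TCP query; the answer goes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.bind(listen)
        while True:
            data, client = udp.recvfrom(4096)
            try:
                udp.sendto(query_via_socks(data, socks, upstream), client)
            except (OSError, ValueError) as exc:
                print(f"relay failed for {client}: {exc}", file=sys.stderr)


if __name__ == "__main__":
    # Constructed defaults mirroring the batch lines: local listen, Tor SOCKS, upstream DNS.
    serve_udp(("127.0.0.1", 58001), ("127.0.0.1", 9050), ("62.141.58.13", 53))
```

Point Unbound's forward-addr at 127.0.0.1@58001 exactly as the message describes for DNS2SOCKS. Because the query only ever leaves the host inside the SOCKS tunnel, a proxy failure produces no fallback to direct UDP; that is deliberate, since a silent fallback would leak the resolver's address.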
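Paul's reply above makes the point that matters for the TLS part of the thread: Unbound's ssl-upstream performs no PKIX validation, so the only thing binding the TLS session to the intended server is the SHA-256 certificate fingerprint that dnssec-trigger lists next to each "ssl443:" entry. The following added example (not Unbound's or dnssec-trigger's own code) parses a server list in that layout, fetches a peer's certificate without PKIX validation, and compares fingerprints in constant time. The sample list is copied from the thread; the assumption is dnssec-trigger's "transport: address [fingerprint]" line format with "#" marking comments or disabled entries.

```python
"""Added example: certificate pinning check for ssl-upstream peers (not Unbound's own code).

Parses a dnssec-trigger-style server list ("ssl443: ADDR FINGERPRINT", "tcp80: ADDR"),
fetches the peer certificate with PKIX validation disabled (as Unbound does), and checks
the SHA-256 fingerprint of the DER certificate against the pinned value.
"""
import hashlib
import hmac
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Copied from the thread above (NLnetLabs entries); used as sample input.
SAMPLE_LIST = """\
# provided by NLnetLabs (www.nlnetlabs.nl)
# It is provided on a best effort basis, with no service guarantee.
tcp80: 213.154.224.3
ssl443: 213.154.224.3 DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
ssl443: 2001:7b8:206:1:bb:: DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
"""


@dataclass(frozen=True)
class Upstream:
    transport: str               # "ssl443" or "tcp80"
    address: str                 # IPv4 or IPv6 literal
    fingerprint: Optional[str]   # lowercase hex, no colons; only for ssl443


def normalize_fingerprint(fp: str) -> str:
    """Accept 'A8:3E:...' or 'a83e...' and return 64 lowercase hex digits."""
    digest = fp.replace(":", "").strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return digest


def parse_server_list(text: str) -> List[Upstream]:
    """Parse the list; '#' starts a comment, so commented-out entries are simply skipped."""
    upstreams = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        transport, _, rest = line.partition(":")   # first ':' ends the transport keyword
        transport, fields = transport.strip(), rest.split()
        if transport == "ssl443":
            if len(fields) != 2:
                raise ValueError(f"ssl443 entry needs address and fingerprint: {raw!r}")
            upstreams.append(Upstream(transport, fields[0], normalize_fingerprint(fields[1])))
        elif transport == "tcp80" and len(fields) == 1:
            upstreams.append(Upstream(transport, fields[0], None))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return upstreams


def cert_fingerprint_sha256(der: bytes) -> str:
    """SHA-256 over the DER encoding, the same digest dnssec-trigger lists."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pinned: str) -> bool:
    """Constant-time comparison so the check does not leak how many digits matched."""
    return hmac.compare_digest(cert_fingerprint_sha256(der), normalize_fingerprint(pinned))


def fetch_peer_cert_der(address: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Open TLS with PKIX validation off (mirroring ssl-upstream) and return the leaf cert in DER."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def verify_upstream(up: Upstream) -> bool:
    """True when the live certificate matches the pin; tcp80 entries have nothing to pin."""
    if up.fingerprint is None:
        return False
    return pin_matches(fetch_peer_cert_der(up.address), up.fingerprint)


if __name__ == "__main__":
    for up in parse_server_list(SAMPLE_LIST):
        if up.transport == "ssl443":
            print(up.address, "pin OK" if verify_upstream(up) else "PIN MISMATCH")
```

A pin mismatch is the signal to stop using that upstream rather than to fall through to it: with no PKIX validation and the fingerprint the only identity check, a changed certificate means either a legitimate key rollover (the list must be updated) or an interposed endpoint. Answers that carry DNSSEC signatures are still validated by Unbound either way, which is the assumption Paul describes.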
