It seems I finally figured out using dnscrypt + unbound + DNSSEC:

* Stop Unbound and specify the dnscrypt-proxy IP:port as "forward-addr" in unbound.conf.

* Start dnscrypt-proxy with the flags below, where provider-key / provider-name is whatever you choose from http://dnscrypt.org. For example:

  dnscrypt_proxy_flags="-d -a <listen-ip>:port --provider-key 67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 --provider-name=2.dnscrypt-cert.resolver1.dnscrypt.eu --resolver-address=176.56.237.171:443"

* Now re-run:

  # unbound-anchor -a "/var/unbound/root.key"

  which will refresh/reset the root.key to the signature of forward-addr, which in turn is the dnscrypt-proxy signature given when we started dnscrypt.

* Start Unbound and try your DNSSEC validation:

  drill -k /var/unbound/root.key -TD com. SOA

  => comes back all "[T] trusted"

* One question: should "unbound-anchor" be re-run periodically or on unbound startup, or is the root.key self-refreshed by Unbound internals?

* Final bonus: I have all of this running in a FreeBSD jail, and pf redirects to the dns-jail all port 53 traffic from the internal LAN(s) and other jails. Awesome!
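Added example, not code from either poster: a small shell helper that writes the unbound forward-zone stanza for the setup in the post above and checks a saved `drill -k /var/unbound/root.key -TD ...` trace for any record that did not come back "[T]" trusted. The listener address/port, the auto-trust-anchor-file line and the handling of markers other than [T] are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the unbound.conf stanza that forwards
# everything to a local dnscrypt-proxy listener, and checks a saved
# `drill -k /var/unbound/root.key -TD ...` trace for anything not "[T]" trusted.
# The listener address/port are placeholders for whatever dnscrypt-proxy -a uses.

# Print a minimal unbound.conf forward section for the given listener.
unbound_forward_conf() {
    listen_ip="$1"; port="$2"
    printf 'server:\n'
    # dnscrypt-proxy usually listens on loopback, which unbound refuses to query by default
    printf '    do-not-query-localhost: no\n'
    printf '    auto-trust-anchor-file: "/var/unbound/root.key"\n'
    printf 'forward-zone:\n'
    printf '    name: "."\n'
    printf '    forward-addr: %s@%s\n' "$listen_ip" "$port"
}

# Read a drill trace on stdin. Record lines start with a one-letter marker in
# brackets; "[T]" is trusted (as in the post), any other marker is reported and
# the function returns 1. ";;" comment lines and blank lines are ignored.
drill_all_trusted() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '[T]'*|';;'*|'') ;;
            '['?']'*) printf 'NOT TRUSTED: %s\n' "$line"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample traces (key material shortened to "..."); not real drill output.
sample_trace_ok() {
    printf '%s\n' ';; Number of trusted keys: 1' ';; Domain: .' \
        '[T] . 518400 IN DNSKEY 257 3 8 ...' ';; Domain: com.' \
        '[T] com. 86400 IN DS 30909 8 2 ...' \
        '[T] com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400'
}
sample_trace_bad() {
    sample_trace_ok
    printf '%s\n' '[B] com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400'
}

# Real use: drill -k /var/unbound/root.key -TD com. SOA | drill_all_trusted
```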
Bright Star: Very interesting information. Thank you.

For Tor, I did not realize what the port 9053 setting was until I got some IRC help from the #tor channel. Apparently, the 9053 listener just passes a regular DNS lookup to the Tor exit node and uses whatever that exit node has defined as its DNS forward server. This is exactly the DNS leak problem (non-encrypted traffic) and should be completely avoided, not to mention the possibility of a "malicious exit node" employing its own poisoned DNS server - Avoid Completely.

However, I have since become hesitant to use Tor-encryption for DNS, since as you stated there currently is no DNSSEC structure inside Tor. DNSSEC is not mandatory of course, but for non-DNSSEC, we at least know who the counterparty is (Google, OpenDNS or whomever), whereas inside a Tor layer, you have absolutely no idea regarding the trust level of the DNS on the exit node. Considering that Tor was designed for relaying (not authenticating), Tor-encrypted DNS opens the user to a wide possibility of DNS compromise IMHO.

The sanest article I have come across re setup of Tor-encrypted DNS lookups describes using dsocks (rather than socks): https://trac.torproject.org/projects/tor/wiki/doc/PreventingDnsLeaksInTor

Thanks to everyone for their help & Regards.
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
