I’ve spent several hours trying various permutations of the following config, but no matter what I do I can’t get unbound to forward a DNS request over TLS:
*** localhost can’t find google.com: Server failed
Following this request in wireshark, unbound is accurately requesting DNS to the cloudflare server on tcp port 853, but is attempting to do this without negotiating a TLS connection, which cloudflare appropriately rejects.
This config looks correct. It should be connecting with TLS. Unless
you have other options in unbound.conf that negate the lines you pasted
here. Perhaps enable verbosity: 4 and logfile: "C:\unbound.log" and
log-time-ascii: yes and then you have a logfile in plain text with
details about what unbound is doing.
Simplified config (OpenDNS, no DNSSEC etc.) - works.
I have made some fixes for DNS-over-TLS for unbound on windows, they are
in the patch below. I've also compiled a 64bit build for that snapshot.
Does this solve the problem?
The diff solves two problems. Sticky TCP flags causing TLS to use more
CPU than is probably needed, assuming openssl always reads all available
data. The other is that a combined result of data and tcp length would
not be handled correctly, also on Linux.
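The second problem described above, the two-byte TCP length prefix and the message data arriving in the same read, is what this added example handles; it is not unbound's code, and the DNS message bytes are constructed for the demo:

```python
# Added example (not unbound's code): a TCP DNS reader that copes with the
# two-byte length prefix and the payload arriving in one read, split across
# reads, or several messages per read. Framing is RFC 1035 section 4.2.2;
# the sample message below is a constructed minimal response.
import struct

class TcpDnsReader:
    """Reassembles length-prefixed DNS messages from an arbitrary byte stream."""

    def __init__(self, max_len: int = 65535):
        self.buf = bytearray()
        self.max_len = max_len

    def feed(self, chunk: bytes) -> list:
        """Append one read() result and return every message now complete."""
        self.buf += chunk
        out = []
        while len(self.buf) >= 2:               # need the full length field first
            (need,) = struct.unpack("!H", self.buf[:2])
            if need == 0 or need > self.max_len:
                raise ValueError(f"bad DNS length prefix {need}")
            if len(self.buf) < 2 + need:        # payload still incomplete: wait
                break
            out.append(bytes(self.buf[2:2 + need]))
            del self.buf[:2 + need]             # keep trailing bytes for the next message
        return out

def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its big-endian 16-bit length for TCP/TLS."""
    return struct.pack("!H", len(msg)) + msg

# Constructed sample: response id 0x1234, flags QR|RD|RA, one question for
# example.com/A, no answers (the payload is opaque to the framing layer).
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))

def demo() -> dict:
    """Feed the same framed message three ways; each must yield it intact."""
    framed = frame(SAMPLE)
    combined = TcpDnsReader().feed(framed)                  # length + data in one read
    r = TcpDnsReader()
    split = r.feed(framed[:1]) + r.feed(framed[1:3]) + r.feed(framed[3:])
    double = TcpDnsReader().feed(framed + framed)           # two messages in one read
    return {"combined": combined, "split": split, "double": double}

if __name__ == "__main__":
    for name, msgs in demo().items():
        print(name, [m == SAMPLE for m in msgs])
```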
Just checked. Unfortunately, patch does not fix issue.
Same symptom. Timeout, then no resolve.
[http://open.nlnetlabs.nl/~wouter/unbound-1.7.2_20180507.zip](http://open.nlnetlabs.nl/%7Ewouter/unbound-1.7.2_20180507.zip) (16Mb)
[http://open.nlnetlabs.nl/~wouter/unbound-1.7.2_20180507.zip.asc](http://open.nlnetlabs.nl/%7Ewouter/unbound-1.7.2_20180507.zip.asc) (pgp sig)
From your previous logs, what unbound does is connect, then write. Then
it gets nothing to read. Until the timeout happens. The connection
closes, there was no data received.
Is there a firewall of some sort preventing data from leaving or
entering the system?
No idea what is going on anymore, here is two new sets of binaries.
These are made with openssl 1.0.2j. The code in unbound that does
tls-upstream:yes is basically almost the same as previous releases, and
with the same version of openssl, shouldn't that work like it did in the
previous release?
Note that the 1.0.2 openssl does not have the set verify name function
that is used to verify the tls authentication name, so it won't check that.
The 1.7.1 zipfile is the 1.7.1 release with the different openssl library.
The 1.7.2 has a different windows event handling for SSL upstream, that
should result in fewer cycles used to handle the SSL connection. It
should however, not otherwise change the SSL connection calls to OpenSSL.
On 09.05.2018 11:51, W.C.A. Wijngaards via Unbound-users wrote:
I have a bugfix for windows DNS-over-TLS. There was missing
initialisation. The version with bugfixes is available here
open.nlnetlabs.nl/~wouter/unbound-1.7.2rc45.zip
and unbound_setup_1.7.2rc45.exe and .asc gpg sigs.