DNS over TLS not working

Sure.

tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"

Mozilla's CA bundle.

On 24.05.2018 17:17, W.C.A. Wijngaards wrote:

Hi Yuri,

Could you try this unbound.exe with extra debug printouts, so I can see
which SSL calls are made?

open.nlnetlabs.nl/~wouter/unbound_1.7.2rc45_debug.exe
Rename it to unbound.exe and use it; it is rc45 with some debug
printouts about what part of the SSL sequence is enabled.

(Slightly different exe size due to the 32-bit compile.)

Best regards, Wouter

Hi Yuri,

From the logs, it looks like the connections to quad9 and cloudflare all
end, very quickly, with a tcperror. Some connections succeed, to quad9
at the 112. If you search for 'peer certificate' in the logs, you find
those cases, and also that it works and returns an answer.

It looks like the other addresses are somehow filtered? There might not
be a bug in the Windows code of unbound, too; by the way, thank you for
the logs.

Best regards, Wouter

Hi Yuri,

And here is the same executable but with counting that will exclude
addresses for which the connection doesn't establish. That would
exclude all (except one), looking at the logs.

open.nlnetlabs.nl/~wouter/unbound_rc45_fixnonestablishedtcp.exe
(This is again unbound.exe; rename it to unbound.exe for use.)

I made it because it will likely work better. The fix is also in the
public code repository. What it does is keep track of connection
failures and then when server selection happens, it should omit the
failing servers from the server selection.

This may not actually be the bug you originally tried to report, but it
should be an improvement.

Best regards, Wouter

Hmmmmmmm.

Same issue.

I do not think this issue is related to blocking somewhere, because in
the same network the UNIX Unbound with DoT works perfectly.
Also, the simplest availability checks say OK:

root @ khorne / # ping 1.1.1.1
1.1.1.1 is alive
root @ khorne / # telnet 1.1.1.1 853
Trying 1.1.1.1...
Connected to 1.1.1.1.
Escape character is '^]'.
^CConnection to 1.1.1.1 closed by foreign host.

I.e., the DNS servers are available, and sockets on port 853 open.

Latest log for this version attached.

On 25.05.2018 12:30, W.C.A. Wijngaards wrote:

(attachments)

unbound_latest.log.zip (26.7 KB)
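The ping and telnet checks above only prove that a TCP socket to port 853 opens; they say nothing about the TLS handshake, certificate validation against the configured tls-cert-bundle, or whether the server actually answers DNS over that channel. The following is an added Python example (not code from the thread or from the Unbound project) of a DoT probe that does all three: it builds a real DNS query, frames it with the 2-byte length prefix DoT inherits from DNS over TCP, sends it over a verified TLS connection, and parses the answer. The CA bundle path and the server names passed in (for example 1.1.1.1 with cloudflare-dns.com as the name to verify) are assumptions for illustration; SAMPLE_RESPONSE is a constructed wire-format reply used to exercise the parser offline.

```python
import secrets
import socket
import ssl
import struct

# --- DNS wire format (RFC 1035) and DoT framing (RFC 7858, section 3.3) ---

def build_query(name, qtype=1, txid=None):
    """Minimal DNS query: header with RD set, one question (type A by default)."""
    if txid is None:
        txid = secrets.randbits(16)          # random ID, checked against the reply
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DoT sends DNS messages with the TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def read_framed(recv):
    """Read one length-prefixed DNS message using a recv(n) callable.

    TCP/TLS may deliver the 2-byte prefix and the body in separate reads, so
    both parts are read with read_exact rather than a single recv().
    """
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed before a full DNS message arrived")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", read_exact(2))
    return read_exact(length)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:              # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, expect_txid=None):
    """Return txid, rcode and the A records (ttl, dotted-quad) of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0x0F, "answers": answers}


# Constructed sample reply for example.com, A 93.184.216.34, TTL 300, name compressed
# with a pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)


def chunked_recv(data, chunk_size=3):
    """A recv(n) stand-in that hands out `data` in small pieces, like a slow TCP peer."""
    buf = bytearray(data)
    def recv(n):
        take = min(n, chunk_size)
        chunk = bytes(buf[:take])
        del buf[:take]
        return chunk
    return recv


# --- live probe: only runs when you call it, needs network access ---

def dot_query(server_ip, name, auth_name, ca_bundle=None, timeout=5.0):
    """Resolve `name` over DNS over TLS on port 853, verifying the server certificate.

    ca_bundle=None uses the platform trust store; pass the same file as the
    tls-cert-bundle option to reproduce what the resolver would trust.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    txid = struct.unpack_from("!H", query)[0]
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(query))
            reply = read_framed(tls.recv)
    return parse_response(reply, expect_txid=txid)


if __name__ == "__main__":
    # Assumed server/name pairing for illustration; adjust to your forwarders.
    print(dot_query("1.1.1.1", "example.com", "cloudflare-dns.com",
                    ca_bundle=r"C:\Squid\etc\squid\ca-bundle.crt"))
```

If the probe raises an ssl.SSLCertVerificationError the bundle is the problem, if it hangs or resets after the TCP connect the TLS or DNS layer is, and a telnet success tells you neither.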

Hi Yuri,

Yes in these traces, cloudflare and 9.9.9.9 work once, but not all the
time. Something must be wrong in the calls that unbound makes.

It seems that unbound does not reset the events for closed file
descriptors, this makes the first one work, but others try to write when
the fd is not connected yet and this causes a failure, which causes
libssl to close the file descriptor which fails the connection.

open.nlnetlabs.nl/~wouter/unbound_rc45_fixclose.exe
(Replacement for unbound.exe; rename it to unbound.exe for use.)

Best regards, Wouter
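The failure mode described above (writing to a non-blocking socket before its connect has completed, and leaving event registrations behind for a descriptor that was already closed) is easy to reproduce in any event loop. The following is an added Python illustration of the correct sequencing, not Unbound's own C code or its fix: connect non-blockingly, wait for the writable event, read SO_ERROR to learn whether the connect actually succeeded, only then write, and always unregister the socket from the selector before closing it so a later socket that reuses the same descriptor number cannot inherit a stale interest set. The loopback echo server is a constructed test peer so the example runs offline.

```python
import errno
import os
import selectors
import socket
import threading

# errno values meaning "the non-blocking connect is still in progress"
_IN_PROGRESS = {errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN,
                getattr(errno, "WSAEWOULDBLOCK", 10035)}


def connect_and_send(host, port, payload, timeout=5.0):
    """Non-blocking connect, write only after the socket reports connected, read the reply.

    Every exit path unregisters the socket before closing it, so the selector never
    keeps an interest set for a descriptor that no longer belongs to this socket.
    """
    sel = selectors.DefaultSelector()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setblocking(False)
    try:
        rc = sock.connect_ex((host, port))
        if rc != 0 and rc not in _IN_PROGRESS:
            raise OSError(rc, os.strerror(rc))       # immediate failure (rare on loopback)
        # Writability is the "handshake finished, or failed" signal. Writing before
        # this event is the bug: the fd is not connected yet and the write fails.
        sel.register(sock, selectors.EVENT_WRITE)
        if not sel.select(timeout):
            raise TimeoutError("connect timed out")
        err = sock.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
        if err:
            raise OSError(err, os.strerror(err))     # e.g. ECONNREFUSED surfaces here
        sock.sendall(payload)
        sel.modify(sock, selectors.EVENT_READ)
        received = b""
        while len(received) < len(payload):
            if not sel.select(timeout):
                raise TimeoutError("read timed out")
            chunk = sock.recv(4096)
            if not chunk:
                break                                # peer closed early
            received += chunk
        return received
    finally:
        try:
            sel.unregister(sock)                     # before close(), never after
        except (KeyError, ValueError):
            pass                                     # never registered (early failure)
        sock.close()
        sel.close()


def run_loopback_demo(payload=b"hello over tcp"):
    """Talk to a one-shot echo server on 127.0.0.1 (constructed peer) and return its reply."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5.0)
    port = listener.getsockname()[1]

    def serve_once():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(conn.recv(4096))

    t = threading.Thread(target=serve_once, daemon=True)
    t.start()
    try:
        return connect_and_send("127.0.0.1", port, payload)
    finally:
        t.join(5.0)
        listener.close()


def demo_refused():
    """Connect to a port nobody listens on; the error must come from SO_ERROR, not from a write."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()                                    # port is now closed again
    try:
        connect_and_send("127.0.0.1", port, b"x")
    except ConnectionRefusedError:
        return True
    return False


if __name__ == "__main__":
    print(run_loopback_demo())
    print("refused handled cleanly:", demo_refused())
```

The point of checking SO_ERROR rather than waiting for the first write to fail is that a failed write can make the TLS layer tear the connection down, which is the chain described for the Windows build above; detecting the failure at the connect stage keeps the socket state and the event registration consistent.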

Yesssssssss!!!

Now fixed! Working log attached.

Great work, Wouter!

On 25.05.2018 16:04, W.C.A. Wijngaards wrote:

(attachments)

unbound.zip (128 KB)