From Unbound To DNS Via SOCKS, and Choices

Hi,

My (side) Scenario (Pre-Conditions) :

MyNet = My Local Network computers & devices.
SOCKS-Srvr = origin SOCKS-server on a remote server.
SOCKS-prxy = SOCKS-proxy-server = is local SOCKS
forwarding proxy server.
Socks-Tnl = SOCKS-Tunnel = connection between
(local) socks-proxy & (origin) socks-server.
SOCKS = is a type of gateway, a type of tunnel,
a routing process between a client & a server.

(start from the right-most side, "MyNet")

Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet.
   ^
   |
   v
   --> SOCKS-Srvr <-> remote local-netwrk (DNS).
   ^
   |
   v
   --> SOCKS-Srvr <-> Internet <-> DNS-Servers.

I have multiple SOCKS proxy servers,
(SOCKS v4a, v5),
Running & listening on (a server computer):
10.0.1.10:1080 (ip:port)
10.0.1.10:1082
...
This gateway/server computer 10.0.1.10 has
an instance of "Unbound" (01) DNS-Resolver
running on 10.0.1.10:53
interface: 10.0.1.10
port: 53
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 10.0.1.10/8 allow

Different socks tunnels end at (aka, are routed
to) different destination locations (which have
the origin-SOCKS-server gateway software),
and the ending/origin gateway computer there is
connected with a different ISP.

Need to use this 10.0.1.10:53 DNSSEC supported
DNS-Resolver, from all clients, (under my local
network).

This DNS-Resolver must connect with destination
DNS-Server(s) or nameservers(NS) via different
ISPs, which are connected at the end of SOCKS
tunnel.

Those destination Nameserver(s) (NS-DNS-Srv)
( or Recursive dns-server(s) (Rc-DNS-Srv)
or Authoritative dns-server(s) (A-DNS-Srv) )
are able to work with both TCP & UDP DNS, and
are listening on multiple ports 53, 110, 443, etc.

"Unbound" (01) (10.0.1.10:53) has multiple Forward
and Stub zones. Each forward or stub zone/domain
has at least 4, (in some cases 10), specific
nameservers (or specific Rc-DNS-Srv, or specific
A-DNS-Srv).

I'm using at least 10 different sets of
(custom/special) zones, where each zone
has from 4 to 10 (different) nameservers.
stub-zone: # 01
name: "custom-domain1.org"
stub-host: ath-d1.namesrv-hostnam.org.
stub-host: ath-d2.namesrv-hostnam.org.
stub-host: ath-d3.namesrv-hostnam.org.
stub-host: ath-d4.namesrv-hostnam.org.
...
forward-zone: # 10
name: "custom-domain10.org"
forward-addr: ath-namesrvr.37.ip.adrs
forward-addr: ath-namesrvr.38.ip.adrs
forward-addr: ath-namesrvr.39.ip.adrs
forward-host: ath-namesrvr40-hostnam.org.

And, when a DNS-query does not match any
of those custom/special zones, then standard
set of DNS-Servers are to be used, like: Root
DNS-Servers, TLD DNS-Servers, SLD (Second Level
Domain) DNS-Servers, HSP (Hosting Service
Providers) DNS-Servers, Public DNSSEC based
DNS-Servers, etc, via another SOCKS proxy:
forward-zone:
name: "."
forward-addr: 94.75.228.29 # GPF DNSSEC
forward-addr: 149.20.64.20 # OARC DNSSEC
forward-addr: 217.31.204.130 # CZ.NIC DNSSEC
forward-addr: 198.41.0.4 # ROOT a USC-ISI
forward-addr: 192.5.5.241 # ROOT f ICANN
forward-addr: 192.58.128.30 # ROOT j
forward-addr: 193.0.14.129 # ROOT k RIPE
forward-addr: 199.7.83.42 # ROOT l
forward-addr: 128.8.10.90 # ROOT d UniMaryland
forward-addr: 192.36.148.17 # ROOT i
forward-addr: 202.12.27.33 # ROOT m
forward-addr: 128.63.2.53 # ROOT h
forward-addr: 192.203.230.10 # ROOT e NASA
forward-addr: 192.228.79.201 # ROOT
forward-addr: 192.33.4.12 # ROOT
forward-addr: 192.112.36.4 # ROOT

QUESTION(s):

Can I consider the existing command
outgoing-interface:
of Unbound as its outbound-traffic
binding or forcing command/option ?

How can i bind/force "Unbound" (01) (10.0.1.10:53)
to use the 1st SOCKS proxy 10.0.1.10:1080 (IP:port)
for resolving a 1st set of zones ? (so that
Unbound can connect with correct 1st set of
nameservers assigned for that 1st set of zones),
And how to resolve another/2nd set of zones
via using another/2nd SOCKS at 10.0.1.10:1081 ?
(and allowing Unbound to connect with another
/2nd set of pre-assigned nameservers for that
2nd set of zones).

if there is a one command-line in "Unbound"
to use/bind/force outbound traffic go-through
a SOCKS proxy that will be best.

if not, then can anyone please point-to/indicate
/discuss/suggest what tools can be used to
achieve such function. Unbound to socks proxy.

(NOT looking for a solution on Linux/Unix).
(Looking for a solution on Windows, the local
"Unbound" (01) (10.0.1.10:53) is running on
Windows based computer).

if i have to run 5 "Unbound", even that type
of solution is also ok. but reduced Unbound
instance will be better.

Is there a tool, which can accept all
(incoming) traffic coming (from Unbound)
toward a network interface adapter's
(different ports & single) IP address,
and can forward those ports toward a
(single ip:port based) SOCKS proxy
server ? what functions like TAP-to-SOCKS ?

if a tool can perform TUN-to-SOCKS function,
then can such tool be used for send all
queries via SOCKS from Unbound, by binding
Unbound with that TUN's ip-address ?

for example, can an OpenSSH instance be run
in L2/3 tun VPN mode & forward tun ip-adrs
traffic toward a SOCKS proxy ?

Can this below command/option
"outgoing-port-permit:" be set to
use only 4 ports ? like:
outgoing-port-permit: 53001-53004
or, even set to use only 1 port ?
outgoing-port-permit: 53001-53001
What tool can allow to forward such
traffic from Unbound to a SOCKS proxy ?

Can I run an instance of OpenSSH to listen on a
range of ports, from 53001 to 53004, on ip-adrs
127.0.0.53 and forward those toward a single
SOCKS proxy at 10.0.1.10:1080 ? and, after
running OpenSSH, can I run & force Unbound to
send outbound traffic via:
outgoing-interface: 127.0.0.53

Will these four commands work ? to
force using only 1 outgoing port:
outgoing-range: 1
num-queries-per-thread: 1
outgoing-port-permit: 53001
outgoing-port-avoid: "1-53000,53002-65535"
will those slow down the dns-resolving process
very much ?

or, is there a tool which can function
like DNS-to-SOCKS ? how can it be used
with Unbound ?

How can i specify in "Unbound" to use port
110 with a DNS-Server, instead of port 53 ?

Can i specify SSL cert (server cert or CA/Root cert)
for a DNS-Server in Unbound ?

REFERENCES:

https://en.wikipedia.org/wiki/SOCKS
http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF.
http://www.inet.no/dante/doc/ Dante.

SOCKet Secure (SOCKS) is an Internet Protocol that
routes network packets between a client and server
through a proxy server. It works in Layer 5
(Session) of OSI.

OpenSSH: An "ad hoc" SOCKS proxy server can be
created using OpenSSH, and allows more flexible
proxying than is possible with ordinary port
forwarding. http://www.openssh.com/
DynamicForward 10.0.1.10:1080 # will create a
SOCKS on that ip:port.
GatewayPorts option allows wildcard address
usage. And tun-based VPN tunnel allowing
applications to transparently access remote
network resources without "socksification"
is now possible via OpenSSH.

--Bright Star (Bry8Star).

No one seems to be replying or understanding
what i have requested for, very strange !

In windows, no one found solution(s) ! ! !
for sending DNS-queries (for specific dns-servers)
from unbound toward a socks-proxy-server ! ?

trying to do this:
[start] (1) local software --> (2) local unbound -->
--> (3) local socks-proxy/srvr --> (4) socks-tunnel
--> (5) Internet (My ISP) --> (6) socks-(origin)-srvr
--> (7) Internet (socks-origin-srvr's ISP)
--> (8) name-server/DNS-server. [End]

-- Bright Star (Bry8Star).

Bry8 Star wrote:
Received on 2012-10-25 8:13 PM [GMT-08:00]::

No one seems to be replying or understanding
what i have requested for, very strange !

In windows, no one found solution(s) ! ! !
for sending DNS-queries (for specific dns-servers)
from unbound toward a socks-proxy-server ! ?

I gave Jake Applebaum a patch/configuration to test for
using unbond with tor using a SOCKS proxy. I never got
feedback, but he might still have the patch and config
lying around for you.

Paul

Hi Paul,
Thanks, for the response. Was beginning to get
a sense that no one ever reads my posting at all.

I will contact him, if he had enough time to place
your patch with unbound source code, and if i can
get a hold on such for using from windows side.

Currently, in unbound config file, when a zone
is pointing toward a specific name-server, for
example, like below:
forward-zone: name: "sld.tld"
forward-addr: 62.141.58.13@110

# Then i have changed above lines like below:
forward-zone: name: "sld.tld"
forward-addr: 127.0.0.1@58001

Then, by using windows edition of "socat",
placed command-line(s) like below inside a
batch .cmd / .bat file, to start necessary
routing or forwarding:

@start "socat LH:58001 62.141.58.13 SP:1080" /D"%ProgramFiles%\socat\" socat.exe tcp4-listen:58001,bind=127.0.0.1,range=127.0.0.1/32,fork SOCKS4A:10.0.1.10:62.141.58.13:110,socksport=1080

(in above, from "@" to "=1080" is one single command line)

Similarly (like above command-line), specified
unique port for each unique DNS-Server, and
i've executed around 50 socat instances (from
batch file), to forward all dns queries from
Unbound, inside different local SOCKS proxy
server(s), and sent DNS-queries toward different
(public & private) DNS-servers & name-servers.

Works fine, with complete DNSSEC support.

But need to combine these into one or lesser
amount of "socat" instances.
or, need a support inside Unbound.
or, need another tool which can efficiently
do these type of TCP-DNS-to-SOCKS traffic
routing.

And also want to connect with (public and
private) DNS-servers (or name-servers) which
supports TLS cert based/encrypted connections.
You may see below (in previous email) where
i've mentioned about these.

If anyone worked/working on these pls reply
on this posting,
Thanks in advance.

-- Bright Star (Bry8Star).

USERS: when you reply, make sure the "To:" field
has below email address:
unbound-users@unbound.net

Paul Wouters wrote:
Received on 2012-10-31 8:03 PM [GMT-08:00]:

Why don't you just tell unbound to use TCP only, and not UDP?

Then specify the forwarders using unbound-control? Then you
can even route that through tor.

Paul

(Paul, sorry i did not understand what
you indicated to).

unbound, was already configured to support
local UDP, and TCP DNS-queries, and use only
TCP DNS for upstream outbound queries with
Internet name-servers, DNS-Servers, private
remote name-servers, etc (which i have
mentioned previously).
Then i changed only name-server(s) & DNS-Server(s)
inside unbound.conf/service.conf file, with unique
local port, and placed "socat" port forwarder
& socksifier (toward actual name-server/DNS-server),
on each of those unique port.

since i've not enabled remote control
section/feature in local unbound, i guess
unbound-control will probably not work.

if remote control feature is turned on in unbound,
and then using unbound-control, can a SOCKS proxy
like 10.0.1.10:1080 be specified ? or, can a
Tor SOCKS proxy like 10.0.1.10:9050 be specified ?
(if a Tor SOCKS proxy is to be used, then i would
MUST need to use TLS encrypted tunnels (to the
destination name-server(s), DNS-server(s)), i think
that will require further modification in
interconnecting configurations of these components).

Does a feature exist in Unbound to specify
SSL/TLS cert for connecting with each/specific
DNS-Server(s) ? and then send DNS-queries ?
(pls assume these DNS-Servers supports DNS-queries
via TLS encrypted connections via their TCP port
443).
or, do i must need to use the SSL/TLS cert
(used by DNS-Server) with "socat" to use
encrypted tunnels ? (currently i have no
choice but to use such/socat for encrypted
tunnels).

-- Bright Star (Bry8Star).

Note to Users: when you reply, make sure
the "To:" field has below email address:
unbound-users@unbound.net

Paul Wouters wrote:
Received on 2012-11-01 6:39 AM [GMT-08:00]:

unbound, was already configured to support
local UDP, and TCP DNS-queries, and use only
TCP DNS for upstream outbound queries with
Internet name-servers, DNS-Servers, private
remote name-servers, etc (which i have
mentioned previously).
Then i changed only name-server(s) & DNS-Server(s)
inside unbound.conf/service.conf file, with unique
local port, and placed "socat" port forwarder
& socksifier (toward actual name-server/DNS-server),
on each of those unique port.

since i've not enabled remote control
section/feature in local unbound, i guess
unbound-control will probably not work.

You can configure forwarders in unbound.conf as well.

With unbound only doing TCP sessions, you should be able to it all over
tor or SOCKS proxies.

Does a feature exist in Unbound to specify
SSL/TLS cert for connecting with each/specific
DNS-Server(s) ? and then send DNS-queries ?
(pls assume these DNS-Servers supports DNS-queries
via TLS encrypted connections via their TCP port
443).

Yes, unbound can talk to unbound servers using TLS/SSL, but it will not
perform any validation of the PKIX certificates. It assumes that
important data obtained this way is protected by DNSSEC.

For example, if you configure this in unbound running on a server:

         # service clients over SSL (on the TCP sockets), with plain DNS
         # inside
         # the SSL stream. Give the certificate to use and private key.
         # default is "" (disabled). requires restart to take effect.
         # ssl-service-key: "path/to/privatekeyfile.key"
         # ssl-service-pem: "path/to/publiccertfile.pem"
         # ssl-port: 443

Then you can configure this on the client:

         # request upstream over SSL (with plain DNS inside the SSL
         # stream).
         # Default is no. Can be turned on and off with unbound-control.
         # ssl-upstream: no

This is what "dnssec-trigger" configured using unbound-control when it
needs to use DNS over TLS via unbound. It uses one of these servers:

# Provided by fedoraproject.org, #fedora-admin
# It is provided on a best effort basis, with no service guarantee.
ssl443: 80.239.156.220 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 80.239.156.220
ssl443: 66.35.62.163 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 66.35.62.163
ssl443: 152.19.134.150 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 152.19.134.150
ssl443: 2610:28:3090:3001:dead:beef:cafe:fed9 A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2
tcp80: 2610:28:3090:3001:dead:beef:cafe:fed9

# provided by Paul Wouters (pwouters@redhat.com)
# It is provided on a best effort basis, with no service guarantee.
# tcp80: 193.110.157.123
# tcp80: 2001:888:2003:1004::123
# ssl443: 193.110.157.123
# 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7
# ssl443: 2001:888:2003:1004::123
# 16:41:49:E0:9D:62:CD:DB:79:A7:2B:71:58:C4:D5:E8:70:FA:BF:4D:6D:36:CC:07:35:33:C0:16:17:1B:61:E7

# provided by NLnetLabs (www.nlnetlabs.nl)
# It is provided on a best effort basis, with no service guarantee.
# tcp80: 213.154.224.3
# tcp80: 2001:7b8:206:1:bb::
# ssl443: 213.154.224.3
# DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F
# ssl443: 2001:7b8:206:1:bb::
# DC:22:7B:1C:00:1A:CE:C5:48:49:B1:E3:30:DE:61:93:61:12:4E:CB:5C:B4:33:C4:BC:75:8C:D6:16:9D:F0:9F

You can use those for testing as well, I believe you will need something
like:

unbound-control set_option ssl-upstream: yes
unbound-control forward_add . 193.110.157.123

Paul

Hi Paul, Thanks again.

unbound-control set_option ssl-upstream: yes
unbound-control forward_add . 193.110.157.123

So my understanding is, one "Unbound" can use only
one set of upstream / outbound TLS/SSL cert/keys to
connect with another unbound instance.

but more than one set of cert/keys cannot be specified
in one "Unbound".

whereas, i wanted to use different type of cert for
different type of DNS-Servers/name-servers (which are
using different DNS server software, which supports
TLS/SSL encrypted & secured connections).

Since i'm tryin to connect securely with different
dns-servers/name-servers, which are using different
DNS Server/Resolver software and different cert/keys,
one unbound will (most likely) not be able to connect
with all at the same time.

So alternatively, can these be done ?

if multiple instance of Unbounds are executed,
and if, each using only one set of cert/keys,
to connect with only one group of dns-server(s)
(from one service provider/location) which
supports that specific cert/keys, and then,
if all of these "secondary"/"slave" Unbound
instances are queried from another "master"
/"primary" Unbound,
then such design may work ?

Flow Diagram:
Primary-Unbound -->
   |
   v
connecting toward multiple local ports,
where each local port is connected with
a different "secondary" Unbound -->
   |
   v
--> secondary-Unbound (port 59001), using TLS/SSL
cert compatible with specific DNS-Server [01]
(80.239.156.220) --> SOCKS-proxy --> socks tunnel
--> Internet --> Socks-servr --> Internet -->
DNS-Server [01] (80.239.156.220) -->
   |
   v
--> secondary-Unbound (port 59002), using TLS/SSL
cert compatible with specific DNS-Server [02]
(213.154.224.3) --> SOCKS-proxy --> socks tunnel
--> Internet --> Socks-servr --> Internet -->
DNS-Server [02] (213.154.224.3) -->
...
and so on.

question is mentioned above.

-- Bright Star (Bry8Star).

Note For USERS: When You Reply, Pls Make Sure,
the "To:" field has below email-address:
unbound-users@unbound.net

Paul Wouters wrote:
Received on 2012-11-01 6:31 PM [GMT-08:00]:

unbound, was already configured to support local UDP, and TCP
DNS-queries, and use only TCP DNS for upstream outbound queries
with Internet name-servers, DNS-Servers, private remote
name-servers, etc (which i have mentioned previously). Then i
changed only name-server(s) & DNS-Server(s) inside
unbound.conf/service.conf file, with unique local port, and
placed "socat" port forwarder & socksifier (toward actual
name-server/DNS-server), on each of those unique port.

since i've not enabled remote control section/feature in local
unbound, i guess unbound-control will probably not work.

You can configure forwarders in unbound.conf as well.

With unbound only doing TCP sessions, you should be able to it
all over tor or SOCKS proxies.

Does a feature exist in Unbound to specify SSL/TLS cert for
connecting with each/specific DNS-Server(s) ? and then send
DNS-queries ? (pls assume these DNS-Servers supports
DNS-queries via TLS encrypted connections via their TCP port
443).

Yes, unbound can talk to unbound servers using TLS/SSL, but it
will not perform any validation of the PKIX certificates. It
assumes that important data obtained this way is protected by
DNSSEC.

For example, if you configure this in unbound running on a
server:

# service clients over SSL (on the TCP sockets), with plain DNS #
inside # the SSL stream. Give the certificate to use and private
key. # default is "" (disabled). requires restart to take
effect. # ssl-service-key: "path/to/privatekeyfile.key" #
ssl-service-pem: "path/to/publiccertfile.pem" # ssl-port: 443

Then you can configure this on the client:

# request upstream over SSL (with plain DNS inside the SSL #
stream). # Default is no. Can be turned on and off with
unbound-control. # ssl-upstream: no

This is what "dnssec-trigger" configured using unbound-control
when it needs to use DNS over TLS via unbound. It uses one of
these servers:

# Provided by fedoraproject.org, #fedora-admin # It is provided
on a best effort basis, with no service guarantee. ssl443:
80.239.156.220
A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2

tcp80: 80.239.156.220 ssl443: 66.35.62.163
A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2

tcp80: 66.35.62.163 ssl443: 152.19.134.150
A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:AA:87:E6:F2

tcp80: 152.19.134.150 ssl443:
2610:28:3090:3001:dead:beef:cafe:fed9
A8:3E:DA:F0:12:82:55:7E:60:B5:B5:56:F1:66:BB:13:A8:BD:FC:B4:51:41:C0:F2:E7:8E:7B:64:

AA:87:E6:F2


No. There is no "DNS over TLS" standard, so you will not
be able to do that, unless you hide the TLS tunneling

I still think you are looking for a problem to a built solution.

Paul


I never asked for a "DNS over TLS" standard !
Paul, what are you talking about "problem to a built solution" ! !

From the first email, i'm keep on asking for a solution to connect
securely (encrypted) with a DNS-server, (so that someone in the
middle does not know what exact domain my DNS-client/resolver is
querying, primarily for privacy reasons & concerns).

Haven't you noticed the HTTPS-DNS feature(s) used by many public
DNS-Servers ?
http://www.privacyfoundation.de/projekte/https_dns/

I thought "Unbound" alone, or with a assistant from simple tool, it
will be able to use those HTTPS-DNS features (on windows platforms),
to connect with those DNS-Servers.

Anyway, MORE QUESTIONS REMAINED UN-ANSWERED, as well as no-one cared
to respond/answer even simple 'unbound' related questions which
i'm placing in each email, since the first email !

-- Bright Star (Bry8Star).

Paul Wouters wrote:
Received on 2012-11-03 12:38 PM [GMT-08:00]:

No. There is no "DNS over TLS" standard, so you will not
be able to do that, unless you hide the TLS tunneling

I still think you are looking for a problem to a built solution.

I never asked for a "DNS over TLS" standard !

You ask for something that interoperates, without "hacking" with
wrapper solutions. I am telling you the only way that is possible
is if there is a standard, which there is not. You _are_ asking
why there is no "standard" way to do this with all kinds of
different equipment.

Paul, what are you talking about "problem to a built solution" ! !

You think that encrypting part of the way to some remote DNS server
gives you privacy. I've told you repeatedly that is not possible.

Let's say you do an encrypted DNS query/answer, and after that you
do port 443 traffic to 157.166.255.18. It's trivial to know where
you connected to and what that dns query was. If you then say, you
will hide traffic to 157.166.255.18, then I tell you that's where
you should hide your DNS traffic to as well. Some people told you
this months ago as well on the list, including me.

From the first email, i'm keep on asking for a solution to connect
securely (encrypted) with a DNS-server, (so that someone in the
middle does not know what exact domain my DNS-client/resolver is
querying, primarily for privacy reasons & concerns).

someone in the middle is someone who routes your packets, and will
see you connect after your dns reply. You cannot hide from those
people. That is why I say this is a solution looking for a problem.

Haven't you noticed the HTTPS-DNS feature(s) used by many public
DNS-Servers ?
http://www.privacyfoundation.de/projekte/https_dns/

Reading from that page, they were more looking to circumvent DNS
censorship and not providing privacy. If you want your DNS proof
against censorship, deploy DNSSEC. You will know when someone tried
to rewrite your DNS, and you will be able to tell you are under attack.
There is nothing you can do from being stopped, if they are on your
path. They can simply filter out the packets you need to connect.

I thought "Unbound" alone, or with a assistant from simple tool, it
will be able to use those HTTPS-DNS features (on windows platforms),
to connect with those DNS-Servers.

I don't know how they implemented it. unbound implements TLS purely
as a wrapper for DNS over TCP, which is an RFC standard.

Anyway, MORE QUESTIONS REMAINED UN-ANSWERED

The answers have been given before. You just don't like the answers you
are hearing.

, as well as no-one cared
to respond/answer even simple 'unbound' related questions which
i'm placing in each email, since the first email !

You got various answers, and despite me telling you about your idea
being flawed, I kept answering on how to configure unbound to use
dns over tls, and how to force unbound to use tcp, not udp. In fact,
it is because I asked the unbound people to support listening on port
53 UDP, but resolving upstream using TCP 53, that scenarios like the
one you seem to want to build are even possible without special client
support. I requested the support so DNS could be forced over TCP, so
that it could be routed into the TOR network - for limited privacy, but
better than what I understand from your solution.

Instead, you insist on wanting to do SOCKS stuff and what not, which
is not a good solution, and does not provide generic support for
applications, and will always cause non-socks aware software from
sending udp dns queries that will leak out at the expense of the user's
privacy. That is why I again tell you, you are building the wrong
solution. But I won't keep repeating this over and over again. I've
helped you where I can, and in return you're just being rude and
unfriendly.

Paul

Hi Paul,

I really appreciate your generous help
& for your very very helpful discussions
/comments.

But you are adding/talking about "problem",
which are appearing to you or on your side,
it may not be problematic for others or other
side, you are thinking & assuming from your
point of view on these.

If i were to ask for, What is a good "privacy"
solution, or, what is not a problematic "secured"
DNS query solution, or, similar question, anyone
can give me their input, but i'm not asking for
those.

I'm asking about technical "solution"
(or discussion/comment), to achieve few
functionalities & features.

Not asking about what is "good" "bad" "problem"
"not-problem" "flawed" "not-flawed" ... etc !
(these are relative terms/words, something bad
for you may be good for me.)
(something easy for you, may be hard for me).
(something "problem" for you may not be "problem"
for me).
(something seems flawed in one type of function may not be flawed or
even welcome in another function).
If someone going to mention such, then they
should mention (at least try to mention)/analyze
other side(s) as well.

There are many other side, and those other sides
may be doing something extra which i'm not aware of.

You have assumed again, i'm doing both: a DNS query
and right after that i will do a connection to that
site over TLS/SSL.

How do you know, if i'm doing that ?

If you see a problem, then explain what is it that
seems to be problematic from your side. Then other
side (may) give you their input and clarify it
further.

If i'm concern about secured encrypted connection,
privacy, etc or such, i would obviously make sure
i'm using different SOCKS tunnels for different
function, or use other solutions.

From the first email, i've showed diagrams of
multiple SOCKS ... am i not ? All going into
different locations, via different ISPs/HSPs.

Different protocol and software using different
SOCKS tunnels.
Even dns (and others) are distributed over
multiple SOCKS tunnel.

I use protocol analyzer inside a PC, and
another behind a network card, so i can
see what is leaking.

Your extra ordinary detail help on using TLS/SSL
cert with other Unbound(s), are superb. THANKS.

I'm very very grateful for your ALL HELP.

I'm very sure, you have been contributing in
these areas for very very long time, and have
done lots of contribution as well.

Just trying to discuss and understand
technical stuff.

Anyway, if anyone go back & start from first
email to answer at-least few "unbound" related
questions would have been great.

-- Bright Star (Bry8Star).

Paul Wouters wrote:
Received on 2012-11-05 7:37 PM [GMT-08:00]:

Found a good Choice,
For routing/forwarding dns query network packets
from any dns-server/resolver software toward
destination DNS-Server via using SOCKS
servers/proxies.

This tool "DNS2SOCKS" from:
http://sourceforge.net/projects/dns2socks/
Authored/developed by "ghostmaker".

It is executed like this:
DNS2SOCKS.exe [/q] [Socks5ServIP[:Port]] [DNSServIP[:Port]] [ListenIP[:Port]]

ListenIP = localhost IP address 127.0.0.1
DNSServIP = destination DNS-Server's IP adrs.
Socks5ServIP = SOCKS 4a, 5 Server/proxy IP adrs.
the /q option is to hide the console window.
It can use local TCP & UDP both, uses TCP with
destination DNS-Servr via SOCKS tunnel.

Tested via regular SOCKS proxies and via Tor-proxy,
Works super great.

DNSSEC queries WORK :) :)
it can cache DNS answers and answer from cache.

I've applied it like this:

Flow Diagram: Local Unbound --> (unbound configured
to use specific local port(s) for each specific
destination DNS-Server(s) for each forward/stub zone)
--> local DNS2SOCKS --> local SOCKS proxy (or
Tor-SOCKS proxy) --> Internet (socks-tunnel) --> SOCKS
origin server (or Tor exit-node) --> Internet
--> destination DNS-Server (or name-server).

See my previous email/posting done on 2012-10-31
(y-m-d) where i've shown how i've used simple
"socat" tool for listening on certain localhost(LH)
ports, and routed/relayed received packets from
those LH ports inside SOCKS tunnels. And also see
unbound.conf or service.conf file's configuration
command-lines, which were configured to forward
DNS-queries toward a certain/specific local LH@port
DNS-Server, instead of forwarding DNS-queries directly
toward the actual destination DNS-Server.

Then DNS2SOCKS was configured to relay/forward/route
DNS-queries toward the actual destination DNS-Server,
via SOCKS tunnels/proxies.

I used a batch file (.cmd or .bat) placed around
fifty dns2socks command-lines, similar to below:

@start "dns2socks LH:1080 62.141.59.13:53 LH:58001" /D"%ProgramFiles%\dns2socks\" DNS2SOCKS.exe 127.0.0.1:1080 62.141.58.13:53 127.0.0.1:58001 /q
...
@start "dns2socks LH:9050 Other.DNS.Srvr.IP:53 LH:58050" /D"%ProgramFiles%\dns2socks\" DNS2SOCKS.exe 127.0.0.1:9050 Other.DNS.Srvr.IP:53 127.0.0.1:58050 /q

@rem each command starts with @start and ends with /q

So this (DNS2SOCKS) is another option/choice
other than the "socat" tool.

-- Bright Star (Bry8Star).

Bry8 Star wrote:
Received on 2012-11-02 5:17 PM [GMT-08:00]: