TLS certificate question about Unbound 1.9.2 (rollingonchrome)

Thank you, Yuri.

The certificate bundle does exist in the assumed path.

Any other suggestions would be appreciated.

Best,

RoC

The obvious thing: do you have sources for DoT? I.e.,

forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-tls-upstream: yes

?

Your Unbound should forward queries to somewhere.

02.04.2019 22:15, rollingonchrome via Unbound-users writes:

Thank you, Yuri.

The certificate bundle does exist in the assumed path.

Any other suggestions would be appreciated. Below is my config file. Also, here is the error from the log file:

Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword ‘tls-cert-bundle’
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ‘:’
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ‘"’
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword ‘/etc/ssl/certs/ca-certificates.crt’
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ‘"’

Apologies for partially posting this message twice. I wasn’t sure exactly how to edit the subject to properly thread my reply.

server:

# If no logfile is specified, syslog is used
logfile: "/var/log/unbound/unbound.log"

verbosity: 0

port: 5353
do-ip4: yes
do-udp: yes
do-tcp: yes

# May be set to yes if you have IPv6 connectivity
do-ip6: no

# Use this only when you downloaded the list of primary root servers!
root-hints: "/var/lib/unbound/root.hints"

# Trust glue only if it is within the server's authority
harden-glue: yes

# Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes

# Don't use capitalization randomization, as it is known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no

# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472

# TTL bounds for cache
cache-min-ttl: 3600
cache-max-ttl: 86400

# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes

# One thread should be sufficient, can be increased on beefy machines
num-threads: 1

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
so-rcvbuf: 1m

# Ensure privacy of local IP ranges
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10

# New configuration items
qname-minimisation: yes
fallback-enabled: yes

# DNS over TLS: https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/
access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
hide-identity: yes
hide-version: yes
minimal-responses: yes
rrset-roundrobin: yes
ssl-upstream: yes

forward-zone:
name: "."

# Quad9
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net

# Cloudflare DNS
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com

# Google Public DNS
forward-addr: 2001:4860:4860::8888@853#dns.google
forward-addr: 8.8.8.8@853#dns.google
forward-addr: 2001:4860:4860::8844@853#dns.google
forward-addr: 8.8.4.4@853#dns.google

# Cleanbrowsing Security Filter
forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org
forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org

# Tenta DNS
# ICANN
forward-addr: 99.192.182.200@853#iana.tenta.io
forward-addr: 99.192.182.201@853#iana.tenta.io

# OpenNIC
forward-addr: 99.192.182.100@853#opennic.tenta.io
forward-addr: 99.192.182.101@853#opennic.tenta.io

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
# tls-cert-bundle feature not available until Unbound 1.7.1
# Actually secure DNS over TLS in Unbound https://www.ctrl.blog/entry/unbound-tls-forwarding

# request upstream over TLS (with plain DNS inside the TLS stream).
# Default is no. Can be turned on and off with unbound-control.
# tls-upstream: no

Non-required, but parameter error for 1.9.x

Ok, do you have port 853 open to the outside on your firewall? Can you connect from the device to any upstream using telnet via port 853?

Make sure you can connect to DoT upstream:

https://i.imgur.com/Andpr9t.png

Note: It can be blocked by your ISP or by yourself on the firewall.

BTW. Are you sure you are using the latest 1.9.x version of Unbound? Because a real 1.9.1 should not complain about this keyword.

Hi Yuri,

Thank you for your help. Yes, 853 is open. I can see in the log files that Unbound is making SSL connections, though they are not authenticated.

I believe the problem is the tls-cert-bundle keyword or syntax:

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

I am getting the following errors when that line is included in my config file:

Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword ‘tls-cert-bundle’
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ‘:’
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ‘"’
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword ‘/etc/ssl/certs/ca-certificates.crt’
Apr 2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ‘"’

It looks like either my syntax is incorrect or Unbound is not recognizing the tls-cert-bundle keyword.

Thank you,

RoC
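An added illustration, not code from this thread or from the Unbound project: a small Python linter for the DoT forwarding settings discussed above. It flags the things the thread circles around: typographic quotes that the parser reports as stray characters, a tls-cert-bundle line read by a binary older than 1.7.1 or placed outside the server: clause, and port 853 forwarders with TLS off or without a #authname to authenticate against. The sample config, the message texts and the version tuple are constructed for the example.

```python
import re

# Constructed sample (not the thread's config): a trimmed DoT forward setup
# whose path carries typographic quotes, as a mail client or web page renders it.
SAMPLE = """server:
    ssl-upstream: yes
    tls-cert-bundle: \u201c/etc/ssl/certs/ca-certificates.crt\u201d
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853
"""
SMART_QUOTES = "\u201c\u201d\u2018\u2019"
TLS_KEYS = {"ssl-upstream", "tls-upstream", "forward-ssl-upstream", "forward-tls-upstream"}

def parse(text):
    """Yield (lineno, clause, key, value); '#' is a comment only at a token boundary."""
    clause = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value:            # "server:" / "forward-zone:" opens a clause
            clause = key
            continue
        yield n, clause, key, value

def lint(text, version=(1, 9, 1)):
    """Findings for the DoT mistakes in the thread; version is that of the binary reading the file."""
    items = list(parse(text))
    keys = {k for _, _, k, _ in items}
    tls_on = bool(TLS_KEYS & keys)
    out = []
    for n, clause, key, value in items:
        if any(c in SMART_QUOTES for c in value):
            out.append(f"line {n}: {key}: typographic quotes, the parser reports stray characters and unknown keywords")
        if key == "tls-cert-bundle" and clause != "server":
            out.append(f"line {n}: tls-cert-bundle is a server: option, not a {clause}: option")
        if key == "forward-addr" and "@853" in value:
            if not tls_on:
                out.append(f"line {n}: {value}: port 853 but TLS upstream is off, plaintext DNS would be sent")
            elif "#" not in value:
                out.append(f"line {n}: {value}: no #authname, the server certificate is not authenticated")
    if "tls-cert-bundle" in keys and version < (1, 7, 1):
        out.append("tls-cert-bundle needs Unbound 1.7.1 or later, an older binary rejects it as an unknown keyword")
    if tls_on and "tls-cert-bundle" not in keys:
        out.append("TLS upstream without tls-cert-bundle: no CA store, so the #authname cannot be verified")
    return out
```

The linter only catches the mistakes named above; the real file should still go through unbound-checkconf with the binary the service actually starts.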

Wait. What OpenSSL version do you have?

Hi Yuri,

I have OpenSSL version 1.1.0j 20 Nov 2018

Thanks,

RoC

Yuri yvoinov at gmail.com Tue Apr 2 19:26:33 CEST 2019

02.04.2019 23:10, rollingonchrome via Unbound-users writes:

Hi Yuri,

Thank you for your help. Yes, 853 is open. I can see in the log files
that Unbound is making SSL connections, though they are not authenticated.

Wait. What OpenSSL version do you have?

Hm. Seems ok.

Well. Finally, let's check the most obvious thing.

Show output for

unbound-control | grep Version

Hi Yuri,

pi@raspberrypi_pi-hole:~ $ unbound-control | grep Version
Version 1.9.2

I compiled 1.9.2 over 1.6.0 and doing this did not replace my config files. So there could be an issue lurking in one of those files from the original 1.6.0 installation.

Yuri yvoinov at gmail.com
Tue Apr 2 19:40:28 CEST 2019

Hm. Seems ok.

Well. Finally, let's check the most obvious thing.

Show output for

unbound-control | grep Version

BTW. Where did you get 1.9.2, when the latest stable is 1.9.1?

We cloned from GitHub. It showed 1.9.1 as the latest but when it compiled it said 1.9.2.

https://github.com/NLnetLabs/unbound

Ah. You are risky :slight_smile: Take stable. I'm running stable 1.9.1 on 3 production servers exclusively with DoT, with OpenSSL 1.0.2o, and have no issues.

Also, of course, re-write unbound.conf. From 1.6.0 to 1.9.x an eternity has passed. :slight_smile:
Despite backward compatibility, the versions are still too different.
In any case, I advise you to get the latest stable released version, 1.9.1.

PS. It is a bad idea to take unstable (work in progress) code from GitHub and try to use it. This is very risky and usually for experienced programmers who know what they are doing.

My high-school aged son is the expert and he was more facile with GitHub than the SVN repository.

We will have to figure out how to compile the stable version.

Thank you for your help!

Yuri yvoinov at gmail.com
Tue Apr 2 20:37:03 CEST 2019

Ah. You are risky :slight_smile: Take stable. I'm running stable 1.9.1 on 3 production
servers exclusively with DoT, with OpenSSL 1.0.2o, and have no issues.

Also, of course, re-write unbound.conf. From 1.6.0 to 1.9.x an eternity has
passed. :slight_smile:
Despite backward compatibility, the versions are still too different.
In any case, I advise you to get the latest stable released version, 1.9.1.

PS. It is a bad idea to take unstable (work in progress) code from GitHub
and try to use it. This is very risky and usually for experienced
programmers who know what they are doing.

You’re welcome :slight_smile:

And make sure you really installed built binaries.

Thanks again, Yuri.

I’m still having problems. As a reminder, I’m on Raspbian, which only has a 1.6.0 stable package.

I downloaded and built the 1.9.1 source code from here: http://www.unbound.net/downloads/unbound-1.9.1.tar.gz

The build is verified as Version 1.9.1.

It works fine (exactly as on 1.6.0 and 1.9.2) WITHOUT the “tls-cert-bundle” keyword.

With the “tls-cert-bundle” keyword, I continue to get this error and nothing works. It appears that unbound doesn’t recognize the “tls-cert-bundle” keyword:

Apr 2 15:06:51 raspberrypi_pi-hole systemd[1]: Started Unbound DNS server via resolvconf.
Apr 2 15:06:51 raspberrypi_pi-hole unbound[27172]: /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: unknown keyword ‘tls-cert-bundle’
Apr 2 15:06:51 raspberrypi_pi-hole unbound[27172]: /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: stray ‘:’
Apr 2 15:06:51 raspberrypi_pi-hole unbound[27172]: /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: stray ‘"’
Apr 2 15:06:51 raspberrypi_pi-hole unbound[27172]: /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: unknown keyword ‘/etc/ssl/certs/ca-certificates.crt’
Apr 2 15:06:51 raspberrypi_pi-hole unbound[27172]: /etc/unbound/unbound.conf.d/tls-cert-bundle.conf:4: error: stray ‘"’
Apr 2 15:06:51 raspberrypi_pi-hole unbound[27172]: read /etc/unbound/unbound.conf failed: 5 errors in configuration file
Apr 2 15:06:51 raspberrypi_pi-hole unbound[27172]: [1554242811] unbound[27172:0] fatal error: Could not read config file: /etc/unbound/unbound.conf

Yuri yvoinov at gmail.com
Tue Apr 2 21:43:19 CEST 2019

You’re welcome :slight_smile:

And make sure you really installed built binaries.

Does anyone know what version of TLS Unbound 1.9.1 uses?

It looks like OpenSSL on Debian/Raspbian will only support TLS 1.2 until the next Debian/Raspbian release (Buster).

Unless Unbound uses TLS 1.2, I don’t think TLS will work properly on Debian/Raspbian.

Hi,

When I add some garbage to my config:

Yes, Tom, yesterday I had the same question :slight_smile: Probably you are right.

03.04.2019 13:31, Tom Hendrikx via Unbound-users writes: