Unbound with DNSCrypt configuration

Hello

I am using unbound from Git version 1.6.9 and have compiled it with --enable-dnscrypt.
This is my unbound.conf setup:

# unbound.conf for a local subnet.

server:
interface: 0.0.0.0
interface: ::0
access-control: 192.168.0.0/16 allow
access-control: ::1 allow

# DNSCRYPT server:

interface: 0.0.0.0@443
interface: ::0@443

directory: "/usr/local/etc/unbound"
chroot: ""
username: ""
verbosity: 0
num-threads: 1
prefetch: yes
prefetch-key: yes
use-syslog: no
do-ip6: no
so-reuseport: yes
module-config: "validator iterator"

do-not-query-localhost: no

# file to read root hints from.

# get one from ftp://FTP.INTERNIC.NET/domain/
root-hints: "/usr/local/etc/unbound/named.cache"

Hi Peter,

I think you are mixing up how DNSCrypt in unbound works. By using:

interface: 0.0.0.0@443
interface: ::0@443

######DNSCRYPT############
dnscrypt:
dnscrypt-enable: yes
dnscrypt-port: 443
dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
dnscrypt-secret-key: /usr/local/etc/unbound/1.key
dnscrypt-provider-cert: /usr/local/etc/unbound/1.cert

###############################

Unbound will create a DNSCrypt server that will listen on port 443. Its provider name will be 2.dnscrypt-cert.cryptostorm.is. and it will use cert/key /usr/local/etc/unbound/1.{cert,key}.

I am under the impression that you think it will connect to 5.101.137.251 over DNSCrypt. This is the role of DNSCrypt proxy instead.

When you add:

forward-zone:
name: "."
forward-addr: 5.101.137.251

to the config, unbound will forward requests to 5.101.137.251 and will behave as a caching server. Because 5.101.137.251 also handles clear text DNS, this is working just fine and that IP is showing through the website you mentioned.

When you remove the forward-zone, unbound will behave as a recursive resolver and DNS queries will show up as coming from your DNS server to the outside world.

I think you are misunderstanding what role Unbound has in a DNSCrypt setup. Essentially, the config you are providing is the one that cryptostorm.is would use if they were going to set up a DNSCrypt server (aside from the forward-zone bit).

TL;DR you want to install DNSCrypt proxy. The original author is working on a new version: https://github.com/jedisct1/dnscrypt-proxy.

Manu
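
To make the distinction in Manu's reply checkable, here is an added example (not code from the thread or from the Unbound project): a small Python script that reads an unbound.conf in the shape posted above and reports whether the dnscrypt: block turns Unbound into a DNSCrypt server, and whether a root forward-zone sends queries in cleartext to a raw IP or to a loopback address. The loopback-means-local-dnscrypt-proxy heuristic and the 127.0.0.1@5300 listener address are my assumptions, not anything stated in the thread.

```python
import re
from collections import defaultdict
# Constructed input shaped like the first post: dnscrypt: block plus forward-zone to a raw IP.
AS_POSTED = """\
server:
    interface: 0.0.0.0@443
dnscrypt:
    dnscrypt-enable: yes
    dnscrypt-port: 443
    dnscrypt-provider: 2.dnscrypt-cert.cryptostorm.is.
forward-zone:
    name: "."
    forward-addr: 5.101.137.251
"""
# Constructed: forwarding to a local dnscrypt-proxy listener (127.0.0.1@5300 is an assumed address).
VIA_PROXY = 'server:\n    interface: 127.0.0.1\nforward-zone:\n    name: "."\n    forward-addr: 127.0.0.1@5300\n'

CLAUSE = re.compile(r"^([a-z-]+):\s*$")                            # e.g. "server:"
ATTR = re.compile(r'^([a-z0-9-]+):\s*"?([^"#]*?)"?\s*(?:#.*)?$')  # key: value, quotes/comment stripped

def parse(text):
    # Minimal unbound.conf reader: {clause: [ {key: [values]}, ... ]}
    cfg, block = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLAUSE.match(line):            # clause header opens a new block
            block = {}
            cfg[m.group(1)].append(block)
        elif (m := ATTR.match(line)) and block is not None:
            block.setdefault(m.group(1), []).append(m.group(2).strip())  # repeated keys accumulate
    return cfg

def classify(text):
    # Which roles the config gives Unbound, and where its upstream queries go
    cfg, roles = parse(text), []
    for blk in cfg.get("dnscrypt", []):
        if blk.get("dnscrypt-enable", ["no"])[0] == "yes":
            # dnscrypt: makes Unbound a DNSCrypt *server* for its own clients, not a client upstream
            roles.append("dnscrypt-server:" + blk.get("dnscrypt-port", ["?"])[0])
    root = [b for b in cfg.get("forward-zone", []) if b.get("name", [""])[0] == "."]
    if not root:
        roles.append("recursive")              # no forwarder: Unbound resolves iteratively itself
    for blk in root:
        for addr in blk.get("forward-addr", []):
            host = addr.split("@")[0]
            # Heuristic: loopback forwarder assumed to be a local dnscrypt-proxy; anything else is plain DNS
            local = host.startswith("127.") or host == "::1"
            roles.append(("forward-local:" if local else "forward-cleartext:") + addr)
    return roles
```

Running classify(AS_POSTED) reports both a DNSCrypt server on 443 and a cleartext forwarder to 5.101.137.251, which is exactly the situation the reply describes.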

Hello Manu

Thanks so much for your clear explanation, it has helped me understand now what is going on.

I have in the past installed dnscrypt-proxy and tried to use it along with unbound. I think after your explanation that in the past I wrongly assumed they were not ‘playing together nicely’ when in fact they were.

I have seen and tried dnscrypt-proxy2 and got that working ok.

May I ask if you can help on the following questions :

  1. Is there an answer to the question: which is better for security, dnscrypt-proxy or dnscrypt under unbound?

  2. In the past I have seen comments from jedisct1 (Frank Denis) that it is not really advisable to mix running his programme dnscrypt-proxy and a VPN together. Is there an answer?

thanks again

Peter