Unbound - Authoritative Recursive Caching DNS Server

[rgnldo]

That looks like it will work the only thing you may need to do is a firewall rule for tcp on port 853. And every body that decides to go this route has to make the directory and provide their own ssl cert for their setup.

I'm counting on you.

 

[rgnldo]

rule for tcp on port 853.

There are DoT servers on port 443 for easy access through the firewall.

stream {
    upstream dns-servers {
        server    127.0.1.1:53535;

I'm in doubt at upstream dns-servers

 

[Delusion]

cd /opt/etc/nginx/ssl
chown -R nobody /opt/etc/nginx/ssl
openssl genrsa -out dot-server.key 2048
openssl req -key ca.key -new -x509 -days 720 -sha256 -extensions v3_ca -out dot-server.crt -subj "/CN=Pixelserv CA"

Well... I made it run. It runs now but how do I check that it works as it suppose to?

 

[rgnldo]

The last command gives me an error... (I installed pixelserv)

openssl req -key dot-server.key -new -x509 -days 720 -sha256 -extensions v3_ca -out dot-server.crt -s
ubj "/CN=Nginx CA"

I just adapted from Pixelserv

 

[rgnldo]

@SomeWhereOverTheRainBow

stream {
    upstream dns-servers {
        server    127.0.0.1:53535;
 
    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;

        ssl_certificate            /opt/etc/nginx/ssl/dot-server.crt;
        ssl_certificate_key        /opt/etc/nginx/ssl/dot-server.key;

        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
 
        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:SSL:20m;
        ssl_session_timeout      4h;
    }
}

iptables -I INPUT -p tcp --dport 853 -j ACCEPT

 

[rgnldo]

Well... I made it run. It runs now but how do I check that it works as it suppose to?

openssl req -key dot-server.key -new -x509 -days 720 -sha256 -extensions v3_ca -out dot-server.crt -s
ubj "/CN=Nginx CA"

 

[Delusion]

@SomeWhereOverTheRainBow

Spoiler

stream {
    upstream dns-servers {
        server    127.0.0.1:53535;
 
    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;

        ssl_certificate            /opt/etc/nginx/ssl/dot-server.crt;
        ssl_certificate_key        /opt/etc/nginx/ssl/dot-server.key;

        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
 
        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:SSL:20m;
        ssl_session_timeout      4h;
    }
}

iptables -I INPUT -p tcp --dport 853 -j ACCEPT

Ngnix fails to start with this config (missing some things).


This works:

load_module /opt/lib/nginx/ngx_stream_module.so;
user  nobody;
events { }
stream {
    upstream dns-servers {
        server    127.0.0.1:53535;

    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;

    ssl_certificate      /opt/etc/nginx/ssl/dot-server.crt;
    ssl_certificate_key  /opt/etc/nginx/ssl/dot-server.key;

        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305>


        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:SSL:20m;
        ssl_session_timeout      4h;
    }
}

 

[dave14305]

Where would this all run? On the router? So who connects to it using DoT? Each client individually requiring a Stubby install? I’m trying to see how we solve the unencrypted Unbound recursive queries out to the internet from the router. This seems to be a solution for making Unbound a DoT listener for the LAN, but that’s about it, as best I understand from what’s been posted.

Opening port 853/tcp to the Internet seems like a bad idea.

 

[rgnldo]

Ngnix fails to start with this config (missing some things).


This works:

load_module /opt/lib/nginx/ngx_stream_module.so;
user  nobody;
events { }
stream {
    upstream dns-servers {
        server    127.0.0.1:53535;

    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;

    ssl_certificate      /opt/etc/nginx/ssl/dot-server.crt;
    ssl_certificate_key  /opt/etc/nginx/ssl/dot-server.key;

        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305>


        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:SSL:20m;
        ssl_session_timeout      4h;
    }
}

nginx: [error] open() "/opt/var/run/nginx.pid" failed (2: No such file or directory)

 

[rgnldo]

Where would this all run? On the router? So who connects to it using DoT? Each client individually requiring a Stubby install? I’m trying to see how we solve the unencrypted Unbound recursive queries out to the internet from the router. This seems to be a solution for making Unbound a DoT listener for the LAN, but that’s about it, as best I understand from what’s been posted.

Opening port 853/tcp to the Internet seems like a bad idea.

We're buying the idea of a local DoT solution, a makeshift SNI.

 

[dave14305]

unbound.conf with better performance.

server:
# port to answer queries from
port: 53535
verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log"
log-queries: yes
log-replies: yes

do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
interface: 127.0.0.1
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/24 allow
access-control: 192.168.1.0/24 allow
access-control: ::0/0 refuse
access-control: ::1 allow

# private networks:
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: fe80::/10

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
so-reuseport: yes
outgoing-range: 8192
num-queries-per-thread: 4096
outgoing-num-tcp: 10
incoming-num-tcp: 10
infra-cache-numhosts: 15000
infra-cache-lame-size: 10k

# tiny memory cache
key-cache-size: 16m
msg-cache-size: 8m
rrset-cache-size: 8m
cache-min-ttl: 3600
cache-max-ttl: 86400
cache-max-negative-ttl: 0
infra-host-ttl: 60
infra-lame-ttl: 120
edns-buffer-size: 1472

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# DNSSEC and DNS-over-TLS
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
auto-trust-anchor-file: "/root.key"

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

Turn off log-queries and log-replies for better performance in non testing modes.

 

[Delusion]

nginx: [error] open() "/opt/var/run/nginx.pid" failed (2: No such file or directory)

Try to kill nginx proccess (killall nginx ) and start it again

 

[rgnldo]

Nginx Verification Command

/opt/etc/init.d/S80nginx test
nginx: the configuration file /opt/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /opt/etc/nginx/nginx.conf test is successful

load_module /opt/lib/nginx/ngx_stream_module.so;
user  nobody;
worker_processes  1;
events { }
stream {
    upstream dns-servers {
        server    127.0.0.1:53535;

    }

    server {
        listen 1.2.3.4:853 ssl;
        proxy_pass dns-servers;

        ssl_certificate      /opt/etc/nginx/ssl/dot-server.crt;
        ssl_certificate_key  /opt/etc/nginx/ssl/dot-server.key;
     
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
        ssl_prefer_server_ciphers       on;

        ssl_session_timeout             1d;
        ssl_session_tickets             off;
        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:DoT:10m;
    }
}

I need you to see if it's working. I don't know where to check.

 

[rgnldo]

openssl req -x509 -nodes -days 3650 -subj "/C=PT/CN=1.2.3.4" -sha512 -newkey rsa:4096 -keyout /opt/etc/nginx/ssl/dot-nginx.ke
y -out /opt/etc/nginx/ssl/dot-nginx.pem

 

[rgnldo]

ifconfig br0:nginx 1.2.3.4 up

 

[rgnldo]

Apparently, after version 1.6.7, unbound does its own DNS-over-TLS scenario
https://dnsprivacy.org/wiki/display/DP/Using+Unbound+as+a+DNS+Privacy+server

# listen on all interfaces on port 853, answer queries from the local subnet.
        interface: 0.0.0.0@853
        interface: ::0@853

        tls-service-key: "<path_to_private_key>"
        tls-service-pem: "<path_to_certifcate_file>"
        tls-port: 853
        incoming-num-tcp: 1000 # Number of simultaneous incoming TCP connections per thread to allow
        # Listen on UDP but still issues queries upstream over UDP.
        # Only available in 1.6.7 and later
        udp-upstream-without-downstream: yes
        qname-minimisation: yes

 

[rgnldo]

Has anyone tested on client terminals to verify that IPV6 is caching with unbound? I'm getting cache only with IPV4. I think we'll need to add

::1#53535

on dnsmasq.postconf

 

[rgnldo]

Yes, we will have to add in dnsmasq the local IPV6 address

netstat -tulpen | grep unbound
tcp        0      0 127.0.0.1:53535            0.0.0.0:*               LISTEN      0          7312680     27897/unbound
tcp6       0      0 ::1:53535                 :::*                    LISTEN      0          7312676     27897/unbound[CODE]

 

[DonnyJohnny]

Thanks for experimenting with this project.
Hope to see a final product soon.

question to ask. The FAQ was drifted for some time. Not sure if unbound has updates on that.

What is the difference between using Stubby and using Unbound as a local forwarding resolver?
ANSWER: Unbound can be configured as a local forwarder using DNS-over-TLS to forward queries. However at the moment Unbound does not have all the TCP/TLC features that Stubby has for example, it cannot support 'Strict' mode, it cannot pad queries to hide query size and it opens a separate connection for every DNS query (Stubby will re-use connections). However, Unbound is a mature and stable daemon and many people already use it as a local resolver. While there were some early issues the last few releases of Stubby have focussed on stability and security and have significantly improved the usability of Stubby. We also have plans to add a small cache to stubby! Note that some users choose to use the two together, unbound for caching and stubby for upstream TLS.
https://dnsprivacy.org/wiki/m/mobile.action#page/3145784

 

[rgnldo]

Unbound can be configured as a local forwarder using DNS-over-TLS to forward queries. However at the moment Unbound does not have all the TCP/TLC features that Stubby

The 1.7.1 release of unbound. Probably the article refers to older versions of unbound. Not currently applicable.
The general argument for using encrypted DNS is to hide the DNS traffic from an ISP. The weakness in this argument is that even if you do mask your DNS queries (the ISP doesn’t know you are looking for domain xyz), after the DNS resolver gives you the answer, you immediately ask the ISP for the IP address of domain xyz, so the ISP knows where your traffic is going anyway. The other argument for encrypted DNS is that the traffic goes in an encrypted tunnel and won’t be tampered with. With DNSSEC, unbound verifies that received IP addresses are as sent by the name servers.
Summary - Stubby encrypts your DNS traffic to an upstream provider. You have to trust both the upstream provider and your ISP. Unbound communicates directly with the authoritative name servers, eliminating the upstream DNS server. You only have to trust yourself and the ISP.
Unfortunately, I have no way to set up unbound fully functioning on an embedded device such as a router, where dnsmasq does almost everything.