networking:dns:unbound:configure_encrypted_dns_with_caching

networking:dns:unbound:configure_encrypted_dns_with_caching [2020/12/06 11:09] – created peternetworking:dns:unbound:configure_encrypted_dns_with_caching [2020/12/06 11:33] (current) peter
Line 76: Line 76:
  
 Unbound distributes its requests evenly to all configured servers, so the more servers that are configured the fewer of your requests any one actually sees, making it more difficult to for them to get a complete picture of your activities even if they tried.
 +
 +----
 +
 +The **forward-addr** have following syntax:
 +
 +  * The first part, before the @, is the IP address.
 +  * The middle part, between @ and #, is the port.
 +  * The trailing part, after the #, is the hostname.  The host name should match the certificate being used by the server. This last part is optional, but not providing it allows you to connect to another DNS server as long as it has a valid certificate, which allows man-in-the-middle attacks.
  
 +</WRAP>
 +
 +----
 +
 +===== Handle Unresolved Responses =====
 +
 +In the above configuration, Unbound would not resolve the name if none of the configured resolvers responded; and if the name was not in the cache.
 +
 +To get Unbound to try to resolve the name itself in this case, you can add:
 +
 +<file bash /etc/unbound/unbound.conf>
 +....
 +forward-zone:
 +    forward-first: yes
 +</file>
 +
 +<WRAP important>
 +**WARNING:**  Be aware that in this case the servers you contact might not be as privacy oriented as the configured servers.
 +</WRAP>
 +
 +----
 +
 +===== Serve Names to Peers =====
 +
 +This configuration is designed to only serve names locally.
 +
 +If you want to want to serve names to peers, you would need to open the desired ports (53 and perhaps 853) in your firewall and change access-control as follows:
 +
 +<file bash /etc/unbound/unbound.conf>
 +...
 +# Only allow access from localhost.
 +access-control: 0.0.0.0/0 allow
 +access-control: 127.0.0.0/8 allow
 +access-control: ::0/0 allow
 +access-control: ::1 allow
 +</file>
 +
 +----
 +
 +===== Test that TLS is Working =====
 +
 +<code bash>
 +openssl s_client -connect localhost:853
 +</code>
 +
 +You can find the name suitable for an upstream server using:
 +
 +<code bash>
 +openssl s_client -connect 1.1.1.1:853
 +</code>
 +
 +The host name you append to your **forward-addr** should match that given as the CN name reported by openssl.
 +
 +----
 +
 +===== Workaround Man-In-The-Middle =====
 +
 +A corporate firewall that inserts itself as a man-in-the-middle in all connections may cause this setup to fail.
 +
 +If your TLS CA bundle does not have the corporate certificates, Unbound refuses to connect to the external resolvers in this case.
 +
 +This situation prevents you from resolving any names. In addition, in some extreme cases, corporate firewalls block access to the DNS ports completely.
 +
 +==== Resolution ====
 +
 +To work around this issue, access to a trusted resolver is provided using an SSH tunnel; assuming that SSH can be used, and the IP address of the secure server is known so that setting up the tunnel is not dependent on the resolver.
 +
 +If TLS is not required:
 +
 +<file bash /etc/unbound/unbound.conf>
 +...
 +server:
 +    tcp-upstream: yes
 +    do-not-query-localhost: no
 +
 +forward-zone:
 +    forward-tls-upstream: no
 +    forward-addr: 127.0.0.1@11053
 +...
 +</file>
 +
 +<WRAP info>
 +**NOTE:**  Here an SSH tunnel exists from localhost@11053 to the remote secure server’s port 53.
 +</WRAP>
 +
 +
 +If TLS will be used for all upstream resolvers:
 +
 +<file bash /etc/unbound/unbound.conf>
 +server:
 +    do-not-query-localhost: no
 +
 +forward-zone:
 +    forward-tls-upstream: yes
 +    forward-addr: 127.0.0.1@11853#server-name.tld
 +</file>
 +
 +<WRAP info>
 +**NOTE:**  If TLS is required for any resolver in a **forward-zone**, it is required for all resolvers.
 +
 +TLS must be properly configured for the secure remote resolver being accessed through the SSH tunnel and your local certificate authority bundle must include the certificate of the authority that issued your TLS certificate. 
 +
 +
 +This example uses:
 +
 +  * server-name.tld is a name compatible with the certificate.  Use openssl to determine CN.
 +  * An SSH tunnel exists from localhost@11853 to the remote secure server’s port 853.
 </WRAP>
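Review bot: The access-control block under "Serve Names to Peers" turns Unbound into an open resolver while its comment still says the opposite: `# Only allow access from localhost.` is followed by `access-control: 0.0.0.0/0 allow` and `access-control: ::0/0 allow`, which permit recursion for every IPv4 and IPv6 source, not just peers. An open recursive resolver reachable on port 53 is a standing amplification-abuse and cache-poisoning exposure, so the example should allow only the peers' actual prefixes (for instance the LAN range) alongside 127.0.0.0/8 and ::1, and the comment should be updated to say what the lines actually do. Two smaller points in the same hunk: the "Handle Unresolved Responses" section should say that `forward-first: yes` falls back to Unbound's own iterative recursion, which sends the query in the clear to authoritative servers and therefore bypasses the TLS protection the rest of the page sets up (the warning box hints at this but does not say it); and in the SSH-tunnel notes, "localhost@11053" and "localhost@11853" do not match the forward-addr syntax the page itself documents (IP@port#hostname), so they should read 127.0.0.1@11053 and 127.0.0.1@11853 to match the configuration lines above them.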
  
networking/dns/unbound/configure_encrypted_dns_with_caching.1607252982.txt.gz · Last modified: 2020/12/06 11:09 by peter
