NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

problem with ssl-upstream and vpn interface #27

Open changemenemo opened 5 years ago

changemenemo commented 5 years ago

Hi,

Since I haven't been able to post anything through the mailing list to get some help, I'm posting here instead.

I recently wanted to setup unbound in place of dnscrypt to resolve queries with my pi-hole on my rasp.

The version of unbound available on Raspbian is 1.6.0 currently.

When activating the options


    ssl-upstream: yes
    ssl-service-key: "/etc/ssl/certs/ca-certificates.crt"

unbound stopped working and we have something like this in the logs:

[1556709926] unbound[4394:0] info: server stats for thread 0: 23 queries, 7 answers from cache, 16 recursions, 0 prefetch
[1556709926] unbound[4394:0] info: server stats for thread 0: requestlist max 13 avg 1.875 exceeded 0 jostled 0
[1556709926] unbound[4394:0] info: mesh has 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 16 recursion replies sent, 0 replies dropped, 0 states jostled out
[1556709926] unbound[4394:0] info: average recursion processing time 0.948223 sec
[1556709926] unbound[4394:0] info: histogram of recursion processing times
[1556709926] unbound[4394:0] info: [25%]=0.32768 median[50%]=0.603573 [75%]=0.920715
[1556709926] unbound[4394:0] info: lower(secs) upper(secs) recursions
[1556709926] unbound[4394:0] info:    0.000000    0.000001 1
[1556709926] unbound[4394:0] info:    0.008192    0.016384 1
[1556709926] unbound[4394:0] info:    0.016384    0.032768 1
[1556709926] unbound[4394:0] info:    0.262144    0.524288 4
[1556709926] unbound[4394:0] info:    0.524288    1.000000 6
[1556709926] unbound[4394:0] info:    1.000000    2.000000 1
[1556709926] unbound[4394:0] info:    2.000000    4.000000 2
[1556709926] unbound[4394:0] debug: cache memory msg=33040 rrset=33040 infra=17292 val=40931
[1556709926] unbound[4394:0] debug: switching log to stderr

I did also try to set up unbound to send queries through a VPN connection on the rasp itself, but apparently I can't resolve through the VPN connection. I tried to set it up by hardcoding the IP address from the VPN connection, same result. I tried to use UDP and TCP separately, same result.

Am I missing something? I have connectivity through my VPN, so that's apparently not the problem. And the problem disappears as soon as I deactivate the VPN connection. Or is all that supposed to happen in 1.6?

Does anyone have an idea about this?

Thanks in advance.

changemenemo commented 5 years ago

About the VPN part of the question, it seems that my VPN is hijacking all DNS queries besides those sent through some port. How would I specify port 1400 UDP and 1401 TCP, for example? Maybe I can't specify the protocol?

EDIT: no need to constrain unbound to a certain port; I had to connect to the VPN server on a specific port to apparently not have that system put in place by the VPN provider (absurd IMO). So the VPN part is resolved; there is still the problem with the ssl-upstream. I suppose I didn't configure that correctly? But checkconf didn't notify me of any errors.

wcawijngaards commented 5 years ago

For the ssl-upstream setup, the config is wrong:

    ssl-service-key: "/etc/ssl/certs/ca-certificates.crt"

This should be the private key, and ssl-service-pem the public key, of your TLS service (for downstream TLS, by the way, not upstream). The CA certificates go into an option called tls-cert-bundle, which was introduced in version 1.7.1 I think, so 1.6.0 is not going to work. For the upstream connection itself, you also have to specify where it goes, I mean, like the forward-addr destination. Here is a configuration example for TLS upstream, in the 1.7.1 release announcement: https://nlnetlabs.nl/news/2018/May/03/unbound-1.7.1-released/
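The reply above makes three points: ssl-service-key/ssl-service-pem belong to Unbound's own downstream TLS service, the CA bundle for validating upstream servers goes in tls-cert-bundle (1.7.1 and later), and a TLS upstream still needs a forward-addr destination. The script below is an added example, not Unbound's tooling or the reply author's code: a small unbound.conf linter that parses the clause/attribute syntax and flags those three mistakes. ISSUE_CONFIG is the fragment from the issue wrapped in a server clause; FIXED_CONFIG is a constructed corrected layout, and its forward-addr (192.0.2.53@853#dns.example.invalid) is a placeholder to be replaced with your own resolver and its certificate name. The "CA bundle" detection is a filename heuristic, an assumption of this example.

```python
"""Lint unbound.conf for the upstream-TLS mistakes discussed in the issue.

Added example, not Unbound's own tool. It checks:
  1. ssl-service-key/pem (downstream service identity) pointing at a CA bundle
  2. upstream TLS enabled with no forward-addr destination
  3. upstream TLS enabled with no tls-cert-bundle, or one on a pre-1.7.1 version
"""
import re
from typing import List, Tuple

# Constructed sample: the fragment posted in the issue, as it sits in unbound.conf.
ISSUE_CONFIG = """\
server:
    ssl-upstream: yes
    ssl-service-key: "/etc/ssl/certs/ca-certificates.crt"
"""

# Constructed sample of the layout the reply describes. The address and the
# authentication name after '#' are placeholders, not a recommendation.
FIXED_CONFIG = """\
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dns.example.invalid
"""

Attr = Tuple[str, str, str]  # (clause, key, value)


def parse_unbound_conf(text: str) -> List[Attr]:
    """Flatten unbound's 'clause:' / '    key: value' syntax into (clause, key, value).

    A '#' starts a comment only at line start or after whitespace, so the
    'addr@port#authname' form of forward-addr is kept intact.
    """
    attrs: List[Attr] = []
    clause = "server"  # assumption: attributes before any clause header belong to server
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":            # a bare 'name:' line opens a new clause
            clause = key
        else:
            attrs.append((clause, key, value))
    return attrs


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.6.0' -> (1, 6, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def lint_upstream_tls(text: str, unbound_version: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing was flagged."""
    attrs = parse_unbound_conf(text)
    findings: List[str] = []

    def value(key: str) -> str:
        return next((v for _, k, v in attrs if k == key), "")

    # 1. Service key/cert options name *this* resolver's TLS identity (downstream).
    #    1.7.1 renamed ssl-* to tls-*; both spellings are checked.
    for key in ("ssl-service-key", "ssl-service-pem", "tls-service-key", "tls-service-pem"):
        path = value(key)
        if path and "ca-certificates" in path:  # heuristic: looks like a distro CA bundle
            findings.append(f"{key} must be your own service key/certificate, "
                            f"not a CA bundle ({path}); use tls-cert-bundle for upstream validation")

    # Upstream TLS can be switched on globally or per forward-zone.
    upstream_tls = value("ssl-upstream") == "yes" or value("tls-upstream") == "yes" or any(
        c == "forward-zone" and k == "forward-tls-upstream" and v == "yes" for c, k, v in attrs)
    if upstream_tls:
        # 2. TLS upstream without a destination: nothing says where the queries go.
        if not any(k == "forward-addr" for _, k, _ in attrs):
            findings.append("upstream TLS is enabled but no forward-addr gives a destination")
        # 3. Without a CA bundle the upstream certificate cannot be validated;
        #    the option itself only exists from 1.7.1 on (per the reply).
        if not value("tls-cert-bundle"):
            findings.append("no tls-cert-bundle: upstream server certificates cannot be validated")
        elif version_tuple(unbound_version) < (1, 7, 1):
            findings.append(f"tls-cert-bundle requires unbound 1.7.1 or later (have {unbound_version})")
    return findings


if __name__ == "__main__":
    for label, conf in (("issue config", ISSUE_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(f"== {label} on 1.6.0")
        for finding in lint_upstream_tls(conf, "1.6.0") or ["no findings"]:
            print(" -", finding)
```

Run against the issue's fragment on 1.6.0 it reports all three problems; the corrected layout is clean on 1.7.1 and reports only the version problem on 1.6.0, which is exactly why upgrading is part of the fix.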