search

NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License
3.17k stars 361 forks source link

Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle #676

Closed pemensik closed 1 year ago

pemensik commented 2 years ago

Describe the bug I were playing with unbound and DNS over TLS. I wanted to check it does something, so I have configured unbound to provide TLS service. Then I made configuration for unbound-host to specify remotes.

To reproduce Steps to reproduce the behavior:

  1. provide TLS service on local unbound.
  2. create local.conf with following contents: 
    
server:
# tls-cert-bundle: "/etc/unbound/unbound_server.pem"

forward-zone: name: "." forward-addr: 10.0.1.103@853 forward-tls-upstream: yes

3. ``unbound-host -C local.conf unbound.net``

Host unbound.net not found: 2(SERVFAIL). Host unbound.net not found: 2(SERVFAIL). Host unbound.net not found: 2(SERVFAIL).

4. check record pcap.

It seems this sends query just over TCP, but without proper TLS encapsulation. Queried name is visible in wireshark dump.

**Expected behavior**
It should always encrypt the query. It it is requested to do so but it cannot, it should emit error or at least warning. Nothing is emitted this way.

**System:**
 - Unbound version: 1.13.1
 - OS: Red Hat Enterprise Linux release 9.1 Beta (Plow)
 - `unbound -V` output:

Version 1.13.1

Configure line: --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --program-prefix= --disable-dependency-tracking --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-pythonmodule --with-pyunbound PYTHON=/usr/bin/python3 --enable-dnstap --with-libnghttp2 --with-libevent --with-pthreads --with-ssl --disable-rpath --disable-static --enable-relro-now --enable-pie --enable-subnet --enable-ipsecmod --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound/unbound.pid --enable-sha2 --disable-gost --enable-ecdsa --with-rootkey-file=/var/lib/unbound/root.key --enable-linux-ip-local-port-range --disable-sha1 Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.1 14 Dec 2021 Linked modules: dns64 python ipsecmod subnetcache respip validator iterator

BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues



**Additional information**
It would be cool if I could build-in default value for tls-cert-bundle pointing to distribution specific trust anchor storage. I guess it would be great default value and would be useful not only for unbound, which has a common config path. But tools like unbound-host have no default path to put that in.

Would PR specifying default value for TLS bundle be acceptable?
Philip-NLnetLabs commented 2 years ago

I have trouble reproducing this with unbound 1.5.1 (compiled on centos7). Can you give that try?

pemensik commented 2 years ago

I am trying this on Fedora 35, compiled with commit 11d077c826c94aa5f20b91382eec3f6e08e59177 on master branch. Using this config to check:

server:
    #tls-system-cert: yes

forward-zone:
    name: "."
    #forward-host: "dns.google"
    forward-addr: 8.8.8.8@853
    forward-addr: 8.8.4.4@853
    forward-tls-upstream: yes

Then attempt to resolve over this channel it fails reliably

$ ./unbound-host -C google.conf google.com
[1653486690] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
[1653486690] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486690] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486690] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
[1653486690] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486690] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
[1653486690] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486690] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
Host google.com not found: 2(SERVFAIL).
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
Host google.com not found: 2(SERVFAIL).
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.8.8 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
[1653486691] libunbound[94606:0] error: read (in tcp r): Connection reset by peer for 8.8.4.4 port 853
Host google.com not found: 2(SERVFAIL).

As soon as I uncomment system cert statement it starts resolving.

$ ./unbound-host -C google.conf google.com
google.com has address 142.251.37.110
google.com has IPv6 address 2a00:1450:4014:80f::200e
google.com mail is handled by 10 smtp.google.com.
pemensik commented 2 years ago

I got also the same results on RHEL8 and RHEL7. The latter I tried Red Hat Enterprise Linux Server release 7.9 (Maipo)

pemensik commented 2 years ago

Steps required on CentOS Linux 7 (Core):

pemensik commented 2 years ago

The same result happen, when I use:

forward-zone:
        name: "."
        forward-addr: "8.8.8.8#dns.google"
        forward-addr: "8.8.4.4#dns.google"
        forward-tls-upstream: yes
Philip-NLnetLabs commented 2 years ago

Ah. I tried your config with unbound where it works (for me). It does fail with unbound-host. I'll take a look why unbound-host is different from unbound in this respect.

Philip-NLnetLabs commented 1 year ago

Fixed in master