unbound - DoT

Help on building IPFire & Feature Requests
ummeegge
Community Developer
Posts: 4762
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » February 23rd, 2019, 4:57 am

Thank you both for your feedback.
firewell wrote:
February 22nd, 2019, 12:08 am
Looking forward to C128 release!
Core 128 includes an unbound initscript update; even if you already use it (it is included in the last update from here), you will need to play back the patched unbound version for DoT. This can be done via the in-/uninstaller.
Besides this, some more features which can also be used for DoT will arrive with Core 128. OpenSSL-1.1.1a and kdig might bring some interesting things with them, and some further tests can then be done.

Anyways, thank you both for being active in here :) .

Best,

UE

ummeegge
Community Developer
Posts: 4762
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » March 12th, 2019, 6:00 pm

Hi all,
I have already uploaded the changes for Core 129 --> https://git.ipfire.org/?p=ipfire-2.x.gi ... ce542d0814, but the en.pl is also in Core 129 state. I know Core 128 is already in testing state, so Core 129 is a little further away, but the changes also need a patched dnsforward.cgi, so they currently cannot be used. I only wanted to inform you in case someone uses the installation script and finds some updates.

As always, if the update makes DoT unusable, just use the script from the starting topic to get the actual changes including the DoT functionality.

Greetings,

UE

FischerM
Community Developer
Posts: 918
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » March 12th, 2019, 7:36 pm

Hi,

FYI:

I'm testing 'unbound 1.9.1' for a few minutes now - it seems to run without problems.

Best,
Matthias

EDIT:
Changelog => https://nlnetlabs.nl/pipermail/unbound- ... 11415.html

ummeegge
Community Developer
Posts: 4762
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » March 13th, 2019, 5:17 pm

Heyho Matthias,
yes, I have built it too, and also the new knot version -->

Code:

Version 1.9.1
linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1b  26 Feb 2019
linked modules: dns64 respip validator iterator

Code:

kdig (Knot DNS), version 2.8.0
and it runs nicely and fast, but a shady downside currently appears: kdig does not display TLSv1.3 :( . I did some tests to check if the new OpenSSL lib is causing a problem with unbound, so I checked around with tshark a little -->

Code:

$ tshark -i red0 port 853 | grep TLSv1.3
Running as user "root" and group "root". This could be dangerous.
Capturing on 'red0'
    5 0.023727828     9.9.9.10 → 192.168.32.234  TLSv1.3 2946 Server Hello, Change Cipher Spec, Application Data, Application Data
    7 0.023975963     9.9.9.10 → 192.168.32.234  TLSv1.3 194 Application Data, Application Data
    9 0.040179299  192.168.32.234 → 9.9.9.10     TLSv1.3 146 Change Cipher Spec, Application Data
   10 0.050384404     9.9.9.10 → 192.168.32.234  TLSv1.3 145 Application Data
   11 0.050552114  192.168.32.234 → 9.9.9.10     TLSv1.3 145 Application Data
   12 0.050615542     9.9.9.10 → 192.168.32.234  TLSv1.3 145 Application Data
   13 0.063588209     9.9.9.10 → 192.168.32.234  TLSv1.3 299 Application Data
   16 0.064821222  192.168.32.234 → 9.9.9.10     TLSv1.3 90 Application Data
   18 0.075265210     9.9.9.10 → 192.168.32.234  TLSv1.3 90 Application Data
   61 0.322884305      8.8.8.8 → 192.168.32.234  TLSv1.3 2920 Server Hello, Change Cipher Spec, Application Data
   63 0.328614830  192.168.32.234 → 8.8.8.8      TLSv1.3 130 Change Cipher Spec, Application Data
   65 0.339647495  192.168.32.234 → 8.8.8.8      TLSv1.3 133 Application Data
   66 0.346933762      8.8.8.8 → 192.168.32.234  TLSv1.3 556 Application Data
   68 0.358089364      8.8.8.8 → 192.168.32.234  TLSv1.3 854 Application Data
   70 0.359134888  192.168.32.234 → 8.8.8.8      TLSv1.3 90 Application Data
   95 1.062951917      8.8.8.8 → 192.168.32.234  TLSv1.3 2920 Server Hello, Change Cipher Spec, Application Data
   97 1.068785290  192.168.32.234 → 8.8.8.8      TLSv1.3 130 Change Cipher Spec, Application Data
   99 1.078971774  192.168.32.234 → 8.8.8.8      TLSv1.3 155 Application Data
  101 1.088492227      8.8.8.8 → 192.168.32.234  TLSv1.3 556 Application Data
  102 1.114922839      8.8.8.8 → 192.168.32.234  TLSv1.3 324 Application Data
  105 1.116241577  192.168.32.234 → 8.8.8.8      TLSv1.3 90 Application Data
  154 2.045863267 146.185.167.43 → 192.168.32.234  TLSv1.3 4162 Server Hello, Change Cipher Spec, Application Data
  156 2.047959439 146.185.167.43 → 192.168.32.234  TLSv1.3 1637 Application Data, Application Data, Application Data
  158 2.052284540  192.168.32.234 → 146.185.167.43 TLSv1.3 130 Change Cipher Spec, Application Data
  159 2.071599482 146.185.167.43 → 192.168.32.234  TLSv1.3 321 Application Data
  160 2.071772008  192.168.32.234 → 146.185.167.43 TLSv1.3 129 Application Data
  161 2.071830179 146.185.167.43 → 192.168.32.234  TLSv1.3 321 Application Data
  162 2.094840592 146.185.167.43 → 192.168.32.234  TLSv1.3 838 Application Data
  164 2.096341406  192.168.32.234 → 146.185.167.43 TLSv1.3 90 Application Data
  166 2.115308743 146.185.167.43 → 192.168.32.234  TLSv1.3 90 Application Data
  177 2.200459058      8.8.8.8 → 192.168.32.234  TLSv1.3 2920 Server Hello, Change Cipher Spec, Application Data
  179 2.205777764  192.168.32.234 → 8.8.8.8      TLSv1.3 130 Change Cipher Spec, Application Data
  181 2.217456444  192.168.32.234 → 8.8.8.8      TLSv1.3 146 Application Data
  182 2.224987929      8.8.8.8 → 192.168.32.234  TLSv1.3 556 Application Data
  184 2.247730101      8.8.8.8 → 192.168.32.234  TLSv1.3 264 Application Data
  187 2.248978959  192.168.32.234 → 8.8.8.8      TLSv1.3 90 Application Data
  214 2.407554122      8.8.4.4 → 192.168.32.234  TLSv1.3 2920 Server Hello, Change Cipher Spec, Application Data
  216 2.412944312  192.168.32.234 → 8.8.4.4      TLSv1.3 130 Change Cipher Spec, Application Data
  218 2.424086009  192.168.32.234 → 8.8.4.4      TLSv1.3 134 Application Data
  219 2.431382461      8.8.4.4 → 192.168.32.234  TLSv1.3 556 Application Data
  221 2.443915127      8.8.4.4 → 192.168.32.234  TLSv1.3 853 Application Data
  224 2.446099204  192.168.32.234 → 8.8.4.4      TLSv1.3 90 Application Data
  231 2.469316871     9.9.9.10 → 192.168.32.234  TLSv1.3 2946 Server Hello, Change Cipher Spec, Application Data, Application Data
  233 2.469563603     9.9.9.10 → 192.168.32.234  TLSv1.3 195 Application Data, Application Data
  235 2.486038071  192.168.32.234 → 9.9.9.10     TLSv1.3 146 Change Cipher Spec, Application Data
  236 2.496340254     9.9.9.10 → 192.168.32.234  TLSv1.3 145 Application Data
  237 2.496502445  192.168.32.234 → 9.9.9.10     TLSv1.3 132 Application Data
  238 2.496564881     9.9.9.10 → 192.168.32.234  TLSv1.3 145 Application Data
  239 2.507635120     9.9.9.10 → 192.168.32.234  TLSv1.3 853 Application Data
  241 2.508892995  192.168.32.234 → 9.9.9.10     TLSv1.3 90 Application Data
  243 2.519706157     9.9.9.10 → 192.168.32.234  TLSv1.3 90 Application Data
  277 3.558888948 146.185.167.43 → 192.168.32.234  TLSv1.3 4162 Server Hello, Change Cipher Spec, Application Data
  279 3.560108086 146.185.167.43 → 192.168.32.234  TLSv1.3 1637 Application Data, Application Data, Application Data
  281 3.564520651  192.168.32.234 → 146.185.167.43 TLSv1.3 130 Change Cipher Spec, Application Data
  282 3.587611110 146.185.167.43 → 192.168.32.234  TLSv1.3 321 Application Data
  283 3.587787090  192.168.32.234 → 146.185.167.43 TLSv1.3 137 Application Data
  284 3.587847135 146.185.167.43 → 192.168.32.234  TLSv1.3 321 Application Data
  285 3.614210453 146.185.167.43 → 192.168.32.234  TLSv1.3 195 Application Data
  288 3.615378143  192.168.32.234 → 146.185.167.43 TLSv1.3 90 Application Data
  293 3.639069570 146.185.167.43 → 192.168.32.234  TLSv1.3 90 Application Data
  340 3.944165284 146.185.167.43 → 192.168.32.234  TLSv1.3 4162 Server Hello, Change Cipher Spec, Application Data
  342 3.946512975 146.185.167.43 → 192.168.32.234  TLSv1.3 1637 Application Data, Application Data, Application Data
  344 3.949957038  192.168.32.234 → 146.185.167.43 TLSv1.3 130 Change Cipher Spec, Application Data
  345 3.969412952 146.185.167.43 → 192.168.32.234  TLSv1.3 321 Application Data

...
and everything looked good, but kdig thinks otherwise (example with securedns.eu):

Code:

;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(146.185.167.43), port(853), protocol(TCP)
;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=securedns.eu
;; DEBUG:      SHA-256 PIN: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG:  #3, CN=securedns.eu
;; DEBUG:      SHA-256 PIN: h3mufC43MEqRD6uE4lz6gAgULZ5/riqH/E+U+jE3H8g=
;; DEBUG:  #4, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52135
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 239 B

;; QUESTION SECTION:
;; www.isoc.org.       		IN	A

;; ANSWER SECTION:
www.isoc.org.       	300	IN	A	46.43.36.222
www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190327085001 20190313085001 54512 isoc.org. YRI3Oko8e2R6ob3orLxmJK2qZfrjDY/GkCCVEzZb2FNh5zZc1ZdBUnW3yYVlsT87gO6hpaQJp0vfRmDAPmpVRyyv7p2z4XfQlf401lluVFnZSs8+AbBRGZUSI6TjDckjcz/6d3jrOKHjytkMjCEF5yrt+XgjT+7HrGjOxzud00E=

;; Received 468 B
;; Time 2019-03-13 18:03:20 CET
;; From 146.185.167.43@853(TCP) in 37.8 ms

Exit status: 0

The same with Quad9, Cloudflare, Google, ... :( . If someone is too lazy to tcpdump it, I have built tshark (only for 64 bit), which can be found here --> https://people.ipfire.org/~ummeegge/tshark/ .

So I am happy that OpenSSL-1.1.1 works, but unhappy with kdig.

So what, this will also be cleared up.

Best,

UE
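The post above compares what tshark sees on port 853 with what kdig reports. The following is an added example, not code from the thread, IPFire or unbound: a minimal DNS-over-TLS client built on Python's standard library that reports the TLS version actually negotiated for a query and parses the A records in the answer. Names such as query_dot, parse_answer_ips and the resolver hostname dns.quad9.net are this example's own assumptions; the sample response bytes are constructed, not captured.

```python
import socket
import ssl
import struct

def build_query(name, qid):
    # Minimal DNS A/IN query in RFC 1035 wire format, RD flag set.
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(buf, off):
    # Step over a (possibly compressed) name; a 0xC0 pointer is two bytes and ends the name.
    while buf[off] & 0xC0 != 0xC0 and buf[off] != 0:
        off += buf[off] + 1
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def parse_answer_ips(resp, qid):
    # IPv4 addresses from A records in the answer section; rejects id mismatches and error RCODEs.
    rid, flags, qdcount, ancount = struct.unpack(">HHHH", resp[:8])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off, ips = 12, []
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return ips

def query_dot(server, name, port=853):
    # One A query over TLS with RFC 7858 framing (two-byte length prefix); returns (negotiated TLS
    # version, answer IPs). The default context verifies chain and hostname, so pass a DNS name.
    qid, ctx = 0x4A4A, ssl.create_default_context()
    query = build_query(name, qid)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(struct.pack(">H", len(query)) + query)
            stream = tls.makefile("rb")  # read(n) blocks until exactly n bytes arrive
            length = struct.unpack(">H", stream.read(2))[0]
            return tls.version(), parse_answer_ips(stream.read(length), qid)

# Constructed sample (not captured traffic): www.isoc.org A 46.43.36.222, TTL 300, owner name as a pointer (0xC00C).
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x4A4A, 0x8180, 1, 1, 0, 0)
                   + build_query("www.isoc.org", 0x4A4A)[12:] + b"\xC0\x0C"
                   + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([46, 43, 36, 222]))
```

Calling query_dot("dns.quad9.net", "www.isoc.org") against a live resolver returns the negotiated version string (for example "TLSv1.3") alongside the addresses, which is the value to compare with the tshark capture and the kdig session line.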

FischerM
Community Developer
Posts: 918
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » March 13th, 2019, 7:33 pm

Hi,

All confirmed for Core 127 with 'unbound 1.9.1' and 'knot 2.8.0'. ::)

We'll see...

Best,
Matthias
