unbound - DoT

Help on building IPFire & Feature Requests
FischerM
Community Developer
Posts: 1009
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » June 30th, 2019, 6:04 pm

Hi,

thanks from me, too!

And: I'd like to have a problem: ;)

Today I activated Lightning Wire Labs with DoT and found a lot of these errors in the unbound log:
...
12:46:34 unbound: [5351:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
12:46:34 unbound: [5351:0] notice: ssl handshake failed 81.3.27.54 port 853
...
All other DoT servers (~9) work fine. No problems there.

Is there anything I could do about this?

Best,
Matthias

ummeegge
Community Developer
Posts: 4942
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » July 1st, 2019, 4:29 am

Hi all,
dnl wrote:
June 30th, 2019, 9:57 am
Hi ummeegge,
Thanks for all your great work adding features to IPFire!

Do you think this DoT "DNS Privacy" support will be included in IPFire by default any time soon?
I appreciate the amount of effort you've done to investigate this.
thanks dnl for your positive feedback. There was already a discussion on the dev mailing list to implement this feature, but this will involve a lot of other work/steps before. The plan was to integrate all other DNS sections available in IPFire into one CGI, where the further progress is currently stuck a little since I definitely need more help there but am also currently short on time. So to answer your question, I don't think that it will be a default soon, but maybe in the near future.
FischerM wrote:
June 30th, 2019, 6:04 pm
Hi,

thanks from me, too!

And: I'd like to have a problem: ;)

Today I activated Lightning Wire Labs with DoT and found a lot of these errors in the unbound log:
...
12:46:34 unbound: [5351:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
12:46:34 unbound: [5351:0] notice: ssl handshake failed 81.3.27.54 port 853
...
All other DoT servers (~9) work fine. No problems there.

Is there anything I could do about this?
Hi Matthias, you're welcome too ;). I get this error if the "Hostname" entry is not correct. Lightning Wire Labs uses "rec1.dns.lightningwirelabs.com" for their DoT, maybe that's where the dog is buried?!

Thank you both again.

Best,

UE

FischerM
Community Developer
Posts: 1009
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » July 1st, 2019, 2:40 pm

ummeegge wrote: maybe that's where the dog is buried
Bingo.

The dog was buried beneath a "-"

"rec1.dns-lightningwirelabs.com" was the culprit.

Corrected. Looking better now.

Thanks! :D

tikok974
Posts: 71
Joined: January 3rd, 2017, 9:53 am

Re: unbound - DoT

Post by tikok974 » July 18th, 2019, 8:23 am

Hi everybody,

I come back to this thread just to give news.

For my part, the problem exposed here (See: viewtopic.php?f=50&t=21954&start=30#p124263) has been solved. Our DNS provider (DNSFilter) has done the necessary on their side so that we can use their DNS without any problems on IPFire with DNSSEC (see: https://feedback.dnsfilter.com/feature- ... ec-support ).

I would like to thank all the people who have contributed to trying to solve my problem and especially Ummeegge, Ryan29 and Mike (DNSfilter support team) ;)

Thanks

FischerM
Community Developer
Posts: 1009
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » July 28th, 2019, 5:13 pm

Hi,

sorry, I'm back:
...error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
17:01:21 unbound: [21252:0] notice: ssl handshake failed 81.3.27.54 port 853
...
Same problem - this time with rec1.dns.lightningwirelabs.com

Deactivated. Errors are gone.

Any ideas? Reason?

Best,
Matthias

ummeegge
Community Developer
Posts: 4942
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » July 28th, 2019, 6:06 pm

Hi Matthias,
it seems that the Lightningwirelabs DoT is currently down

;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 140 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; WARNING: connection timeout for 81.3.27.54@853(TCP)
;; ERROR: failed to query server 81.3.27.54@853(TCP)

Exit status: 1
maybe the new infrastructure?

Best,

UE

EDIT: You can check your configured servers also with this one --> https://gitlab.com/ummeegge/dot-for-ipf ... est_tls.sh a little more detailed.

ummeegge
Community Developer
Posts: 4942
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » July 29th, 2019, 4:03 am

Good morning Matthias,
tried it today again and got the following from Lightningwirelabs:

;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 140 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=recursor01.dns.ipfire.org
;; DEBUG:      SHA-256 PIN: 58mhvlSFW/L/u7AVyu/9VMwPsIxgDSjRLq0nFIw+Z4Q=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The name in the certificate does not match the expected. 
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 81.3.27.54@853(TCP)

Exit status: 1

So it seems that the server is up again, but the Common Name has been changed from "rec1.dns.lightningwirelabs.com" to "recursor01.dns.ipfire.org", which I tried, and it seems that this works (maybe only?) for the first -->

;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 140 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=recursor01.dns.ipfire.org
;; DEBUG:      SHA-256 PIN: 58mhvlSFW/L/u7AVyu/9VMwPsIxgDSjRLq0nFIw+Z4Q=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11599
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; www.isoc.org.       		IN	A

;; ANSWER SECTION:
www.isoc.org.       	300	IN	A	46.43.36.222
www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190811085007 20190728085007 7283 isoc.org. OSWdBehNCpkfutghqf/YGkUmvuC4zKPQU43qZJnlMzBmsVYyGRLEWk6PG56rvI0r+YjPfg6NhWXFdndCIIY5hByNhncHMS9/3s9lNd5ICfrHVnvTBWRKvmRXgP9OAUvFha9yQoS688g/ouo9Z52Cev3KAVliNYydC9HKqZqn3tY=

;; Received 225 B
;; Time 2019-07-29 05:59:57 CEST
;; From 81.3.27.54@853(TCP) in 463.2 ms

Exit status: 0

From Host: recursor01.dns.ipfire.org ---- With IP: 81.3.27.54 ---- Date: Mon 29 Jul 2019 06:03:03 AM CEST

in 155.8 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-ECDSA-SECP384R1-SHA384-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK

Best,

UE

EDIT: Have updated and already uploaded all files for Core 135, not sure if something will change until the release... The changed unbound initscript runs here without problems...

FischerM
Community Developer
Posts: 1009
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » July 29th, 2019, 4:46 am

Thanks!

Will test this when I'm back from work... ::)

Best,
Matthias

EDIT: Works!

webcapcha
Posts: 2
Joined: September 23rd, 2019, 10:38 am

Re: unbound - DoT

Post by webcapcha » September 23rd, 2019, 10:42 am

Hello guys. I have configured Unbound locally as DoT.

My config is:

server:

        access-control: 10.0.0.0/8 allow
        access-control: 192.168.0.0/16 allow
        access-control: fddd::/48 allow
        aggressive-nsec: yes
        root-hints: root.hints
        trust-anchor-file: "trusted-key.key"
        cache-max-ttl: 18000
        cache-min-ttl: 300
        chroot: /etc/unbound
        directory: /etc/unbound
        do-ip4: yes
        do-ip6: yes
        do-tcp: yes
        hide-identity: yes
        hide-version: yes
        interface: 127.0.0.1
        interface: ::1
#   pidfile: /var/run/local_unbound.pid
        port: 53
        prefetch-key: yes
        prefetch: yes
        rrset-roundrobin: yes
        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
        use-caps-for-id: yes
        username: unbound
        do-daemonize: no
        verbosity: 1
        use-syslog: yes
        logfile: "/etc/unbound/unbound.log"
remote-control:
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853#one.one.one.one
        forward-addr: 8.8.8.8@853#dns.google
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 1.0.0.1@853#one.one.one.one
        forward-addr: 8.8.4.4@853#dns.google
        forward-addr: 149.112.112.112@853#dns.quad9.net
But when I use this online test https://www.cloudflare.com/ssl/encrypted-sni/ it says that I don't use Secure DNS and Encrypted SNI.

Any suggestions to improve my config?
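As an added example (not from this thread or from the IPFire DoT scripts), here is a small Python checker for `forward-addr` lines like those in the config above. It parses each entry into IP, port and authentication name, flags entries that have no `#name` suffix (encrypted but not authenticated), and `verify_upstream` performs the same chain-plus-hostname check unbound applies, so a mistyped auth name or a changed Common Name, as in the earlier "certificate verify failed" posts, shows up as a verification error. The sample config lines are constructed, and `verify_upstream` needs network access.

```python
import re
import socket
import ssl

# unbound's forward-addr syntax: IP[@port][#auth-name]
FORWARD_ADDR = re.compile(r"^\s*forward-addr:\s*(\S+?)(?:@(\d+))?(?:#(\S+))?\s*$")

# Constructed sample (not the poster's full config): the first entry carries the
# mistyped auth name from earlier in the thread, the last one has no auth name.
SAMPLE_CONFIG = """\
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 81.3.27.54@853#rec1.dns-lightningwirelabs.com
        forward-addr: 1.1.1.1@853#one.one.one.one
        forward-addr: 9.9.9.9@853
"""

def parse_forward_addrs(config_text):
    """Return (ip, port, auth_name) per forward-addr line; auth_name is None
    when '#name' is missing, in which case unbound encrypts the connection
    but does not authenticate the upstream's certificate."""
    entries = []
    for line in config_text.splitlines():
        m = FORWARD_ADDR.match(line)
        if m:
            ip, port, name = m.groups()
            entries.append((ip, int(port) if port else 53, name))
    return entries

def verify_upstream(ip, port, auth_name, timeout=5.0):
    """TLS-connect and validate chain plus hostname against auth_name, as
    unbound does for '#name'. Needs network access. Returns (ok, detail)."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname check on
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=auth_name) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as e:  # CN/SAN mismatch, as in the thread
        return False, "certificate verify failed: %s" % e.verify_message
    except OSError as e:
        return False, str(e)

if __name__ == "__main__":
    for ip, port, name in parse_forward_addrs(SAMPLE_CONFIG):
        if name is None:
            print("%s@%d: no auth name, certificate will NOT be checked" % (ip, port))
        else:
            print("%s@%d#%s: %s" % (ip, port, name, verify_upstream(ip, port, name)))
```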

FischerM
Community Developer
Posts: 1009
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » September 23rd, 2019, 3:36 pm

Hi,

same results here:

[screenshot: cloudflare_encrypted_sni.png]

Sorry, I have no hint. Perhaps Erik?

Best,
Matthias

ummeegge
Community Developer
Posts: 4942
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » September 23rd, 2019, 4:34 pm

Hi all,
ESNI is currently only available via DoH, and I think Firefox (because of the TRR feature) is currently (or was) also a must-have for this. You can find here --> viewtopic.php?f=50&t=21954&start=45#p124874 a little deeper testing in that manner. In short, you need to enable a "Trusted Recursive Resolver" in your browser --> https://blog.nightly.mozilla.org/2018/0 ... n-firefox/ which is per default Cloudflare in Firefox and meanwhile, I think, also activated per default in some countries --> https://blog.mozilla.org/futurereleases ... e-default/ . Here --> https://github.com/curl/curl/wiki/DNS-over-HTTPS you can also find some alternatives. I have disabled it completely (network.trr.mode = 5), since those tests showed a green hook (nice to see) for the encrypted server name indication but tshark didn't reflect that at that time, and I also didn't want to have DoH. Also I like the randomization with DoT --> https://www.monperrus.net/martin/random ... s-requests whereby the centralization of one TRR breaks this a little IMHO.

I can't say much about the "Secure DNS" test from Cloudflare since I don't know what their tests look like; as there is a question mark and no red cross, I think they just don't know it.

Best,

UE

FischerM
Community Developer
Posts: 1009
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » September 23rd, 2019, 4:37 pm

Thanks for the clarification! ;)

webcapcha
Posts: 2
Joined: September 23rd, 2019, 10:38 am

Re: unbound - DoT

Post by webcapcha » September 23rd, 2019, 4:43 pm

So it looks like DoH is better than DoT in terms of privacy? As far as it supports SNI?

ummeegge
Community Developer
Posts: 4942
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » September 23rd, 2019, 4:49 pm

FischerM wrote:
September 23rd, 2019, 4:37 pm
Thanks for the clarification! ;)
You're welcome.
webcapcha wrote:
September 23rd, 2019, 4:43 pm
So it looks like DoH is better than DoT in terms of privacy? As far as it supports SNI?
You mean ESNI? In my tests it didn't work so far, but even if this has changed I won't use it in the current implementation because of the arguments mentioned (please check the links).

Best,

UE

dnl
Posts: 375
Joined: June 28th, 2013, 11:03 am

Re: unbound - DoT

Post by dnl » October 4th, 2019, 9:42 am

Just had a chance to try this today. Thanks again ummeegge, it makes setting up DoT with unbound trivial!

Some feedback:

1. Consider renaming the installer. 'dot_in-uninstaller.sh' is confusing! The first time I read it I thought it was only the uninstaller. Why not call it 'dot-setup.sh'?
2. None of the "DNS over TLS" servers you show in your screenshot were pre-configured. I had to manually add the service I wanted. Is there a reason they are not configured and disabled by default?
3. In your instructions, please mention that the "DNS over TLS configuration" page added by this is in the "IPFire" menu and that the "Assign DNS-Server" screen (also called "Domain Name System") in the "Network" menu should not be used.
4. Consider adding a 'test' function to the shell script which wraps 'knot' for beginners. This way people can install this, configure it in the UI then use the shell script to do a test without needing to know knot or tcpdump syntax.

Anyway, the main thing is that it works! I have not noticed any increased latency, which I suppose is because the existing DNS cache has significantly reduced the number of new queries required.

Thanks!
IPFire 2.x (Latest Update) on x86_64 Intel Bay Trail CPU, 4GiB RAM, RED + GREEN + BLUE + ORANGE
