unbound - DoT

Help on building IPFire & Feature Requests
FischerM
Community Developer
Posts: 994
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » June 30th, 2019, 6:04 pm

Hi,

thanks from me, too!

And: I'd like to have a problem: ;)

Today I activated Lightning Wire Labs with DoT and found a lot of these errors in the unbound log:
...
12:46:34 unbound: [5351:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
12:46:34 unbound: [5351:0] notice: ssl handshake failed 81.3.27.54 port 853
...
All other DoT servers (~9) work fine. No problems there.

Is there anything I could do about this?

Best,
Matthias

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » July 1st, 2019, 4:29 am

Hi all,
dnl wrote:
June 30th, 2019, 9:57 am
Hi ummeegge,
Thanks for all your great work adding features to IPFire!

Do you think this DoT "DNS Privacy" support will be included in IPFire by default any time soon?
I appreciate the amount of effort you've done to investigate this.
Thanks dnl for your positive feedback. There was already a discussion on the dev mailing list to implement this feature, but this will involve a lot of other work/steps beforehand. The plan was to integrate all other DNS sections available in IPFire into one CGI, where further progress is currently stuck a little since I definitely need more help there but am also currently short on time. So to answer your question, I don't think that it will be a default soon, but maybe in the near future.
FischerM wrote:
June 30th, 2019, 6:04 pm
Hi,

thanks from me, too!

And: I'd like to have a problem: ;)

Today I activated Lightning Wire Labs with DoT and found a lot of these errors in the unbound log:
...
12:46:34 unbound: [5351:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
12:46:34 unbound: [5351:0] notice: ssl handshake failed 81.3.27.54 port 853
...
All other DoT servers (~9) work fine. No problems there.

Is there anything I could do about this?
Hi Matthias, you're welcome too ;) . I get this error if the "Hostname" entry is not correct. Lightning Wire Labs uses "rec1.dns.lightningwirelabs.com" for their DoT, maybe that is where the dog is buried (i.e. where the problem lies)?!

Thank you both again.

Best,

UE

FischerM
Community Developer
Posts: 994
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » July 1st, 2019, 2:40 pm

ummeegge wrote: maybe that is where the dog is buried
Bingo.

The dog was buried beneath a "-":

"rec1.dns-lightningwirelabs.com" was the culprit.

Corrected. Looking better now.

Thanks! :D

tikok974
Posts: 62
Joined: January 3rd, 2017, 9:53 am

Re: unbound - DoT

Post by tikok974 » July 18th, 2019, 8:23 am

Hi everybody,

I come back to this thread just to give news.

For my part, the problem exposed here (see: viewtopic.php?f=50&t=21954&start=30#p124263) has been solved. Our DNS provider (DNSFilter) has done what was necessary on their side so that we can use their DNS without any problems on IPFire with DNSSEC (see: https://feedback.dnsfilter.com/feature- ... ec-support ).

I would like to thank all the people who have contributed to trying to solve my problem and especially Ummeegge, Ryan29 and Mike (DNSfilter support team) ;)

Thanks

FischerM
Community Developer
Posts: 994
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » July 28th, 2019, 5:13 pm

Hi,

sorry, I'm back:
...error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
17:01:21 unbound: [21252:0] notice: ssl handshake failed 81.3.27.54 port 853
...
Same problem - this time with rec1.dns.lightningwirelabs.com

Deactivated. Errors are gone.

Any ideas? Reason?

Best,
Matthias

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » July 28th, 2019, 6:06 pm

Hi Matthias,
it seems that the Lightning Wire Labs DoT is currently down

Code:

;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 140 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; WARNING: connection timeout for 81.3.27.54@853(TCP)
;; ERROR: failed to query server 81.3.27.54@853(TCP)

Exit status: 1
maybe the new infrastructure?

Best,

UE

EDIT: You can also check your configured servers in a little more detail with this one --> https://gitlab.com/ummeegge/dot-for-ipf ... est_tls.sh

ummeegge
Community Developer
Posts: 4904
Joined: October 9th, 2010, 10:00 am

Re: unbound - DoT

Post by ummeegge » July 29th, 2019, 4:03 am

Good morning Matthias,
tried it again today and got the following from Lightning Wire Labs:

Code:

;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 140 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=recursor01.dns.ipfire.org
;; DEBUG:      SHA-256 PIN: 58mhvlSFW/L/u7AVyu/9VMwPsIxgDSjRLq0nFIw+Z4Q=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The name in the certificate does not match the expected. 
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 81.3.27.54@853(TCP)

Exit status: 1

so it seems that the server is up again but the Common Name has been changed from "rec1.dns.lightningwirelabs.com" to "recursor01.dns.ipfire.org", which I tried, and it seems that this works (maybe only?) for the first one -->

Code:

;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 140 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=recursor01.dns.ipfire.org
;; DEBUG:      SHA-256 PIN: 58mhvlSFW/L/u7AVyu/9VMwPsIxgDSjRLq0nFIw+Z4Q=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP384R1-SHA384)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11599
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; www.isoc.org.       		IN	A

;; ANSWER SECTION:
www.isoc.org.       	300	IN	A	46.43.36.222
www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190811085007 20190728085007 7283 isoc.org. OSWdBehNCpkfutghqf/YGkUmvuC4zKPQU43qZJnlMzBmsVYyGRLEWk6PG56rvI0r+YjPfg6NhWXFdndCIIY5hByNhncHMS9/3s9lNd5ICfrHVnvTBWRKvmRXgP9OAUvFha9yQoS688g/ouo9Z52Cev3KAVliNYydC9HKqZqn3tY=

;; Received 225 B
;; Time 2019-07-29 05:59:57 CEST
;; From 81.3.27.54@853(TCP) in 463.2 ms

Exit status: 0

Code:

From Host: recursor01.dns.ipfire.org ---- With IP: 81.3.27.54 ---- Date: Mon 29 Jul 2019 06:03:03 AM CEST

in 155.8 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-ECDSA-SECP384R1-SHA384-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK

Best,

UE

EDIT: Have updated and already uploaded all files for Core 135, not sure if something will change until the release... The changed unbound initscript runs here without problems...
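Both failures in this thread (the "-" instead of "." in the configured hostname, and the upstream later presenting a certificate for recursor01.dns.ipfire.org instead of rec1.dns.lightningwirelabs.com) are the same check: unbound compares the authentication name after the "#" in its forward-addr entry with the names in the certificate the server presents, and logs "certificate verify failed" when none matches. The following is an added, stand-alone example, not code from IPFire, unbound or ummeegge's test_tls.sh: it parses unbound's "forward-addr: IP@port#name" syntax and performs that name comparison offline against constructed SAN lists. The two SAN lists are assumptions built from the names quoted in the posts; the real certificates were not inspected. Note the third outcome, "unauthenticated": a forward-addr with @853 but no #name gives you encryption without identity verification, which is exactly the misconfiguration a hostname typo tempts you into when the errors "go away" after removing the name.

```python
"""Offline check for the DoT name-verification failures discussed in this thread.

Constructed example (not from the IPFire project or unbound): parses
unbound's "forward-addr: IP@port#authname" syntax and matches the auth
name against the DNS names of the certificate the upstream presented,
the same comparison that produced "certificate verify failed" above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# e.g. forward-addr: 81.3.27.54@853#rec1.dns.lightningwirelabs.com
_FORWARD_RE = re.compile(
    r"^\s*forward-addr:\s*(?P<ip>[^@#\s]+)"
    r"(?:@(?P<port>\d+))?(?:#(?P<name>[^\s#]+))?\s*$"
)


@dataclass(frozen=True)
class Forwarder:
    ip: str
    port: int
    auth_name: Optional[str]  # None: no name to verify the certificate against


def parse_forward_addr(line: str) -> Forwarder:
    """Split one unbound forward-addr line into ip, port (default 53) and auth name."""
    m = _FORWARD_RE.match(line)
    if not m:
        raise ValueError(f"not a forward-addr line: {line!r}")
    return Forwarder(m["ip"], int(m["port"] or 53), m["name"])


def hostname_matches(auth_name: str, cert_names: List[str]) -> bool:
    """RFC 6125-style match: case-insensitive, label by label; a wildcard is
    only accepted as the whole leftmost label and never for a bare
    second-level name (so "*.com" matches nothing)."""
    host = auth_name.rstrip(".").lower().split(".")
    for name in cert_names:
        pat = name.rstrip(".").lower().split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*":
            if len(pat) >= 3 and pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def diagnose(line: str, cert_names: List[str]) -> str:
    """Classify a forward-addr line against the names in the presented certificate."""
    fwd = parse_forward_addr(line)
    if fwd.port != 853:
        return "not-dot"           # plain DNS, nothing to verify
    if fwd.auth_name is None:
        return "unauthenticated"   # TLS without an identity check: encrypted, not authenticated
    if hostname_matches(fwd.auth_name, cert_names):
        return "ok"
    return "name-mismatch"         # what unbound logged as "certificate verify failed"


# Constructed SAN lists standing in for the two certificates seen in the
# thread: the names come from the posts, the SAN contents are assumed.
CERT_BEFORE = ["rec1.dns.lightningwirelabs.com"]
CERT_AFTER = ["recursor01.dns.ipfire.org"]

if __name__ == "__main__":
    for cfg, cert in [
        ("forward-addr: 81.3.27.54@853#rec1.dns-lightningwirelabs.com", CERT_BEFORE),
        ("forward-addr: 81.3.27.54@853#rec1.dns.lightningwirelabs.com", CERT_BEFORE),
        ("forward-addr: 81.3.27.54@853#rec1.dns.lightningwirelabs.com", CERT_AFTER),
        ("forward-addr: 81.3.27.54@853#recursor01.dns.ipfire.org", CERT_AFTER),
        ("forward-addr: 81.3.27.54@853", CERT_AFTER),
    ]:
        print(f"{cfg:<64} -> {diagnose(cfg, cert)}")
```

The live equivalent of the comparison is what the kdig output above shows: run Knot's kdig with +tls-ca and +tls-hostname=NAME against the forwarder's IP, and the "The name in the certificate does not match the expected" line is the same mismatch this function reports. When an upstream operator re-issues a certificate under a new name, as happened here, the fix is to update the #name, not to drop it.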

FischerM
Community Developer
Posts: 994
Joined: November 2nd, 2011, 12:28 pm

Re: unbound - DoT

Post by FischerM » July 29th, 2019, 4:46 am

Thanks!

Will test this when I'm back from work... ::)

Best,
Matthias

EDIT: Works!
