[Bug 227129] dns/dnscrypt-proxy2: Instructions for using together with unbound are lacking

bugzilla-noreply at freebsd.org
Sat Mar 31 01:00:50 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227129

            Bug ID: 227129
           Summary: dns/dnscrypt-proxy2: Instructions for using together
                    with unbound are lacking
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs at FreeBSD.org
          Reporter: erik at nordstroem.no
                CC: egypcio at googlemail.com
             Flags: maintainer-feedback?(egypcio at googlemail.com)

When you install dnscrypt-proxy2 from ports, the following message is shown:

> Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
> of dropping privileges after binding to a low port on FreeBSD.

> By default, the dnscrypt-proxy2 port will listen on (tcp/udp) port 5353
> as the _dnscrypt-proxy user.
>
> It's possible to change back to port 53, but not recommended.
>
> Below are a few examples on how to redirect local connections from port
> 5353 to 53.
>
> [ipfw]
>
>   ipfw nat 1 config if lo0 reset same_ports \
>     redirect_port tcp 127.0.0.1:5353 53 \
>     redirect_port udp 127.0.0.1:5353 53
>   ipfw add nat 1 ip from any to 127.0.0.1 via lo0
>
>   /etc/rc.conf:
>     firewall_nat_enable="YES"
>
>   /etc/sysctl.conf:
>     net.inet.ip.fw.one_pass=0
>
> [pf]
> 
>   rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
>
> [unbound]
>
>   server:
>     interface: 127.0.0.1
>     do-not-query-localhost: no
>
>   forward-zone:
>     name: "."
>     forward-addr: 127.0.0.1@5353

First of all, I replaced the contents of /etc/resolv.conf with

  nameserver 127.0.0.1

Then I did

  chflags schg /etc/resolv.conf

Then I added

  dnscrypt_proxy_enable="YES"
  local_unbound_enable="YES"

to /etc/rc.conf

and then I ran

  service local_unbound setup

Then I configured it as per the message that dnscrypt-proxy2 had shown upon
install.

  --- /var/unbound/unbound.conf.orig    2018-03-31 02:37:45.561257000 +0200
  +++ /var/unbound/unbound.conf 2018-03-31 02:37:58.333075000 +0200
  @@ -1,12 +1,13 @@
  -# This file was generated by local-unbound-setup.
  -# Modifications will be overwritten.
   server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key
  +     interface: 127.0.0.1
  +     do-not-query-localhost: no

  +include: /var/unbound/forward.conf
   include: /var/unbound/lan-zones.conf
   include: /var/unbound/control.conf
   include: /var/unbound/conf.d/*.conf
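Review bot: the two deleted lines at the top of this hunk are the warning that local-unbound-setup regenerates this file, and the procedure in the report runs `service local_unbound setup`, so the added `interface:`, `do-not-query-localhost:` and `include: /var/unbound/forward.conf` lines would be lost on the next setup run. The file already includes `/var/unbound/conf.d/*.conf`; put the additions in a file there (the two server options under their own `server:` heading) and leave the generated unbound.conf untouched. `do-not-query-localhost: no` does need to stay somewhere, since the forward target 127.0.0.1@5353 is an address unbound otherwise refuses to query.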

  --- /dev/null 2018-03-31 02:33:00.000000000 +0200
  +++ /var/unbound/forward.conf 2018-03-31 02:37:58.341486000 +0200
  @@ -0,0 +1,3 @@
  +forward-zone:
  +     name: .
  +     forward-addr: 127.0.0.1 at 5353
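Review bot: this forward-zone sends every query to 127.0.0.1@5353 while the server block in the previous hunk keeps `auto-trust-anchor-file: /var/unbound/root.key`, so unbound validates whatever dnscrypt-proxy2 hands back and answers SERVFAIL for data it cannot validate; the port's instructions should state that the forwarder has to pass DNSSEC material through (DO bit honoured, RRSIGs returned). The hop can be checked on its own with `drill -D -p 5353 @127.0.0.1 vg.no` and looking for RRSIG records in the reply.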

Then I started both services.

  service dnscrypt-proxy start
  service local_unbound start

Then I waited a little while for dnscrypt-proxy2 to finish starting and then
tried to query dnscrypt-proxy directly:

  drill -p 5353 @127.0.0.1 vg.no

And I got A records back (though the authority section is empty):

  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 33496
  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; vg.no.     IN      A

  ;; ANSWER SECTION:
  vg.no.        599     IN      A       195.88.54.16
  vg.no.        599     IN      A       195.88.55.16

  ;; AUTHORITY SECTION:

  ;; ADDITIONAL SECTION:

  ;; Query time: 5055 msec
  ;; EDNS: version 0; flags: ; udp: 1204
  ;; SERVER: 127.0.0.1
  ;; WHEN: Sat Mar 31 02:42:02 2018
  ;; MSG SIZE  rcvd: 76

But then I tried to query unbound:

  drill @127.0.0.1 vg.no

And the response I got does not contain any records:

  ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 12128
  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; vg.no.     IN      A

  ;; ANSWER SECTION:

  ;; AUTHORITY SECTION:

  ;; ADDITIONAL SECTION:

  ;; Query time: 23 msec
  ;; SERVER: 127.0.0.1
  ;; WHEN: Sat Mar 31 02:51:49 2018
  ;; MSG SIZE  rcvd: 23

For comparison, here's what unbound answers when it talks to external DNS
servers directly; it has both the authority section contents and the A records:

  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50666
  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; vg.no.     IN      A

  ;; ANSWER SECTION:
  vg.no.        600     IN      A       195.88.54.16
  vg.no.        600     IN      A       195.88.55.16

  ;; AUTHORITY SECTION:
  vg.no.        3600    IN      NS      ns-foo.linpro.net.
  vg.no.        3600    IN      NS      ns-zoo.linpro.net.
  vg.no.        3600    IN      NS      ns-bar.linpro.net.

  ;; ADDITIONAL SECTION:

  ;; Query time: 229 msec
  ;; SERVER: 127.0.0.1
  ;; WHEN: Sat Mar 31 02:57:02 2018
  ;; MSG SIZE  rcvd: 128

PS: I am using vg.no as an example just because it's short, it's the biggest
newspaper in my country, and I've just gotten into the habit of typing vg.no
when I want to check if my DNS is working as it should.

Something is amiss, and IMO the problem is that the instructions for
dnscrypt-proxy2 do not describe in good enough detail how to actually perform
the configuration that is required for it and unbound to work together.

How do I get them working together?

-- 
You are receiving this mail because:
You are the assignee for the bug.
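The pkg-message layout (dnscrypt-proxy2 on 127.0.0.1:5353, a validating unbound with auto-trust-anchor-file on 127.0.0.1:53) is easiest to debug by asking both hops the same question with the DNSSEC OK bit set and comparing the replies, which is what the two drill runs above do by hand. The probe below is an added example, not code from the dns/dnscrypt-proxy2 port, from unbound or from the bug report; the function names and the diagnosis strings are its own, the ports and addresses are taken from the pkg-message, and the only data it embeds is what it builds itself.

```python
"""Probe each hop of a dnscrypt-proxy2 -> unbound chain on 127.0.0.1.

Added example (not from the dns/dnscrypt-proxy2 port, unbound or the bug
report). Assumes the pkg-message layout: dnscrypt-proxy2 on udp/5353 and
unbound on udp/53. Function names and diagnosis strings are this example's own.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPES = {1: "A", 2: "NS", 28: "AAAA", 46: "RRSIG"}


def build_query(qname, qtype=1, txid=0x1234, dnssec_ok=True):
    """Build a UDP DNS query: RD set, one question, one EDNS0 OPT record.
    With dnssec_ok the DO bit is set, so a DNSSEC-capable upstream returns
    RRSIGs, which is what a validating unbound needs from its forwarder."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = qname.rstrip(".").split(".")
    wire_name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = wire_name + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, UDP payload 1232, ext-rcode 0, version 0,
    # flags (DO = 0x8000), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Decode header flags, section counts and the answer-section RRs."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(("A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((RRTYPES.get(rtype, str(rtype)), ttl, rdata.hex()))
    return {
        "id": txid,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "tc": bool(flags & 0x0200),
        "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020),  # set only when the resolver validated the data
        "answer": an, "authority": ns, "additional": ar,
        "answers": answers,
    }


def query(host, port, qname, timeout=5.0):
    """Send one UDP query and return the parsed reply, or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (host, port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


def diagnose(forwarder, recursor):
    """Point at the hop worth looking at. 'forwarder' is dnscrypt-proxy2's
    reply (port 5353), 'recursor' is unbound's (port 53); None means timeout."""
    if forwarder is None:
        return "dnscrypt-proxy2 did not answer on 5353"
    if forwarder["rcode"] != "NOERROR":
        return "dnscrypt-proxy2 returned %s: check its own upstream first" % forwarder["rcode"]
    if recursor is None:
        return "unbound did not answer on 53"
    if recursor["rcode"] == "SERVFAIL":
        if not any(t == "RRSIG" for t, _, _ in forwarder["answers"]):
            return ("unbound SERVFAIL while the forwarder answers without RRSIGs: "
                    "check that the dnscrypt-proxy2 upstream honours the DO bit "
                    "(drill -D -p 5353 @127.0.0.1 <name>)")
        return ("unbound SERVFAIL with signed data from the forwarder: "
                "run unbound-checkconf and raise verbosity in unbound.conf")
    return "chain OK (AD=%s)" % recursor["ad"]


if __name__ == "__main__":
    fwd = query("127.0.0.1", 5353, "vg.no")
    rec = query("127.0.0.1", 53, "vg.no")
    print("dnscrypt-proxy2:", fwd)
    print("unbound:", rec)
    print(diagnose(fwd, rec))
```

Run it on the box after both services are up; the two dicts show the rcode, the AD bit and the answer RRs per hop, so a reply from 5353 that carries A records but no RRSIG, next to a SERVFAIL from 53, separates "the forwarder works" from "the validating recursor accepts what the forwarder returns" without guessing from drill's summary lines.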

