[Bug 227129] dns/dnscrypt-proxy2: Instructions for using together with unbound are lacking
bugzilla-noreply at freebsd.org
Sat Mar 31 01:00:50 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=227129
Bug ID: 227129
Summary: dns/dnscrypt-proxy2: Instructions for using together
with unbound are lacking
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs at FreeBSD.org
Reporter: erik at nordstroem.no
CC: egypcio at googlemail.com
Flags: maintainer-feedback?(egypcio at googlemail.com)
When you install dnscrypt-proxy2 from ports, the following message is shown:
> Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
> of dropping privileges after binding to a low port on FreeBSD.
> By default, the dnscrypt-proxy2 port will listen on (tcp/udp) port 5353
> as the _dnscrypt-proxy user.
>
> It's possible to change back to port 53, but not recommended.
>
> Below are a few examples on how to redirect local connections from port
> 5353 to 53.
>
> [ipfw]
>
> ipfw nat 1 config if lo0 reset same_ports \
> redirect_port tcp 127.0.0.1:5353 53 \
> redirect_port udp 127.0.0.1:5353 53
> ipfw add nat 1 ip from any to 127.0.0.1 via lo0
>
> /etc/rc.conf:
> firewall_nat_enable="YES"
>
> /etc/sysctl.conf:
> net.inet.ip.fw.one_pass=0
>
> [pf]
>
> rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
>
> [unbound]
>
> server:
> interface: 127.0.0.1
> do-not-query-localhost: no
>
> forward-zone:
> name: "."
> forward-addr: 127.0.0.1@5353
First of all, I replaced the contents of /etc/resolv.conf with
nameserver 127.0.0.1
Then I did
chflags schg /etc/resolv.conf
Then I added
dnscrypt_proxy_enable="YES"
local_unbound_enable="YES"
to /etc/rc.conf
and then I ran
service local_unbound setup
then I configured as per the message that dnscrypt-proxy2 had shown upon
install.
--- /var/unbound/unbound.conf.orig 2018-03-31 02:37:45.561257000 +0200
+++ /var/unbound/unbound.conf 2018-03-31 02:37:58.333075000 +0200
@@ -1,12 +1,13 @@
-# This file was generated by local-unbound-setup.
-# Modifications will be overwritten.
server:
username: unbound
directory: /var/unbound
chroot: /var/unbound
pidfile: /var/run/local_unbound.pid
auto-trust-anchor-file: /var/unbound/root.key
+ interface: 127.0.0.1
+ do-not-query-localhost: no
+include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf
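Review bot: Deleting the two header lines "This file was generated by local-unbound-setup. / Modifications will be overwritten." at the top of this hunk does not change the fact they describe: `service local_unbound setup`, which the report ran a few steps earlier, rewrites /var/unbound/unbound.conf, and on its next run the added `interface:`, `do-not-query-localhost:` and `include: /var/unbound/forward.conf` lines are gone. The generated file already ends with `include: /var/unbound/conf.d/*.conf`, so the same three settings placed in a file under /var/unbound/conf.d/ (unbound merges a repeated `server:` clause from an included file) survive regeneration and leave the generated file untouched. Keep the header in place so the next reader knows the file is generated. The `do-not-query-localhost: no` line itself is right and matches the pkg-message: it is what allows unbound to use a forwarder on 127.0.0.1 at all.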
--- /dev/null 2018-03-31 02:33:00.000000000 +0200
+++ /var/unbound/forward.conf 2018-03-31 02:37:58.341486000 +0200
@@ -0,0 +1,3 @@
+forward-zone:
+ name: .
+ forward-addr: 127.0.0.1 at 5353
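Review bot: `forward-addr: 127.0.0.1 at 5353` is the mailing-list archive's rendering of `@` (it rewrites every `@` in the body, as it did in the pkg-message above); unbound's syntax for a non-default port is `forward-addr: 127.0.0.1@5353`, so check that the on-disk forward.conf really contains the `@`. A bare `127.0.0.1` without a port would forward to port 53, which with the `interface: 127.0.0.1` added in the previous hunk is unbound itself. The base system's `local-unbound-checkconf /var/unbound/unbound.conf` parses the file and its includes and is a cheap way to confirm this before starting the service; the report does not show it being run.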
Then I started both services.
service dnscrypt-proxy start
service local_unbound start
Then I waited a little while for dnscrypt-proxy2 to finish starting and then
tried to query dnscrypt-proxy directly:
drill -p 5353 @127.0.0.1 vg.no
And I got A records returned (but the authority section is empty):
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 33496
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; vg.no. IN A
;; ANSWER SECTION:
vg.no. 599 IN A 195.88.54.16
vg.no. 599 IN A 195.88.55.16
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 5055 msec
;; EDNS: version 0; flags: ; udp: 1204
;; SERVER: 127.0.0.1
;; WHEN: Sat Mar 31 02:42:02 2018
;; MSG SIZE rcvd: 76
But then I tried to query unbound:
drill @127.0.0.1 vg.no
And the response I got does not contain any records:
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 12128
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; vg.no. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 23 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Mar 31 02:51:49 2018
;; MSG SIZE rcvd: 23
For comparison, here is what unbound answers when it talks to external DNS
servers directly; it has both the authority section contents and the A records:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50666
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;; vg.no. IN A
;; ANSWER SECTION:
vg.no. 600 IN A 195.88.54.16
vg.no. 600 IN A 195.88.55.16
;; AUTHORITY SECTION:
vg.no. 3600 IN NS ns-foo.linpro.net.
vg.no. 3600 IN NS ns-zoo.linpro.net.
vg.no. 3600 IN NS ns-bar.linpro.net.
;; ADDITIONAL SECTION:
;; Query time: 229 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Mar 31 02:57:02 2018
;; MSG SIZE rcvd: 128
PS: I am using vg.no as an example just because it's short, it's the biggest
newspaper in my country, and I've gotten into the habit of typing vg.no when I
want to check whether my DNS is working as it should.
Something is amiss, and IMO the problem is that the instructions for
dnscrypt-proxy2 do not describe in good enough detail how to actually perform
the configuration that is required for it and unbound to work together.
How do I get them working together?
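The pkg-message quoted in the report gives the unbound side of the layout in three lines (`interface: 127.0.0.1`, `do-not-query-localhost: no`, `forward-addr: 127.0.0.1@5353`) without saying which of them is load-bearing, and the report's own diff edits them into the file that `service local_unbound setup` regenerates. The script below is an added example, not code from the report, the dnscrypt-proxy2 port or FreeBSD: a small POSIX sh linter that reads an unbound.conf tree (following top-level `include:` lines, globs included) and checks the three things that have to hold for a loopback forwarder to work and to keep working. The function names and the two sample config trees it writes to a scratch directory are constructed for the example; the "bad" tree trips all three checks, the "good" tree keeps the generated file untouched and puts the forwarder in conf.d/.

```shell
#!/bin/sh
# Added example for this report, not code from the bug, the port or FreeBSD:
# static checks on an unbound.conf that fronts a dnscrypt-proxy2 listener on
# 127.0.0.1 (the pkg-message layout). It encodes three things that must hold
# for that layout to work:
#   1. a forwarder on loopback needs "do-not-query-localhost: no"; unbound's
#      default is "yes", and then it refuses the forwarder and answers SERVFAIL;
#   2. forward-addr must carry the port as IP@port; a bare IP means port 53,
#      which is unbound itself when it listens on 127.0.0.1;
#   3. the file local-unbound-setup generates is rewritten on the next
#      "service local_unbound setup", so local settings belong in the
#      /var/unbound/conf.d/*.conf files it already includes.
# Function names and the sample configs below are this example's own.

# Print the config file and every file named by a top-level "include:" line
# (globs expanded, one level deep, which is what the local-unbound layout uses).
unbound_config_files() {
    conf=$1
    echo "$conf"
    sed -n 's/^[[:space:]]*include:[[:space:]]*//p' "$conf" | tr -d '"' |
    while read -r inc; do
        for f in $inc; do                  # unquoted on purpose: expands conf.d/*.conf
            if [ -f "$f" ]; then echo "$f"; fi
        done
    done
}

# Lint one config tree. Prints one line per finding; the exit status is the
# number of findings (0 means all three checks pass).
lint_unbound_forward() {
    conf=$1
    findings=0
    all=$(cat $(unbound_config_files "$conf"))

    # 1. loopback forwarder without do-not-query-localhost: no
    if printf '%s\n' "$all" | grep -Eq '^[[:space:]]*forward-addr:[[:space:]]*(127\.|::1)'; then
        if ! printf '%s\n' "$all" | grep -Eq '^[[:space:]]*do-not-query-localhost:[[:space:]]*no'; then
            echo "FAIL: loopback forward-addr but no 'do-not-query-localhost: no'"
            findings=$((findings + 1))
        fi
    fi

    # 2. every forward-addr needs @port, and that port must not be 53
    addrs=$(printf '%s\n' "$all" | sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*//p' | tr -d ' \t')
    noport=$(printf '%s\n' "$addrs" | grep -v '^$' | grep -Evc '@[0-9]+$' || true)
    port53=$(printf '%s\n' "$addrs" | grep -Ec '@53$' || true)
    if [ "$noport" -gt 0 ] || [ "$port53" -gt 0 ]; then
        echo "FAIL: forward-addr must be IP@port with a port other than 53 (got: $(echo $addrs))"
        findings=$((findings + 1))
    fi

    # 3. forwarding settings edited into the generated file
    if grep -q 'Modifications will be overwritten' "$conf" &&
       grep -Eq '^[[:space:]]*(forward-addr|do-not-query-localhost):' "$conf"; then
        echo "FAIL: forwarding settings live in generated $conf; put them in conf.d/"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample configs (not the reporter's files) in a scratch directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/bad" "$WORK/good/conf.d"

# BAD: edits made directly in the generated file, no do-not-query-localhost,
# and a forward-addr without a port.
cat > "$WORK/bad/unbound.conf" <<EOF
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
    username: unbound
    chroot: /var/unbound
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-addr: 127.0.0.1
EOF
BAD_CONF=$WORK/bad/unbound.conf

# GOOD: generated file left alone; the dnscrypt-proxy forwarder goes in conf.d
# (a second "server:" clause in an included file is merged by unbound).
cat > "$WORK/good/unbound.conf" <<EOF
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
    username: unbound
    chroot: /var/unbound
    interface: 127.0.0.1
include: $WORK/good/conf.d/*.conf
EOF
cat > "$WORK/good/conf.d/dnscrypt-proxy.conf" <<EOF
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
EOF
GOOD_CONF=$WORK/good/unbound.conf

lint_unbound_forward "$BAD_CONF" || echo "bad config: $? finding(s)"   # 3
lint_unbound_forward "$GOOD_CONF" && echo "good config: no findings"
```

Pointing `lint_unbound_forward` at a real /var/unbound/unbound.conf is the static half of the check; the dynamic half is the pair of `drill` queries the report already runs (port 5353 first, then port 53), which tells the two failure modes apart: an answer on 5353 and SERVFAIL on 53 means the problem is on the unbound side of the chain, not in dnscrypt-proxy2.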