Old 11-04-2017, 09:12 AM   #1
alanware
Member
 
Unbound NSD DNSSEC dnscrypt-proxy OpenBSD


I am trying to set up Unbound to provide caching/forwarding to dnscrypt proxy alongside authoritative NSD for internal DNS.

What I would like is to have unbound provide caching/forwarding to dnscrypt proxy for the Internet and forward to my local domain on an NSD server for local resolution. I am running into problems when I start adding in forwarding/dnscrypt proxy.

OpenBSD 6.2
unbound 1.6.6
nsd 4.1.10
dnscrypt-proxy 1.9.5

What works:
Unbound configured with stub zones to NSD domain and recursive/caching.
Unbound configured with forward zone to NSD domain.

What does not work:
Unbound configured with stub zones to NSD domain and caching/forwarding to dnscrypt proxy.
Unbound configured with forward zones to NSD domain and caching/forwarding to dnscrypt proxy.

I have been working off of the Arch guide that seems pretty concise.
Archlinux - Unbound

unbound.conf
Code:
# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
	interface: 127.0.0.1
	interface: 192.168.5.20
	do-ip6: no

	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: 192.168.5.0/24 allow

	hide-identity: yes
	hide-version: yes

	verbosity: 2
	log-queries: yes

	auto-trust-anchor-file: "/var/unbound/db/root.key"

	do-not-query-localhost: no

	# private networks:
	private-address: 10.0.0.0/8
	private-address: 100.64.0.0/10
	private-address: 172.16.0.0/12
	private-address: 192.0.0.0/29
	private-address: 192.168.0.0/16
	private-address: 198.18.0.0/15
	# example source code & documentation:
	private-address: 192.0.2.0/24
	private-address: 198.51.100.0/24
	private-address: 203.0.113.0/24
	# subnet, autoconfiguration between two hosts on a single link:
	private-address: 169.254.0.0/16
	# reserved for multicast assignments:
	private-address: 224.0.0.0/4
	# reserved for future use:
	private-address: 240.0.0.0/4


local-zone: "example.net" transparent
local-zone: "168.192.in-addr.arpa." transparent

local-zone: "localhost." static
	local-data: "localhost. 10800 IN NS localhost."
	local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
	local-data: "localhost. 10800 IN A 127.0.0.1"
local-zone: "127.in-addr.arpa." static
	local-data: "127.in-addr.arpa. 10800 IN NS localhost."
	local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
	local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: /var/run/unbound.sock

forward-zone:
	name: "example.net."
	forward-addr: 127.0.0.1@8053
forward-zone:
	name: "168.192.in-addr.arpa."
	forward-addr: 127.0.0.1@8053

#forward-zone:
#	name: "."
#	forward-addr: 127.0.0.1@40
 
Old 11-06-2017, 08:17 AM   #2
bjov
LQ Newbie
 
With Unbound 1.6.2 there is DNSCrypt support. Compile with --enable-dnscrypt. Some bugs were squashed in the meantime, so preferably install the latest Unbound version.

For setup of Unbound DNSCrypt, see the DNSCrypt Options section in unbound.conf(5).

Success,

-- Benno

Last edited by bjov; 11-06-2017 at 08:22 AM.
 
Old 11-06-2017, 09:26 AM   #3
bjov
LQ Newbie
 
Suggested solution above is for DNSCrypt server side.

You want a DNSCrypt client of course. Your setup should work and your config is fine. Maybe it is an issue in combination with dnscrypt-proxy, but it is hard to tell without additional info.

I suggest you forward your question to the unbound-users mailing list (https://www.unbound.net/pipermail/unbound-users/). There is quite some expertise with the people on the mailing list.

Cheers,

-- Benno
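
An added example, not part of any post in this thread and not code from the Unbound project: a small Python check over an unbound.conf shaped like the one in post #1. For each zone forwarded or stubbed to a loopback or private server it lists the unbound.conf(5) options such a setup commonly depends on (`do-not-query-localhost`, `domain-insecure`, `private-domain`). It assumes the internal zones have no DNSSEC chain of trust from the public root; the thread does not establish whether these options explain the reported failure.

```python
import ipaddress
SAMPLE = """# Constructed sample, abridged from the unbound.conf in post #1
server:
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    do-not-query-localhost: no
    private-address: 192.168.0.0/16
forward-zone:
    name: "example.net."
    forward-addr: 127.0.0.1@8053
forward-zone:
    name: "168.192.in-addr.arpa."
    forward-addr: 127.0.0.1@8053
"""

def parse(text):
    server, zones, cur = {}, [], None
    for raw in text.splitlines():
        key, _, val = raw.split("#", 1)[0].strip().partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key and not val:              # clause header such as "server:"
            cur = server if key == "server" else None
            if key in ("forward-zone", "stub-zone"):
                cur = {}
                zones.append(cur)
        elif key and cur is not None:    # option inside server: or a zone clause
            cur.setdefault(key, []).append(val)
    return server, zones

def norm(name):
    return name.lower().rstrip(".") + "."

def covered(zone, domains):
    return any(zone == d or zone.endswith("." + d) for d in map(norm, domains))

def review(text):
    """Return (zone, option) pairs to check for zones served from local addresses."""
    server, zones = parse(text)
    out = []
    for z in zones:
        name = norm(z.get("name", ["."])[0])
        ips = [ipaddress.ip_address(a.split("@")[0]) for a in z.get("forward-addr", []) + z.get("stub-addr", [])]
        if name == "." or not ips or not all(i.is_loopback or i.is_private for i in ips):
            continue                     # root forwarder or public upstream: not reviewed here
        if any(i.is_loopback for i in ips) and server.get("do-not-query-localhost", ["yes"])[0] != "no":
            out.append((name, "do-not-query-localhost"))   # default "yes" blocks 127.0.0.1 upstreams
        if "auto-trust-anchor-file" in server and not covered(name, server.get("domain-insecure", [])):
            out.append((name, "domain-insecure"))          # validator expects a chain of trust
        if "private-address" in server and not name.endswith(".arpa.") and not covered(name, server.get("private-domain", [])):
            out.append((name, "private-domain"))           # private A/AAAA answers get stripped
    return out
```

`review(SAMPLE)` reports `domain-insecure` for both forwarded zones and `private-domain` for `example.net.`; each entry is a setting to verify against the actual zone data, not a confirmed fault.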
 
  

