
#1 2016-06-27 10:26:38

Maxiride
Member
From: Italy
Registered: 2016-06-22
Posts: 9

[Solved] Unable to setup dnscrypt and unbound - name not resolved

After a lot of hours and much trial and error I managed to narrow the problem down to one thing. Unbound and dnscrypt now seem to be set up properly and, thanks to systemctl status, I now see that with every DNSSEC resolver I try to use I always get the same error: Unable to retrieve server certificates. This error is reported by many on the dnscrypt GitHub, and they all solved it by just trying another resolver, because this error occurs when the ISP is blocking the resolver address.

But I can't believe that all the DNSSEC resolvers are censored by my ISP... More updates here: turns out that yes, they are almost all blocked by my ISP. Very unlikely, but it happened.

giu 27 16:53:43 arch-anywhere-federico systemd[1]: Starting DNSCrypt client proxy...
giu 27 16:53:43 arch-anywhere-federico dnscrypt-proxy[16858]: [INFO] + DNS Security Extensions are supported
giu 27 16:53:43 arch-anywhere-federico dnscrypt-proxy[16858]: [INFO] + Namecoin domains can be resolved
giu 27 16:53:43 arch-anywhere-federico dnscrypt-proxy[16858]: [INFO] + Provider supposedly doesn't keep logs
giu 27 16:53:43 arch-anywhere-federico dnscrypt-proxy[16858]: [NOTICE] Starting dnscrypt-proxy 1.6.1
giu 27 16:53:43 arch-anywhere-federico dnscrypt-proxy[16858]: [INFO] Generating a new session key pair
giu 27 16:53:43 arch-anywhere-federico dnscrypt-proxy[16858]: [INFO] Done
giu 27 16:53:57 arch-anywhere-federico dnscrypt-proxy[16836]: [ERROR] Unable to retrieve server certificates
giu 27 16:53:58 arch-anywhere-federico dnscrypt-proxy[16858]: [ERROR] Unable to retrieve server certificates
giu 27 16:53:58 arch-anywhere-federico dnscrypt-proxy[16836]: [INFO] Refetching server certificates
giu 27 16:53:59 arch-anywhere-federico dnscrypt-proxy[16858]: [INFO] Refetching server certificates

All of the following can now be skipped.

I'm leaving it since it may or may not be useful for others to understand how I debugged the issue bit by bit.
I wanted to set up unbound as a local DNS cache along with the dnscrypt service. I read both wiki pages without managing to get them working.

I tried different things and here is a summary of them; assume an initial setup like the one obtained by doing Steps 2 and 3.1 of the dnscrypt wiki page.

Attempt #1

As suggested by another kind user in another post with a similar issue, instead of using the same IP with different ports for listening and forwarding DNS queries (as suggested in the wiki), I chained them using different IPs.

  • # systemctl edit dnscrypt-proxy.socket to modify ListenStream and ListenDatagram to 128.0.0.1 (first pair blank, second pair with the ip as explained in the note in the wiki)

  • # nano /etc/unbound/unbound.conf to change forward-addr to 128.0.0.1

  • # nano /etc/resolvconf.conf to enable the use of 127.0.0.1 as a local DNS resolver by uncommenting the last line

  • Did a # resolvconf -u to update the changes in resolv.conf and restarted all the services with # systemctl restart dnscrypt-proxy unbound NetworkManager

In the end, when I try to load a page I get the ERR name not resolved error in Chromium, hence this setup is not working for me. The previous setup was the same but using 127.0.0.1:40 as listening address and forward-addr; not working either.

Attempt #2

I also gave a shot to this blog post, which basically does the same as the wiki except for one step, which is the one I did differently: instead of using # systemctl edit dnscrypt-proxy.socket to change the dnscrypt IP/port, the author modifies /etc/conf.d/dnscrypt-config (Step 5 in the linked guide), a config created after running the dnscrypt-autoinstall script.

This kind of approach is not working for me either.
So I started to think that the issue lies somewhere else...

Attempt #3 Unbound only

I left resolv.conf with 127.0.0.1 as the only nameserver and modified unbound.conf to forward the queries to the Google and OpenDNS DNS servers.
Even with this minimal setup something's wrong, because I still get "name not resolved" errors in Chromium.

[root@arch-anywhere-federico]: /home/federico># cat /etc/unbound/unbound.conf
server:
  use-syslog: no
  username: "unbound"
  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key
  logfile: "/etc/unbound/unbound.log"
  do-not-query-localhost: yes <- also tried with the "no" option too
  forward-zone:
     name: "."
     forward-addr: 8.8.8.8
     forward-addr: 8.8.4.4
     forward-addr: 208.67.222.222
     forward-addr: 208.67.220.220

Attempt #4 Unbound only using the network's default DNS servers

I tried to go even smaller on the modifications and, following the openresolv wiki, I modified my resolvconf.conf, uncommenting 127.0.0.1 and adding unbound_conf=/etc/unbound-resolvconf.conf at the end of the file. resolvconf -u then auto-generated the needed config, which I then included into unbound.conf.

This is what the auto-generated file looks like, where *** is the network I'm attached to and the IPs are the DNS servers it provides.

[root@arch-anywhere-federico]: /home/federico># cat /etc/unbound-resolvconf.conf 
# Generated by resolvconf

forward-zone:
        name: "***" <- obfuscated domain
        forward-addr: 192.168.206.99
        forward-addr: 192.168.119.99

forward-zone:
        name: "."
        forward-addr: 192.168.206.99
        forward-addr: 192.168.119.99

Even like so I'm still unable to resolve any DNS name, even though I'm basically manually using the SAME DNS servers provided by the network; indeed, manually doing drill @192.168.206.99 google.it works fine.

Last edited by Maxiride (2016-06-28 07:58:39)

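A hop-by-hop probe, as an added example that is not part of the original post: it sends one hand-built DNS query (RFC 1035 wire format, standard library only) to each resolver in the chain described above and reports TIMEOUT, SERVFAIL, NXDOMAIN or NOERROR, which separates "nothing is listening on 127.0.0.1" from "unbound answers but returns SERVFAIL because its upstream dnscrypt-proxy could not fetch the server certificates". The hop list (127.0.0.1:53 for unbound, port 40 for the dnscrypt-proxy listener, 192.168.206.99 for the network's own DNS) is an assumption taken from the values in the post; change it to match your ListenStream/ListenDatagram setting.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qid=0x1234):
    """Build a minimal A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(resp, qid=0x1234):
    """Return (rcode name, answer count); reject replies that are not for our id."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), an


def probe(host, port, name="google.it", timeout=3.0):
    """Query one hop over UDP; returns 'TIMEOUT', 'ERROR ...' or 'RCODE/N answers'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (host, port))
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"          # nothing listening, or the path is blocked
        except OSError as e:
            return f"ERROR {e.strerror}"  # e.g. connection refused (ICMP unreachable)
    rcode, answers = parse_response(resp)
    return f"{rcode}/{answers} answers"


# Assumed hop list, taken from the addresses used in the post.
HOPS = [
    ("unbound (resolv.conf nameserver)", "127.0.0.1", 53),
    ("dnscrypt-proxy listener", "127.0.0.1", 40),
    ("network-provided DNS", "192.168.206.99", 53),
]

if __name__ == "__main__":
    for label, host, port in HOPS:
        print(f"{label:34} {host}:{port:<5} -> {probe(host, port)}")
```

Read the output top-down: a SERVFAIL from unbound together with a TIMEOUT from dnscrypt-proxy's upstream points at the "Unable to retrieve server certificates" situation in the log above, while a TIMEOUT from 127.0.0.1:53 means unbound itself is not listening where resolv.conf says it is.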

#2 2016-06-28 07:58:20

Maxiride
Member
From: Italy
Registered: 2016-06-22
Posts: 9

Re: [Solved] Unable to setup dnscrypt and unbound - name not resolved

The topic can be closed.

