#1 2016-11-10 00:24:43

acidvegas
Member
From: Olympia, Greece
Registered: 2016-11-09
Posts: 5

DNSCrypt + Unbound Timeout Loops (Can't retrieve certificates)

I have DNSCrypt set up to work with Unbound and am using 2 DNSCrypt servers. I can connect to the internet and drilling hosts works, but when I run journalctl I get the following output:

Nov 09 18:57:02 spunbox systemd[1]: Starting DNSCrypt client proxy...
Nov 09 18:57:02 spunbox systemd[1]: Stopped DNSCrypt client proxy.
Nov 09 18:57:03 spunbox systemd[1]: Starting DNSCrypt client proxy...
Nov 09 18:57:03 spunbox dnscrypt-proxy[12802]: [INFO] + DNS Security Extensions are supported
Nov 09 18:57:03 spunbox dnscrypt-proxy[12802]: [INFO] + Provider supposedly doesn't keep logs
Nov 09 18:57:03 spunbox dnscrypt-proxy[12802]: [NOTICE] Starting dnscrypt-proxy 1.7.0
Nov 09 18:57:03 spunbox dnscrypt-proxy[12802]: [INFO] Generating a new session key pair
Nov 09 18:57:03 spunbox dnscrypt-proxy[12802]: [INFO] Done
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [INFO] + DNS Security Extensions are supported
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [INFO] + Namecoin domains can be resolved
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [INFO] + Provider supposedly doesn't keep logs
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [NOTICE] Starting dnscrypt-proxy 1.7.0
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [INFO] Generating a new session key pair
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [INFO] Done
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [INFO] Server certificate with serial '0001' received
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [INFO] This certificate is valid
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [INFO] Chosen certificate #808464433 is valid from [2014-10-15] to [2019-10-14]
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [INFO] Server key fingerprint is F0AD:8CEB:52C5:8DCD:0244:C28B:550A:BA4F:7BDB:4593:6F19:63DB:72D3:683A:30C0:0612
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [NOTICE] Proxying from 127.0.0.1:60309 to 178.216.201.222:2053
Nov 09 18:57:18 spunbox dnscrypt-proxy[12802]: [ERROR] Unable to retrieve server certificates
Nov 09 18:57:19 spunbox dnscrypt-proxy[12802]: [INFO] Refetching server certificates
Nov 09 18:57:34 spunbox dnscrypt-proxy[12802]: [ERROR] Unable to retrieve server certificates
Nov 09 18:57:37 spunbox dnscrypt-proxy[12802]: [INFO] Refetching server certificates
Nov 09 18:57:52 spunbox dnscrypt-proxy[12802]: [ERROR] Unable to retrieve server certificates
Nov 09 18:57:58 spunbox dnscrypt-proxy[12802]: [INFO] Refetching server certificates
Nov 09 18:58:13 spunbox dnscrypt-proxy[12802]: [ERROR] Unable to retrieve server certificates
Nov 09 18:58:22 spunbox dnscrypt-proxy[12802]: [INFO] Refetching server certificates
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@soltysiak.service: Start operation timed out. Terminating.
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@4armed.service: Start operation timed out. Terminating.
Nov 09 18:58:33 spunbox systemd[1]: Failed to start DNSCrypt client proxy.
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@soltysiak.service: Unit entered failed state.
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@soltysiak.service: Failed with result 'timeout'.
Nov 09 18:58:33 spunbox systemd[1]: Failed to start DNSCrypt client proxy.
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@4armed.service: Unit entered failed state.
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@4armed.service: Failed with result 'timeout'.
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@soltysiak.service: Service hold-off time over, scheduling restart.
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@4armed.service: Service hold-off time over, scheduling restart.
Nov 09 18:58:33 spunbox systemd[1]: Stopped DNSCrypt client proxy.
Nov 09 18:58:33 spunbox systemd[1]: Starting DNSCrypt client proxy...
Nov 09 18:58:33 spunbox systemd[1]: Stopped DNSCrypt client proxy.
Nov 09 18:58:33 spunbox systemd[1]: Starting DNSCrypt client proxy...
Nov 09 18:58:33 spunbox dnscrypt-proxy[13172]: [INFO] + DNS Security Extensions are supported
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [INFO] + DNS Security Extensions are supported
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [INFO] + Namecoin domains can be resolved
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [INFO] + Provider supposedly doesn't keep logs
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [NOTICE] Starting dnscrypt-proxy 1.7.0
Nov 09 18:58:33 spunbox dnscrypt-proxy[13172]: [INFO] + Provider supposedly doesn't keep logs
Nov 09 18:58:33 spunbox dnscrypt-proxy[13172]: [NOTICE] Starting dnscrypt-proxy 1.7.0
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [INFO] Generating a new session key pair
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [INFO] Done
Nov 09 18:58:33 spunbox dnscrypt-proxy[13172]: [INFO] Generating a new session key pair
Nov 09 18:58:33 spunbox dnscrypt-proxy[13172]: [INFO] Done
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [INFO] Server certificate with serial '0001' received
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [INFO] This certificate is valid
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [INFO] Chosen certificate #808464433 is valid from [2014-10-15] to [2019-10-14]
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [INFO] Server key fingerprint is F0AD:8CEB:52C5:8DCD:0244:C28B:550A:BA4F:7BDB:4593:6F19:63DB:72D3:683A:30C0:0612
Nov 09 18:58:33 spunbox dnscrypt-proxy[13173]: [NOTICE] Proxying from 127.0.0.1:60309 to 178.216.201.222:2053
Nov 09 18:58:48 spunbox dnscrypt-proxy[13172]: [ERROR] Unable to retrieve server certificates
Nov 09 18:58:49 spunbox dnscrypt-proxy[13172]: [INFO] Refetching server certificates
Nov 09 18:59:04 spunbox dnscrypt-proxy[13172]: [ERROR] Unable to retrieve server certificates
Nov 09 18:59:07 spunbox dnscrypt-proxy[13172]: [INFO] Refetching server certificates

My journalctl is just FULL of this as it occurs every minute pretty much.
Below are my related configs.



Here is my /etc/unbound/unbound.conf

server:
  interface: 127.0.0.1
  port: 53
  do-daemonize: yes
  username: "unbound"

  # Security
  hide-identity: yes
  hide-version: yes
  harden-short-bufsize: yes
  harden-large-queries: yes
  harden-glue: yes
  harden-dnssec-stripped: yes
  harden-below-nxdomain: yes
  harden-referral-path: yes
  use-caps-for-id: yes
  prefetch: yes

  # Performance
  num-threads: 2
  msg-cache-slabs: 8
  rrset-cache-slabs: 8
  infra-cache-slabs: 8
  key-cache-slabs: 8
  rrset-cache-size: 100m
  msg-cache-size: 50m
  outgoing-range: 206
  num-queries-per-thread: 128
  so-rcvbuf: 4m
  so-sndbuf: 4m
  so-reuseport: yes
  cache-min-ttl: 3600
  cache-max-ttl: 86400

  directory: "/etc/unbound"
  trust-anchor-file: trusted-key.key
  use-syslog: no
  verbosity: 1
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: yes
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@60309
  forward-addr: 127.0.0.1@57782

remote-control:
  control-enable: no


/etc/systemd/system/dnscrypt-proxy@.service
Note: yes I have the dnscrypt user created

[Unit]
Description=DNSCrypt client proxy
Documentation=man:dnscrypt-proxy(8)
Requires=dnscrypt-proxy@%i.socket

[Service]
Type=notify
NonBlocking=true
ExecStart=/usr/sbin/dnscrypt-proxy --resolver-name %i --user=dnscrypt
Restart=always


/etc/systemd/system/dnscrypt-proxy@4armed.socket

[Unit]
Description=dnscrypt-proxy listening socket

[Socket]
ListenStream=127.0.0.1:57782
ListenDatagram=127.0.0.1:57782

[Install]
WantedBy=sockets.target


/etc/systemd/system/dnscrypt-proxy@soltysiak.socket

[Unit]
Description=dnscrypt-proxy listening socket

[Socket]
ListenStream=127.0.0.1:60309
ListenDatagram=127.0.0.1:60309

[Install]
WantedBy=sockets.target


My /etc/resolv.conf is set to point at 127.0.0.1 and is chattr +i so it won't be overwritten.

I can't find any help on this issue. I have tried like 6 other DNSCrypt servers and it still is producing the same errors.
Please help.

Last edited by acidvegas (2016-11-10 00:26:29)


MOST DANGEROUS MOTHERFUCK
GithubSuperNETs
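
Added example, not part of the original post: a Python triage of journal lines in the format shown above. It ties each dnscrypt-proxy PID to its socket-activated unit by listening port, and separates an instance that cannot fetch its certificate from one that is proxying yet still hits systemd's start timeout. The port-to-unit map comes from the two .socket files in the post and the sample lines are copied from the post's log; the function and state names are illustrative.

```python
import re
from collections import defaultdict

# Sample lines copied from the journal output in the post.
SAMPLE = """\
Nov 09 18:57:03 spunbox dnscrypt-proxy[12802]: [NOTICE] Starting dnscrypt-proxy 1.7.0
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [NOTICE] Starting dnscrypt-proxy 1.7.0
Nov 09 18:57:03 spunbox dnscrypt-proxy[12801]: [NOTICE] Proxying from 127.0.0.1:60309 to 178.216.201.222:2053
Nov 09 18:57:18 spunbox dnscrypt-proxy[12802]: [ERROR] Unable to retrieve server certificates
Nov 09 18:57:34 spunbox dnscrypt-proxy[12802]: [ERROR] Unable to retrieve server certificates
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@soltysiak.service: Start operation timed out. Terminating.
Nov 09 18:58:33 spunbox systemd[1]: dnscrypt-proxy@4armed.service: Start operation timed out. Terminating.
"""
# Listening ports from the two .socket units in the post.
PORT_TO_UNIT = {"60309": "soltysiak", "57782": "4armed"}

LINE = re.compile(r"^\w{3} \d+ [\d:]+ \S+ (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PROXYING = re.compile(r"Proxying from 127\.0\.0\.1:(\d+) to \S+")
TIMED_OUT = re.compile(r"dnscrypt-proxy@(\w+)\.service: Start operation timed out")
CERT_FAIL = "Unable to retrieve server certificates"

def triage(text, port_to_unit):
    """Return {pid: (unit, state, cert_failures)} for each dnscrypt-proxy PID."""
    procs = defaultdict(lambda: {"unit": None, "cert_failures": 0})
    timed_out = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["prog"] == "systemd":
            t = TIMED_OUT.search(m["msg"])
            if t:
                timed_out.add(t[1])
        elif m["prog"] == "dnscrypt-proxy":
            proc = procs[m["pid"]]
            p = PROXYING.search(m["msg"])
            if p:  # only an instance that got its certificate logs its local port
                proc["unit"] = port_to_unit.get(p[1])
            elif CERT_FAIL in m["msg"]:
                proc["cert_failures"] += 1
    report = {}
    for pid, proc in procs.items():
        # A PID that never reaches "Proxying" cannot be mapped to a unit from the log alone.
        state = ("cannot fetch certificate" if proc["cert_failures"] else
                 "proxying, but start timed out" if proc["unit"] in timed_out else "ok")
        report[pid] = (proc["unit"], state, proc["cert_failures"])
    return report
```

On the sample, PID 12801 maps to the soltysiak unit and is reported as proxying but timed out, while PID 12802 is reported as unable to fetch its certificate.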
