You are not logged in.

#1 2018-02-24 15:12:43

deafeningsylence
Member
Registered: 2016-09-23
Posts: 52

Setting up DNS query cache/encrypt - Unbound + DNSCrypt + DNSSEC + VPN

Dear Arch Community,

I finally got around to setup my DNS queries. This is not a post about an error but a polite request for somebody with a deeper understanding to explain how Unbound, DNSCrypt, and DNSSEC work with a VPN. I am using privateinterentaccess for a while now and the VPN is correctly setup in Networkmanager using the openvpn extension. To prevent DNS leaks in the past I had an iptables rule written that only allows requests to the privateinternetaccess DNS servers, which I will now dump I suppose.

Now, I want to use unbound along with DNSCrypt and DNSSEC. I have setup ubound successfully and also DNSSEC as well as DNSCrypt but I have some questions how I coordinate it with the VPN and its DNS Servers. Also, I am not quite sure about how DNSSEC works inbetween all those factors to validate the DNS requests. From what I read so far it goes like this:

DNS request gets managed/cached etc. through unbound which sends it to  DNSCrypt to be encrypted then DNSSEC checks if the origin server of the DNS is a valid one and finally I get the IP for the DNS if that is the case.

My question finally is, how would I need to set it up that I can use Unbound + DNSCrypt + DNSSEC with the VPN DNS Servers? I hope they support DNSSEC but being a VPN and about security and all I figure they do. My guess is that I need to put the VPN DNSServer IP into the dnscrypt.conf for ResolverName since this is the last point of exit?

A bonus question would be why do I only need to target unbound to the already present trust-anchor-file in the unbound destination? and do I need to replace it with some key I need to generate for my machine or is that automatically done when setting up unbound?

My unbound.conf looks like this:

GNU nano 2.9.3                                /etc/unbound/unbound.conf                                 Modified  

server:
  include /etc/unbound/adservers
  root-hints: "/etc/unbound/root.hints"
  trust-anchor-file: trusted-key.key
  access-control: 192.168.1.0/24 allow
  forward-zone:
  name: "."
  forward-addr: 209.222.18.222
  forward-addr: 209.222.18.218
  forward-addr: 127.0.0.1@5353

  remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes

    # what interfaces are listened to for remote control.
    # give 0.0.0.0 and ::0 to listen to all interfaces.
    control-interface: 127.0.0.1

    # port number for remote control operations.
    control-port: 8953

    # unbound server key file.
    server-key-file: "/etc/unbound/unbound_server.key"

    # unbound server certificate file.
    server-cert-file: "/etc/unbound/unbound_server.pem"

    # unbound-control key file.
    control-key-file: "/etc/unbound/unbound_control.key"

    # unbound-control certificate file.
    control-cert-file: "/etc/unbound/unbound_control.pem"

The first two "forward-addr" are those of the VPN, I had hoped that this way I can just use ubound instead of the iptables rule to take care of all the DNS requests going only to the VPN servers.
The third forward-addr is the one suggested in the DNSCrypt wiki, pointing forwards to DNSCrypt.

My understanding of this is, that setup like this the DNS requests will go to any of those 3 addresses and not only to the VPN provider.

I hope I could clarify what I mean because from the singular but great wiki articles about DNSSEC, DNSCrypt and Unbound it is not 100% clear how these would interact with a VPN.

Looking forward to the usually amazing answers I get here.

All the best,

An arch fan

Last edited by deafeningsylence (2018-02-24 15:16:49)

Offline

#2 2018-02-24 16:47:39

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: Setting up DNS query cache/encrypt - Unbound + DNSCrypt + DNSSEC + VPN

AFAIK, PIA does not support DNCrypt with their DNS resolvers, and I have never gotten DNSSEC to work with their resolver, although I may just be missing something. So if you want DNSCrypt, you'll need to use another DNS server. Same for if you want DNSSEC.

In resolv.conf you would have 127.0.0.1. In your unbound configuration you would still have 127.0.0.1 but with a different port (see https://wiki.archlinux.org/index.php/DNSCrypt#Unbound). You would not list the DNS servers here. Your example with 127.0.01:5353 should work, but remove the other two servers. Then DNSCrypt would be set to a DNS server that supports the protocol in /etc/dnscrypt-proxy.conf. You will also need to change the listening port in the systemd socket (see the wiki).

So you would have unbound listening to 127.0.0.1:53, sending requests to dnscrypt at 127.0.0.1:5353, which sends requests to the actual DNS servers.

On a side note, it probably doesn't make much sense to use a DNS that is not your VPN's DNS, since they see everything anyway. So I have used unbound with their DNS without DNSSEC with PIA.

Edit: It looks like they do support DNSSEC, so I guess I have my own troubleshooting to figure out what's wrong with my setup.

Edit2: Minimal working example for PIA with DNSSEC:

server:
  use-syslog: yes
  verbosity: 1
  trust-anchor-file: /etc/unbound/trusted-key.key
  root-hints: /etc/unbound/root.hints
  do-ip6: no
  forward-zone:
    name: "."
    forward-addr: 209.222.18.222
    forward-addr: 209.222.18.218

As a side note, I've disabled IPv6 system-wide to prevent leaks. Don't worry about the trusted-key.key. That gets taken care of automatically by the dnssec-anchors package and a pacman hook.

Last edited by rdeckard (2018-02-24 17:00:13)

Offline

#3 2018-02-25 11:47:46

deafeningsylence
Member
Registered: 2016-09-23
Posts: 52

Re: Setting up DNS query cache/encrypt - Unbound + DNSCrypt + DNSSEC + VPN

Thanks @rdeckard for the detailed reply and taking the time!

I searched the web a bit and found this post where PIA officially states that all the DNS requests are encrypted anyway and therefore DNSCrypt does not need to be used at all. Meanwhile I also found an older post in the PIA forums (from a member, not official side) explaining how to set it up on Windows, maybe it was only necessary to use it in the past? Anyway, I think I might text the PIA support regarding this question to get absolute clarity and also to get an answer to if they support DNSSEC, I will report back here what they say.

Thus for now, I put in the PIA DNS servers in the forward-addr section of my unbound.conf so only they are used and removed DNSCrypt from it (127.0.0.1:5353) and disabled the systemd services of DNSCrypt as well. DNSSEC I left setup and it does seem to be supported by the PIA DNS Servers because I do have internet and do not get any resolving errors.

In the end I am now only running Unbound + DNSSEC + VPN (but still am wondering if leaving DNSCrypt out here does not compromise security because I do not understand how the requests are encrypted if there is no encryption set up on my side. On the other hand they do mention in the PIA post above that DNSCrypt is or was maintained by Cisco and they might see all the traffic. Hence, leaving them out of the equation might be safer after all, that is if the traffic to the PIA DNS Servers is encrypted.

One last question I had was why you have verbosity: 1 in your unbound.conf?

Anyway that is it for now and here is my current unbound.conf:

  
GNU nano 2.9.3                                                    /etc/unbound/unbound.conf                                                               

server:
# include /etc/unbound/adservers
  root-hints: "/etc/unbound/root.hints"
  trust-anchor-file: trusted-key.key
  access-control: 192.168.178.0/24 allow
  forward-zone:
  name: "."
  forward-addr: 209.222.18.222
  forward-addr: 209.222.18.218

  remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes

    # what interfaces are listened to for remote control.
    # give 0.0.0.0 and ::0 to listen to all interfaces.
    control-interface: 127.0.0.1

    # port number for remote control operations.
    control-port: 8953

    # unbound server key file.
    server-key-file: "/etc/unbound/unbound_server.key"

    # unbound server certificate file.
    server-cert-file: "/etc/unbound/unbound_server.pem"

    # unbound-control key file.
    control-key-file: "/etc/unbound/unbound_control.key"

    # unbound-control certificate file.
    control-cert-file: "/etc/unbound/unbound_control.pem"

Offline

#4 2018-02-25 14:40:49

deafeningsylence
Member
Registered: 2016-09-23
Posts: 52

Re: Setting up DNS query cache/encrypt - Unbound + DNSCrypt + DNSSEC + VPN

Okay, a short update. I noticed a DNS leak when testing with dnsleak.com with this setup (above) because I forgot to disable NetworkManagers updating of the resolv.conf again when I tried some things. Anyway, I renabled that, put the PIA DNS IPs into the unbound.conf restarted the unbound-control-setup and the services of unbound and networkmanager and then I had no DNS leak anymore. Nice!

Only weird thing is that my DNS requests, whenever not connected to the VPN, apparently now always go to or come from (according to dnsleak.com):

DNS IP: 107.191.36.51
Hostname: 107.191.36.51.choopa.com
Country: United States
City: Piscataway

And that is not the VPN's DNS IP (209.222.18.218&222) or did I get this completely wrong and the address given in dnsleak.com has nothing to do with the DNS Server IP one gives to unbound. Or does PIA maybe refer the DNS request via another server for anonymity reasons that is then this DNS IP? I am puzzled. 

My unbound.conf looks like this now:

server:
# include /etc/unbound/adservers
  root-hints: "/etc/unbound/root.hints"
  trust-anchor-file: trusted-key.key
#  access-control: 192.168.178.0/24 allow
  do-ip6: no
  forward-zone:
   name: "."
   forward-addr: 209.222.18.222
   forward-addr: 209.222.18.218

#   forward-addr: 8.8.8.8
#   forward-addr: 8.8.4.4

  remote-control:
    # Enable remote control with unbound-control(8) here.
    # set up the keys and certificates with unbound-control-setup.
    control-enable: yes

    # what interfaces are listened to for remote control.
    # give 0.0.0.0 and ::0 to listen to all interfaces.
    control-interface: 127.0.0.1

    # port number for remote control operations.
    control-port: 8953

    # unbound server key file.
    server-key-file: "/etc/unbound/unbound_server.key"

    # unbound server certificate file.
    server-cert-file: "/etc/unbound/unbound_server.pem"

    # unbound-control key file.
    control-key-file: "/etc/unbound/unbound_control.key"

    # unbound-control certificate file.
    control-cert-file: "/etc/unbound/unbound_control.pem"

Any new ideas from you guys? smile

Offline

#5 2018-03-01 12:50:28

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: Setting up DNS query cache/encrypt - Unbound + DNSCrypt + DNSSEC + VPN

I don't remember why I set verbosity 1. I think I was troubleshooting.

Concerning the possible DNS leak: ensure that your resolv.conf is not getting overwritten by anything else. Your IP and DNS IP should be exactly the same on the test at dnsleak.com, which will be different than the actual DNS IP. As long as it says you are not leaking, you are fine.

Offline

Board footer

Powered by FluxBB