***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

Started by opnfwb, April 04, 2018, 12:54:02 AM

When I use the supplied settings nothing seems to resolve. I see the following errors in my logs:

unbound: [1433:0] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available

and a bunch of these:

unbound: [1433:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version

Works fine for me  :)

My Settings:
(keep in mind I have set up a Lancache with advertisement filtering)

# hardening options
harden-glue: yes
harden-short-bufsize: yes
harden-large-queries: yes

use-caps-for-id: yes
val-clean-additional: yes

# cache TTL bounds (seconds)
cache-min-ttl: 3600
cache-max-ttl: 86400

# threads and cache sizing
num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
rrset-cache-size: 256m
msg-cache-size: 128m

# Lancache and advertisement filtering zones
include: /var/unbound/ads_and_lancache.conf

unwanted-reply-threshold: 10000
qname-minimisation: yes
# allow upstream queries to 127.0.0.1/::1
do-not-query-localhost: no
# wrap queries to the forwarder in TLS (port 853)
ssl-upstream: yes

forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853


please excuse my bad English

Itow

Just wanted to post this interesting bit of info from Cloudflare regarding 1.1.1.1. I am still seeing occasional logs in Unbound showing the following.

unbound: [49082:2] error: outgoing tcp: connect: Address already in use for 1.1.1.1
unbound: [49082:3] error: outgoing tcp: connect: Address already in use for 1.0.0.1


It's very possible this could be related to the issues that Cloudflare is reporting here: https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/

I have exclusively switched to Cloudflare and do not have any other DNS servers configured, just to verify if these errors seem to be impacting lookups. While I see these errors in the Unbound logs, I have not had any failures on DNS lookups. According to Cloudflare's findings, it looks bad for some AT&T users that are stuck with a Pace5268 modem/router.

Hello,

I'm a bit confused about the pros and cons of using this Cloudflare setup.  Can someone enlighten me?

I thought the reason one might want to use unbound in resolve mode is so that all DNS queries would begin at the root servers, then resolve each step down so that you end up with a response that is for sure accurate.  The downside is that this takes longer because you have to query multiple servers (and I guess the queries are not encrypted).

In forward mode, you're just querying your favorite server (e.g., OpenDNS) without going to the root servers. The pro is that this is faster. The con is that you're trusting that the server is not messing with the response (or tracking your queries). These queries are still not encrypted.

It sounds like this new server 1.1.1.1 is DNS using forward mode, with the same pros and cons, except they encrypt the queries, claim it's the fastest server, and claim to not log your queries.

Is the above summary correct in terms of the pros and cons?

Mostly - yes.

Some folks experience poor ISP provided dns (poorly maintained, outsourced to a data mining organization, etc) and are just looking for a fast reliable dns service. Several companies have stepped up to offer DNS, but people often don't take the time to understand what the motivation is for these companies.

Cloudflare has stated their motivation. I suspect it's what they've said plus that they can make a better content delivery decision when they know the real IP generating the query and not an intermediary DNS recursive server.
AMD Ryzen 3 1200
GA-A320M-S2H
8GB DDR4
Intel X550-T2 10GB
32GB Industrial SSD

Shuttle SZ270R8
Intel i5-6500
8gb ram
120gb ssd
Intel x540-t2 10gb nic
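To make the "forward mode, but encrypted" part of the summary above concrete, here is an added example (written for this page, not code from the thread, from Unbound or from OPNsense) that does by hand what `ssl-upstream: yes` plus `forward-addr: 9.9.9.9@853` does: build an ordinary DNS query, put the DNS-over-TCP length prefix in front of it, and send it inside a TLS session on port 853. The one thing it adds over a bare IP@853 forward is that it verifies the server certificate against the system CA bundle and checks the name; `dns.quad9.net` as the name for 9.9.9.9 is an assumption taken from Quad9's published DoT hostname, and `SAMPLE_RESPONSE` is a constructed packet, not a capture.

```python
"""Added example: a minimal DNS-over-TLS client with certificate and hostname verification."""
import socket
import ssl
import struct

# Assumed upstream: Quad9's published DoT name. Use cloudflare-dns.com for 1.1.1.1.
UPSTREAM_IP = "9.9.9.9"
UPSTREAM_NAME = "dns.quad9.net"


def build_query(qname, qtype=1, txid=0x1234):
    """Encode one standard query (RD=1, one question, class IN) in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(message):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length precedes each message."""
    return struct.pack("!H", len(message)) + message


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name; return the offset after it."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_a_records(response):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(response, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection mid-message")
        buf += chunk
    return buf


def dot_query(qname, server_ip=UPSTREAM_IP, server_name=UPSTREAM_NAME, timeout=5.0):
    """Resolve qname (type A) over DNS-over-TLS, verifying the chain and the server name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_tcp(build_query(qname)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


# Constructed sample response (not captured from any server): one A record for example.com,
# with a compression pointer (0xC00C) back to the question name, as real servers send.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE))  # offline check against the constructed packet
    print(dot_query("example.com"))          # live query; needs reachability to 9.9.9.9:853
```

If the live call fails with a certificate or hostname error, the forwarder is not who the name says it is, which is exactly the failure a bare `forward-addr: 9.9.9.9@853` line cannot report. Newer Unbound releases can do the same check themselves with a certificate bundle and an authentication name on the forward-addr line; check the man page of the version OPNsense ships.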

I have been running the original config with just quad9 on 18.1.7 (openssl) for more than 24 hours now and no problems. Great work, thanks!

Unbound still crashes after some minutes when using DNS TLS with Cloudflare.
Don't want to replace libressl for openssl, is there anything I could help to further investigate this issue?

For me it works for an hour or two, then it stops. The Unbound log is swamped with these. I'm on 18.1.7_1, LibreSSL flavour.

18.1.7 here with OpenSSL, no issues to report. Still using CloudFlare DoT settings from the first post, it has been rock solid stable. The only time Unbound restarts is when I reboot the router for an update. :D

Switching from LibreSSL to OpenSSL and DNS-over-TLS (Quad9 and Cloudflare) has been working for 48 h straight. Few and expected entries in the Unbound log during that time frame. I'm still on 18.1.7_1

I've been using this configuration for a while, but I started getting the following errors in my Unbound logs recently. Anyone know what they mean?

Jun 12 12:45:34 unbound: [79836:1] info: generate keytag query _ta-4a5c-4f66. NULL IN

Thanks,
Rick

I'm also seeing this.

Jun 13 17:30:52 unbound: [89359:2] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 17:30:52 unbound: [89359:3] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 17:19:54 unbound: [89359:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 16:25:23 unbound: [89359:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 15:28:45 unbound: [89359:0] info: generate keytag query _ta-4a5c-4f66. NULL IN

I have these too without DNS TLS. Not sure what this is about.


Cheers,
Franco
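For the `generate keytag query _ta-4a5c-4f66. NULL IN` lines asked about above, here is an added example (written for this page, not from the thread or from Unbound) that decodes the name. Unbound's trust-anchor-signaling feature sends an RFC 8145 query whose leftmost label lists, as 4-hex-digit key tags in ascending order, the root KSKs the validator currently trusts; `4a5c` is 19036 (the 2010 root KSK) and `4f66` is 20326 (the 2017 root KSK that took over in the October 2018 rollover). It is a validator message, not a TLS one, which is why it also appears without DNS over TLS. The sample log lines are the ones posted in the thread; the key-tag descriptions are my own annotations.

```python
"""Added example: decode RFC 8145 key-tag signaling names from Unbound log lines."""
import re

# Root KSK key tags that matter for the 2018 root KSK rollover (annotations are the
# example author's, not Unbound output).
ROOT_KSK_TAGS = {
    19036: "KSK-2010, retired after the 11 October 2018 rollover",
    20326: "KSK-2017, the root KSK in use since that rollover",
}
NEW_ROOT_KSK = 20326

_TA_LABEL = re.compile(r"^_ta(?:-[0-9a-fA-F]{4})+$")
_UNBOUND_KEYTAG = re.compile(r"generate keytag query (\S+) NULL IN")


def parse_ta_signal(qname):
    """Return the key tags encoded in an RFC 8145 '_ta-XXXX[-YYYY...]' signaling name.

    Raises ValueError when the leftmost label is not a signaling label.
    """
    label = qname.rstrip(".").split(".")[0]
    if not _TA_LABEL.match(label):
        raise ValueError("not an RFC 8145 key-tag signaling name: %r" % qname)
    return [int(hexpart, 16) for hexpart in label.split("-")[1:]]


def describe_tags(tags):
    """Map key tags to a human-readable description (unknown tags are flagged as such)."""
    return {tag: ROOT_KSK_TAGS.get(tag, "unknown key tag") for tag in tags}


def signaled_root_ksks(log_text):
    """Scan Unbound log text and return the set of key tags the resolver signaled."""
    tags = set()
    for qname in _UNBOUND_KEYTAG.findall(log_text):
        try:
            tags.update(parse_ta_signal(qname))
        except ValueError:
            continue  # some other NULL query; not a signaling name
    return tags


def ready_for_rollover(tags):
    """True if the resolver already trusts the post-rollover root KSK."""
    return NEW_ROOT_KSK in tags


# Sample lines as posted in the thread above.
SAMPLE_LOG = """\
Jun 13 17:30:52 unbound: [89359:2] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 17:30:52 unbound: [89359:3] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 16:25:23 unbound: [89359:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
"""

if __name__ == "__main__":
    seen = signaled_root_ksks(SAMPLE_LOG)
    for tag, what in describe_tags(sorted(seen)).items():
        print("%5d (0x%04x): %s" % (tag, tag, what))
    print("ready for the 2018 root KSK rollover:", ready_for_rollover(seen))
```

A resolver whose log showed only `_ta-4a5c.` in 2018 would have been one to worry about, because it had not picked up the new key and would have failed validation after the rollover. Both tags, as in the lines above, is the healthy state.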

Yes, a bit weird.

Also, lately it feels like the DNS has slowed down a bit. I get ~1000ms when I resolve a new domain. If it's cached I get 0ms.

drill -D norge.no @10.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 36955
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; norge.no. IN A

;; ANSWER SECTION:
norge.no. 300 IN A 93.94.10.5
norge.no. 300 IN RRSIG A 14 2 300 20180628000000 20180607000000 52173 norge.no. hRF42hSawMhG8IpIEtOall6XPFV8n/MHKm6XyD4QrgIO+9z/NGa8MTRTItkdDEKksR4klEUGsDWKTkk/6hQ52BmZosAegVbbI13z4H4g3Hj3wJ7WxpJzfbTzWTdORrvG

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 1603 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; SERVER: 10.0.0.1
;; WHEN: Mon Jun 18 20:02:52 2018
;; MSG SIZE  rcvd: 189


drill -D norge.no @10.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 56876
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; norge.no. IN A

;; ANSWER SECTION:
norge.no. 265 IN A 93.94.10.5
norge.no. 265 IN RRSIG A 14 2 300 20180628000000 20180607000000 52173 norge.no. hRF42hSawMhG8IpIEtOall6XPFV8n/MHKm6XyD4QrgIO+9z/NGa8MTRTItkdDEKksR4klEUGsDWKTkk/6hQ52BmZosAegVbbI13z4H4g3Hj3wJ7WxpJzfbTzWTdORrvG

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; SERVER: 10.0.0.1
;; WHEN: Mon Jun 18 20:03:28 2018
;; MSG SIZE  rcvd: 189


I feel ~1 second is a bit too much. Any input on this?

I had reported earlier that this was rock solid on 18.1.7 using OpenSSL. I also had no problems with 18.1.8. With 18.1.9 unbound stopped 3 times over the life of 18.1.9 (3 weeks).  I just upgraded to 18.1.10 and unbound died within an hour. I am not sure what to post to help solve the problem, but this nice feature doesn't seem to work anymore.