***call for testing*** DNS TLS encryption using Quad9 and Cloudflare DNS servers

[kanstin]

When I use the supplied settings nothing seems to resolve. I see the following errors in my logs:

unbound: [1433:0] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available

and a bunch of these:

unbound: [1433:0] error: could not SSL_new crypto error:14FFF0E4:SSL routines:(UNKNOWN)SSL_internal:ssl ctx has no default ssl version

[Itow]

Works fine for me 

My Settings:
(keep in mind i have setup up a Lancache with advertisement filtering)

Code: [Select]

harden-glue: yes
harden-short-bufsize: yes
harden-large-queries: yes

use-caps-for-id: yes
val-clean-additional: yes

cache-min-ttl: 3600
cache-max-ttl: 86400

num-threads: 4
msg-cache-slabs: 8
rrset-cache-slabs: 8
infra-cache-slabs: 8
key-cache-slabs: 8
rrset-cache-size: 256m
msg-cache-size: 128m

include: /var/unbound/ads_and_lancache.conf

unwanted-reply-threshold: 10000
qname-minimisation: yes
do-not-query-localhost: no
ssl-upstream: yes

forward-zone:
name: "."
forward-addr: 9.9.9.9@853
please excuse my bad English

Itow

[opnfwb]

Just wanted to post this interesting bit of info from Cloudflare regarding 1.1.1.1. I am still seeing occasional logs in Unbound showing the following.

Code: [Select]

unbound: [49082:2] error: outgoing tcp: connect: Address already in use for 1.1.1.1
unbound: [49082:3] error: outgoing tcp: connect: Address already in use for 1.0.0.1
It's very possible this could be related to the issues that Cloudflare is reporting here: https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/

I have exclusively switched to Cloudflare and do not have any other DNS servers configured, just to verify if these errors seem to be impacting lookups. While I see these errors in the Unbound logs, I have no had any failures on DNS lookups. According to Cloudflare's findings, it looks bad for some AT&T users that are stuck with a Pace5268 modem/router.

[randomwalk]

Hello,

I'm a bit confused about the pros and cons of using this Cloudflare setup.  Can someone enlighten me?

I thought the reason one might want to use unbound in resolve mode is so that all DNS queries would begin at the root servers, then resolve each step down so that you end up with a response that is for sure accurate.  The downside is that this takes longer because you have to query multiple servers (and I guess the queries are not encrypted).

In forward mode, you're just querying your favorite server (e,g., OpenDNS) without going to the root servers.  The pro is that this is faster.  The con is that you're trusting that the server is not messing with the response (or tracking your queries).  These queries are still not encrypted.

It sounds like this new server 1.1.1.1 is DNS using forward mode, with the same pros and cons, except they encrypt the queries, claim it's the fastest server, and claim to not log your queries.

Is the above summary correct in terms of the pros and cons?

[va176thunderbolt]

Mostly - yes.

Some folks experience poor ISP provided dns (poorly maintained, outsourced to a data mining organization, etc) and are just looking for a fast reliable dns service. Several companies have stepped up to offer DNS, but people often don't take the time to understand what the motivation is for these companies.

Cloudflare has stated their motivation. I suspect it's what they've said plus that they can make a better content delivery decision when they know the real ip generating the query and not a intermediary DNS recursive server.

[crt333]

I have been running the original config with just quad9 on 18.1.7 (openssl) for more than 24 hours now and no problems. Great work, thanks!

[loredo]

Unbound still crashes after some minutes when using DNS TLS with Cloudflare.
Don't want to replace libressl for openssl, is there anything I could help to further investigate this issue?

[miroco]

For me it works for an hour or two, then it stops. The Unbound log is swamped with these. I'm on 18.1.7_1, LibreSSL flavour.

[opnfwb]

18.1.7 here with OpenSSL, no issues to report. Still using CloudFlare DoT settings from the first post, it has been rock solid stable. The only time Unbound restarts is when I reboot the router for an update.

[miroco]

Switching from LibreSSL to OpenSSL and DNS-over-TLS (Quad9 and Cloudflare) has been working for 48 h straight. Few and expected entries in the Unbound log during that time frame. I'm still on 18.1.7_1

[RickNY]

Ive been using this configuration for a while, but I started getting the following errors in my Unbound logs recently.. Anyone know what they mean?

Code: [Select]

Jun 12 12:45:34 unbound: [79836:1] info: generate keytag query _ta-4a5c-4f66. NULL IN
Thanks,
Rick

[nle]

I'm also seeing this.

Code: [Select]

Jun 13 17:30:52 unbound: [89359:2] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 17:30:52 unbound: [89359:3] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 17:19:54 unbound: [89359:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 16:25:23 unbound: [89359:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 13 15:28:45 unbound: [89359:0] info: generate keytag query _ta-4a5c-4f66. NULL IN

[franco]

I have these too without DNS TLS. Not sure what this is about.


Cheers,
Franco

[nle]

Yes, a bit weird.

Also, lately it feels like the DNS has slowed down a bit. I get ~1000ms when I resolve a new domain. If it's cached I get 0ms.

Code: [Select]

drill -D norge.no @10.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 36955
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; norge.no. IN A

;; ANSWER SECTION:
norge.no. 300 IN A 93.94.10.5
norge.no. 300 IN RRSIG A 14 2 300 20180628000000 20180607000000 52173 norge.no. hRF42hSawMhG8IpIEtOall6XPFV8n/MHKm6XyD4QrgIO+9z/NGa8MTRTItkdDEKksR4klEUGsDWKTkk/6hQ52BmZosAegVbbI13z4H4g3Hj3wJ7WxpJzfbTzWTdORrvG

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 1603 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; SERVER: 10.0.0.1
;; WHEN: Mon Jun 18 20:02:52 2018
;; MSG SIZE  rcvd: 189

Code: [Select]

drill -D norge.no @10.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 56876
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; norge.no. IN A

;; ANSWER SECTION:
norge.no. 265 IN A 93.94.10.5
norge.no. 265 IN RRSIG A 14 2 300 20180628000000 20180607000000 52173 norge.no. hRF42hSawMhG8IpIEtOall6XPFV8n/MHKm6XyD4QrgIO+9z/NGa8MTRTItkdDEKksR4klEUGsDWKTkk/6hQ52BmZosAegVbbI13z4H4g3Hj3wJ7WxpJzfbTzWTdORrvG

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; EDNS: version 0; flags: do ; udp: 4096
;; SERVER: 10.0.0.1
;; WHEN: Mon Jun 18 20:03:28 2018
;; MSG SIZE  rcvd: 189
I feel ~1 second is a bit too much. Any input on this?

[crt333]

I had reported earlier that this was rock solid on 18.1.7 using OpenSSL. I also had no problems with 18.1.8. With 18.1.9 unbound stopped 3 times over the life of 18.1.9 (3 weeks).  I just upgraded to 18.1.10 and unbound died within an hour. I am not sure what to post to help solve the problem, but this nice feature doesn't seem to work anymore.