[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Using unbound to resolve .onion domains

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Using unbound to resolve .onion domains
From: Ben Tasker <ben@xxxxxxxxxxxxxxx>
Date: Mon, 11 Sep 2017 12:56:36 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 11 Sep 2017 07:57:45 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bentasker.co.uk; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=xRP3idMaH/qtkalHeVfcdR+2y6sL2Bfi0qHo/0Tq3Fg=; b=eJUPbaR/owbAwxqMu/Vr3NMfaSh2qz/n8ZTYcwVWVqlqNsF4H89O2BpfsFYMfkhOb5 AAvMuEAUJMjeg1ny5O/BMLEtWhQnyuzuAllAkF2UVac0uF9UjjoWqU8i+b7XpT0hLHmP 68p1Vf6CNpZ/l8XG29soiLvTfymmv6kg81YCg=
In-reply-to: <20170911102434.agq44rng54xianqp@kirkwall.lab.uxdom.org>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <20170911092352.qnvrw6lu4eorr57q@kirkwall.lab.uxdom.org> <644bf94b-524f-2319-e0a7-363e801b3d02@tvdw.eu> <20170911094549.iu7oysdpwxnri55i@kirkwall.lab.uxdom.org> <CABMkiz40w3dd7TvPFSRYJ0O0UKk2QxL-OYOxmTvwCS3khnu+nQ@mail.gmail.com> <20170911102434.agq44rng54xianqp@kirkwall.lab.uxdom.org>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

Ahh, your version of dig doesn't like that syntax and is trying to resolve
the resolver string.

Try this instead
dig @172.22.56.4 -p1053 protonirockerxow.onion


Basically I'm wondering if something's stopping the packets from reach the
tor resolver (pf maybe?) given that your netstat shows it is bound to all
interfaces (which'd be the normal mistake)



> > > Looks fine, you're getting NXDOMAIN, not SERVFAIL.
> > >
> > > What do you expect a DNS query for a .onion to return?

With various config options set (VirtualAddressNetwork, AutomapHostSuffixes
and AutomapHostsOnResolve) it should return an IP in a given range, which
you then route via the transparent router to reach the endpoint.


On Mon, Sep 11, 2017 at 11:24 AM, C. L. Martinez <carlopmart@xxxxxxxxx>
wrote:

> Nope ...
>
> root@fbsddns:~# dig @172.22.56.4#1053 protonirockerxow.onion
> dig: couldn't get address for '172.22.56.4#1053': not found
>
>
> On Mon, Sep 11, 2017 at 11:40:40AM +0100, Ben Tasker wrote:
> > Your config looks more or less exactly the same as mine (I allow tcp but
> > that's the only difference I can see).
> >
> > If you do a dig from the unbound server to the BSD gateway do you get a
> > result?
> >
> > dig @172.22.56.4#1053 protonirockerxow.onion
> >
> > On Mon, Sep 11, 2017 at 10:45 AM, C. L. Martinez <carlopmart@xxxxxxxxx>
> > wrote:
> >
> > > To resolve Tor's hostnames like for example ProtonMail. For example,
> If I
> > > do a query from FreeBSD's Tor gateway:
> > >
> > > root@torbsdgw:/var/log/tor # !345
> > > tor-resolve protonirockerxow.onion
> > > fe8d:ecdb:dc62:f60:6eda:15ea:39d9:b5c2
> > >
> > >  ... it works ...
> > >
> > > On Mon, Sep 11, 2017 at 12:16:23PM +0200, Tom van der Woerdt wrote:
> > > > Looks fine, you're getting NXDOMAIN, not SERVFAIL.
> > > >
> > > > What do you expect a DNS query for a .onion to return?
> > > >
> > > >
> > > > Op 11/09/2017 om 11:23 schreef C. L. Martinez:
> > > > > Hi all,
> > > > >
> > > > >  I am trying to figure out the best way to handle DNS requests to
> both
> > > clearnet and Tor onionland. Currently, I am using two virtual machines
> > > (both FreeBSD 11 based): one used as my internal DNS resolver and the
> other
> > > is a FreeBSD's tor gateway.
> > > > >
> > > > >  My unbound.conf's file in my internal DNS (unbound) is:
> > > > >
> > > > > server:
> > > > >     do-tcp: no
> > > > >     do-not-query-localhost: no
> > > > >         domain-insecure: "onion"
> > > > >         private-domain: "onion"
> > > > >
> > > > > forward-zone:
> > > > >         name: "onion"
> > > > >         forward-addr: 172.22.56.4@1053
> > > > >
> > > > >  And my FreeBSD's Tor gateway (172.22.56.4) is running Tor's DNS
> > > resolver:
> > > > >
> > > > > USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN
> > > ADDRESS
> > > > > _tor     tor        89238 5  tcp4   127.0.0.1:9050        *:*
> > > > > _tor     tor        89238 6  udp4   *:1053                *:*
> > > > > _tor     tor        89238 7  tcp4   127.0.0.1:9040        *:*
> > > > > root     sendmail   40917 4  tcp4   127.0.0.1:25          *:*
> > > > > root     sshd       47802 4  tcp4   172.22.56.4:22        *:*
> > > > >
> > > > >  .. but If I try to resolve any .onion domain from my Unbound's
> > > internal DNS server it doesn't works:
> > > > >
> > > > > Server:         127.0.0.1
> > > > > Address:        127.0.0.1#53
> > > > >
> > > > > ** server can't find protonirockerxow.onion: NXDOMAIN
> > > > >
> > > > >  Any idea?? What is it wrong with my config?
> > > > >
> > > > > Thanks.
> > > > >
> > >
> > > --
> > > Greetings,
> > > C. L. Martinez
> > > --
> > > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> > > To unsubscribe or change other settings go to
> > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> > >
> >
> >
> >
> > --
> > Ben Tasker
> > https://www.bentasker.co.uk
> > --
> > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> > To unsubscribe or change other settings go to
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
> --
> Greetings,
> C. L. Martinez
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>



-- 
Ben Tasker
https://www.bentasker.co.uk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Using unbound to resolve .onion domains
  - From: C. L. Martinez

References:
- [tor-talk] Using unbound to resolve .onion domains
  - From: C. L. Martinez
- Re: [tor-talk] Using unbound to resolve .onion domains
  - From: Tom van der Woerdt
- Re: [tor-talk] Using unbound to resolve .onion domains
  - From: C. L. Martinez
- Re: [tor-talk] Using unbound to resolve .onion domains
  - From: Ben Tasker
- Re: [tor-talk] Using unbound to resolve .onion domains
  - From: C. L. Martinez

Prev by Author: Re: [tor-talk] Tor bridges over ICMP or DNS
Next by Author: [tor-talk] Tor Weekly News Discontinued? Any Plan to Revive?
Previous by thread: Re: [tor-talk] Using unbound to resolve .onion domains
Next by thread: Re: [tor-talk] Using unbound to resolve .onion domains
Index(es):
- Author
- Thread