
Re: [tor-talk] Using unbound to resolve .onion domains



Did you restart unbound after the change to pf?

I had an issue in the past with Unbound blacklisting an upstream for
failing to respond (if you debug unbound it'll be logged as "chase to
blacklisted lame server"), from memory the default blacklist time is 900
seconds.

Failing that, it's probably packet capture time to see whether the queries
are actually going out, and where to.

On Mon, Sep 11, 2017 at 12:34 PM, C. L. Martinez <carlopmart@xxxxxxxxx>
wrote:

> I have changed my rdr rules in pf.conf to avoid using port 1053 in
> dig queries, and ... It works doing a query directly to tor's gateway from
> my internal DNS server:
>
> root@fbsddns:~/fwrules/secgw# dig @172.22.56.4 protonirockerxow.onion
>
> ; <<>> DiG 9.4.2-P2 <<>> @172.22.56.4 protonirockerxow.onion
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56101
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;protonirockerxow.onion.                IN      A
>
> ;; ANSWER SECTION:
> protonirockerxow.onion. 60      IN      A       10.244.182.165
>
> ;; Query time: 2 msec
> ;; SERVER: 172.22.56.4#53(172.22.56.4)
> ;; WHEN: Mon Sep 11 15:03:10 2017
> ;; MSG SIZE  rcvd: 56
>
> .. but doing the same query to unbound's host, it doesn't work:
>
> root@fbsddns:~/fwrules/secgw# dig protonirockerxow.onion
>
> ; <<>> DiG 9.4.2-P2 <<>> protonirockerxow.onion
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57586
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;protonirockerxow.onion.                IN      A
>
> ;; AUTHORITY SECTION:
> onion.                  10800   IN      SOA     localhost. nobody.invalid. 1 3600 1200 604800 10800
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Sep 11 15:06:03 2017
> ;; MSG SIZE  rcvd: 99
>
> Then, I think something is wrong with my unbound's config ... but what?
>
>
> On Mon, Sep 11, 2017 at 12:56:36PM +0100, Ben Tasker wrote:
> > Ahh, your version of dig doesn't like that syntax and is trying to
> > resolve the resolver string.
> >
> > Try this instead
> > dig @172.22.56.4 -p1053 protonirockerxow.onion
> >
> >
> > Basically I'm wondering if something's stopping the packets from reaching
> > the tor resolver (pf maybe?) given that your netstat shows it is bound to all
> > interfaces (which'd be the normal mistake)
> >
> >
> >
> > > > > Looks fine, you're getting NXDOMAIN, not SERVFAIL.
> > > > >
> > > > > What do you expect a DNS query for a .onion to return?
> >
> > With various config options set (VirtualAddressNetwork, AutomapHostSuffixes
> > and AutomapHostsOnResolve) it should return an IP in a given range, which
> > you then route via the transparent router to reach the endpoint.
> >
> >
> > On Mon, Sep 11, 2017 at 11:24 AM, C. L. Martinez <carlopmart@xxxxxxxxx>
> > wrote:
> >
> > > Nope ...
> > >
> > > root@fbsddns:~# dig @172.22.56.4#1053 protonirockerxow.onion
> > > dig: couldn't get address for '172.22.56.4#1053': not found
> > >
> > >
> > > On Mon, Sep 11, 2017 at 11:40:40AM +0100, Ben Tasker wrote:
> > > > Your config looks more or less exactly the same as mine (I allow tcp but
> > > > that's the only difference I can see).
> > > >
> > > > If you do a dig from the unbound server to the BSD gateway do you get a
> > > > result?
> > > >
> > > > dig @172.22.56.4#1053 protonirockerxow.onion
> > > >
> > > > On Mon, Sep 11, 2017 at 10:45 AM, C. L. Martinez <carlopmart@xxxxxxxxx>
> > > > wrote:
> > > >
> > > > > To resolve Tor's hostnames like for example ProtonMail. For example,
> > > > > if I do a query from FreeBSD's Tor gateway:
> > > > >
> > > > > root@torbsdgw:/var/log/tor # !345
> > > > > tor-resolve protonirockerxow.onion
> > > > > fe8d:ecdb:dc62:f60:6eda:15ea:39d9:b5c2
> > > > >
> > > > >  ... it works ...
> > > > >
> > > > > On Mon, Sep 11, 2017 at 12:16:23PM +0200, Tom van der Woerdt wrote:
> > > > > > Looks fine, you're getting NXDOMAIN, not SERVFAIL.
> > > > > >
> > > > > > What do you expect a DNS query for a .onion to return?
> > > > > >
> > > > > >
> > > > > > Op 11/09/2017 om 11:23 schreef C. L. Martinez:
> > > > > > > Hi all,
> > > > > > >
> > > > > > >  I am trying to figure out the best way to handle DNS requests to
> > > > > > > both clearnet and Tor onionland. Currently, I am using two virtual
> > > > > > > machines (both FreeBSD 11 based): one used as my internal DNS resolver
> > > > > > > and the other is a FreeBSD's tor gateway.
> > > > > > >
> > > > > > >  My unbound.conf's file in my internal DNS (unbound) is:
> > > > > > >
> > > > > > > server:
> > > > > > >     do-tcp: no
> > > > > > >     do-not-query-localhost: no
> > > > > > >     domain-insecure: "onion"
> > > > > > >     private-domain: "onion"
> > > > > > >
> > > > > > > forward-zone:
> > > > > > >     name: "onion"
> > > > > > >     forward-addr: 172.22.56.4@1053
> > > > > > >
> > > > > > >  And my FreeBSD's Tor gateway (172.22.56.4) is running Tor's DNS
> > > > > > > resolver:
> > > > > > >
> > > > > > > USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> > > > > > > _tor     tor        89238 5  tcp4   127.0.0.1:9050        *:*
> > > > > > > _tor     tor        89238 6  udp4   *:1053                *:*
> > > > > > > _tor     tor        89238 7  tcp4   127.0.0.1:9040        *:*
> > > > > > > root     sendmail   40917 4  tcp4   127.0.0.1:25          *:*
> > > > > > > root     sshd       47802 4  tcp4   172.22.56.4:22        *:*
> > > > > > >
> > > > > > >  .. but if I try to resolve any .onion domain from my Unbound's
> > > > > > > internal DNS server it doesn't work:
> > > > > > >
> > > > > > > Server:         127.0.0.1
> > > > > > > Address:        127.0.0.1#53
> > > > > > >
> > > > > > > ** server can't find protonirockerxow.onion: NXDOMAIN
> > > > > > >
> > > > > > >  Any idea? What is wrong with my config?
> > > > > > >
> > > > > > > Thanks.
> > > > > > >
> > > > >
> > > > > --
> > > > > Greetings,
> > > > > C. L. Martinez
> > > > > --
> > > > > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> > > > > To unsubscribe or change other settings go to
> > > > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Ben Tasker
> > > > https://www.bentasker.co.uk
> > >
> > > --
> > > Greetings,
> > > C. L. Martinez
> > >
> >
> >
> >
> > --
> > Ben Tasker
> > https://www.bentasker.co.uk
>
> --
> Greetings,
> C. L. Martinez
>



-- 
Ben Tasker
https://www.bentasker.co.uk
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
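Added by the editor, not part of the thread: a small Python diagnostic for the situation Ben describes (checking whether the forwarded query ever reaches the Tor resolver, and whether a returned address sits in the VirtualAddressNetwork range). It hand-builds a DNS A query, parses the reply, and classifies it. The two sample replies are constructed wire-format copies of the dig outputs quoted above; the VirtualAddressNetwork value (10.0.0.0/8) is an assumption, since the poster's torrc is not shown. One fact the script relies on: an NXDOMAIN whose SOA is `localhost. nobody.invalid. 1 3600 1200 604800 10800` is the static answer unbound's built-in local zones generate, so such a reply was synthesised by unbound itself rather than forwarded.

```python
"""Classify what a resolver says about a .onion name (editor's diagnostic, not from the thread)."""
import ipaddress
import socket
import struct

# Assumption: the poster's VirtualAddressNetwork is not shown; 10.0.0.0/8 is chosen
# so that the thread's 10.244.182.165 answer falls inside it.  Replace with your own.
VIRTUAL_NET = ipaddress.ip_network("10.0.0.0/8")
# SOA MNAME/RNAME that unbound's built-in static local zones use in their NXDOMAIN.
UNBOUND_LOCAL_SOA = ("localhost.", "nobody.invalid.")

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer: 2 bytes, 14-bit offset
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(name, qid=0x1234, qtype=1):
    """Recursive A query: header with RD set, one question, nothing else."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_response(msg):
    """Parse the header, skip the question, decode A and SOA records in the other sections."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                data = str(ipaddress.IPv4Address(msg[off:off + 4]))
            elif rtype == 6:                            # SOA: MNAME, RNAME, then 5 x uint32
                mname, p = decode_name(msg, off)
                rname, p = decode_name(msg, p)
                data = (mname, rname) + struct.unpack("!IIIII", msg[p:p + 20])
            else:
                data = msg[off:off + rdlen]
            sections[sec].append((name, rtype, ttl, data))
            off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), **sections}

def classify(resp, virtual_net=VIRTUAL_NET):
    """Turn a parsed response into a one-word diagnosis."""
    if resp["rcode"] == 2:
        return "servfail"                               # forwarder tried upstream and failed
    if resp["rcode"] == 3:
        for _, rtype, _, data in resp["authority"]:
            if rtype == 6 and data[:2] == UNBOUND_LOCAL_SOA:
                return "nxdomain-from-unbound-local-zone"   # answered locally, never forwarded
        return "nxdomain"
    for _, rtype, _, data in resp["answer"]:
        if rtype == 1:
            inside = ipaddress.IPv4Address(data) in virtual_net
            return "mapped-in-virtual-range" if inside else "answer-outside-virtual-range"
    return "no-answer"

def send_query(name, server, port=53, timeout=3.0):
    """Live use over UDP, e.g. send_query(n, "127.0.0.1") or send_query(n, "172.22.56.4", 1053)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, port))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != 0x1234:
        raise ValueError("response ID does not match the query")
    return resp

def _rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

# Constructed wire-format copies of the two dig outputs quoted in the thread.
QNAME = "protonirockerxow.onion"
QUESTION = encode_name(QNAME) + struct.pack("!HH", 1, 1)
SAMPLE_TOR = (struct.pack("!HHHHHH", 56101, 0x8180, 1, 1, 0, 0) + QUESTION       # qr rd ra, NOERROR
              + _rr(QNAME, 1, 60, ipaddress.IPv4Address("10.244.182.165").packed))
SAMPLE_UNBOUND = (struct.pack("!HHHHHH", 57586, 0x8583, 1, 0, 1, 0) + QUESTION   # qr aa rd ra, NXDOMAIN
                  + _rr("onion", 6, 10800, encode_name("localhost") + encode_name("nobody.invalid")
                        + struct.pack("!IIIII", 1, 3600, 1200, 604800, 10800)))

if __name__ == "__main__":
    for label, sample in (("tor DNSPort", SAMPLE_TOR), ("unbound", SAMPLE_UNBOUND)):
        print(f"{label:12s} -> {classify(parse_response(sample))}")
```

Run stand-alone it classifies the Tor reply as `mapped-in-virtual-range` and the unbound reply as `nxdomain-from-unbound-local-zone`; pointing `send_query()` at the two hosts reproduces the comparison live, which tells you before any packet capture whether unbound consulted the forward-zone at all. If the local-zone result appears even with the forward-zone configured, the unbound directive `local-zone: "onion." nodefault` (editor's note; the thread does not mention it) is the setting to check, since unbound's default local zone for onion. otherwise takes precedence over the forwarder.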