
Re: [tor-talk] Using unbound to resolve .onion domains (SOLVED)



Ok, now it is working ... I have added:

local-zone: "onion." nodefault

...to unbound's config file, and it works ... but I don't understand why this is needed ... Any idea?



On Mon, Sep 11, 2017 at 04:32:58PM +0100, Ben Tasker wrote:
> Did you restart unbound after the change to pf?
> 
> I had an issue in the past with Unbound blacklisting an upstream for
> failing to respond (if you debug unbound it'll be logged as "chase to
> blacklisted lame server"), from memory the default blacklist time is 900
> seconds.
> 
> Failing that, it's probably packet capture time to see whether the queries
> are actually going out, and where to.
> 
> On Mon, Sep 11, 2017 at 12:34 PM, C. L. Martinez <carlopmart@xxxxxxxxx>
> wrote:
> 
> > I have changed my rdr rules in pf.conf to avoid using port 1053 in
> > dig queries, and ... It works doing a query directly to tor's gateway from
> > my internal DNS server:
> >
> > root@fbsddns:~/fwrules/secgw# dig @172.22.56.4 protonirockerxow.onion
> >
> > ; <<>> DiG 9.4.2-P2 <<>> @172.22.56.4 protonirockerxow.onion
> > ; (1 server found)
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56101
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;protonirockerxow.onion.                IN      A
> >
> > ;; ANSWER SECTION:
> > protonirockerxow.onion. 60      IN      A       10.244.182.165
> >
> > ;; Query time: 2 msec
> > ;; SERVER: 172.22.56.4#53(172.22.56.4)
> > ;; WHEN: Mon Sep 11 15:03:10 2017
> > ;; MSG SIZE  rcvd: 56
> >
> > .. but doing the same query to unbound's host, it doesn't work:
> >
> > root@fbsddns:~/fwrules/secgw# dig protonirockerxow.onion
> >
> > ; <<>> DiG 9.4.2-P2 <<>> protonirockerxow.onion
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57586
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;protonirockerxow.onion.                IN      A
> >
> > ;; AUTHORITY SECTION:
> > onion.                  10800   IN      SOA     localhost. nobody.invalid.
> > 1 3600 1200 604800 10800
> >
> > ;; Query time: 0 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Mon Sep 11 15:06:03 2017
> > ;; MSG SIZE  rcvd: 99
> >
> > Then, I think something is wrong with my unbound's config ... but what?
> >
> >
> > On Mon, Sep 11, 2017 at 12:56:36PM +0100, Ben Tasker wrote:
> > > Ahh, your version of dig doesn't like that syntax and is trying to resolve
> > > the resolver string.
> > >
> > > Try this instead
> > > dig @172.22.56.4 -p1053 protonirockerxow.onion
> > >
> > >
> > > Basically I'm wondering if something's stopping the packets from reaching the
> > > tor resolver (pf maybe?) given that your netstat shows it is bound to all
> > > interfaces (which'd be the normal mistake)
> > >
> > >
> > >
> > > > > > Looks fine, you're getting NXDOMAIN, not SERVFAIL.
> > > > > >
> > > > > > What do you expect a DNS query for a .onion to return?
> > >
> > > With various config options set (VirtualAddressNetwork, AutomapHostSuffixes
> > > and AutomapHostsOnResolve) it should return an IP in a given range, which
> > > you then route via the transparent router to reach the endpoint.
> > >
> > >
> > > On Mon, Sep 11, 2017 at 11:24 AM, C. L. Martinez <carlopmart@xxxxxxxxx>
> > > wrote:
> > >
> > > > Nope ...
> > > >
> > > > root@fbsddns:~# dig @172.22.56.4#1053 protonirockerxow.onion
> > > > dig: couldn't get address for '172.22.56.4#1053': not found
> > > >
> > > >
> > > > On Mon, Sep 11, 2017 at 11:40:40AM +0100, Ben Tasker wrote:
> > > > > Your config looks more or less exactly the same as mine (I allow tcp but
> > > > > that's the only difference I can see).
> > > > >
> > > > > If you do a dig from the unbound server to the BSD gateway do you get a
> > > > > result?
> > > > >
> > > > > dig @172.22.56.4#1053 protonirockerxow.onion
> > > > >
> > > > > On Mon, Sep 11, 2017 at 10:45 AM, C. L. Martinez <carlopmart@xxxxxxxxx>
> > > > > wrote:
> > > > >
> > > > > > To resolve Tor's hostnames like for example ProtonMail. For example,
> > > > > > if I do a query from FreeBSD's Tor gateway:
> > > > > >
> > > > > > root@torbsdgw:/var/log/tor # !345
> > > > > > tor-resolve protonirockerxow.onion
> > > > > > fe8d:ecdb:dc62:f60:6eda:15ea:39d9:b5c2
> > > > > >
> > > > > >  ... it works ...
> > > > > >
> > > > > > On Mon, Sep 11, 2017 at 12:16:23PM +0200, Tom van der Woerdt wrote:
> > > > > > > Looks fine, you're getting NXDOMAIN, not SERVFAIL.
> > > > > > >
> > > > > > > What do you expect a DNS query for a .onion to return?
> > > > > > >
> > > > > > >
> > > > > > > Op 11/09/2017 om 11:23 schreef C. L. Martinez:
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > >  I am trying to figure out the best way to handle DNS requests to
> > > > > > > > both clearnet and Tor onionland. Currently, I am using two virtual machines
> > > > > > > > (both FreeBSD 11 based): one used as my internal DNS resolver and the other
> > > > > > > > is a FreeBSD's tor gateway.
> > > > > > > >
> > > > > > > >  My unbound.conf's file in my internal DNS (unbound) is:
> > > > > > > >
> > > > > > > > server:
> > > > > > > >     do-tcp: no
> > > > > > > >     do-not-query-localhost: no
> > > > > > > >     domain-insecure: "onion"
> > > > > > > >     private-domain: "onion"
> > > > > > > >
> > > > > > > > forward-zone:
> > > > > > > >     name: "onion"
> > > > > > > >     forward-addr: 172.22.56.4@1053
> > > > > > > >
> > > > > > > >  And my FreeBSD's Tor gateway (172.22.56.4) is running Tor's DNS
> > > > > > > > resolver:
> > > > > > > >
> > > > > > > > USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> > > > > > > > _tor     tor        89238 5  tcp4   127.0.0.1:9050        *:*
> > > > > > > > _tor     tor        89238 6  udp4   *:1053                *:*
> > > > > > > > _tor     tor        89238 7  tcp4   127.0.0.1:9040        *:*
> > > > > > > > root     sendmail   40917 4  tcp4   127.0.0.1:25          *:*
> > > > > > > > root     sshd       47802 4  tcp4   172.22.56.4:22        *:*
> > > > > > > >
> > > > > > > >  .. but if I try to resolve any .onion domain from my Unbound's
> > > > > > > > internal DNS server it doesn't work:
> > > > > > > >
> > > > > > > > Server:         127.0.0.1
> > > > > > > > Address:        127.0.0.1#53
> > > > > > > >
> > > > > > > > ** server can't find protonirockerxow.onion: NXDOMAIN
> > > > > > > >
> > > > > > > >  Any idea? What is wrong with my config?
> > > > > > > >
> > > > > > > > Thanks.
> > > > > > > >
> > > > > >
> > > > > > --
> > > > > > Greetings,
> > > > > > C. L. Martinez
> > > > > > --
> > > > > > tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> > > > > > To unsubscribe or change other settings go to
> > > > > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Ben Tasker
> > > > > https://www.bentasker.co.uk
> > > >
> > > > --
> > > > Greetings,
> > > > C. L. Martinez
> > > >
> > >
> > >
> > >
> > > --
> > > Ben Tasker
> > > https://www.bentasker.co.uk
> >
> > --
> > Greetings,
> > C. L. Martinez
> >
> 
> 
> 
> -- 
> Ben Tasker
> https://www.bentasker.co.uk

-- 
Greetings,
C. L. Martinez
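Why the extra line is needed, as an added example config (not the poster's file and not Unbound's own documentation): Unbound ships a built-in `onion.` local-zone that answers NXDOMAIN by itself, which is what the failing dig showed (the `localhost. nobody.invalid.` SOA in the authority section is Unbound's default local-zone SOA), and `nodefault` switches that built-in zone off so the forward-zone is consulted instead. The gateway address and DNSPort are the ones from the thread; adjust them if the pf rdr now maps port 53.

```conf
# unbound.conf fragment: send .onion lookups to Tor's DNSPort on the gateway.
# Added example; addresses/ports taken from the thread (gateway 172.22.56.4,
# Tor DNSPort 1053).
server:
    do-tcp: no
    do-not-query-localhost: no

    # Unbound has a default local-zone for "onion." (RFC 7686 reserved name)
    # that answers NXDOMAIN authoritatively with SOA "localhost. nobody.invalid."
    # Without "nodefault" the forward-zone below is never reached.
    local-zone: "onion." nodefault

    # Tor's resolver does not return signed data; do not DNSSEC-validate here.
    domain-insecure: "onion"

    # Tor answers with VirtualAddressNetwork addresses (10.244.182.165 in the
    # thread). This only matters if private-address filtering is configured,
    # in which case it allows such answers under this domain.
    private-domain: "onion"

forward-zone:
    name: "onion."
    forward-addr: 172.22.56.4@1053
```

Re-check with `dig protonirockerxow.onion` against unbound: the answer should now carry the `10.244.x.x` address and the `localhost. nobody.invalid.` SOA should be gone from the authority section.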