[Unbound-users] From Unbound To DNS Via SOCKS, and Choices
bry8star at yahoo.com
Fri Oct 26 05:13:18 CEST 2012
My (side) Scenario (Pre-Conditions) :
MyNet = My Local Network computers & devices.
SOCKS-Srvr = origin SOCKS-server on remote server.
SOCKS-prxy = SOCKS-proxy-server = is local SOCKS
forwarding proxy server.
Socks-Tnl = SOCKS-Tunnel = connection between
(local) socks-proxy & (origin) socks-server.
SOCKS = is a type of gateway, a type of tunnel,
a routing process between a client & a server.
(start from right most side "MyNet")
Socks-Tnl <-> SOCKS-prxy <-> Unbound <-> MyNet.
--> SOCKS-Srvr <-> remote local-network (DNS).
--> SOCKS-Srvr <-> Internet <-> DNS-Servers.
I have multiple SOCKS proxy servers,
(SOCKS v4a, v5),
running & listening on (a server computer):
This gateway/server computer 10.0.1.10 has
an instance of "Unbound" (01) DNS-Resolver
running on 10.0.1.10:53
access-control: 0.0.0.0/0 refuse
access-control: ::0/0 refuse
access-control: 10.0.1.10/8 allow
Different socks tunnel ending on (aka, routed
to) different destination locations (which has
the origin-SOCKS-server gateway software),
and ending/origin gateway computer there, is
connected with different ISP.
Need to use this 10.0.1.10:53 DNSSEC supported
DNS-Resolver, from all clients, (under my local
This DNS-Resolver must connect with destination
DNS-Server(s) or nameservers(NS) via different
ISPs, which are connected at the end of SOCKS
Those destination Nameserver(s) (NS-DNS-Srv)
( or Recursive dns-server(s) (Rc-DNS-Srv)
or Authoritative dns-server(s) (A-DNS-Srv) )
are able to work with both TCP & UDP DNS, and
listening on multiple ports 53, 110, 443, etc.
"Unbound" (01) (10.0.1.10:53) has multiple Forward
and Stub zones. Each forward or stub zone/domain
has at least 4, (in some cases 10), specific
nameservers (or specific Rc-DNS-Srv, or specific
I'm using at least 10 different sets of
(custom/special) zones, where each zone
has from 4 to 10 (different) nameservers.
stub-zone: # 01
forward-zone: # 10
And, when a DNS-query does not match any
of those custom/special zones, then standard
set of DNS-Servers are to be used, like: Root
DNS-Servers, TLD DNS-Servers, SLD (Second Level
Domain) DNS-Servers, HSP (Hosting Service
Providers) DNS-Servers, Public DNSSEC based
DNS-Servers, etc, via another SOCKS proxy:
forward-addr: 188.8.131.52 # GPF DNSSEC
forward-addr: 184.108.40.206 # OARC DNSSEC
forward-addr: 220.127.116.11 # CZ.NIC DNSSEC
forward-addr: 18.104.22.168 # ROOT a USC-ISI
forward-addr: 22.214.171.124 # ROOT f ICANN
forward-addr: 126.96.36.199 # ROOT j
forward-addr: 188.8.131.52 # ROOT k RIPE
forward-addr: 184.108.40.206 # ROOT l
forward-addr: 220.127.116.11 # ROOT d UniMaryland
forward-addr: 18.104.22.168 # ROOT i
forward-addr: 22.214.171.124 # ROOT m
forward-addr: 126.96.36.199 # ROOT h
forward-addr: 188.8.131.52 # ROOT e NASA
forward-addr: 184.108.40.206 # ROOT
forward-addr: 220.127.116.11 # ROOT
forward-addr: 18.104.22.168 # ROOT
Can I consider the existing below command
of Unbound as its outbound traffic
binding or forcing command/option?
How can I bind/force "Unbound" (01) (10.0.1.10:53)
to use the 1st SOCKS proxy 10.0.1.10:1080 (IP:port)
for resolving a 1st set of zones ? (so that
Unbound can connect with correct 1st set of
nameservers assigned for that 1st set of zones),
And how to resolve another/2nd set of zones
via using another/2nd SOCKS at 10.0.1.10:1081 ?
(and allowing Unbound to connect with another
/2nd set of pre-assigned nameservers for that
2nd set of zones).
If there is a single command-line in "Unbound"
to use/bind/force outbound traffic to go through
a SOCKS proxy, that will be best.
If not, then can anyone please point to/indicate
/discuss/suggest what tools can be used to
achieve such a function (Unbound to SOCKS proxy)?
(NOT looking for a solution on Linux/Unix).
(Looking for a solution on Windows, the local
"Unbound" (01) (10.0.1.10:53) is running on
Windows based computer).
If I have to run 5 "Unbound" instances, even that
type of solution is also OK, but fewer Unbound
instances will be better.
Is there a tool which can accept all
(incoming) traffic coming (from Unbound)
toward a network interface adapter's
(different ports & single) IP address,
and can forward those ports toward a
(single ip:port based) SOCKS proxy
server? Something that functions like TAP-to-SOCKS?
If a tool can perform a TUN-to-SOCKS function,
then can such a tool be used to send all
queries via SOCKS from Unbound, by binding
Unbound to that TUN's ip-address?
For example, can an OpenSSH instance be run
in L2/3 tun VPN mode & forward tun ip-address
traffic toward a SOCKS proxy?
Can this below command/option
"outgoing-port-permit:" be set to
use only 4 ports ? like:
or, even set to use only 1 port ?
What tool can allow forwarding such
traffic from Unbound to a SOCKS proxy?
Can I run an instance of OpenSSH to listen on a
range of ports, from 53001 to 53004, on ip-address
127.0.0.53 and forward those toward a single
SOCKS proxy at 10.0.1.10:1080? And, after
running OpenSSH, can I run & force Unbound to
use outbound traffic via:
Will these four commands work? To
force using only 1 outgoing port:
Will those make the DNS-resolving process
very slow?
Or, is there a tool which can function
like DNS-to-SOCKS? How can it be used
with Unbound?
How can I specify in "Unbound" to use port
110 with a DNS-Server, instead of port 53?
Can I specify an SSL cert (server cert or CA/Root cert)
for a DNS-Server in Unbound?
http://tools.ietf.org/html/rfc1928 SOCKS5 at IETF.
SOCKet Secure (SOCKS) is an Internet Protocol that
routes network packets between a client and server
through a proxy server. It works in Layer 5
(Session) of OSI.
OpenSSH: An "ad hoc" SOCKS proxy server can be
created using OpenSSH, and allows more flexible
proxying than is possible with ordinary port
DynamicForward 10.0.1.10:1080 # will create a
SOCKS on that ip:port.
GatewayPorts option allows wildcard address
usage. And tun-based VPN tunnel allowing
applications to transparently access remote
network resources without "socksification"
is now possible via OpenSSH.
--Bright Star (Bry8Star).