When you install dnscrypt-proxy2 from ports the following message is shown:

> Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
> of dropping privileges after binding to a low port on FreeBSD.
>
> By default, the dnscrypt-proxy2 port will listen on (tcp/udp) port 5353
> as the _dnscrypt-proxy user.
>
> It's possible to change back to port 53, but not recommended.
>
> Below are a few examples on how to redirect local connections from port
> 5353 to 53.
>
> [ipfw]
>
> ipfw nat 1 config if lo0 reset same_ports \
>     redirect_port tcp 127.0.0.1:5353 53 \
>     redirect_port udp 127.0.0.1:5353 53
> ipfw add nat 1 ip from any to 127.0.0.1 via lo0
>
> /etc/rc.conf:
> firewall_nat_enable="YES"
>
> /etc/sysctl.conf:
> net.inet.ip.fw.one_pass=0
>
> [pf]
>
> rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
>
> [unbound]
>
> server:
>     interface: 127.0.0.1
>     do-not-query-localhost: no
>
> forward-zone:
>     name: "."
>     forward-addr: 127.0.0.1@5353

First of all, I replaced the contents of /etc/resolv.conf with

nameserver 127.0.0.1

Then I did

chflags schg /etc/resolv.conf

Then I added

dnscrypt_proxy_enable="YES"
local_unbound_enable="YES"

to /etc/rc.conf and then I ran

service local_unbound setup

Then I configured unbound as per the message that dnscrypt-proxy2 had shown upon install.

--- /var/unbound/unbound.conf.orig	2018-03-31 02:37:45.561257000 +0200
+++ /var/unbound/unbound.conf	2018-03-31 02:37:58.333075000 +0200
@@ -1,12 +1,13 @@
-# This file was generated by local-unbound-setup.
-# Modifications will be overwritten.
 server:
 	username: unbound
 	directory: /var/unbound
 	chroot: /var/unbound
 	pidfile: /var/run/local_unbound.pid
 	auto-trust-anchor-file: /var/unbound/root.key
+	interface: 127.0.0.1
+	do-not-query-localhost: no
+include: /var/unbound/forward.conf
 include: /var/unbound/lan-zones.conf
 include: /var/unbound/control.conf
 include: /var/unbound/conf.d/*.conf

--- /dev/null	2018-03-31 02:33:00.000000000 +0200
+++ /var/unbound/forward.conf	2018-03-31 02:37:58.341486000 +0200
@@ -0,0 +1,3 @@
+forward-zone:
+	name: .
+	forward-addr: 127.0.0.1@5353

Then I started both services.

service dnscrypt-proxy start
service local_unbound start

Then I waited a little while for dnscrypt-proxy2 to finish starting and then tried to query dnscrypt-proxy directly:

drill -p 5353 @127.0.0.1 vg.no

And I get A-records returned (but the authority section is empty though):

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 33496
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; vg.no.	IN	A

;; ANSWER SECTION:
vg.no.	599	IN	A	195.88.54.16
vg.no.	599	IN	A	195.88.55.16

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 5055 msec
;; EDNS: version 0; flags: ; udp: 1204
;; SERVER: 127.0.0.1
;; WHEN: Sat Mar 31 02:42:02 2018
;; MSG SIZE  rcvd: 76

But then I try to query unbound:

drill @127.0.0.1 vg.no

And the response I get does not contain any records:

;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 12128
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; vg.no.	IN	A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 23 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Mar 31 02:51:49 2018
;; MSG SIZE  rcvd: 23

For comparison, here's what unbound answers when it talks to external DNS servers directly; it has both the authority section contents and the A-records:

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50666
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;; vg.no.	IN	A

;; ANSWER SECTION:
vg.no.	600	IN	A	195.88.54.16
vg.no.	600	IN	A	195.88.55.16

;; AUTHORITY SECTION:
vg.no.	3600	IN	NS	ns-foo.linpro.net.
vg.no.	3600	IN	NS	ns-zoo.linpro.net.
vg.no.	3600	IN	NS	ns-bar.linpro.net.

;; ADDITIONAL SECTION:

;; Query time: 229 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Mar 31 02:57:02 2018
;; MSG SIZE  rcvd: 128

PS: I am using vg.no as an example just because it's short and it's the biggest newspaper in my country, and I've just gotten into the habit of typing vg.no when I want to check if my DNS is working as it should.

Something is amiss, and IMO the problem is that the instructions for dnscrypt-proxy2 do not describe in good enough detail how to actually perform the configuration that is required for it and unbound to work together. How do I get them working together?
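Review bot: the unbound.conf hunk leaves `auto-trust-anchor-file: /var/unbound/root.key` in place while forward.conf sends every query to 127.0.0.1@5353, so unbound keeps validating DNSSEC on answers that now all come through dnscrypt-proxy; the NOERROR from port 5353 (an answer with no RRSIG or `ad` flag, though drill was not asked for DNSSEC data) next to the SERVFAIL from unbound is consistent with a failed chain of trust rather than a forwarding problem. Either comment out the anchor line or point dnscrypt-proxy2 at DNSSEC-capable resolvers, and keep in mind that the two header lines the hunk deletes warn that local-unbound-setup overwrites this file, so the edit will not survive another `service local_unbound setup`.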
Comment out these two lines and try it again, please:

#include: /var/unbound/lan-zones.conf
#include: /var/unbound/conf.d/*.conf

--------------------------------------------------------

$ cat unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
	username: unbound
	directory: /var/unbound
	chroot: /var/unbound
	pidfile: /var/run/local_unbound.pid
	auto-trust-anchor-file: /var/unbound/root.key
	interface: 127.0.0.1
	do-not-query-localhost: no
include: /var/unbound/forward.conf
#include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
#include: /var/unbound/conf.d/*.conf

$ cat forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
	name: .
	forward-addr: 127.0.0.1@5353
This port was tested with unbound from ports. local_unbound comes with DNSSEC by default.

[1522499703] unbound[60108:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
[1522499703] unbound[60108:0] info: validator operate: query netbsd.org. A IN
[1522499703] unbound[60108:0] info: Could not establish a chain of trust to keys for org. DNSKEY IN

You should comment out the `auto-trust-anchor-file ...` line or configure dnscrypt-proxy to use servers with DNSSEC only. The instructions in pkg-message should be upgraded.
One idea is to add this to the pkg-message:

If you are using local_unbound, DNSSEC is enabled by default and you should comment out the "auto-trust-anchor-file ..." line or change dnscrypt-proxy to use servers with DNSSEC support only.

Any other suggestion?
(In reply to Danilo G. Baio from comment #3) Configuring dnscrypt-proxy2 to require DNSSEC makes it work like you said. I agree with your proposed change of pkg-message, that would solve the concern of this problem report.
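As an added example (not code from this PR, the port or dnscrypt-proxy), a small Python lint that reproduces the diagnosis from the two comments above: it reads a merged unbound.conf and a dnscrypt-proxy.toml and reports the three things that make this pairing answer SERVFAIL, a forward-addr that does not point at localhost, a missing `do-not-query-localhost: no`, and a trust anchor on the unbound side while dnscrypt-proxy2 runs with `require_dnssec = false`. The sample configs are constructed; `require_dnssec` is dnscrypt-proxy2's own toml key, and the unbound keys are the ones used in the thread.

```python
import re

UNBOUND_CONF = """  # constructed sample, not copied from a real host
server:
    auto-trust-anchor-file: /var/unbound/root.key
    do-not-query-localhost: no
forward-zone:
    name: .
    forward-addr: 127.0.0.1@5353
"""
DNSCRYPT_TOML = "listen_addresses = ['127.0.0.1:5353']\nrequire_dnssec = false\n"  # shipped default

def _active_lines(text):
    """Yield non-empty lines with '#' comments stripped (both formats use '#')."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            yield line

def parse_unbound(text):
    """Pick out the three unbound settings this check depends on."""
    cfg = {'anchor': False, 'query_localhost': False, 'forward_addrs': []}
    for line in _active_lines(text):
        key, _, value = line.partition(':')
        key, value = key.strip(), value.strip().strip('"')
        if key == 'auto-trust-anchor-file':
            cfg['anchor'] = True            # unbound will validate DNSSEC
        elif key == 'do-not-query-localhost':
            cfg['query_localhost'] = value.lower() == 'no'
        elif key == 'forward-addr':
            cfg['forward_addrs'].append(value)
    return cfg

def dnscrypt_requires_dnssec(text):
    """Read require_dnssec from dnscrypt-proxy.toml; the shipped default is false."""
    m = re.search(r'^\s*require_dnssec\s*=\s*(true|false)\b', text, re.M)
    return bool(m) and m.group(1) == 'true'

def check(unbound_text, dnscrypt_text):
    """Return the problems that would make unbound answer SERVFAIL for this setup."""
    u = parse_unbound(unbound_text)
    problems = []
    if not any(a.split('@')[0] in ('127.0.0.1', '::1') for a in u['forward_addrs']):
        return ['no forward-addr points at dnscrypt-proxy on localhost']
    if not u['query_localhost']:
        problems.append("'do-not-query-localhost: no' missing: unbound refuses to query 127.0.0.1")
    if u['anchor'] and not dnscrypt_requires_dnssec(dnscrypt_text):
        problems.append('auto-trust-anchor-file set but require_dnssec = false in dnscrypt-proxy: comment out the anchor or set require_dnssec = true')
    return problems
```

Run `check(UNBOUND_CONF, DNSCRYPT_TOML)` to see the single mismatch found in this PR; feeding it the real files (with the includes pasted together) gives the same three-way answer for a live host.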
Created attachment 192105
dns/dnscrypt-proxy2: instructions for using together with unbound, r466217

Thank you! Patch is attached.
Created attachment 192370
dns/dnscrypt-proxy2: instructions for using together with unbound, r466876

https://reviews.freebsd.org/D15024

again, tyvm for reporting it! very appreciated.
A commit references this bug:

Author: dbaio
Date: Wed Apr 18 02:25:49 UTC 2018
New revision: 467667
URL: https://svnweb.freebsd.org/changeset/ports/467667

Log:
  dns/dnscrypt-proxy2: Update to 2.0.10

  Main changes in the port:
  - Improve instructions for using dnscrypt-proxy2 together with unbound. [1]
  - Add dnscrypt_proxy_suexec option for users who want to run the daemon as root.
  - Move the configuration file from ${PREFIX}/etc/dnscrypt-proxy.toml to
    ${PREFIX}/etc/dnscrypt-proxy/dnscrypt-proxy.toml, because by default
    temporary files will use the path of the config file. This fixes a
    permission issue when fetching the public resolvers list.

  Changes:	https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/2.0.10/ChangeLog

  PR:		227129 [1]
  Submitted by:	egypcio@googlemail.com (maintainer)
  Reported by:	erik@nordstroem.no [1]
  Differential Revision:	https://reviews.freebsd.org/D15024

Changes:
  head/UPDATING
  head/dns/dnscrypt-proxy2/Makefile
  head/dns/dnscrypt-proxy2/distinfo
  head/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
  head/dns/dnscrypt-proxy2/files/pkg-message.in
  head/dns/dnscrypt-proxy2/pkg-message
  head/dns/dnscrypt-proxy2/pkg-plist
Committed, thanks!