Bug 227129

Summary: dns/dnscrypt-proxy2: Instructions for using together with unbound are lacking
Product: Ports & Packages
Reporter: Erik Nordstrøm <erik>
Component: Individual Port(s)
Assignee: Danilo G. Baio <dbaio>
Status: Closed FIXED
Severity: Affects Only Me
CC: dbaio, egypcio
Priority: ---
Flags: egypcio: maintainer-feedback+
Version: Latest
Hardware: Any
OS: Any
Attachments:
  dns/dnscrypt-proxy2: instructions for using together with unbound, r466217 (flags: egypcio: maintainer-approval+)
  dns/dnscrypt-proxy2: instructions for using together with unbound, r466876 (flags: egypcio: maintainer-approval+)

Description Erik Nordstrøm 2018-03-31 01:00:48 UTC
When you install dnscrypt-proxy2 from ports the following message is shown:

> Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
> of dropping privileges after binding to a low port on FreeBSD.

> By default, the dnscrypt-proxy2 port will listen on (tcp/udp) port 5353
> as the _dnscrypt-proxy user.
>
> It's possible to change back to port 53, but not recommended.
>
> Below are a few examples on how to redirect local connections from port
> 5353 to 53.
>
> [ipfw]
>
>   ipfw nat 1 config if lo0 reset same_ports \
>     redirect_port tcp 127.0.0.1:5353 53 \
>     redirect_port udp 127.0.0.1:5353 53
>   ipfw add nat 1 ip from any to 127.0.0.1 via lo0
>
>   /etc/rc.conf:
>     firewall_nat_enable="YES"
>
>   /etc/sysctl.conf:
>     net.inet.ip.fw.one_pass=0
>
> [pf]
> 
>   rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
>
> [unbound]
>
>   server:
>     interface: 127.0.0.1
>     do-not-query-localhost: no
>
>   forward-zone:
>     name: "."
>     forward-addr: 127.0.0.1@5353

First of all, I replaced the contents of /etc/resolv.conf with

  nameserver 127.0.0.1

Then I did

  chflags schg /etc/resolv.conf

Then I added

  dnscrypt_proxy_enable="YES"
  local_unbound_enable="YES"

to /etc/rc.conf

and then I ran

  service local_unbound setup

Then I configured it as per the message that dnscrypt-proxy2 had shown upon install:

  --- /var/unbound/unbound.conf.orig	2018-03-31 02:37:45.561257000 +0200
  +++ /var/unbound/unbound.conf	2018-03-31 02:37:58.333075000 +0200
  @@ -1,12 +1,13 @@
  -# This file was generated by local-unbound-setup.
  -# Modifications will be overwritten.
   server:
   	username: unbound
   	directory: /var/unbound
   	chroot: /var/unbound
   	pidfile: /var/run/local_unbound.pid
   	auto-trust-anchor-file: /var/unbound/root.key
  +	interface: 127.0.0.1
  +	do-not-query-localhost: no
  
  +include: /var/unbound/forward.conf
   include: /var/unbound/lan-zones.conf
   include: /var/unbound/control.conf
   include: /var/unbound/conf.d/*.conf
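Review bot: The two header lines removed at the top of this hunk say that local-unbound-setup overwrites this file, and deleting the comment does not change that, so the added `interface:` and `do-not-query-localhost:` lines will be lost the next time `service local_unbound setup` runs; since the file still carries `include: /var/unbound/conf.d/*.conf`, those two options would be safer in a file under conf.d. Note also that `auto-trust-anchor-file` is kept as context while `include: /var/unbound/forward.conf` is added, which is exactly the combination comment 2 identifies as the cause of the SERVFAIL unless dnscrypt-proxy is restricted to DNSSEC-capable servers.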

  --- /dev/null	2018-03-31 02:33:00.000000000 +0200
  +++ /var/unbound/forward.conf	2018-03-31 02:37:58.341486000 +0200
  @@ -0,0 +1,3 @@
  +forward-zone:
  +	name: .
  +	forward-addr: 127.0.0.1@5353
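Review bot: `name: .` is written unquoted here while the pkg-message quoted above uses `name: "."`; unbound accepts both, but matching the documented form makes it easier to compare the file against the instructions. The more important point is that this forward-zone sends every query to 127.0.0.1@5353 with no other upstream, so whether a validating unbound can build a chain of trust depends entirely on what dnscrypt-proxy returns; comment 2's log shows that it could not, which is why the trust anchor has to go or dnscrypt-proxy has to be limited to DNSSEC servers.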

Then I started both services.

  service dnscrypt-proxy start
  service local_unbound start

Then I waited a little while for dnscrypt-proxy2 to finish starting and then tried to query dnscrypt-proxy directly:

  drill -p 5353 @127.0.0.1 vg.no

And I got A-records back (although the authority section is empty):

  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 33496
  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; vg.no.	IN	A
  
  ;; ANSWER SECTION:
  vg.no.	599	IN	A	195.88.54.16
  vg.no.	599	IN	A	195.88.55.16
  
  ;; AUTHORITY SECTION:
  
  ;; ADDITIONAL SECTION:
  
  ;; Query time: 5055 msec
  ;; EDNS: version 0; flags: ; udp: 1204
  ;; SERVER: 127.0.0.1
  ;; WHEN: Sat Mar 31 02:42:02 2018
  ;; MSG SIZE  rcvd: 76

But then I tried to query unbound:

  drill @127.0.0.1 vg.no

And the response I got does not contain any records:

  ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 12128
  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; vg.no.	IN	A
  
  ;; ANSWER SECTION:
  
  ;; AUTHORITY SECTION:
  
  ;; ADDITIONAL SECTION:
  
  ;; Query time: 23 msec
  ;; SERVER: 127.0.0.1
  ;; WHEN: Sat Mar 31 02:51:49 2018
  ;; MSG SIZE  rcvd: 23

For comparison, here is what unbound answers when it talks to external DNS servers directly; it has both the authority section contents and the A-records:

  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50666
  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
  ;; QUESTION SECTION:
  ;; vg.no.	IN	A
  
  ;; ANSWER SECTION:
  vg.no.	600	IN	A	195.88.54.16
  vg.no.	600	IN	A	195.88.55.16
  
  ;; AUTHORITY SECTION:
  vg.no.	3600	IN	NS	ns-foo.linpro.net.
  vg.no.	3600	IN	NS	ns-zoo.linpro.net.
  vg.no.	3600	IN	NS	ns-bar.linpro.net.
  
  ;; ADDITIONAL SECTION:
  
  ;; Query time: 229 msec
  ;; SERVER: 127.0.0.1
  ;; WHEN: Sat Mar 31 02:57:02 2018
  ;; MSG SIZE  rcvd: 128

PS: I am using vg.no as an example just because it's short, it's the biggest newspaper in my country, and I've gotten into the habit of typing vg.no when I want to check whether my DNS is working as it should.

Something is amiss, and IMO the problem is that the instructions for dnscrypt-proxy2 do not describe in good enough detail how to actually perform the configuration that is required for it and unbound to work together.

How do I get them working together?
Comment 1 Danilo G. Baio freebsd_committer freebsd_triage 2018-03-31 12:08:24 UTC
Comment out these two lines and try again, please:

#include: /var/unbound/lan-zones.conf
#include: /var/unbound/conf.d/*.conf


--------------------------------------------------------
$ cat unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key
        interface:      127.0.0.1
        do-not-query-localhost: no

include: /var/unbound/forward.conf
#include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
#include: /var/unbound/conf.d/*.conf

$ cat forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
        name: .
        forward-addr: 127.0.0.1@5353
Comment 2 Danilo G. Baio freebsd_committer freebsd_triage 2018-03-31 12:47:19 UTC
This port was tested with unbound from ports.
The local_unbound comes with DNSSEC by default.

[1522499703] unbound[60108:0] debug: validator[module 0] operate: extstate:module_wait_subquery event:module_event_pass
[1522499703] unbound[60108:0] info: validator operate: query netbsd.org. A IN
[1522499703] unbound[60108:0] info: Could not establish a chain of trust to keys for org. DNSKEY IN

You should comment out the `auto-trust-anchor-file ...` line or
configure dnscrypt-proxy to use servers with DNSSEC only.

The instructions in pkg-message should be upgraded.
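As an added example (not code from this bug report or from the port), a small Python checker for the combination comment 2 describes: unbound validating DNSSEC through `auto-trust-anchor-file` while forwarding "." to dnscrypt-proxy on 127.0.0.1@5353. It assumes the dnscrypt-proxy.toml option `require_dnssec`, which is the setting that limits dnscrypt-proxy to DNSSEC-capable servers, and it does not follow `include:` lines, so the sample unbound.conf has forward.conf inlined.

```python
import re

# Constructed sample: the reporter's unbound.conf with forward.conf inlined.
UNBOUND_CONF = """\
server:
    username: unbound
    auto-trust-anchor-file: /var/unbound/root.key
    interface: 127.0.0.1
    do-not-query-localhost: no
forward-zone:
    name: .
    forward-addr: 127.0.0.1@5353
"""
# Constructed sample dnscrypt-proxy.toml left at its default (require_dnssec = false).
DNSCRYPT_TOML = "listen_addresses = ['127.0.0.1:5353']\nrequire_dnssec = false\n"

def parse_unbound(text):
    """Return (validates, forwards_to_loopback, do_not_query_localhost); comments ignored."""
    validates = forwards_localhost = False
    dnql = True  # unbound default is do-not-query-localhost: yes
    in_forward = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # clause header such as forward-zone:
            in_forward = line == "forward-zone:"
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key in ("auto-trust-anchor-file", "trust-anchor-file"):
            validates = True  # a trust anchor turns on DNSSEC validation
        elif key == "do-not-query-localhost":
            dnql = val.lower() != "no"
        elif in_forward and key == "forward-addr" and val.startswith("127."):
            forwards_localhost = True  # IPv4 loopback only; ::1 is not handled here

    return validates, forwards_localhost, dnql

def dnscrypt_requires_dnssec(toml_text):
    # Only an explicit require_dnssec = true counts; the dnscrypt-proxy default is false.
    m = re.search(r"^\s*require_dnssec\s*=\s*(true|false)", toml_text, re.M | re.I)
    return bool(m) and m.group(1).lower() == "true"

def check(unbound_conf, dnscrypt_toml):
    """List the misconfigurations seen in this PR; empty means the pair should resolve."""
    validates, forwards_localhost, dnql = parse_unbound(unbound_conf)
    problems = []
    if validates and forwards_localhost and not dnscrypt_requires_dnssec(dnscrypt_toml):
        problems.append("unbound validates DNSSEC but dnscrypt-proxy does not require it: expect SERVFAIL")
    if forwards_localhost and dnql:
        problems.append("forwarding to loopback needs do-not-query-localhost: no")
    return problems
```

Running `check(UNBOUND_CONF, DNSCRYPT_TOML)` on the samples reports the SERVFAIL case; setting `require_dnssec = true` or removing the trust-anchor line clears it.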
Comment 3 Danilo G. Baio freebsd_committer freebsd_triage 2018-03-31 12:57:24 UTC
One idea is to add this to the pkg-message:

  If you are using local_unbound, DNSSEC is enabled by default and you should
  comment out the "auto-trust-anchor-file ..." line or change dnscrypt-proxy to use
  servers with DNSSEC support only.

Any other suggestion?
Comment 4 Erik Nordstrøm 2018-03-31 21:03:53 UTC
(In reply to Danilo G. Baio from comment #3)

Configuring dnscrypt-proxy2 to require DNSSEC makes it work like you said.

I agree with your proposed change of pkg-message, that would solve the concern of this problem report.
Comment 5 Vinícius Zavam freebsd_committer freebsd_triage 2018-04-02 12:58:27 UTC
Created attachment 192105
dns/dnscrypt-proxy2: instructions for using together with unbound, r466217

Thank you! Patch is attached.
Comment 6 Vinícius Zavam freebsd_committer freebsd_triage 2018-04-09 21:49:24 UTC
Created attachment 192370
dns/dnscrypt-proxy2: instructions for using together with unbound, r466876

https://reviews.freebsd.org/D15024

again, tyvm for reporting it! very appreciated.
Comment 7 commit-hook freebsd_committer freebsd_triage 2018-04-18 02:26:50 UTC
A commit references this bug:

Author: dbaio
Date: Wed Apr 18 02:25:49 UTC 2018
New revision: 467667
URL: https://svnweb.freebsd.org/changeset/ports/467667

Log:
  dns/dnscrypt-proxy2: Update to 2.0.10

  Main changes in the port:
    - Improve instructions for using dnscrypt-proxy2 together with unbound. [1]
    - Add dnscrypt_proxy_suexec option for users who want to run the daemon as
      root.
    - Move the configuration file from ${PREFIX}/etc/dnscrypt-proxy.toml to
      ${PREFIX}/etc/dnscrypt-proxy/dnscrypt-proxy.toml, because by default
      temporary files will use the path of the config file.
      This fixes a permission issue when fetching the public resolvers list.

  Changes:	https://raw.githubusercontent.com/jedisct1/dnscrypt-proxy/2.0.10/ChangeLog

  PR:		227129 [1]
  Submitted by:	egypcio@googlemail.com (maintainer)
  Reported by:	erik@nordstroem.no [1]
  Differential Revision:	https://reviews.freebsd.org/D15024

Changes:
  head/UPDATING
  head/dns/dnscrypt-proxy2/Makefile
  head/dns/dnscrypt-proxy2/distinfo
  head/dns/dnscrypt-proxy2/files/dnscrypt-proxy.in
  head/dns/dnscrypt-proxy2/files/pkg-message.in
  head/dns/dnscrypt-proxy2/pkg-message
  head/dns/dnscrypt-proxy2/pkg-plist
Comment 8 Danilo G. Baio freebsd_committer freebsd_triage 2018-04-18 02:29:03 UTC
Committed, thanks!