• OT: DNS and TLS

    From Mayayana@21:1/5 to All on Wed Jan 1 19:13:43 2020
    XPost: alt.windows7.general

    Anyone have experience with DNS over HTTPS or
    TLS? After trying several things I ended up with
    Unbound, but once I set up the config file it keeps
    quitting as soon as it starts. The error log has it
    saying "error in config file". Not much help. The
    config file is complex, not really documented, and
    samples I find online are conflicting.

    Earlier I tried updating certs and IE on XP, so that
    I could use Acrylic, but that errors on a wininet call.

    I like the idea of privacy for DNS, but the methods
    available seem to be immature and mainly only used by
    Linux admins with detailed knowledge of DNS and TLS.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to Mayayana on Wed Jan 1 20:52:17 2020
    XPost: alt.windows7.general

    Mayayana wrote:
    > Anyone have experience with DNS over HTTPS or
    > TLS? After trying several things I ended up with
    > Unbound, but once I set up the config file it keeps
    > quitting as soon as it starts. The error log has it
    > saying "error in config file". Not much help. The
    > config file is complex, not really documented, and
    > samples I find online are conflicting.
    >
    > Earlier I tried updating certs and IE on XP, so that
    > I could use Acrylic, but that errors on a wininet call.
    >
    > I like the idea of privacy for DNS, but the methods
    > available seem to be immature and mainly only used by
    > Linux admins with detailed knowledge of DNS and TLS.

    One thing you should point out in a post like this,
    is your network configuration. You've claimed in a
    previous recent posting, to not be using a router.

    broadband-modem??? ------- Win7-PPPOE-termination

    And that should significantly simplify the root causes
    of failures to be considered. Sure, you could have a
    Firewall, but it's the Windows Firewall. And you'd
    look for any advice on punching whatever holes this
    scheme needs, through the Firewall.

    I have no idea what the requirements of Acrylic are,
    but you've got that going for you, that there's not
    much equipment to get in the way. Hell, I bet even
    IPv6 works on your setup :-) (It doesn't on mine.
    Only Teredo Tunneling can get out of mine.)

    Paul

  • From Mayayana@21:1/5 to Paul on Wed Jan 1 21:38:23 2020
    XPost: alt.windows7.general

    "Paul" <nospam@needed.invalid> wrote

    | One thing you should point out in a post like this,
    | is your network configuration. You've claimed in a
    | previous recent posting, to not be using a router.
    |

    I wouldn't have thought that mattered. But I
    never said I had no router. I did say I'm not networked
    and some people seem to interpret that as meaning I'm
    using a laptop on someone else's wifi, apparently
    because they don't remember the days when they
    didn't set up a LAN.

    What I've got is an RCN modem with a router and
    3 computers hard wired to it. (But no network in the
    sense that networking services and filesharing are
    disabled on all 3. No Server or workstation service,
    no DCOM, no UPNP, no network discovery functionality,
    etc. So there's nothing like Network Neighborhood.)
    There's also wifi but that's only used by guests.

    On XP I have Online Armor. On Win7 I have Tiny
    Firewall. There's no problem with anything getting
    through. I'm used to dealing with that.

    Acrylic is a DNS proxy. I set the DNS server in network
    settings to 127.0.0.1 and Acrylic handles it. Unbound is
    similar. The problem is not that it can't get out but
    rather that once I set up the config file the service quits
    as soon as I start it and the error says there's an error
    in the config file.
    So far I have no other clues. So I was hoping to find
    someone who's set up Unbound on Windows with encrypted
    DNS. The trouble is that the config is very involved, most
    of the advice is for Linux, and there are no basic instructions.
    The man page and sample file assume one already knows
    all about DNS and there's no GUI. It just installs a DNS
    resolver service. So I'm not even sure that I've included
    all the settings I need. I just know that Unbound either
    doesn't like at least one of them or requires some I haven't
    added.

  • From Char Jackson@21:1/5 to Paul on Thu Jan 2 01:42:10 2020
    XPost: alt.windows7.general

    On Wed, 01 Jan 2020 20:52:17 -0500, Paul <nospam@needed.invalid> wrote:

    > Mayayana wrote:
    >> Anyone have experience with DNS over HTTPS or
    >> TLS? After trying several things I ended up with
    >> Unbound, but once I set up the config file it keeps
    >> quitting as soon as it starts. The error log has it
    >> saying "error in config file". Not much help. The
    >> config file is complex, not really documented, and
    >> samples I find online are conflicting.
    >>
    >> Earlier I tried updating certs and IE on XP, so that
    >> I could use Acrylic, but that errors on a wininet call.
    >>
    >> I like the idea of privacy for DNS, but the methods
    >> available seem to be immature and mainly only used by
    >> Linux admins with detailed knowledge of DNS and TLS.
    >
    > One thing you should point out in a post like this,
    > is your network configuration. You've claimed in a
    > previous recent posting, to not be using a router.
    >
    > broadband-modem??? ------- Win7-PPPOE-termination
    >
    > And that should significantly simplify the root causes
    > of failures to be considered. Sure, you could have a
    > Firewall, but it's the Windows Firewall. And you'd
    > look for any advice on punching whatever holes this
    > scheme needs, through the Firewall.
    >
    > I have no idea what the requirements of Acrylic are,
    > but you've got that going for you, that there's not
    > much equipment to get in the way. Hell, I bet even
    > IPv6 works on your setup :-) (It doesn't on mine.
    > Only Teredo Tunneling can get out of mine.)

    I could be wrong since I haven't set this up and tested it, but...

    Unbound seems to be a local DNS resolver with additional capabilities, and
    thus it will be listening on UDP port 53**, just as Acrylic is currently
    doing. So if Unbound and Acrylic are on the same PC, then one or the other
    will need to be shut down. The two applications could run simultaneously on
    two separate PCs on the LAN, but that assumes that there is a LAN, a
    networked PC that is reachable for DNS queries. On the first PC, Acrylic
    would be configured as the local DNS, which is already in place in his
    case, and Acrylic in turn would be configured to use Unbound on the second
    PC as its local DNS resolver. Unbound doesn't forward its queries to an
    untrusted DNS server; instead, it goes straight to one of the root servers
    and walks down from there.

    Unbound listens for DNS queries on UDP port 53 because that's the standard,
    but it doesn't have to use UDP 53 as a destination port on its outbound
    queries. In fact, that seems to be the whole point, that it will use TCP
    versus UDP. It doesn't look as if Unbound for Windows includes DNS over
    HTTPS like the Linux versions apparently do. Perhaps that's coming in a
    later version.

    Looking here, https://nlnetlabs.nl/downloads/unbound/, it looks like
    version 1.9.6 is the latest non-RC version, so that's probably what I'd use
    for testing if I was going to play with it. I don't see anyone bragging
    about which versions of Windows are supported.

    Sample Windows config file, the first that I found. It's for an older
    version of the application, so take it with a grain of salt. <https://www.quakemachinex.com/blog/wp-content/plugins/clean-archives-reloaded/ajax-single.php?postid=170>

    I see that in addition to the server.conf file, there are also some
    registry settings that need to be added. No idea if that has been done, and
    no idea what the current config file looks like.


    --

    Char Jackson

  • From JJ@21:1/5 to Mayayana on Thu Jan 2 16:03:37 2020
    XPost: alt.windows7.general

    On Wed, 1 Jan 2020 19:13:43 -0500, Mayayana wrote:
    > Anyone have experience with DNS over HTTPS or
    > TLS? After trying several things I ended up with
    > Unbound, but once I set up the config file it keeps
    > quitting as soon as it starts. The error log has it
    > saying "error in config file". Not much help. The
    > config file is complex, not really documented, and
    > samples I find online are conflicting.
    >
    > Earlier I tried updating certs and IE on XP, so that
    > I could use Acrylic, but that errors on a wininet call.
    >
    > I like the idea of privacy for DNS, but the methods
    > available seem to be immature and mainly only used by
    > Linux admins with detailed knowledge of DNS and TLS.

    The problem is likely what Char Jackson has mentioned. In short, a port
    number cannot have more than one listener, e.g. binding Acrylic and
    Unbound to port 53 of IP 127.0.0.0. That would cause a conflict.

    You can use Windows' built-in "Microsoft Loopback Adapter" virtual network
    device(s), one for each proxy. Then configure them and the system DNS
    setting like a chain.

    As for DNS privacy... I use DNSCrypt. It's an encrypting DNS proxy console
    software which can use one or multiple remote DNSs (selectable; can be more
    than two), so it provides an additional layer of encryption. Remote DNSs can
    either be unencrypted, DoH, TLS, or DNSSEC, but must be DNSCrypt compatible.
    This makes sure that the ISP or any middle network nodes only see encrypted
    DNS query and response data even though an unencrypted remote DNS is used.

    https://github.com/DNSCrypt/dnscrypt-proxy

  • From Mayayana@21:1/5 to jj4public@vfemail.net on Thu Jan 2 08:25:24 2020
    XPost: alt.windows7.general

    "JJ" <jj4public@vfemail.net> wrote

    |
    | The problem is likely what Char Jackson has mentioned. In short, a port
    | number cannot have more than one listener, e.g. binding Acrylic and
    | Unbound to port 53 of IP 127.0.0.0. That would cause a conflict.
    |

    That's not an issue. I'm not running both services
    at once. They're both set to run as services, so it's
    not a big deal to turn one off to run the other.
    And the error specifically says there's a config problem.
    Everyone seems to be missing that point. What I'm asking
    for is a working example of the Unbound conf file on
    Windows, with some version of encrypted DNS working.

    Though it's possible that the config file is not the only
    problem. The Windows version of Unbound seems to be
    an afterthought. And the glossy PDF "manual" for Windows
    really just explains how to install it.

    | As for DNS privacy... I use DNSCrypt. It's an encrypting DNS proxy console
    | software which can use one or multiple remote DNSs (selectable; can be
    | more than two), so it provides additional layer of encryption. Remote DNSs
    | can either be unencrypted, DoH, TLS, or DNSSEC, but must be DNSCrypt
    | compatible. This makes sure that the ISP or any middle network nodes, only
    | see encrypted DNS query and response data even though unencrypted remote
    | DNS is used.
    |
    | https://github.com/DNSCrypt/dnscrypt-proxy

    I looked into that but couldn't figure out how
    to set it up. I was hoping to get something without
    having to become an expert on DNS and TLS.

    Can you offer any guidance on how to get that
    going? I also want it on XP. I think dnscrypt-proxy
    will run on XP but it would need to have its own
    encryption functionality. Getting TLS 1.2 on XP is
    a complicated affair. And I don't think I can use any
    DNSCrypt GUI wrappers because they all seem to
    use things like .Net 4.6 that won't run on XP.
    DNSCrypt may need TLS 1.3.

    This debacle has provided some interesting info
    about TLS support, though. There are basically 3
    ways I know of to use Windows functionality for
    these things.

    1) Winsock. Works great but then the software needs
    its own encryption libraries.

    2) Wininet.dll. Essentially IE. Only IE11 has native
    TLS 1.2.

    3) Winhttp. Works well and can be updated to provide
    TLS 1.2. But then certs are also needed.

    That was another reason to try Unbound. It appears
    to handle getting its own certs and uses its own
    networking code, using winsock and crypt32 directly.

    It turns out that XP with the
    POS Registry setting can have an IE8 update from
    2018 to make IE up-to-date. (Maybe you followed
    that in the VB group with Obiwan's posts?)
    The down side of that is that IE8 makes OE6 crash.
    (I'd forgotten about that until I tried doing all those
    updates yesterday. :)

    But I did end up with an interesting result from
    all my research: I came across an arcane method
    for updating certs on XP. Now my Bing maps program
    that uses TLS 1.2 through winhttp doesn't show
    cert errors.

    It occurred to me that actually writing this myself
    might not be a big deal. But I'd rather not have to.
    And I'd have to set up half the program before I
    could even test whether winhttp with my certs
    update tweak can successfully talk to a DoH server.

  • From Mayayana@21:1/5 to All on Sun Jan 5 09:43:30 2020
    XPost: alt.windows7.general

    Update on this:

    It appears that few if any people are actually curious
    about secure DNS, but in case anyone is....

    I finally worked out Unbound. It turns out the config
    file format is very specific and the docs are virtually
    non-existent. So I was reduced to collecting chats online
    and trying to figure out which people knew what they
    were talking about.

    Someone in a programming group explained to me
    that the file unbound-checkconf.exe could be used
    at command line to check for errors in the config file.
    That will at least tell you what line the error is on.
    They also offered an example of their config.
    Finally, after a lot of fiddling, I got a config that works.
    I then confirmed with Smart Sniffer that I'm getting
    DNS over TLS on port 853.

    I must confess that I don't entirely understand all this,
    but here are the details:

    This, used as service.conf, will do the trick:

    # Unbound configuration file on windows.
    # See example.conf for more settings and syntax
    server:
        verbosity: 0
        directory: "%EXECUTABLE%"
        username: "unbound"
        logfile: "unbound.log"
        use-syslog: yes

        # on Windows, this setting adds the certificates from the Windows
        # Cert Store. For when you want to use forwarders with TLS.
        tls-win-cert: yes

        # listen interfaces and port
        interface: 0.0.0.0
        port: 53

        # who can query the server
        access-control: 127.0.0.0/8 allow
        access-control: 192.168.0.0/16 allow

        auto-trust-anchor-file: "root.key"

        # https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
        tls-cert-bundle: "ca-bundle.crt"

        # https://www.internic.net/domain/named.root
        root-hints: "named.root"

        prefetch: no
        do-ip4: yes
        do-ip6: no
        do-udp: yes
        do-tcp: yes

        # security/privacy
        aggressive-nsec: yes
        cache-max-ttl: 14400
        cache-min-ttl: 1200
        hide-identity: yes
        hide-version: yes
        harden-glue: yes
        harden-dnssec-stripped: yes
        val-clean-additional: yes
        rrset-roundrobin: yes
        use-caps-for-id: yes

        include: "hosts.conf"

    # Adding DNS-over-TLS support

    forward-zone:
        name: "."
        forward-tls-upstream: yes
        ## Cloudflare DNS
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853

    # ---- end config file

    It uses Cloudflare for DNS. The options are limited.
    Cloudflare seems to be well rated. It's what Mozilla
    uses. Other options: Google? Not on your life. A handful
    of others. But you have to make sure the server you
    want to use supports DNS over TLS.

    Other notes: The two links to .root and .crt files
    seem to be needed. Apparently they're part of the
    process of confirming certificates. The line:

    include: "hosts.conf"

    refers to my HOSTS file, which I
    converted to Unbound format using a VBScript. The
    "include" is as in PHP. It directs Unbound to read in
    that file and regard it as part of the main config file.
    It's external only because it's big. All of these extra
    files need to be in the program folder.

    HOSTS format:
    Unbound, unfortunately, doesn't recognize HOSTS
    format. On the bright side, it does handle top level
    domains. So you don't need to use:

    forty-different-things.doubleclick.net

    Just plain doubleclick.net works fine. It requires
    two lines for each entry. The following is a sample
    section of my hosts.conf file:

    local-zone: "scorecardresearch.com" redirect
    local-data: "scorecardresearch.com A 0.0.0.0"
    local-zone: "1e100.com" redirect
    local-data: "1e100.com A 0.0.0.0"
    local-zone: "1e100.net" redirect
    local-data: "1e100.net A 0.0.0.0"
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 0.0.0.0"
    local-zone: "doubleclick.com" redirect
    local-data: "doubleclick.com A 0.0.0.0"
    local-zone: "googletagservices.com" redirect
    local-data: "googletagservices.com A 0.0.0.0"
    local-zone: "googletagmanager.com" redirect
    local-data: "googletagmanager.com A 0.0.0.0"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 0.0.0.0"
    local-zone: "fonts.googleapis.com" redirect
    local-data: "fonts.googleapis.com A 0.0.0.0"

    A # acts as a comment marker in these files. If
    you edit service.conf then be conservative.
    It turned out the main problem I was having was
    that the include line was in the wrong section of
    the config file. What wrong section? No one mentions
    that! But the lines server: and forward-zone: above
    actually define sections, something like an INI file.
    Unfortunately, the authors don't explain that anywhere
    and didn't alter the format to make a section header
    recognizable.

    Classic OSS. Works great... if only you can find
    someone who knows how to use it. :) But Unbound
    seems to be highly regarded, comes with most Linux
    versions, and seems to be typical for security in
    corporate settings. The idea is to prevent your ISP or
    various third parties from knowing what sites you visit
    and possibly even injecting alterations or serving those
    pages from their own cache. With this method an
    observer on the network sees a call that they know is
    DNS because it's on port 853, but they can't read the
    content.
    DNS over HTTPS (DoH) seems to be slightly more
    desirable because it runs over port 443, the same as
    for https webpages. So even the fact of it being a
    DNS call is hidden. But for now Unbound doesn't handle
    DoH.

    Once you have everything working (good idea to
    run unbound-checkconf) then you need to activate
    the service at startup and change your DNS target
    in network settings. It should be 127.0.0.1. So any
    software calling for DNS resolution will call Unbound,
    which is listening on port 53, which then makes the
    DNS call and returns the result.

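    The post above converted a HOSTS file into Unbound's local-zone/local-data pairs with a VBScript. As an added example that is not the poster's script, here is the same conversion in Python: it keeps only sink-addressed entries (0.0.0.0, 127.0.0.1, ::1), skips the localhost names, drops any name already covered by a parent redirect zone, and emits the two-line layout shown in hosts.conf. The HOSTS text in SAMPLE_HOSTS is constructed for the example.

```python
"""Convert a HOSTS-style blocklist into Unbound local-zone/local-data pairs.
Added example, not the poster's script: sink-addressed entries are block
entries; any other address is a real mapping and is left out."""
import re

SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
# Names a HOSTS file defines for the machine itself: never block these.
SELF_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
              "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}
LABEL_RE = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def valid_hostname(name):
    """Reject tokens that would make unbound-checkconf fail on the include."""
    return len(name) <= 253 and all(LABEL_RE.match(l) for l in name.split("."))

def parse_hosts(text):
    """Return the block names from HOSTS text, in file order, without duplicates."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment in HOSTS
        if not line:
            continue
        fields = line.split()
        addr, hosts = fields[0], fields[1:]
        if addr not in SINK_ADDRS:
            continue                               # a real mapping, not a block
        for host in hosts:
            host = host.lower().rstrip(".")
            if host in SELF_NAMES or not valid_hostname(host):
                continue
            if host not in names:
                names.append(host)
    return names

def collapse_subdomains(names):
    """Drop names whose parent domain is also listed: a redirect zone for
    doubleclick.net already answers for ad.doubleclick.net."""
    kept = set()
    for name in sorted(names, key=lambda n: n.count(".")):   # parents first
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels))}
        if not parents & kept:
            kept.add(name)
    return sorted(kept)

def to_unbound(names, sink="0.0.0.0"):
    """Emit the two-line-per-entry layout used in the thread's hosts.conf."""
    lines = []
    for name in names:
        lines.append('local-zone: "%s" redirect' % name)
        lines.append('local-data: "%s A %s"' % (name, sink))
    return "\n".join(lines) + "\n"

def convert(text):
    return to_unbound(collapse_subdomains(parse_hosts(text)))

# Constructed sample input for the example.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.lan                     # real mapping, left alone
0.0.0.0 doubleclick.net
0.0.0.0 ad.doubleclick.net stats.g.doubleclick.net   # covered by the parent
127.0.0.1 google-analytics.com
0.0.0.0 not*valid                               # junk token, skipped
"""

if __name__ == "__main__":
    print(convert(SAMPLE_HOSTS), end="")
```

    Write the output to hosts.conf beside service.conf and run unbound-checkconf before restarting the service, as the post recommends.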
  • From Paul@21:1/5 to Mayayana on Sun Jan 5 12:28:02 2020
    XPost: alt.windows7.general

    Mayayana wrote:
    > Classic OSS. Works great... if only you can find
    > someone who knows how to use it. :) But Unbound
    > seems to be highly regarded, comes with most Linux
    > versions, and seems to be typical for security in
    > corporate settings.

    This is generally true for projects where you're
    modifying the networking stack on your OS.
    It's always going to be a nail-biter, as
    you never know how it'll turn out (dumpster
    fire, or Nobel Prize).

    Paul

  • From Mayayana@21:1/5 to Paul on Sun Jan 5 20:33:14 2020
    XPost: alt.windows7.general

    "Paul" <nospam@needed.invalid> wrote
    | This is generally true for projects where you're
    | modifying the networking stack on your OS.
    | It's always going to be a nail-biter, as
    | you never know how it'll turn out (dumpster
    | fire, or Nobel Prize).
    |

    Actually, so far it seems that Unbound is very stable
    and easy to use. And it seems to be held in high
    regard. The only problem is that they didn't bother
    to write a help file. They have a Windows guide in
    PDF form that's little more than pictures of the installation.
    Maybe a practical joke meant to be a dig at Windows
    users? I don't know.

    Someone told me I could test the config in a console
    window with one of the files in the install. I *never once*
    saw mention of that in the config notes or on any of the
    webpages I found where people were offering tips for
    setting up Unbound.

    The only guidance is a few comments in the config file,
    but it's assumed one has a thorough knowledge of both
    networking protocols and Unbound itself.

    I find that's common with these things. Not just OSS.
    Try finding out how to write the notation for an IP
    address range. It's easy to find samples. Very difficult
    to find a clear explanation for beginners. The problem
    with only having samples is that the rules can't be inferred.
    And you don't know if the samples are accurate. I came
    across 3 or 4 ways to set up the syntax for HOSTS
    blocking in Unbound. There's no credible reason that it
    doesn't use the same syntax as HOSTS. And why are
    there so many variations? Do they all work? Are some
    people doing it wrong? Without an explanation of the
    syntax rule it's hard to know.
