Direct Unbound DNS-over-HTTPS (DoH) traffic through SSH tunneling

norainfallduckdog

From the results of searching on the internet, would the following be the way to implement this request?

To direct Unbound DNS-over-HTTPS (DoH) traffic through an SSH tunneling port, configure your system to use a SOCKS proxy on the SSH tunnel's local port, then set Unbound to use that SOCKS proxy for outbound DoH connections by specifying it in the "proxy-out" option within your Unbound configuration file; essentially, all DoH requests will be routed through the SSH tunnel.

Key steps:
Establish SSH Tunnel with SOCKS Proxy:
• Open an SSH connection to your remote server using the -D flag to enable dynamic port forwarding.
• Example command: ssh -D 1080 user@server
• This creates a SOCKS proxy accessible on port 1080 on your local machine.

Configure Unbound:
• Edit your Unbound configuration file (usually located at /etc/unbound/unbound.conf)
• Add the following line under the "interface:" section to specify the SOCKS proxy => proxy-out: 127.0.0.1:1080;socks
• Important: Ensure your firewall rules allow outbound traffic on port 1080.
• Restart Unbound:
• Restart the Unbound service to apply the changes.


The following steps were applied without changing or adding attributes to unbound.conf:

DNS-over-HTTPS was verified to have worked on Linux Mint 22 according to this: https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html#using-doh

Librewolf Settings:
  1. General -> Network Settings -> Settings
  2. Connection Settings
    Manual proxy configuration selected
    SOCKS Host = 127.0.0.1 and Port = 443
    No proxy for = localhost, 127.0.0.1
    Proxy DNS when using SOCKS v5 check marked
  3. Enable DNS over HTTPS using
    Increased Protection
    Custom = https://doh/applied-privacy.net/query
Created a VM on Digital Ocean

From Linux Mint 22:
ssh -4 -TND 443 [email protected] <---------- nnn.nnn.nnn.nnn VM IP address

The following errors appeared:
bind [127.0.0.1]:443: Permission denied
channel_setup_fwd_listener_tcpip: cannot listen to port: 443
Could not request local forwarding.


The search for "proxy-out:" attribute came back without results from this link: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html

My questions would be:
-Are there attributes to use to forward Unbound DoH traffic (port 443) to the SSH tunneling (VM) using some other port instead of port 443? Is it better to use a separate port for SSH tunneling?
-Are the settings for Librewolf required as such?
-Are there instructions on how to achieve this request?

My objective is to use Unbound DoH with SSH tunneling to hide my ISP IP address. Would this be possible with Unbound?
 


Is there any reason you don't want to use port 1080? Maybe your digital ocean subscription is layer 7 only?

tcp/ip rules are different for ports below 1024. It isn't impossible, but it's more difficult.

I don't use unbound, and I've never done dns over https. It would seem like it's possible.
It seems a little odd that you need https thru a ssh tunnel, you are encrypting traffic through an encrypted port.
Probably not necessary.

The permission denied is probably because you're using a port below 1024.
Some other things to check are your firewall.
Are you using AppArmor or SELinux? These can block non-standard configurations and ports as well.
Do you have something else (like a web server for example) already using port 443?

I don't have much experience with unbound and dns over https. However I do have some experience with ssh tunneling.
But I would guess this would hide your ISP ip from the end users.
 
Is there any reason you don't want to use port 1080? Maybe your digital ocean subscription is layer 7 only?

tcp/ip rules are different for ports below 1024. It isn't impossible, but it's more difficult.

I don't use unbound, and I've never done dns over https. It would seem like it's possible.
It seem's a little odd that you need https thru a ssh tunnel, you are encrypting traffic through an encrypted port.
Probably not necessry.

The permission denied is probably because you're using a port below 1024.
Some other things to check are your firewall.
Are you using appArmor or SElinux? These can block non-standard configurations and ports as well.
Do you something else (like a web server for example) already using port 443?

I don't have much experience with unbound and dns over https. However I do have some experience with ssh tunneling.
But I would guess this would hide your ISP ip from the end users.

I see it now. VPN does the encrypting and tunneling at the same time, so dns over https is not necessary.
It makes sense; same with this post: https://linux.org/threads/unbound-vpn-ip-addresses.54984/
I only have Linux Mint 22 and Unbound on my PC.

If you haven't already installed it, the following is the script of commands to implement Unbound to get it going. You can then add more attributes to unbound.conf configuration file. It's easy; copy and paste to the command line:

wget https://nlnetlabs.nl/downloads/unbound/unbound-latest.tar.gz
tar xzf unbound-latest.tar.gz

sudo apt update
sudo apt install -y build-essential

sudo apt install -y libssl-dev
sudo apt install -y libexpat1-dev
sudo apt install -y libnghttp2-dev <----Skip this for DNS over HTTPS

sudo apt-get install -y bison
sudo apt-get install -y flex

pwd
cd unbound-1.22.0

./configure

make

sudo make install

./configure --with-libnghttp2 <----Skip this for DNS over HTTPS

make <----Skip this for DNS over HTTPS

sudo make install <----Skip this for DNS over HTTPS

unbound -V

cd /usr/local/etc/unbound

sudo nano unbound.conf <----Make a backup copy, delete all the entries, add only the following to test; add more later

server:
# can be uncommented if you do not need user privilege protection
# username: ""

# can be uncommented if you do not need file access protection
# chroot: ""

# location of the trust anchor file that enables DNSSEC. note that
# the location of this file can be elsewhere
# auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
# auto-trust-anchor-file: "/var/lib/unbound/root.key"

# send minimal amount of information to upstream servers to enhance privacy
qname-minimisation: yes

# specify the interface to answer queries from by ip-address.
interface: 0.0.0.0
# interface: ::0

# addresses from the IP range that are allowed to connect to the resolver
access-control: 192.168.0.0/16 allow
# access-control: 2001:DB8/64 allow

do-ip6: no

unbound-checkconf

systemctl stop systemd-resolved
systemctl disable systemd-resolved

ss -lp 'sport = :domain'
sudo lsof -i :53
sudo ss -lnptu | grep 53

sudo unbound -d -vv -c unbound.conf <---- let this run in another window in the background
<----after making changes to unbound.conf, ctrl-c and run it again

cd /usr/local/etc/unbound

sudo nano unbound.conf

remote-control: <-------Add to unbound.conf
# enable remote-control
control-enable: yes

sudo unbound-control-setup

sudo ldconfig

sudo unbound-anchor

cd /usr/local/etc/unbound

sudo nano unbound.conf

server:
# enable DNSSEC
auto-trust-anchor-file: "/usr/local/etc/unbound/root.key" <----uncomment out this line

dig example.com @127.0.0.1

cd /etc/systemd

sudo nano /etc/systemd/resolved.conf

[Resolve]
DNS=127.0.0.1 <-----Uncomment
#FallbackDNS=
#Domains=
DNSSEC=yes <-----Uncomment
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
DNSStubListener=no <-----Uncomment
#DNSStubListenerExtra=

sudo ln -fs /run/systemd/resolve/resolv.conf /etc/resolv.conf

systemctl restart systemd-resolved

minty@minty:/etc/systemd$ dig example.com

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61493
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com. IN A

;; ANSWER SECTION:
example.com. 300 IN A 23.215.0.136
example.com. 300 IN A 23.215.0.138
example.com. 300 IN A 96.7.128.175
example.com. 300 IN A 96.7.128.198
example.com. 300 IN A 23.192.228.80
example.com. 300 IN A 23.192.228.84

;; Query time: 36 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) <------Verify this
;; WHEN: Thu Jan 16 11:20:33 PST 2025
;; MSG SIZE rcvd: 136


https://dnsleaktest.com/ <----It should list ONLY your ISP IP


Verify for DNSSEC: The response should contain the AD (Authentic Data) flag:
dig @localhost example.nl +dnssec +multi
dig +dnssec A www.ipinfo.io | grep ad

sudo unbound-host -C /usr/local/etc/unbound/unbound.conf -v go.dnscheck.tools

unbound-host -C /usr/local/etc/unbound/unbound.conf -v badsig.go.dnscheck.tools

drill badsig.go.dnscheck.tools <--- Should give rcode of SERVFAIL but not

drill go.dnscheck.tools

dig com. SOA +dnssec


cd
cd unbound-1.22.0
make dohclient <-----Skip if dns over https is not necessary

cd /usr/local/etc/unbound
sudo nano unbound.conf <--- add the following to "server:" section

interface: 127.0.0.1@443
tls-service-key: "unbound_server.key"
tls-service-pem: "unbound_server.pem"

unbound-checkconf
cd
cd unbound-1.22.0

./dohclient -s 127.0.0.1 nlnetlabs.nl AAAA IN
./dohclient -s 127.0.0.1 -p 443 www.nlnetlabs.nl A IN



Tracking Errors:

Error 1:
minty@minty:/usr/local/etc/unbound$ sudo unbound -d -vv -c unbound.conf
[1737060782] unbound[22059:0] notice: Start of unbound 1.22.0.
[1737060782] unbound[22059:0] error: can't bind socket: Cannot assign requested address for ::1 port 8953
[1737060782] unbound[22059:0] error: cannot open control interface ::1 8953
[1737060782] unbound[22059:0] fatal error: could not open ports

Solution: Add "do-ip6: no" to unbound.conf <--- add it to the "server:" section


Reference links:
https://unbound.docs.nlnetlabs.nl/en/latest/getting-started/installation.html <----Start here first
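As an added example (not from this thread and not Unbound's own code), a small Python checker for the clause/option format of unbound.conf used in the script above: it parses the file and flags the three things this thread ran into, a "proxy-out" option that Unbound does not have, an "interface" on @443 without the tls-service-key/tls-service-pem pair, and "control-enable: yes" with neither "do-ip6: no" nor an explicit "control-interface" (Error 1). The known-option list and the sample config are assumptions limited to the options that appear in this thread.

```python
import re

# Known server: options, restricted to those used in this thread (assumption).
KNOWN_SERVER = {"interface", "access-control", "do-ip6", "qname-minimisation",
                "auto-trust-anchor-file", "tls-service-key", "tls-service-pem",
                "username", "chroot"}

def parse_unbound_conf(text):
    """Return {clause: [(option, value), ...]} for an unbound.conf body.
    A clause line looks like 'server:' or 'remote-control:'; option lines are
    'key: value'. '#' starts a comment; blank lines are ignored."""
    clauses, current = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.fullmatch(r"[a-z-]+:", line):       # clause header
            current = line[:-1]
            clauses.setdefault(current, [])
            continue
        key, _, value = line.partition(":")
        clauses.setdefault(current, []).append((key.strip(), value.strip().strip('"')))
    return clauses

def check_unbound_conf(text):
    """Return a list of findings (empty list means none of the checks fired)."""
    conf = parse_unbound_conf(text)
    server = conf.get("server", [])
    keys = {k for k, _ in server}
    findings = []
    for k, _ in server:
        if k not in KNOWN_SERVER:  # e.g. proxy-out: Unbound has no SOCKS setting
            findings.append(f"server: '{k}' is not a known option (no proxy-out in Unbound)")
    doh_iface = any(k == "interface" and v.endswith("@443") for k, v in server)
    if doh_iface and not {"tls-service-key", "tls-service-pem"} <= keys:
        findings.append("server: interface on @443 needs tls-service-key and tls-service-pem")
    rc = dict(conf.get("remote-control", []))
    if rc.get("control-enable") == "yes" and ("do-ip6", "no") not in server \
            and "control-interface" not in rc:
        findings.append("remote-control: default control interface includes ::1; "
                        "set do-ip6: no or control-interface: 127.0.0.1 (Error 1)")
    return findings

# Constructed sample reproducing the thread's first attempt (assumption).
SAMPLE = """server:
interface: 0.0.0.0
interface: 127.0.0.1@443
proxy-out: 127.0.0.1:1080;socks
remote-control:
control-enable: yes
"""

if __name__ == "__main__":
    for finding in check_unbound_conf(SAMPLE):
        print(finding)
```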
See these websites for attributes and DNSSEC: