Ahhh, ok. Good news! :D
Looks like Unbound have added .onion to the list of AS112 domains:

    onion (RFC 7686)
    Default content:
        local-zone: "onion." static
        local-data: "onion. 10800 IN NS localhost."
        local-data: "onion. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"

So yeah, without nodefault it won't let you forward queries for that TLD and
will just return an NXDOMAIN.

On Mon, Sep 11, 2017 at 1:09 PM, C. L. Martinez <carlopm...@gmail.com> wrote:
> Ok, now it is working ... I have added:
>
>     local-zone: "onion." nodefault
>
> ..to unbound's config file, and it works ... but I don't understand why
> this is needed ... Any idea?
>
> On Mon, Sep 11, 2017 at 04:32:58PM +0100, Ben Tasker wrote:
> > Did you restart unbound after the change to pf?
> >
> > I had an issue in the past with Unbound blacklisting an upstream for
> > failing to respond (if you debug unbound it'll be logged as "chase to
> > blacklisted lame server"), from memory the default blacklist time is 900
> > seconds.
> >
> > Failing that, it's probably packet capture time to see whether the
> > queries are actually going out, and where to
> >
> > On Mon, Sep 11, 2017 at 12:34 PM, C. L. Martinez <carlopm...@gmail.com> wrote:
> > > I have changed my rdr rules in pf.conf to avoid using port 1053 in
> > > dig queries, and ... It works doing a query directly to tor's gateway
> > > from my internal DNS server:
> > >
> > >     root@fbsddns:~/fwrules/secgw# dig @172.22.56.4 protonirockerxow.onion
> > >
> > >     ; <<>> DiG 9.4.2-P2 <<>> @172.22.56.4 protonirockerxow.onion
> > >     ; (1 server found)
> > >     ;; global options: printcmd
> > >     ;; Got answer:
> > >     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56101
> > >     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > >
> > >     ;; QUESTION SECTION:
> > >     ;protonirockerxow.onion.        IN      A
> > >
> > >     ;; ANSWER SECTION:
> > >     protonirockerxow.onion. 60      IN      A       10.244.182.165
> > >
> > >     ;; Query time: 2 msec
> > >     ;; SERVER: 172.22.56.4#53(172.22.56.4)
> > >     ;; WHEN: Mon Sep 11 15:03:10 2017
> > >     ;; MSG SIZE  rcvd: 56
> > >
> > > .. but doing the same query to unbound's host, it doesn't work:
> > >
> > >     root@fbsddns:~/fwrules/secgw# dig protonirockerxow.onion
> > >
> > >     ; <<>> DiG 9.4.2-P2 <<>> protonirockerxow.onion
> > >     ;; global options: printcmd
> > >     ;; Got answer:
> > >     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57586
> > >     ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> > >
> > >     ;; QUESTION SECTION:
> > >     ;protonirockerxow.onion.        IN      A
> > >
> > >     ;; AUTHORITY SECTION:
> > >     onion.  10800   IN      SOA     localhost. nobody.invalid. 1 3600 1200 604800 10800
> > >
> > >     ;; Query time: 0 msec
> > >     ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > >     ;; WHEN: Mon Sep 11 15:06:03 2017
> > >     ;; MSG SIZE  rcvd: 99
> > >
> > > Then, I think something is wrong with my unbound's config ... but what?
> > >
> > > On Mon, Sep 11, 2017 at 12:56:36PM +0100, Ben Tasker wrote:
> > > > Ahh, your version of dig doesn't like that syntax and is trying to
> > > > resolve the resolver string.
> > > >
> > > > Try this instead
> > > >
> > > >     dig @172.22.56.4 -p1053 protonirockerxow.onion
> > > >
> > > > Basically I'm wondering if something's stopping the packets from
> > > > reaching the tor resolver (pf maybe?) given that your netstat shows it
> > > > is bound to all interfaces (which'd be the normal mistake)
> > > >
> > > > > Looks fine, you're getting NXDOMAIN, not SERVFAIL.
> > > > >
> > > > > What do you expect a DNS query for a .onion to return?
> > > >
> > > > With various config options set (VirtualAddressNetwork,
> > > > AutomapHostSuffixes and AutomapHostsOnResolve) it should return an IP
> > > > in a given range, which you then route via the transparent router to
> > > > reach the endpoint.
> > > >
> > > > On Mon, Sep 11, 2017 at 11:24 AM, C. L. Martinez <carlopm...@gmail.com> wrote:
> > > > > Nope ...
> > > > >
> > > > >     root@fbsddns:~# dig @172.22.56.4#1053 protonirockerxow.onion
> > > > >     dig: couldn't get address for '172.22.56.4#1053': not found
> > > > >
> > > > > On Mon, Sep 11, 2017 at 11:40:40AM +0100, Ben Tasker wrote:
> > > > > > Your config looks more or less exactly the same as mine (I allow
> > > > > > tcp but that's the only difference I can see).
> > > > > >
> > > > > > If you do a dig from the unbound server to the BSD gateway do you
> > > > > > get a result?
> > > > > >
> > > > > >     dig @172.22.56.4#1053 protonirockerxow.onion
> > > > > >
> > > > > > On Mon, Sep 11, 2017 at 10:45 AM, C. L. Martinez <carlopm...@gmail.com> wrote:
> > > > > > > To resolve Tor's hostnames like for example ProtonMail. For
> > > > > > > example, if I do a query from FreeBSD's Tor gateway:
> > > > > > >
> > > > > > >     root@torbsdgw:/var/log/tor # !345
> > > > > > >     tor-resolve protonirockerxow.onion
> > > > > > >     fe8d:ecdb:dc62:f60:6eda:15ea:39d9:b5c2
> > > > > > >
> > > > > > > ... it works ...
> > > > > > >
> > > > > > > On Mon, Sep 11, 2017 at 12:16:23PM +0200, Tom van der Woerdt wrote:
> > > > > > > > Looks fine, you're getting NXDOMAIN, not SERVFAIL.
> > > > > > > >
> > > > > > > > What do you expect a DNS query for a .onion to return?
> > > > > > > >
> > > > > > > > On 11/09/2017 at 11:23, C. L. Martinez wrote:
> > > > > > > > > Hi all,
> > > > > > > > >
> > > > > > > > > I am trying to figure out the best way to handle DNS requests
> > > > > > > > > to both clearnet and Tor onionland. Currently, I am using two
> > > > > > > > > virtual machines (both FreeBSD 11 based): one used as my
> > > > > > > > > internal DNS resolver and the other is a FreeBSD's tor gateway.
> > > > > > > > >
> > > > > > > > > My unbound.conf's file in my internal DNS (unbound) is:
> > > > > > > > >
> > > > > > > > >     server:
> > > > > > > > >         do-tcp: no
> > > > > > > > >         do-not-query-localhost: no
> > > > > > > > >         domain-insecure: "onion"
> > > > > > > > >         private-domain: "onion"
> > > > > > > > >
> > > > > > > > >     forward-zone:
> > > > > > > > >         name: "onion"
> > > > > > > > >         forward-addr: 172.22.56.4@1053
> > > > > > > > >
> > > > > > > > > And my FreeBSD's Tor gateway (172.22.56.4) is running Tor's DNS
> > > > > > > > > resolver:
> > > > > > > > >
> > > > > > > > >     USER  COMMAND   PID  FD PROTO LOCAL ADDRESS    FOREIGN ADDRESS
> > > > > > > > >     _tor  tor      89238  5 tcp4  127.0.0.1:9050   *:*
> > > > > > > > >     _tor  tor      89238  6 udp4  *:1053           *:*
> > > > > > > > >     _tor  tor      89238  7 tcp4  127.0.0.1:9040   *:*
> > > > > > > > >     root  sendmail 40917  4 tcp4  127.0.0.1:25     *:*
> > > > > > > > >     root  sshd     47802  4 tcp4  172.22.56.4:22   *:*
> > > > > > > > >
> > > > > > > > > .. but if I try to resolve any .onion domain from my Unbound's
> > > > > > > > > internal DNS server it doesn't work:
> > > > > > > > >
> > > > > > > > >     Server:  127.0.0.1
> > > > > > > > >     Address: 127.0.0.1#53
> > > > > > > > >
> > > > > > > > >     ** server can't find protonirockerxow.onion: NXDOMAIN
> > > > > > > > >
> > > > > > > > > Any idea?? What is wrong with my config?
> > > > > > > > >
> > > > > > > > > Thanks.
> > > > > > >
> > > > > > > --
> > > > > > > Greetings,
> > > > > > > C. L. Martinez
> > > > > >
> > > > > > --
> > > > > > Ben Tasker
> > > > > > https://www.bentasker.co.uk
> > > > >
> > > > > --
> > > > > Greetings,
> > > > > C. L. Martinez
> > > >
> > > > --
> > > > Ben Tasker
> > > > https://www.bentasker.co.uk
> > >
> > > --
> > > Greetings,
> > > C. L. Martinez
> >
> > --
> > Ben Tasker
> > https://www.bentasker.co.uk
>
> --
> Greetings,
> C. L. Martinez

--
Ben Tasker
https://www.bentasker.co.uk
--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
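A small added example (my own, not code from the list, Unbound or Tor) that parses the two replies quoted in the thread and tells Unbound's built-in RFC 7686 "onion." zone (NXDOMAIN with the localhost./nobody.invalid. SOA in AUTHORITY) apart from a real answer from Tor's DNSPort. The wire-format bytes are constructed inline from the dig output above (ids, flags, TTLs, SOA values and the 99/56-byte sizes dig reported) and are not real captures; stdlib only.

```python
import struct   # stdlib only

def enc(name):  # dotted name -> uncompressed wire-format labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(buf, off):
    """Decode the name at off, following compression pointers; return (name, next_off)."""
    if (n := buf[off]) & 0xC0 == 0xC0:                 # pointer: rest of the name lives elsewhere
        return read_name(buf, ((n & 0x3F) << 8) | buf[off + 1])[0], off + 2
    if n == 0:
        return "", off + 1
    rest, end = read_name(buf, off + 1 + n)
    return buf[off + 1:off + 1 + n].decode() + "." + rest, end

def parse_response(buf):
    """Parse header, question, answer and authority sections of a DNS reply."""
    rid, flags, qd, an, ns, _ = struct.unpack("!6H", buf[:12])
    off, out = 12, {"id": rid, "rcode": flags & 0xF, "answer": [], "authority": []}
    for _ in range(qd): _, off = read_name(buf, off); off += 4      # skip qtype/qclass
    for sec, count in (("answer", an), ("authority", ns)):
        for _ in range(count):
            name, off = read_name(buf, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10]); off += 10
            data = buf[off:off + rdlen]                    # raw rdata unless decoded below
            if rtype == 1:                                 # A
                data = ".".join(str(b) for b in data)
            elif rtype == 6:                               # SOA: mname, rname, 5 x uint32
                mname, p = read_name(buf, off); rname, p = read_name(buf, p)
                data = (mname, rname) + struct.unpack("!5I", buf[p:p + 20])
            out[sec].append((name, rtype, ttl, data)); off += rdlen
    return out

def diagnose(buf):
    """Tell Unbound's built-in RFC 7686 "onion." zone apart from a real answer."""
    r = parse_response(buf)
    if r["rcode"] == 3 and any(t == 6 and n == "onion." and d[:2] == ("localhost.", "nobody.invalid.")
                               for n, t, _, d in r["authority"]):
        return "unbound-default-onion-zone"     # remedy: local-zone: "onion." nodefault
    if r["rcode"] == 0 and any(t == 1 for _, t, _, _ in r["answer"]):
        return "resolved"
    return "other"

# Constructed replies that reproduce the thread's two dig outputs (99 and 56 bytes, as dig reported).
QUESTION = enc("protonirockerxow.onion") + struct.pack("!HH", 1, 1)              # A IN
UNBOUND_NXDOMAIN = (struct.pack("!6H", 57586, 0x8583, 1, 0, 1, 0) + QUESTION     # qr aa rd ra, rcode 3
    + b"\xc0\x1d" + struct.pack("!HHIH", 6, 1, 10800, 47)                         # "onion." SOA via pointer
    + enc("localhost") + enc("nobody.invalid") + struct.pack("!5I", 1, 3600, 1200, 604800, 10800))
TOR_AUTOMAP = (struct.pack("!6H", 56101, 0x8180, 1, 1, 0, 0) + QUESTION          # qr rd ra, rcode 0
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([10, 244, 182, 165]))
```

Feeding a real reply (for example the raw bytes from a packet capture taken while reproducing the thread's dig) to diagnose() gives the same classification without reading the dig output by hand.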