From: Beeblebrox
To: freebsd-questions@freebsd.org
Date: Fri, 7 Nov 2014 08:55:52 -0800 (PST)
Subject: Re: local_unbound and dnscrypt-proxy
Message-ID: <1415379352984-5963426.post@n5.nabble.com>
In-Reply-To: <1415281391.3654995.187813213.7FAECF4C@webmail.messagingengine.com>
References: <86lhnup5l3.fsf@gly.ftfl.ca> <1415281391.3654995.187813213.7FAECF4C@webmail.messagingengine.com>

There are several issues here:

1. DNSSEC does NOT work with the unbound -> dnscrypt-proxy chain. I don't know why, but both port maintainer and software developer seem to not have taken the issue seriously. For now, disable in unbound.conf:

   # auto-trust-anchor-file: "/var/unbound/root.key"

   I'm going to re-open the issue I had filed about this on github.

2. You need to use some flags when starting dnscrypt-proxy. Here's mine, as an example. I have unbound from source (not ports) and dnscrypt-proxy running inside a jail. My resolv.conf points to the dns jail. Jail's rc.conf has below, with d=daemonize, a=listen-IP:port, m=log-level.

   local_unbound_enable="YES"
   dnscrypt_proxy_flags="-d -a 192.168.2.97:9040 -R dnscrypt.eu-nl --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 --logfile=/var/log/dnscrypt-proxy.log -m 0"
   dnscrypt_proxy_enable="YES"

   You need to define provider-key for correct dnscrypt-proxy startup (download and review https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv).

3. freebsd-24: I really don't understand your issue fully, but I would try these:

   * On , set forward-zone to non dnscrypt-proxy IP (8.8.8.8 for example)
   * Test and debug unbound on to make sure that unbound is forwarding DNS requests.
   * Once unbound is confirmed as working, re-set dnscrypt-proxy as forward-zone, and configure dnscrypt-proxy as described above.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS

--
View this message in context: http://freebsd.1045724.n5.nabble.com/local-unbound-and-dnscrypt-proxy-tp5961730p5963426.html
Sent from the freebsd-questions mailing list archive at Nabble.com.
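The post's point 2 says the provider key must be taken from dnscrypt-resolvers.csv and pinned on the dnscrypt-proxy command line. The script below is an added example, not code from the post or from the dnscrypt-proxy project: it reads a resolvers CSV in the upstream file's column layout, looks up a resolver by the short name passed to -R, checks that the provider key has the shape of a 256-bit Ed25519 fingerprint (16 colon-separated groups of 4 hex digits) and that the resolver address is IP:port, reports whether the list marks the resolver as DNSSEC-validating, and only then builds the dnscrypt_proxy_flags value in the form the post uses. The embedded CSV rows are constructed for the example (the dnscrypt.eu-nl key is the one quoted in the post; the addresses, provider names and the second row are made up); the column names are assumed to match the upstream v1 file.

```python
"""Added example (not from the post): pin a dnscrypt-proxy provider key from a
dnscrypt-resolvers.csv snapshot after validating it, then emit the rc.conf
flags line. Column names are assumed to match upstream dnscrypt-resolvers.csv."""
import csv
import io
import re

# Constructed sample in the shape of dnscrypt-resolvers.csv (not the real file).
# The dnscrypt.eu-nl key is the one quoted in the post; addresses, provider
# names and the "bogus-resolver" row are made up.
SAMPLE_CSV = (
    "Name,Full name,Description,Location,Coordinates,URL,Version,"
    "DNSSEC validation,No logs,Namecoin,Resolver address,Provider name,"
    "Provider public key,Provider public key TXT record\n"
    "dnscrypt.eu-nl,DNSCrypt.eu (NL),Constructed row,Netherlands,,"
    "https://dnscrypt.eu,1,yes,yes,no,198.51.100.10:443,"
    "2.dnscrypt-cert.example.invalid,"
    "67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66,\n"
    "bogus-resolver,Bogus,Constructed row with a malformed key,Nowhere,,,"
    "1,no,no,no,192.0.2.1:443,2.dnscrypt-cert.bogus.invalid,DEADBEEF,\n"
)

# A provider key is a 256-bit Ed25519 public key written as 16 colon-separated
# groups of 4 upper-case hex digits (64 hex digits = 32 bytes).
KEY_RE = re.compile(r"^(?:[0-9A-F]{4}:){15}[0-9A-F]{4}$")
# Resolver address as dnscrypt-proxy expects it: IPv4 address plus port.
ADDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def valid_provider_key(key: str) -> bool:
    """True when the key has the expected fingerprint shape."""
    return bool(KEY_RE.match(key))


def parse_resolvers(text: str) -> dict:
    """Index the CSV by the short resolver name that is passed to -R."""
    return {row["Name"]: row for row in csv.DictReader(io.StringIO(text))}


def lookup_resolver(name: str, text: str) -> dict:
    """Return the fields needed for pinning, plus validity flags."""
    row = parse_resolvers(text).get(name)
    if row is None:
        raise ValueError(f"resolver {name!r} not found in resolvers list")
    key = row["Provider public key"].strip()
    addr = row["Resolver address"].strip()
    return {
        "name": name,
        "resolver_address": addr,
        "provider_name": row["Provider name"].strip(),
        "provider_key": key,
        "key_valid": valid_provider_key(key),
        "address_valid": bool(ADDR_RE.match(addr)),
        "dnssec": row["DNSSEC validation"].strip().lower() == "yes",
    }


def rc_conf_flags(name: str, listen: str, text: str,
                  logfile: str = "/var/log/dnscrypt-proxy.log") -> str:
    """Build the dnscrypt_proxy_flags value in the form the post uses:
    -d daemonize, -a listen IP:port, -R resolver name, pinned --provider-key,
    --logfile, -m 0 log level. Refuses to emit a malformed key or address."""
    entry = lookup_resolver(name, text)
    if not entry["key_valid"]:
        raise ValueError(f"provider key for {name!r} is malformed: "
                         f"{entry['provider_key']!r}")
    if not entry["address_valid"]:
        raise ValueError(f"resolver address for {name!r} is malformed: "
                         f"{entry['resolver_address']!r}")
    return (f"-d -a {listen} -R {name} --provider-key={entry['provider_key']} "
            f"--logfile={logfile} -m 0")


if __name__ == "__main__":
    # Listen address is the one from the post's jail example.
    flags = rc_conf_flags("dnscrypt.eu-nl", "192.168.2.97:9040", SAMPLE_CSV)
    print(f'dnscrypt_proxy_flags="{flags}"')
    print("dnssec column:", lookup_resolver("dnscrypt.eu-nl", SAMPLE_CSV)["dnssec"])
```

Run it against a downloaded copy of dnscrypt-resolvers.csv by passing the file contents instead of SAMPLE_CSV; the point of the shape checks is that a truncated or hand-edited key fails before it is written into rc.conf, where dnscrypt-proxy would otherwise refuse to start or, worse, pin the wrong resolver identity.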