Date: Fri, 7 Nov 2014 08:55:52 -0800 (PST)
From: Beeblebrox <zaphod@berentweb.com>
To: freebsd-questions@freebsd.org
Subject: Re: local_unbound and dnscrypt-proxy
Message-ID: <1415379352984-5963426.post@n5.nabble.com>
In-Reply-To: <1415281391.3654995.187813213.7FAECF4C@webmail.messagingengine.com>
References: <86lhnup5l3.fsf@gly.ftfl.ca> <1415281391.3654995.187813213.7FAECF4C@webmail.messagingengine.com>
There are several issues here:

1. DNSSEC does NOT work with the unbound -> dnscrypt-proxy chain. I don't know why, but both port maintainer and software developer seem to not have taken the issue seriously. For now, disable in unbound.conf:

    # auto-trust-anchor-file: "/var/unbound/root.key"

I'm going to re-open the issue I had filed about this on github.

2. You need to use some flags when starting dnscrypt-proxy. Here's mine, as an example. I have unbound from source (not ports) and dnscrypt-proxy running inside a jail. My resolv.conf points to the dns jail. Jail's rc.conf has below, with d=daemonize, a=listen-IP:port, m=log-level.

    local_unbound_enable="YES"
    dnscrypt_proxy_flags="-d -a 192.168.2.97:9040 -R dnscrypt.eu-nl --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 --logfile=/var/log/dnscrypt-proxy.log -m 0"
    dnscrypt_proxy_enable="YES"

You need to define provider-key for correct dnscrypt-proxy startup (download and review https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv)

3. freebsd-24: I really don't understand your issue fully, but I would try these:

* On <Second IP>, set forward-zone to non dnscrypt-proxy IP (8.8.8.8 for example)
* Test and debug unbound on <Second IP> to make sure that unbound is forwarding DNS requests.
* Once unbound is confirmed as working, re-set dnscrypt-proxy as forward-zone, and configure dnscrypt-proxy as described above.

-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
--
View this message in context: http://freebsd.1045724.n5.nabble.com/local-unbound-and-dnscrypt-proxy-tp5961730p5963426.html
Sent from the freebsd-questions mailing list archive at Nabble.com.
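
An added example, not part of the original message or of either project: a small consistency check between the rc.conf flags and unbound.conf described above. It verifies that the provider key is well formed, that unbound forwards to the address dnscrypt-proxy listens on, and that the trust anchor the message says to disable is not active. The sample file contents are constructed from the settings quoted in the message; the function names and the IPv4-only address handling are assumptions of this sketch.

```python
import re
import shlex

# Constructed sample inputs, modelled on the settings quoted in the message.
RC_CONF = '''local_unbound_enable="YES"
dnscrypt_proxy_flags="-d -a 192.168.2.97:9040 -R dnscrypt.eu-nl --provider-key=67C0:0F2C:21C5:5481:45DD:7CB4:6A27:1AF2:EB96:9931:40A3:09B6:2B8D:1653:1185:9C66 --logfile=/var/log/dnscrypt-proxy.log -m 0"
dnscrypt_proxy_enable="YES"
'''
UNBOUND_CONF = '''server:
    # auto-trust-anchor-file: "/var/unbound/root.key"
forward-zone:
    name: "."
    forward-addr: 192.168.2.97@9040
'''

# A provider key is 32 bytes, written as 16 colon-separated groups of 4 hex digits.
KEY_RE = re.compile(r"^[0-9A-Fa-f]{4}(:[0-9A-Fa-f]{4}){15}$")

def proxy_settings(rc_conf):
    """Extract the listen address (-a) and --provider-key from dnscrypt_proxy_flags."""
    m = re.search(r'^dnscrypt_proxy_flags="([^"]*)"', rc_conf, re.M)
    args = shlex.split(m.group(1)) if m else []
    found = {"listen": None, "key": None}
    for i, arg in enumerate(args):
        if arg == "-a" and i + 1 < len(args):
            found["listen"] = args[i + 1]
        elif arg.startswith("--provider-key="):
            found["key"] = arg.split("=", 1)[1]
    return found

def check(rc_conf, unbound_conf):
    """Return a list of problems; an empty list means the two files agree."""
    problems, forwards = [], []
    cfg = proxy_settings(rc_conf)
    if not cfg["key"] or not KEY_RE.match(cfg["key"]):
        problems.append("provider-key missing or not 16 groups of 4 hex digits")
    for raw in unbound_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # ignore commented-out settings
        name, _, value = line.partition(":")
        if name == "forward-addr":
            forwards.append(value.strip())
        elif name == "auto-trust-anchor-file":
            problems.append("auto-trust-anchor-file is active; the message disables it for this chain")
    if cfg["listen"]:
        host, _, port = cfg["listen"].rpartition(":")   # IPv4 host:port only
        if f"{host}@{port}" not in forwards:            # unbound writes IP@port
            problems.append(f"no forward-addr matches dnscrypt-proxy at {host}@{port}")
    else:
        problems.append("dnscrypt-proxy listen address (-a) not set")
    return problems

if __name__ == "__main__":
    print(check(RC_CONF, UNBOUND_CONF) or "configuration is consistent")
```
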