# dnscrypt resolver on 127.0.0.1 and 127.0.0.2



## gariac (Jul 22, 2017)

I have dnscrypt running. That is the good part. The plan is to get the resolver running on 127.0.0.2 then use unbound to set up resolver on 10.8.0.1 for openvpn. Here is the problem. Though I set up dnscrypt to use 127.0.0.2, which does work, it also works on 127.0.0.1, which will conflict with unbound's default. (unbound issues an error message when started, so the problem is real.) So the question is just how is 127.0.0.1 being used for dns?

First the proof:

```
# hostip -r 127.0.0.1 cnn.com
151.101.193.67
151.101.65.67
151.101.129.67
151.101.1.67
# hostip -r 127.0.0.2 cnn.com
151.101.129.67
151.101.193.67
151.101.65.67
151.101.1.67
```

The relevant part of rc.conf:

```
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_resolver="cs-uswest2"
dnscrypt_proxy_pidfile="/var/run/dnscrypt-proxy.pid"
dnscrypt_proxy_logfile="/var/log/dnscrypt-proxy.log"
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
dnscrypt_proxy_flags='-a 127.0.0.2'
local_unbound_enable="YES"
```

Note that local_unbound is not running.

```
# service local_unbound status 
local_unbound is not running.
```

Here is the error message from unbound, but the port actually is in use, so it is not really an error:

```
# service local_unbound start
Starting local_unbound.
[1500687204] unbound[3923:0] error: bind: address already in use
[1500687204] unbound[3923:0] fatal error: could not open ports
/etc/rc.d/local_unbound: WARNING: failed to start local_unbound
```

Here is where I declare the nameserver on 127.0.0.2:

```
# cat resolv.conf
nameserver 127.0.0.2
# nameserver 8.8.8.8
#nameserver 8.8.8.4
#nameserver 208.67.222.222
#nameserver 208.67.220.220
options edns0
#
```

I made sure that no dnscrypt-proxy.conf is used:

```
# pwd
/usr/local/etc
# ls dnscrypt-proxy.*
dnscrypt-proxy.conf.example     dnscrypt-proxy.conf.save
```

Perhaps of use:

```
# netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 138.68.45.241.ssh      172.58.36.119.25726    ESTABLISHED
udp4       0      0 127.0.0.2.domain       *.*                    
udp4       0      0 10.8.0.1.domain        *.*                    
udp4       0      0 localhost.domain       *.*
```


```
# uname -a
FreeBSD peets 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:48:40 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
#
```

So again, the mystery (at least to me) is how is dns provided on 127.0.0.1?


----------



## gariac (Jul 22, 2017)

This is a good idea. It looks like local_unbound, while not running, does seem to be enabling 127.0.0.1. Here are the results of the experiment. First verify resolv.conf is changed to 127.0.0.1.

```
# cd /etc
# cat resolv.conf
nameserver 127.0.0.1
# nameserver 8.8.8.8
#nameserver 8.8.8.4
#nameserver 208.67.222.222
#nameserver 208.67.220.220
options edns0
```

Now I commented out local_unbound in rc.conf, even though in theory it never started. And to be really sure, I rebooted. This is the relevant part of rc.conf:

```
dnscrypt_proxy_enable="YES"
dnscrypt_proxy_resolver="cs-uswest2"
dnscrypt_proxy_pidfile="/var/run/dnscrypt-proxy.pid"
dnscrypt_proxy_logfile="/var/log/dnscrypt-proxy.log"
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff"
dnscrypt_proxy_flags='-a 127.0.0.2'
#local_unbound_enable="YES"
#unbound_enable="YES"
```

So we have dnscrypt-proxy working, but nothing on 127.0.0.1.

```
# host cnn.com
;; connection timed out; no servers could be reached
# hostip -r 127.0.0.1 cnn.com
[request timed out]
# hostip -r 127.0.0.2 cnn.com
151.101.193.67
151.101.65.67
151.101.1.67
151.101.129.67
```

Now change rc.conf to allow local_unbound, even though it won't start. Then reboot.

```
dnscrypt_proxy_enable="YES" 
dnscrypt_proxy_resolver="cs-uswest2" 
dnscrypt_proxy_pidfile="/var/run/dnscrypt-proxy.pid" 
dnscrypt_proxy_logfile="/var/log/dnscrypt-proxy.log" 
ifconfig_lo0_alias0="inet 127.0.0.2 netmask 0xffffffff" 
dnscrypt_proxy_flags='-a 127.0.0.2' 
local_unbound_enable="YES"
```

Similar results:

```
# host cnn.com
;; connection timed out; no servers could be reached
# hostip -r 127.0.0.1 cnn.com
[request timed out]
# hostip -r 127.0.0.2 cnn.com
151.101.1.67
151.101.129.67
151.101.65.67
151.101.193.67
```

Now attempt to start local_unbound:

```
# service local_unbound status
local_unbound is not running.
# service local_unbound start
Starting local_unbound.
Waiting for nameserver to start...[1500758699] unbound-control[1722:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34385646984:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:402:fopen('/var/unbound/unbound_control.pem','r')
34385646984:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:404:
34385646984:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:701:
.[1500758700] unbound-control[1728:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34385646984:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:402:fopen('/var/unbound/unbound_control.pem','r')
34385646984:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:404:
34385646984:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:701:
.[1500758701] unbound-control[1731:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34385646984:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:402:fopen('/var/unbound/unbound_control.pem','r')
34385646984:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:404:
34385646984:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:701:
.[1500758702] unbound-control[1734:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34385646984:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:402:fopen('/var/unbound/unbound_control.pem','r')
34385646984:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:404:
34385646984:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:701:
.[1500758703] unbound-control[1737:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34385646984:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:402:fopen('/var/unbound/unbound_control.pem','r')
34385646984:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:404:
34385646984:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:701:
 giving up
# host cnn.com
cnn.com has address 151.101.193.67
cnn.com has address 151.101.1.67
cnn.com has address 151.101.129.67
cnn.com has address 151.101.65.67
cnn.com has IPv6 address 2a04:4e42::323
cnn.com has IPv6 address 2a04:4e42:400::323
cnn.com has IPv6 address 2a04:4e42:600::323
cnn.com has IPv6 address 2a04:4e42:200::323
cnn.com mail is handled by 10 mxb-000c6b02.gslb.pphosted.com.
cnn.com mail is handled by 10 mxa-000c6b02.gslb.pphosted.com.
# service local_unbound status
local_unbound is not running.
#
```

So to some degree, attempting to start local_unbound has changed the system. Now I'm still not sure if this is a FreeBSD issue or an issue with unbound since FreeBSD comes with unbound installed, though I haven't figured out exactly the nature of what it is doing.

For completeness:

```
# netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 138.68.45.241.ssh      172.56.38.103.46638    ESTABLISHED
udp4       0      0 10.8.0.1.domain        *.*                    
udp4       0      0 localhost.domain       *.*                    
udp4       0      0 127.0.0.2.domain       *.*
```

So nothing seen on 127.0.0.1, yet I have DNS.

So unbound does get a PID.

```
# ps aux | grep -e "unbound"
unbound         1721   0.0  0.9 33128 9336  -  Is   21:24    0:00.02 /usr/sbin/unbound -c /var/unbound/unbound.conf
root            1758   0.0  0.0   404  320  0  R+   21:35    0:00.00 grep -e unbound
```
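
Added example, not part of the original posts: `netstat` without `-n` prints names, so a `localhost.domain` entry in listings like the ones above is a socket on 127.0.0.1 port 53. This sketch normalises such output and reports which addresses already have a DNS listener; the function names are hypothetical, and it assumes `localhost` maps to 127.0.0.1 as in the default /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Sample: the three udp4 lines are the ones shown in the post; the tcp4 line
# is constructed with documentation addresses.
SAMPLE='Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.ssh         198.51.100.7.50000     ESTABLISHED
udp4       0      0 10.8.0.1.domain        *.*
udp4       0      0 localhost.domain       *.*
udp4       0      0 127.0.0.2.domain       *.*'

# Read netstat output on stdin, print "proto address:53" for every DNS socket.
dns_listeners() {
    awk '
    $1 ~ /^(udp|tcp)[46]*$/ {
        n = match($4, /\.[^.]+$/)            # last dot splits address from port
        if (n == 0) next
        addr = substr($4, 1, n - 1)
        port = substr($4, n + 1)
        if (port != "domain" && port != "53") next   # "domain" is 53 in /etc/services
        if (addr == "localhost") addr = "127.0.0.1"  # assumption: default /etc/hosts
        print $1, addr ":53"
    }' | LC_ALL=C sort -u
}

# Exit 0 if a socket in the netstat output on stdin already holds address $1
# port 53 (a wildcard listener counts as holding every address).
addr_in_use() {
    dns_listeners | awk -v want="$1:53" \
        '$2 == want || $2 == "*:53" { hit = 1 } END { exit !hit }'
}

printf '%s\n' "$SAMPLE" | dns_listeners
for a in 127.0.0.1 127.0.0.2 10.8.0.1 127.0.0.3; do
    if printf '%s\n' "$SAMPLE" | addr_in_use "$a"; then
        echo "$a:53 already bound; a second resolver there gets 'address already in use'"
    else
        echo "$a:53 free"
    fi
done
```

On a live system, pipe `netstat -an` (or the default `netstat` output) into `dns_listeners` instead of the sample.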


----------



## gariac (Jul 23, 2017)

Dig was replaced by drill.

Yeah, there is something wrong in the setup. The first run has all those error messages. 

I see two separate issues here. One is to get openvpn to use unbound. But first you need unbound to run normally. The fact that it "runs" (gets a pid) but the service status says it is not running is a problem. I'm going to see what the unbound forum says.

https://forums.freebsd.org/threads/48966/

is a thread on local_unbound, though running in a jail. But parts of the thread should be applicable.


----------



## gariac (Jul 26, 2017)

A bit of a follow up here. I haven't solved everything, but have fixed a few things. I installed unbound from ports. That means you should "invoke" (or the appropriate term) unbound instead of local_unbound in rc.conf.

```
unbound_enable="YES"
```

When you build unbound from the port, it includes three other programs.

```
# pwd
/usr/sbin
# ls unbound*
unbound                 unbound-anchor          unbound-checkconf       unbound-control
#
```

Unbound-checkconf is very handy as it does exactly what the name implies. Missing was root.hints.

```
wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/unbound/root.hints
```

Surfing the interwebs, it is suggested that this file gets updated at least every six months. Hence a cron job needs to be set up.

My unbound seems to run fine. I'm still working on getting it to feed DNS to the vpn. However it occurred to me that

```
hostip -r 10.8.0.1 cnn.com
```

may not work on the server. It is designed to work on the openvpn client. This rule does generate some traffic in the firewall, but something else is required.

```
#${fwcmd} add  444 allow log udp from 10.8.0.0/24 to 10.8.0.1 dst-port 53
```
Basically you need to establish a link from the client to the DNS.
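
Added example, not part of the original post: a refresh script for the root hints cron job mentioned above, which checks the downloaded file before it replaces `/var/unbound/root.hints`. The function names, the script path in the crontab comment and the default minimum of 13 servers (root servers A through M) are assumptions of this sketch; the URL and target path are the ones in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the script path in
# the crontab line are hypothetical. /etc/crontab entry, twice a year:
#   0 4 1 1,7 * root /usr/local/sbin/refresh-root-hints.sh run
HINTS=/var/unbound/root.hints                  # path from the post
URL=ftp://FTP.INTERNIC.NET/domain/named.cache  # URL from the post

# Exit 0 only if file $1 names at least $2 (default 13) root servers A..M as
# NS for "." and every one of them has an A or AAAA glue record.
hints_ok() {
    awk '
    NF < 4 || $1 ~ /^;/ { next }               # skip blanks and comments
    $1 == "." && $(NF-1) == "NS" && toupper($NF) ~ /^[A-M]\.ROOT-SERVERS\.NET\.$/ {
        ns[toupper($NF)] = 1
    }
    toupper($1) ~ /^[A-M]\.ROOT-SERVERS\.NET\.$/ && $(NF-1) ~ /^(A|AAAA)$/ {
        glue[toupper($1)] = 1
    }
    END {
        for (n in ns) { count++; if (!(n in glue)) exit 1 }
        exit (count >= min ? 0 : 1)
    }' min="${2:-13}" "$1"
}

# Download to a temp file beside the target and install it only if it validates,
# so an error page or truncated transfer never replaces a working hints file.
refresh_hints() {
    tmp=$(mktemp "$HINTS.XXXXXX") || return 1
    if wget -q "$URL" -O "$tmp" && hints_ok "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$HINTS"   # rename is atomic on one filesystem
    else
        rm -f "$tmp"
        echo "root hints download failed validation; kept existing $HINTS" >&2
        return 1
    fi
}

case "${1:-}" in
    run) refresh_hints ;;
esac
```

Running `unbound-checkconf` after a successful refresh confirms the configuration still loads with the new file.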


----------

