# How to make local_unbound use DNS over the Tor network, whose traffic is encrypted



## StephanieJones (May 17, 2022)

By following these instructions it is possible to route DNS for a FreeBSD computer, or for the internal network behind it, through the Tor network: queries are encrypted between this machine and the Tor exit that resolves them on its behalf, so the local ISP sees neither the names nor the answers (the exit's own resolver still does). local_unbound additionally caches answers on the local machine, so repeated lookups do not leave the host at all, which is a further privacy benefit.

*What is needed:*
A FreeBSD computer with local_unbound. It is part of the base system, so it does not need to be installed.
The tor package.

First, we install the tor package:

```
pkg install tor
```

Tor's transparent proxy (TransPort) has to look up the original destination of redirected connections in pf's state table, so after installing the package the _tor group must be allowed to open /dev/pf. Without this the transparent proxy will not work (the DNSPort, which is all that unbound needs later, does not require it).
For this purpose, paste the following at the end of /etc/devfs.conf:

```
# Allow members of group _tor to use the packet filter
own /dev/pf root:_tor
perm /dev/pf 0660
```

Now that Tor is installed, prepare it to be started at boot. In /etc/rc.conf
add the following entry, but do not start the service yet.


```
...
tor_enable="YES"
...
```

With the permissions granted and the rc.conf entry in place, we can configure the Tor client to work as a transparent proxy. Since we are advanced users, we delete the shipped torrc.

```
rm /usr/local/etc/tor/torrc
```

Paste the following configuration in its place.
I use ee, so

```
ee /usr/local/etc/tor/torrc
```

and paste:

```
SOCKSPort 0
TransPort 9050
DNSPort 9053
UseEntryGuards 1
GuardLifetime 1
```

Save the changes with Esc > leave editor > save changes.
The file permissions can stay at their defaults; there is no need to change them.

What each option does:
_SOCKSPort 0_ - disables the SOCKS port, which is what applications such as a browser use when they are pointed at Tor explicitly. It needs no packet-filter permissions.

_TransPort 9050_ - transparent proxy: programs do not know they are using a proxy. Traffic only reaches this port through a pf rdr rule, and looking up the original destination of such connections is what needs the /dev/pf permissions granted above. The DNS forwarding below does not use this port at all.

_DNSPort 9053_ - a plain DNS listener whose lookups go through Tor. It answers only A, AAAA and PTR queries; any other record type (MX, TXT, SRV, ...) is refused with NOTIMP, so a resolver that forwards everything here cannot resolve those.

_UseEntryGuards 1_ - if this option is set to 1, we pick a few long-term entry servers and try to stick with them. This is desirable because constantly changing servers increases the odds that an adversary who owns some servers will observe a fraction of your paths.

_GuardLifetime 1_ - should change the first server that Tor connects to every day. I don't know if it works, I got it from somewhere, it's not in the manual.



> **GuardLifetime** *N* **days**|**weeks**|**months**::
> If nonzero, and UseEntryGuards is set, minimum time to keep a guard before
> picking a new one. If zero, we use the GuardLifetime parameter from the
> consensus directory. No value here may be less than 2 months or greater
> ...

So the manual does document the option, and a bare value of 1 (no unit) is far below the minimum it allows, which means the line above will not rotate the guard daily.


I'm gonna stop here for a second.
The rc script starts one Tor instance by default, but it can start several. If someone needs it very badly, and I always need it very badly, it can be configured.
The scheme for running more than one instance is as follows:
in /etc/rc.conf list the names of the extra instances, separated by spaces, in tor_instances (the main instance stays unnamed).

```
...
tor_enable="YES"
# extra instances; each name <n> reads /usr/local/etc/tor/torrc@<n>
tor_instances="2 3 4 5 6 7 8 9"
...
```

The main instance uses torrc and counts as the first, so the additional ones are numbered from two.
Their configuration files live in the same directory as the main one, with @2 @3 @4 ... @9 appended. Just remember to change the port numbers in each further instance. For example, my /usr/local/etc/tor/torrc@2 has the following entries.

```
SOCKSPort 0
TransPort 9150
DNSPort 9153
UseEntryGuards 1
GuardLifetime 1
```

No edit of the daemon's rc script is needed for the instances @3 @4 ... @9. The relevant part of
/usr/local/etc/rc.d/tor
is the following

```
...
if [ -z "${instance}" -a -n "${tor_instances}" ]; then
  inst_only="$2"
  inst_done=0
...
```

It loops over every name listed in tor_instances. `inst_only="$2"` only picks up an optional instance name given on the command line, so `service tor start 2` starts instance @2 alone, while a plain `service tor start` starts all of them. Editing this file would in any case be undone by the next upgrade of the package.

With Tor configured to work as a transparent proxy, proceed to configure local_unbound and pair it with Tor. In the file

/var/unbound/unbound.conf

add and customize the following entries. If that file was generated by local-unbound-setup(8), it also includes /var/unbound/forward.conf; check that this file does not carry its own forward-zone for "." pointing at other resolvers (the ones taken from /etc/resolv.conf), otherwise Tor will not be the forwarder.


```
server:
        # listen on the loopback (for this host) and on the LAN interfaces
        interface: 127.0.0.1
        interface: igb0
        interface: wlan0
        access-control: 127.0.0.1 allow
        access-control: 10.1.1.0/24 allow
        access-control: 10.1.2.0/24 allow
        # unbound refuses to forward to 127.0.0.0/8 unless this is "no",
        # so without it the Tor DNSPort below is never used
        do-not-query-localhost: no

forward-zone:
        # "." forwards every query; a narrower name (e.g. "Router") would
        # forward only that zone and resolve everything else directly
        name: "."
        forward-addr: 127.0.0.1@9053
        # "yes" would let unbound resolve on its own when the forwarder
        # fails, sending queries outside Tor; "no" keeps them Tor-only
        forward-first: no

remote-control:
        control-enable: yes
        control-use-cert: no
        control-interface: 127.0.0.1
```

_server: -_ server configuration.
_interface: 127.0.0.1 / igb0 / wlan0 -_ addresses to listen on. The loopback entry is what makes `nameserver 127.0.0.1` on this host work; each further interface goes in its own entry.
_access-control: 127.0.0.1 allow -_ permit access from the given address or network.
_access-control: 10.1.1.0/24 allow -_ one entry per network, so the wlan0 subnet 10.1.2.0/24 from the DHCP configuration below needs its own line.
_do-not-query-localhost: no -_ unbound refuses to send queries to 127.0.0.0/8 by default; without this line the Tor forwarder is silently never used.

_forward-zone: -_ where queries are sent instead of being resolved directly.
_name: "." -_ the zone to forward; "." covers every name. A more specific name (such as "Router") would forward only names under that zone and let everything else be resolved directly, outside Tor.
_forward-addr: 127.0.0.1@9053 -_ DNS server address and port, here Tor's DNSPort. Another address goes in a separate entry.
_forward-first: no -_ do not fall back to resolving directly when the forwarder fails; "yes" would let queries bypass Tor whenever Tor is slow or down.
To start the unbound server at boot, add an entry to /etc/rc.conf:

```
local_unbound_enable="YES"
```

But that's not all. Because a library the program needs is loaded later than unbound at system startup, it does not start.
Even though there is an entry in /etc/rc.conf, it is possible and in practice necessary to use /etc/crontab. For this a small shell script is needed. It can be made anywhere; I made it in the root directory.
So we make a new file

```
ee /root/local_unbound.sh
```

In this file, paste the following


```
#!/bin/sh
# (re)start local_unbound once the system is fully up; run from /etc/crontab at boot
service local_unbound start
```

Make it executable:

```
chmod +x /root/local_unbound.sh
```

Then add an entry at the end of the /etc/crontab file

```
@reboot root /bin/sh /root/local_unbound.sh
```

There are two ways to take advantage of the result. To use it locally, on the computer you are working on, add to /etc/resolv.conf:


```
nameserver 127.0.0.1
options edns0
```

If the uplink gets its address by DHCP, dhclient will rewrite /etc/resolv.conf through resolvconf(8) and drop this entry; add `name_servers=127.0.0.1` to /etc/resolvconf.conf to keep it.
But if someone wants to use it on the server itself, as I do, this should not be done, because of the Samba problems it causes.
The second way is to redirect the LAN's DNS to local_unbound. For this, leave some other DNS address in /etc/resolv.conf and hand the gateway address to the clients via DHCP. The DHCP server used here is ISC's dhcpd. Install it and add the interfaces it should serve:


```
pkg install isc-dhcp44-server
```

/etc/rc.conf


```
dhcpd_enable="YES"
dhcpd_ifaces="igb0 wlan0"
```

Configure it according to our needs in
/usr/local/etc/dhcpd.conf


```
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;

subnet 10.1.1.0 netmask 255.255.255.0 {
        option domain-name "router";
        option domain-name-servers 10.1.1.1;
        range 10.1.1.2 10.1.1.200;
        option routers 10.1.1.1;
}

subnet 10.1.2.0 netmask 255.255.255.0 {
        option domain-name "router";
        option domain-name-servers 10.1.2.1;
        range 10.1.2.2 10.1.2.200;
        option routers 10.1.2.1;
}
```

Here option domain-name-servers is the gateway address of each subnet, which is where unbound listens. unbound must therefore listen on the wlan0 interface as well and allow 10.1.2.0/24 in its access-control, or the wireless clients will be refused.

Set up NAT in /etc/pf.conf


```
ext_if="re0"
int_if="igb0"
wifi="wlan0"

set skip on lo
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
```

Ports 9001 and 9030 tcp are a relay's ORPort and DirPort; a client-only Tor like this one makes outgoing connections only and needs no inbound ports opened on the external interface.
The loopback is completely unlocked at my place, so I don't want to check it now, but there was something important there.
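A fuller pf.conf for this gateway, added here as an example and not the author's file: besides the NAT it redirects DNS from LAN clients that ignore the DHCP-supplied resolver (hard-coded 8.8.8.8 and the like) to unbound, so every lookup from the LAN still goes through unbound and Tor. It assumes the interface names and the 10.1.1.0/24 and 10.1.2.0/24 subnets from the dhcpd.conf above, and unbound listening on the gateway addresses 10.1.1.1 and 10.1.2.1. No rule for the TransPort is included, since the DNS setup does not need it.

```pf
ext_if="re0"
int_if="igb0"
wifi="wlan0"
lan_nets="{ 10.1.1.0/24, 10.1.2.0/24 }"   # assumed: the dhcpd subnets above

set skip on lo

# masquerade everything that leaves the uplink
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

# LAN clients that query some outside resolver directly are redirected to
# unbound on the gateway address of their own subnet (assumed 10.1.1.1 / 10.1.2.1)
rdr pass on $int_if inet proto { tcp, udp } from 10.1.1.0/24 to ! 10.1.1.1 port 53 -> 10.1.1.1 port 53
rdr pass on $wifi   inet proto { tcp, udp } from 10.1.2.0/24 to ! 10.1.2.1 port 53 -> 10.1.2.1 port 53

# default deny on the uplink: a Tor client needs no inbound ports there
block in on $ext_if
# the LAN may talk to the gateway and out; state entries handle the replies
pass in on { $int_if $wifi } inet from $lan_nets
pass out all
```

Load it with `pfctl -f /etc/pf.conf` and confirm the redirect with `pfctl -s nat`; a client running `host freebsd.org 8.8.8.8` should then still get its answer from unbound.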

If anyone has any useful commands for checking what sites are stored in local_unbound please feel free to comment. If anyone knows how to set the storage time for saved pages, also please comment.

If everything is ok, the IP/DNS Detect page at ipleak.net (what is your IP, what is your DNS, check your torrent IP, what information you send to websites) should show our queries being answered by a resolver that is neither our ISP's nor our own public address.
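A local check that does not depend on an outside website, added here as an example and not part of the original post: a small Python script that sends raw DNS queries to unbound and to Tor's DNSPort and parses the replies. It uses a property of the DNSPort: it resolves only A, AAAA and PTR records and answers NOTIMP to anything else, so if unbound returns a real MX answer, that answer cannot have come from Tor (typically because of forward-first: yes, do-not-query-localhost left at its default, or a forward-zone that does not cover "."). It assumes unbound on 127.0.0.1:53 (or the address given as second argument) and Tor's DNSPort on 127.0.0.1:9053 as configured above; freebsd.org is only a sample name.

```python
#!/usr/bin/env python3
"""Added example: query unbound and Tor's DNSPort directly and tell whether
unbound's answers can have come from Tor. Assumes unbound on 127.0.0.1:53
and Tor's DNSPort on 127.0.0.1:9053 (both from the configuration above)."""
import socket
import struct
import sys

QTYPE = {"A": 1, "MX": 15, "AAAA": 28}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234  # fixed id: only one query is ever in flight


def build_query(name, qtype="A"):
    """Wire-format DNS query (RFC 1035) with the RD bit set and no EDNS."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def _skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(pkt):
    """Return (txid, rcode name, answer count, list of A addresses)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = RCODE.get(flags & 0x000F, str(flags & 0x000F))
    off = 12
    for _ in range(qd):                   # skip the echoed question section
        off = _skip_name(pkt, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:     # A record: collect the address
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return txid, rcode, an, addrs


def resolve(name, qtype, server, port, timeout=15.0):
    """Send one UDP query and return (rcode, answer count, A addresses)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)             # Tor circuits are slow; be patient
        s.sendto(build_query(name, qtype), (server, port))
        data, _ = s.recvfrom(4096)
    txid, rcode, an, addrs = parse_response(data)
    if txid != TXID:
        raise ValueError("reply id mismatch")
    return rcode, an, addrs


def verdict(unbound_mx, tor_mx):
    """Compare MX results, each an (rcode, answer count, addrs) tuple.
    Tor's DNSPort cannot answer MX, so a real MX answer from unbound
    means unbound resolved that name on its own, outside Tor."""
    if tor_mx[0] != "NOTIMP":
        return "unexpected: Tor's DNSPort answered MX with " + tor_mx[0]
    if unbound_mx[0] == "NOERROR" and unbound_mx[1] > 0:
        return "LEAK: unbound resolved MX itself, not through Tor"
    return "ok: unbound could not resolve MX, consistent with Tor-only forwarding"


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "freebsd.org"      # sample name
    unbound = sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"     # assumed address
    results = {}
    for label, server, port in (("unbound", unbound, 53), ("tor", "127.0.0.1", 9053)):
        for qtype in ("A", "MX"):
            try:
                results[label, qtype] = resolve(name, qtype, server, port)
            except OSError:               # timeout, refused, no listener
                results[label, qtype] = ("ERROR", 0, [])
            rcode, _an, addrs = results[label, qtype]
            print(f"{label:8} {qtype:3} {rcode:9} " + " ".join(addrs))
    print(verdict(results["unbound", "MX"], results["tor", "MX"]))
```

Run it on the gateway while Tor is up: the A lookups should succeed on both listeners, Tor should report NOTIMP for MX, and unbound should fail the MX lookup too. A NOERROR MX answer from unbound is the leak signature. To see what unbound has cached, `local-unbound-control dump_cache` works with the remote-control section above, and `cache-max-ttl` in the server section bounds how long answers are kept.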
				






*External links:*
https://www.youtube.com/watch?v=1OkpvQsdm24
https://unixcop.com/how-to-install-dhcp-server-on-freebsd
https://wiki.archlinux.org/title/Unbound
Personal work.


----------

