JAW
1
I set up my Pi-Hole with Unbound to use DNS over TLS to connect to Quad9 and Cloudflare per this post on Reddit
DNSleaktest.com variously returns WoodyNet (Quad9) and Cloudflare.
When I # out the Quad9 info in the Unbound config file and try https://1.1.1.1/help, Cloudflare shows as connected, but not over TLS.
Is there an easy way to verify that Unbound is, in fact, connecting over TLS to Quad9 and Cloudflare?
Thanks in advance.
James
jfb
2
My first thought would be to change the verbosity of unbound to 5 and see if it logs the TLS connection to the upstream server.
JAW
3
Thanks, @jfb.
It looks like it's working – this is very verbose:
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: SSL DNS connection ip4 1.1.1.1 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point listen_for_rw 14 1
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point stop listening 14
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point start listening 14
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: Reading ssl tcp query of length 105
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point stop listening 11
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: outnettcp cb
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: measured TCP-time at 224 msec
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: svcd callbacks start
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: worker svcd callback for qstate 0x10abdd8
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: mesh_run: start
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: iterator operate: query pbs.twimg.com. A IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: iterator operate: chased to cs2-wac-us.8315.ecdns.net. A IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: process_response: new external response event
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: scrub for . NS IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: sanitize: removing extraneous answer RRset: cs45.wac.edgecastcdn.net. A IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: response for pbs.twimg.com. A IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: reply from <.> 149.112.112.112#853
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; QUESTION SECTION:
Mar 10 19:05:04 raspberrypi unbound[1101]: cs2-wac-us.8315.ecdns.net.#011IN#011A
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; ANSWER SECTION:
Mar 10 19:05:04 raspberrypi unbound[1101]: cs2-wac-us.8315.ecdns.net.#0113600#011IN#011CNAME#011cs45.wac.edgecastcdn.net.
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; AUTHORITY SECTION:
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; ADDITIONAL SECTION:
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; MSG SIZE rcvd: 78
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: query response was CNAME
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: cname msg ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; QUESTION SECTION:
Mar 10 19:05:04 raspberrypi unbound[1101]: cs2-wac-us.8315.ecdns.net.#011IN#011A
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; ANSWER SECTION:
Mar 10 19:05:04 raspberrypi unbound[1101]: cs2-wac-us.8315.ecdns.net.#0113600#011IN#011CNAME#011cs45.wac.edgecastcdn.net.
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; AUTHORITY SECTION:
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; ADDITIONAL SECTION:
Mar 10 19:05:04 raspberrypi unbound[1101]: ;; MSG SIZE rcvd: 78
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: cleared outbound list for query restart
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: iter_handle processing q with state INIT REQUEST STATE
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: resolving pbs.twimg.com. A IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: request has dependency depth of 0
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: forwarding request
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: iter_handle processing q with state QUERY TARGETS STATE
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: processQueryTargets: pbs.twimg.com. A IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: DelegationPoint<.>: 0 names (0 missing), 4 addrs (0 result, 4 avail) parentNS
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: ip4 1.0.0.1 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: ip4 1.1.1.1 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: ip4 149.112.112.112 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: ip4 9.9.9.9 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: attempt to get extra 3 targets
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: servselect ip4 9.9.9.9 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: rtt=814
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: servselect ip4 149.112.112.112 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: rtt=833
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: rtt=331
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: servselect ip4 1.0.0.1 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: rtt=408
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: selrtt 331
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: sending query: cs45.wac.edgecastcdn.net. A IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: sending to target: <.> 1.1.1.1#853
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: dnssec status: not expected
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point start listening 12
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: mesh_run: iterator module exit state is module_wait_reply
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: mesh_run: end 3 recursion states (2 with reply, 0 detached), 2 waiting replies, 18 recursion replies sent, 0 replies dropped, 0 states jostled out
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: average recursion processing time 0.238582 sec
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: histogram of recursion processing times
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: [25%]=5e-07 median[50%]=1e-06 [75%]=0.643216
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: lower(secs) upper(secs) recursions
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: 0.000000 0.000001 9
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: 0.131072 0.262144 2
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: 0.262144 0.524288 1
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: 0.524288 1.000000 6
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: 0vRDCD mod1 io. DNSKEY IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: 1RDd mod1 rep pbs.twimg.com. A IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: 2RDdc mod0 rep firewalla.encipher.io. A IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: cache memory msg=35716 rrset=42805 infra=2236 val=36817
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: svcd callbacks end
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: close fd 11
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point listen_for_rw 12 0
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: SSL DNS connection ip4 1.1.1.1 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point listen_for_rw 12 1
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point stop listening 12
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point start listening 12
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: Reading ssl tcp query of length 1404
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: comm point stop listening 14
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: outnettcp cb
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: measured TCP-time at 101 msec
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: svcd callbacks start
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: worker svcd callback for qstate 0x10a3dc8
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: mesh_run: start
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: iterator operate: query io. DNSKEY IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: process_response: new external response event
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: scrub for . NS IN
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: response for io. DNSKEY IN
Ma
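Added example (not code from JAW, jfb or the Unbound project): a small script that reads Unbound verbosity-5 log lines in the format posted above and summarises, per upstream address, how many "SSL DNS connection" handshakes and how many "sending to target"/"reply from" events on port 853 were seen. It also flags any upstream that is not in the expected set or that was contacted on a port other than 853, which is the plaintext case the question is really trying to rule out. The sample lines are constructed to match the thread's addresses (Quad9 and Cloudflare), plus one deliberately added plaintext line on port 53 so the check has something to catch; EXPECTED_UPSTREAMS is an assumption matching the four forward addresses visible in the log.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines in the format Unbound emits at verbosity 5.
# The last line (8.8.8.8 on port 53) is added on purpose so the check
# demonstrates what a plaintext upstream would look like.
SAMPLE_LOG = """\
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: SSL DNS connection ip4 1.1.1.1 port 853 (len 16)
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: sending to target: <.> 1.1.1.1#853
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] info: reply from <.> 149.112.112.112#853
Mar 10 19:05:04 raspberrypi unbound[1101]: [1552269903] unbound[1101:0] debug: SSL DNS connection ip4 9.9.9.9 port 853 (len 16)
Mar 10 19:05:05 raspberrypi unbound[1101]: [1552269904] unbound[1101:0] info: reply from <.> 8.8.8.8#53
"""

# Assumption: the four forward addresses that appear in the posted log.
EXPECTED_UPSTREAMS = {"9.9.9.9", "149.112.112.112", "1.1.1.1", "1.0.0.1"}

# "debug: SSL DNS connection ip4 1.1.1.1 port 853 (len 16)"
SSL_RE = re.compile(r"debug: SSL DNS connection ip[46] (\S+) port (\d+)")
# "debug: sending to target: <.> 1.1.1.1#853"  /  "info: reply from <.> 149.112.112.112#853"
TARGET_RE = re.compile(r"(?:sending to target:|reply from) <[^>]*> (\S+)#(\d+)")


def summarize(lines):
    """Return {upstream_addr: {"tls_handshakes": n, "port853": n, "other_ports": set()}}."""
    stats = defaultdict(lambda: {"tls_handshakes": 0, "port853": 0, "other_ports": set()})
    for line in lines:
        m = SSL_RE.search(line)
        if m:
            # A TLS session was opened to this address (the line jfb pointed at).
            stats[m.group(1)]["tls_handshakes"] += 1
            continue
        m = TARGET_RE.search(line)
        if m:
            addr, port = m.group(1), int(m.group(2))
            if port == 853:
                stats[addr]["port853"] += 1
            else:
                # Anything not on 853 is, for a DoT-only forwarder, a red flag.
                stats[addr]["other_ports"].add(port)
    return dict(stats)


def findings(stats, expected=EXPECTED_UPSTREAMS):
    """List human-readable problems: unknown upstreams and non-853 traffic."""
    issues = []
    for addr, s in sorted(stats.items()):
        if addr not in expected:
            issues.append(f"unexpected upstream {addr}")
        if s["other_ports"]:
            issues.append(f"{addr} contacted on non-TLS port(s) {sorted(s['other_ports'])}")
    return issues


def report(lines):
    stats = summarize(lines)
    for addr, s in sorted(stats.items()):
        print(f"{addr:>16}  tls_handshakes={s['tls_handshakes']}  "
              f"port853={s['port853']}  other_ports={sorted(s['other_ports'])}")
    for issue in findings(stats):
        print("WARNING:", issue)
    return stats


if __name__ == "__main__":
    # Usage: python3 check_dot.py /var/log/unbound.log   (or no argument for the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report(fh)
    else:
        report(SAMPLE_LOG.splitlines())
```

Two caveats when reading the output: the "SSL DNS connection" line shows that Unbound negotiated TLS with that address, but it does not by itself show that the upstream's certificate was validated; Unbound only does that when `tls-cert-bundle` is set and the `forward-addr` carries an authentication name (for example `9.9.9.9@853#dns.quad9.net`). And because this thread's logs are at verbosity 5, run the script over a short capture window and then turn verbosity back down.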
jfb
4
I'm no unbound expert, but that looks like it established a connection on port 853 to Cloudflare.
JAW
5
I agree.
I ended up with what I was shooting for on Friday – redundant encrypted upstream DNS resolvers.
Thanks for your help, @jfb!
jfb
6
Don't forget to turn down the verbosity, or the unbound log will grow quickly.
system
Closed
7
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.