I have a server which has to get its DNS through TCP via a redsocks transparent proxy. Queries first go to unbound, which is listening on localhost on port 53, and are then either sent to redsocks or to Tor’s DNS server on another system.

Domains do not resolve properly, and for this server that is bad, as it is a mail server. It needs to resolve the MX records for each domain so mail can be sent to it. Tor can’t resolve MX records, so I have unbound sending requests for everything else to redsocks and then to a SOCKS proxy.
The problem is not just unbound but also attempts to reach Google or Rackspace DNS in general. It shows a result and the correct address but also fails with NOTIMP.
    # host google.com 188.8.131.52
    Using domain server:
    Name: 184.108.40.206
    Address: 220.127.116.11#53
    Aliases:

    google.com has address 18.104.22.168
    google.com has IPv6 address 2607:f8b0:4007:808::200e
    Host google.com not found: 4(NOTIMP)
Requests to unbound instead send SERVFAIL…
    # host google.com
    google.com has address 22.214.171.124
    google.com has IPv6 address 2607:f8b0:4007:808::200e
    Host google.com not found: 2(SERVFAIL)
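The `host` command sends three lookups in turn (A, AAAA and MX), so the "not found" line after the two addresses shows which of them failed. To separate the three without guessing, here is an added diagnostic script (not part of the original question) that sends each query type on its own over TCP, the transport the redsocks path needs, and reports the RCODE per type. The function names (`probe`, `query_tcp`, `make_response`) and the server address on the command line are my own; `make_response` builds constructed replies so the parser can be checked offline.

```python
import socket
import struct
import sys

# RCODE names from RFC 1035 / IANA; host prints them as e.g. 4(NOTIMP), 2(SERVFAIL)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
# The three record types the host command asks for, in that order
QTYPES = {"A": 1, "AAAA": 28, "MX": 15}


def build_query(name, qtype, txid=0x1234):
    """Build a minimal DNS query message (RD bit set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    question = qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)
    return header + question


def parse_rcode(response):
    """Return (txid, rcode_name, answer_count) from a DNS response message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return txid, RCODES.get(rcode, str(rcode)), an


def make_response(query, rcode, answer_count=0):
    """Constructed reply for offline testing: copy the question, set QR/RA and the given RCODE."""
    txid, flags, qd, _an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags = ((flags | 0x8080) & 0xFFF0) | (rcode & 0x000F)
    return struct.pack("!HHHHHH", txid, flags, qd, answer_count, ns, ar) + query[12:]


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is a byte stream, not a datagram)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from DNS server")
        buf += chunk
    return buf


def query_tcp(server, name, qtype, port=53, timeout=5.0):
    """Send one query over TCP with the 2-byte length prefix (RFC 1035 4.2.2); return parsed RCODE."""
    msg = build_query(name, qtype)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(msg)) + msg)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return parse_rcode(recv_exact(s, length))


def probe(server, name):
    """Run the same three lookups host does, each separately, and map qtype -> (rcode, answers)."""
    result = {}
    for qtype in QTYPES:
        _txid, rcode, answers = query_tcp(server, name, qtype)
        result[qtype] = (rcode, answers)
    return result


if __name__ == "__main__":
    # Offline demonstration with constructed replies: an MX query answered NOTIMP, an A query SERVFAIL.
    print(parse_rcode(make_response(build_query("example.com", "MX"), 4)))
    print(parse_rcode(make_response(build_query("example.com", "A"), 2)))
    # Live use: python3 dnsprobe.py <resolver-ip> <name>   (resolver-ip is a placeholder you supply)
    if len(sys.argv) == 3:
        for qtype, (rcode, answers) in probe(sys.argv[1], sys.argv[2]).items():
            print(f"{qtype:5s} {rcode:9s} answers={answers}")
```

Run it once against 127.0.0.1 (unbound) and once against the upstream resolver; if only the MX row comes back NOTIMP the address records are fine and it is the MX path through Tor that is failing, whereas SERVFAIL on every type points at the forwarder itself.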
Here is my unbound config…
    server:
        verbosity: 3
        interface: 127.0.0.1
        port: 53
        username: "unbound"
        # Harden the referral path by performing additional queries for
        private-domain: "onion"
        do-not-query-localhost: no
        domain-insecure: "onion"
        local-zone: "onion." nodefault

    python:

    remote-control:

    forward-zone:
        name: "torbox3uiot6wchz.onion"
        forward-addr: 127.0.0.1@55353

    forward-zone:
        name: "qlb2y46sizmxbfrv.onion"
        forward-addr: 127.0.0.1@55353

    forward-zone:
        name: "onion"
        forward-addr: 192.168.47.1@53

    forward-zone:
        name: "."
        forward-addr: 126.96.36.199@53
        forward-addr: 188.8.131.52@53
I am hoping at the very least that unbound’s configuration can be modified to pretend things are working, or something like that.