Unbound DoH port 443, Port to forward DoH traffic to SSH tunneling and SOCKS

[NoRainfallDuckDog]

This is about previous closed post #1216

I was using Google to search and the results stated previously were from Generative AI.

I would say this issue is not really a bug or a problem. It is more of an inquiry into how any attributes can be added to unbound.conf to forward the DoH traffic through SSH tunneling. I didn't see a discussion forum to post inquiries.

There is a reply from here https://superuser.com/questions/1811267/does-dns-over-https-hide-domain-name-of-websites-from-packet-analyzers about VPN. I would prefer not to use a commercial VPN to hide and mask my traffic. Creating SSH tunneling and SOCKS is actually creating one's own VPN. The SOCKS settings are on the Librewolf side, the SSH tunneling is to forward the traffic to the Virtual Machine.

So when I use dnscheck.tools and dnsleaktest.com to check for my ISP IP, it should say the Virtual Machine's IP and not my ISP IP.

This could be an issue out of scope as to what Unbound is offering to users, but I installed Unbound on my PC running Linux Mint 22 and now wanting to see how unbound.conf could be configured to forward the DoH traffic through SSH tunneling to the Virtual Machine.

The below stated previously from Google Generative AI seems to be similar to forwarding the Unbound DoH traffic through the SSH tunneling and SOCKS:

To direct Unbound DNS-over-HTTPS (DoH) traffic through an SSH tunneling port, configure your system to use a SOCKS proxy on the SSH tunnel's local port, then set Unbound to use that SOCKS proxy for outbound DoH connections by specifying it in the "proxy-out" option within your Unbound configuration file; essentially, all DoH requests will be routed through the SSH tunnel.

Key steps:
Establish SSH Tunnel with SOCKS Proxy:
• Open an SSH connection to your remote server using the -D flag to enable dynamic port forwarding.
• Example command: ssh -D 8888 user@server
• This creates a SOCKS proxy accessible on port 8888 on your local machine.

Configure Unbound:
• Edit your Unbound configuration file (usually located at /etc/unbound/unbound.conf)
• Add the following line under the "interface:" section to specify the SOCKS proxy => proxy-out: 127.0.0.1:8888;socks
• Important: Ensure your firewall rules allow outbound traffic on port 8888.
• Restart Unbound:
• Restart the Unbound service to apply the changes.

There are 2 ports Unbound uses; they are ports 53 (HTTP) and 443 (DoH-HTTPS).

Using port 443 to SSH could interfere with regular HTTPS traffic on the same port; it's generally better to use a separate port for SSH tunneling. This is something also from Google Generative AI :).

I was asking about what port number to use, but I guess any HTTPS port could be tested. Would you happen to know what port would be for this and what would you suggest about this inquiry?

Since you have experience with Unbound and thorough knowledge of the attributes, what other attributes would be required besides this one, "https-port: ", to forward traffic to SSH tunneling?

Thanks for taking the time out of your busy schedule to read and reply to my inquiries :)!

[wcawijngaards]

If you are looking for discussion, there is a user mailing list for having conversation. It is on https://nlnetlabs.nl/projects/unbound/about/ at the 'Mailing List' link. That links to https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users . That is a place for user conversation.

Unbound does not have the option 'proxy-out'. Also not outgoing DoH traffic. That would also not be needed because it goes to the VM via a SSH connection.

Useful to configure is the option tcp-upstream: yes. This sets unbound to make all queries over TCP. This is good because it can then at least in theory move over the SSH connection, since that is a stream socket. Most authoritatives support TCP, but not all, so it would likely work for the most queries. Only a very small, fractional percentage has a problem with TCP lookups.

To direct the upstream traffic from Unbound to a particular traffic route, the line outgoing-interface: 127.0.0.3 could be used. That makes unbound bind to that ip address before sending upstream traffic. Then it would need route configuration or firewall configuration to move the connection with this source address through the ssh tunnel on the port 8888 that has been created. I guess possibly by creating an interface with that IP address. Unbound does not itself have the option to move the traffic to the port 8888 as proxy traffic.

It may be possible to set unbound to use a forward-zone, with one forward-addr, to a port on the VM. Then it could be set to use dns over tls. Then on the VM make another unbound, this is going to accept the dns over tls traffic from the first unbound, and that is then going to make DNS resolution, like normal, from the VM, and send the results back on the dns over tls connection. Could also set the forward address to local port 8888, but that is not proxy traffic, it would need to be set to have the SSH tunnel connect that to a port on the VM, if it can do that, where the unbound on the VM resolves queries, with like tcp-upstream: yes on the local unbound to make that traffic TCP.

Unbound can support DoH traffic on any port number you want to configure. Also for DNS TCP traffic, that can be on any port number you like.