Solved dnscrypt-proxy2 and local-unbound error on startup

I installed the dnscrypt-proxy2 package and then configured it according to the port creators' recipe:

# pkg install dnscrypt-proxy2

then add into /etc/rc.conf:
Code:
dnscrypt_proxy_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
local_unbound_enable="YES"

Code:
  set skip on lo0
  rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353


[unbound]
Code:
/var/unbound/unbound.conf:
server:
  interface: 127.0.0.1
  do-not-query-localhost: no

/var/unbound/forward.conf:
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5353

I commented out the entries in /etc/resolv.conf with #:
Code:
#nameserver 1.1.1.1
#nameserver 9.9.9.9

And after restarting my computer, the following errors appear during startup:

Code:
Starting local_unbound.
Waiting for nameserver to start...[1566486201] unbound-control[94333:0] warning: control-enable is 'no' in the config file.
[1566486201] unbound-control[94333:0] error: connect: Connection refused for 127.0.0.1 port 8953
.[1566486202] unbound-control[94648:0] warning: control-enable is 'no' in the config file.
[1566486202] unbound-control[94648:0] error: connect: Connection refused for 127.0.0.1 port 8953
.[1566486203] unbound-control[95159:0] warning: control-enable is 'no' in the config file.
[1566486203] unbound-control[95159:0] error: connect: Connection refused for 127.0.0.1 port 8953
.[1566486204] unbound-control[95205:0] warning: control-enable is 'no' in the config file.
[1566486204] unbound-control[95205:0] error: connect: Connection refused for 127.0.0.1 port 8953
.[1566486205] unbound-control[95831:0] warning: control-enable is 'no' in the config file.
[1566486205] unbound-control[95831:0] error: connect: Connection refused for 127.0.0.1 port 8953
giving up

Despite the pop-up error, the programs can connect to the internet, so the connection probably works.

How do I get rid of the above errors during startup?
What did I possibly configure wrongly?
 
Code:
rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
This is never going to work. Firstly, you have a set skip on lo0, so the rule is ignored. Secondly, you cannot redirect packets this way; you cannot "bounce" packets out the same interface they came in on.

Code:
     set skip on <ifspec>
           List interfaces for which packets should not be filtered.  Packets
           passing in or out on such interfaces are passed as if pf was
           disabled, i.e. pf does not process them in any way.  This can be
           useful on loopback and other virtual interfaces, when packet
           filtering is not desired and can have unexpected effects.  For
           example:

                 set skip on lo0
Code:
     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since
     such packets do not actually pass through the external interface.
     Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.

The error:
Code:
[1566486205] unbound-control[95831:0] error: connect: Connection refused for 127.0.0.1 port 8953
Shows a failure to connect to port 8953. What's listening on that port? What should be listening there?
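As an added illustration (not part of SirDice's reply or of the FreeBSD port), here is a small sh/awk check that finds pf rdr rules made dead by a matching set skip on line, the first of the two problems above. The sample pf.conf is constructed from the two rules quoted in the thread plus one assumed rule on em0.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD port): find pf 'rdr' rules
# that can never match because their interface is also listed in 'set skip on'.
# The sample pf.conf is constructed from the two rules quoted in the thread
# plus one assumed em0 rule, so that only the lo0 rule is reported.

# Print every rdr rule bound to an interface that 'set skip on' excludes from pf.
# Usage: pf_skipped_rdr /etc/pf.conf
pf_skipped_rdr() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        # pass 1: collect "set skip on lo0" / "set skip on { lo0 em1 }" interfaces
        FNR == NR {
            if ($0 ~ /^[ \t]*set[ \t]+skip[ \t]+on/) {
                gsub(/[{}]/, " ")
                for (i = 4; i <= NF; i++) skip[$i] = 1
            }
            next
        }
        # pass 2: an rdr rule with "on <if>" naming a skipped interface is dead
        /^[ \t]*rdr[ \t]/ {
            for (i = 1; i <= NF; i++)
                if ($i == "on" && ($(i + 1) in skip)) { print; break }
        }
    ' "$1" "$1"
}

# Constructed sample: the rules from the thread, plus an assumed rule on em0
# (not skipped) to show that only the lo0 rule is flagged.
PF_SAMPLE=$(mktemp)
cat > "$PF_SAMPLE" <<'EOF'
set skip on lo0
rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353
rdr pass on em0 proto tcp from any to port 80 -> 192.168.1.10 port 8080
EOF

pf_skipped_rdr "$PF_SAMPLE"   # prints only the lo0 rule
```

The check only covers the set skip problem; whether a redirect would need to reflect traffic back out the arriving interface still has to be judged from the rule itself.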
 
After installing the dnscrypt-proxy2 package, instructions appeared in the console:

root@freebsd # cat /usr/ports/dns/dnscrypt-proxy2/files/pkg-message.in
[
{ type: install
message: <<EOM
Version 2 of dnscrypt-proxy is written in Go and therefore isn't capable
of dropping privileges after binding to a low port on FreeBSD.

By default, this port's daemon will listen on port 5353 (TCP/UDP) as the
%%USER%% user.

It's possible to bind it and listen on port 53 (TCP/UDP) with mac_portacl(4)
kernel module (network port access control policy). For this add
dnscrypt_proxy_mac_portacl_enable=YES in your rc.conf. The dnscrypt-proxy
startup script will load mac_portacl and add a rule where %%USER%% user will
be able to bind on port 53 (TCP/UDP). This port can be changed by
dnscrypt_proxy_mac_portacl_port variable in your rc.conf. You also need to
change dnscrypt-proxy config file to use port 53.

Below are a few examples on how to redirect local connections from port
5353 to 53.

[ipfw]

ipfw nat 1 config if lo0 reset same_ports \
redirect_port tcp 127.0.0.1:5353 53 \
redirect_port udp 127.0.0.1:5353 53
ipfw add nat 1 ip from any to 127.0.0.1 via lo0

/etc/rc.conf:
firewall_enable="YES"
firewall_nat_enable="YES"

/etc/sysctl.conf:
net.inet.ip.fw.one_pass=0

[pf]

set skip on lo0
rdr pass on lo0 proto { tcp udp } from any to port 53 -> 127.0.0.1 port 5353

/etc/rc.conf:
pf_enable="YES"

[unbound]

/etc/rc.conf:
local_unbound_enable="YES"

/var/unbound/unbound.conf:
server:
interface: 127.0.0.1
do-not-query-localhost: no

/var/unbound/forward.conf:
forward-zone:
name: "."
forward-addr: 127.0.0.1@5353

If you are using local_unbound, DNSSEC is enabled by default. You should
comment the "auto-trust-anchor-file" line or change dnscrypt-proxy to use
servers with DNSSEC support only.
EOM
}
]

I configured dnscrypt-proxy2 according to these instructions; the only thing I changed outside the instructions was /etc/resolv.conf, where I commented out (#) the DNS servers 1.1.1.1 and 9.9.9.9.

Code:
root@freebsd ~ # sockstat -4 |grep 8953
root@freebsd ~ #

and full sockstat
Code:
root@freebsd ~ # sockstat  -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS   
unbound  local-unbo 75367 3  udp4   127.0.0.1:53          *:*
unbound  local-unbo 75367 4  tcp4   127.0.0.1:53          *:*
root@freebsd ~ #
 
Oh, duh....

Code:
Waiting for nameserver to start...[1566486201] unbound-control[94333:0] warning: control-enable is 'no' in the config file.
[1566486201] unbound-control[94333:0] error: connect: Connection refused for 127.0.0.1 port 8953

Code:
       control-port: <port number>
            The port number to listen on for IPv4 or IPv6 control interfaces,
            default is 8953.  If you change this and permissions have been
            dropped, you must restart the server for the change to take
            effect.

Because you appear to have turned off the control by setting control-enable to no, that port 8953 never becomes active and thus the service script (/etc/rc.d/local_unbound) itself is never able to check if the service is started or not.
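As an added check (not part of SirDice's reply or of FreeBSD itself), the following sh/awk function reads an unbound.conf and reports whether the remote-control port that the rc script's unbound-control wait loop depends on would actually be enabled. The defaults it assumes are unbound's documented ones (control-enable no, control-port 8953); the two sample configs are constructed from the poster's /var/unbound/unbound.conf.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD): check whether an unbound.conf
# leaves the remote-control port usable, which is what /etc/rc.d/local_unbound's
# unbound-control wait loop needs. Assumed defaults are unbound's documented
# ones: control-enable no, control-port 8953. The sample configs below are
# constructed from the poster's /var/unbound/unbound.conf.

# Print "control-enable=<yes|no> control-port=<n>" for an unbound.conf.
# Exit 0 when unbound-control could connect, 1 when the wait loop would give up.
unbound_control_check() {
    awk '
        BEGIN { enable = "no"; port = 8953 }
        { sub(/#.*/, "") }                                    # drop comments
        /^[ \t]*[a-z-]+:[ \t]*$/ { clause = $1; next }        # "server:", "remote-control:"
        clause == "remote-control:" && $1 == "control-enable:" { enable = $2 }
        clause == "remote-control:" && $1 == "control-port:"   { port = $2 }
        END {
            printf "control-enable=%s control-port=%s\n", enable, port
            exit ((enable == "yes") ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample 1: the poster's config, which has no remote-control clause,
# so control-enable falls back to its default of no.
OP_CONF=$(mktemp)
cat > "$OP_CONF" <<'EOF'
server:
  interface: 127.0.0.1
  do-not-query-localhost: no
EOF

# Constructed sample 2: the same config with remote control switched on, bound
# to loopback only so the control port is not reachable from the network.
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
server:
  interface: 127.0.0.1
  do-not-query-localhost: no
remote-control:
  control-enable: yes
  control-interface: 127.0.0.1
  control-port: 8953
EOF

unbound_control_check "$OP_CONF" || echo "local_unbound would wait and then give up"
unbound_control_check "$FIXED_CONF"
```

The function reads only the file it is given and does not follow include: lines, so on a local_unbound setup that keeps its remote-control clause in an included file, pass that file instead.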
 
I've solved my problem myself
Code:
pkg install  dnscrypt-proxy2

then compile unbound from ports

/usr/ports/dns/unbound should be compiled with option DNSCRYPT=on

next add to the file /usr/local/etc/unbound/unbound.conf:
Code:
server:
  do-not-query-localhost: no

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@5353

then enable the unbound and dnscrypt-proxy2 services in /etc/rc.conf and start them from the terminal:
Code:
sysrc dnscrypt_proxy_enable="YES"
sysrc  unbound_enable="YES"
service dnscrypt_proxy onestart
service  unbound onestart

checking if the service works:
Code:
root@freebsd / # sockstat -4 |grep 5353
_dnscrypt-proxy dnscrypt-p93100 5 udp4 127.0.0.1:5353 *:*
_dnscrypt-proxy dnscrypt-p93100 6 tcp4 127.0.0.1:5353 *:*
root@freebsd /#

Now run tcpdump on the interface to sniff the udp/53 and tcp/443 ports ....

Code:
# tcpdump -i network_interface udp port 53

now everything is working,
that's all.
]:>
 