There are some caveats here, but the scope of those is beyond the point of this writing.
First, you'll need to install dnscrypt-proxy. If you don't have PKG_PATH defined, you can simply pull it directly like this:
pkg_add -v http://ftp.openbsd.org/pub/OpenBSD/`uname -r`/packages/`uname -m`/dnscrypt-proxy
If you find you want the latest version of dnscrypt-proxy (1.9.4 as of this writing), follow this script:
# groupadd -g 688 _dnscrypt-proxy
# useradd -g _dnscrypt-proxy -s /sbin/nologin -u 688 -d /var/empty -c "dnscrypt-proxy user" -L daemon _dnscrypt-proxy
# cd /tmp
# ftp https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-proxy-1.9.4.tar.gz
# tar -zxvpf dnscrypt-proxy-1.9.4.tar.gz
# cd dnscrypt-proxy-1.9.4
# ./configure
# make
# make install
Next, start dnscrypt-proxy as user _dnscrypt-proxy (automatically added via pkg installation or script above) with the following command:
/usr/local/sbin/dnscrypt-proxy -l /var/log/dnscrypt-proxy.log -u _dnscrypt-proxy -d -a 127.0.0.1:54 -R adamas
This will allow us to monitor /var/log/dnscrypt-proxy.log for errors during the testing sequences. Once any errors have been located and resolved, you can switch the -l to /dev/null. Personally, I prefer to keep a log file, but that's your decision to make.
Now edit the default unbound configuration at /var/unbound/etc/unbound.conf. You'll obviously need to change the local interface IP if you plan to allow the rest of your network to access it. Mine is 172.16.18.1/24.
server:
    interface: 172.16.18.1
    interface: 127.0.0.1
    access-control: 172.16.18.0/24 allow
    do-not-query-localhost: no
    hide-identity: yes
    hide-version: yes
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@54
Edit your /etc/resolv.conf to point to 127.0.0.1, then start unbound (/etc/rc.d/unbound -f).
To test, I use tcpdump to examine outbound packets on port 5678 (you'll need to examine the line in the CSV file mentioned above to find the correct port). If you make a DNS request and see traffic on that port to the server listed in /var/log/dnscrypt-proxy.log, you're probably set (as long as the request returns a valid lookup, naturally!).
[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Initializing libsodium for optimal performance
[INFO] Generating a new key pair
[INFO] Done
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[INFO] Chosen certificate #808464433 is valid from [2014-10-32] to [2015-10-32]
[INFO] Server key fingerprint is 5499:C1EE:97DD:889A:AD9E:C59B:80BD:365A:B38D:B125:25B5:5896:9CE0:5881:7792:8237
[NOTICE] Proxying from 127.0.0.1:54 to 80.90.43.162:5678
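The port to watch can be read from the log itself rather than copied by hand. The following is an added example, not part of the original post: it takes the upstream from the last "Proxying from" line of the most recent run, only if a valid certificate was logged first, and prints the matching tcpdump filter. The function names and the em0 interface are assumptions, and only IPv4 upstreams are handled.

```sh
#!/bin/sh
# Added example (not from the original post): build the tcpdump filter for
# the encrypted upstream from dnscrypt-proxy's log.

# Log lines copied from the post's own sample output.
sample_log() {
cat <<'EOF'
[NOTICE] Starting dnscrypt-proxy 1.4.3
[INFO] Generating a new key pair
[INFO] Server certificate #808464433 received
[INFO] This certificate looks valid
[NOTICE] Proxying from 127.0.0.1:54 to 80.90.43.162:5678
EOF
}

# Read a dnscrypt-proxy log on stdin and print "ip port" for the upstream of
# the most recent run. Prints nothing and returns 1 when that run never
# logged a valid certificate or never reached the "Proxying" line.
upstream_from_log() {
    awk '
        # A new "Starting" line means a restart: forget the previous run.
        /\[NOTICE\] Starting dnscrypt-proxy/ { cert_ok = 0; ip = ""; port = "" }
        /\[INFO\] This certificate looks valid/ { cert_ok = 1 }
        /\[NOTICE\] Proxying from .* to / {
            # Last field is the upstream, e.g. 80.90.43.162:5678
            if (cert_ok && split($NF, hp, ":") == 2) { ip = hp[1]; port = hp[2] }
        }
        END { if (ip == "") exit 1; print ip, port }'
}

# Turn the upstream into a pcap filter expression for tcpdump.
tcpdump_filter() {
    up=$(upstream_from_log) || return 1
    ip=${up% *}
    port=${up#* }
    printf 'host %s and port %s\n' "$ip" "$port"
}

# On the firewall (em0 is an assumed interface name):
#   tcpdump -n -i em0 "$(tcpdump_filter < /var/log/dnscrypt-proxy.log)"
sample_log | tcpdump_filter
```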
You can also monitor /var/log/messages to ensure that unbound started, or at least isn't complaining about one or more of your configuration directives.
To prevent all other outbound DNS queries, a few PF rules might not hurt, but that is, once again, beyond the scope of this unilaterally-focused discussion.
For those who want to round-robin amongst a group of encrypted DNS transports, this is what I've found works well:
Start 6 instances of dnscrypt-proxy, each on lo0 with a unique port:
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:54 -R adamas
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:55 -R opendns
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:56 -R cypherpunk
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:57 -R dnscrypt.org-fr
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:58 -R okturtles
/usr/local/sbin/dnscrypt-proxy -l /dev/null -u _dnscrypt-proxy -d -a 127.0.0.1:59 -R opennic-ca-ns3
Then modify your /var/unbound/etc/unbound.conf and list all 6 as forward-addr entries under the forward-zone you previously configured:
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@54
    forward-addr: 127.0.0.1@55
    forward-addr: 127.0.0.1@56
    forward-addr: 127.0.0.1@57
    forward-addr: 127.0.0.1@58
    forward-addr: 127.0.0.1@59
/etc/rc.d/unbound -f reload
To confirm, you can tcpdump on ports 443 and 5678 to see which servers are getting distributed hits. This should offer a level of redundancy/reliability to the process, as long as unbound remains running.
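With several forwarders behind unbound, a dnscrypt-proxy instance that has died is not obvious from the client side. The following is an added example, not part of the original post: it reads the forward-addr entries of the "." forward-zone out of unbound.conf and queries each listener directly with dig. The function names and the second zone in the sample are assumptions, and the parser expects name: to appear before the forward-addr lines, as in the post.

```sh
#!/bin/sh
# Added example (not from the original post): find the local dnscrypt-proxy
# listeners that unbound forwards to and probe each one directly.

# Constructed unbound.conf: the six forwarders from the post plus a second,
# made-up forward-zone that must not be reported.
sample_conf() {
cat <<'EOF'
server:
    interface: 127.0.0.1
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@54   # adamas
    forward-addr: 127.0.0.1@55
    forward-addr: 127.0.0.1@56
    forward-addr: 127.0.0.1@57
    forward-addr: 127.0.0.1@58
    forward-addr: 127.0.0.1@59
forward-zone:
    name: "lan.example"
    forward-addr: 192.0.2.53
EOF
}

# Read unbound.conf on stdin; print "addr port" for every forward-addr in
# the "." forward-zone. A forward-addr without @port means port 53.
forwarders() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        # A lone "keyword:" starts a new clause (server:, forward-zone:, ...)
        NF == 1 && $1 ~ /:$/ { in_zone = ($1 == "forward-zone:"); root = 0; next }
        in_zone && $1 == "name:" { gsub(/"/, "", $2); root = ($2 == "."); next }
        in_zone && root && $1 == "forward-addr:" {
            n = split($2, a, "@")
            print a[1], (n > 1 ? a[2] : 53)
        }'
}

# Ask one forwarder directly, bypassing unbound. Succeeds only on NOERROR.
probe() {   # probe ADDR PORT
    dig @"$1" -p "$2" +time=3 +tries=1 . SOA < /dev/null | grep -q 'status: NOERROR'
}

# Probe every forwarder in the given config; non-zero exit if any is dead.
check_forwarders() {   # check_forwarders /var/unbound/etc/unbound.conf
    forwarders < "$1" | (
        rc=0
        while read -r addr port; do
            if probe "$addr" "$port"; then
                echo "ok   $addr@$port"
            else
                echo "DEAD $addr@$port"
                rc=1
            fi
        done
        exit $rc
    )
}

# Offline demonstration of the parser on the constructed config.
sample_conf | forwarders
```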
Enjoy!
Continued... Since I got a few (ha!) replies to this shortly after posting the previous information, I thought I'd go ahead and wrap up a DNSSEC unbound config while I'm at it.
You'll first need to run /usr/sbin/unbound-anchor. I do it as follows; the key file location (/var/unbound/db/root.key below) MUST be writable by the _unbound user:
# sudo -u _unbound /usr/sbin/unbound-anchor -vvvv -F
/var/unbound/db/root.key does not exist
debug cert update forced
last successful probe: Fri May 8 21:43:42 2015
the last successful probe is recent
/var/unbound/etc/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
trusted certificates (0/1)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 04:19:12 2009 GMT
Not After : Dec 18 04:19:12 2029 GMT
Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
Signature Algorithm: sha256WithRSAEncryption
resolved server address 72.21.81.189
resolved server address 2606:2800:11f:bb5:f27:227f:1bbf:a0e
connect to 2606:2800:11f:bb5:f27:227f:1bbf:a0e
connect: No route to host
connect to 72.21.81.189
server SSL certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:e1:04:33:b3:bb:e4:3e:9b:d1:5c:07:6e:15:ea:9f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
Validity
Not Before: Oct 22 12:00:01 2013 GMT
Not After : Dec 8 12:00:00 2015 GMT
Subject: C=US, ST=California, L=Santa Monica, O=EdgeCast Networks, Inc., CN=s2.wpc.edgecastcdn.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Subject Key Identifier:
14:BB:9C:34:3C:67:7A:C5:CE:23:24:9B:86:D6:98:4A:82:C0:56:51
X509v3 Subject Alternative Name:
DNS:s2.wpc.edgecastcdn.net, DNS:data.iana.org, DNS:videos.grovo.com, DNS:portal.netoptimize.telekom.net
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/sha2-ha-server-g4.crl
Full Name:
URI:http://crl4.digicert.com/sha2-ha-server-g4.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
SSL_write: GET /root-anchors/root-anchors.xml HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.5.2
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Accept-Ranges: bytes'
header: 'Cache-Control: max-age=604800'
header: 'Content-Type: text/xml'
header: 'Date: Sat, 09 May 2015 02:43:43 GMT'
header: 'Etag: "64192-1a2-512c93b68be80"'
header: 'Expires: Sat, 16 May 2015 02:43:43 GMT'
header: 'Last-Modified: Fri, 03 Apr 2015 03:06:18 GMT'
header: 'Server: ECAcc (dfw/562B)'
header: 'X-Cache: HIT'
header: 'Content-Length: 418'
at 0/418
read 418 data
fetched root-anchors/root-anchors.xml (418 bytes)
connect to 72.21.81.189
server SSL certificate
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:e1:04:33:b3:bb:e4:3e:9b:d1:5c:07:6e:15:ea:9f
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
Validity
Not Before: Oct 22 12:00:01 2013 GMT
Not After : Dec 8 12:00:00 2015 GMT
Subject: C=US, ST=California, L=Santa Monica, O=EdgeCast Networks, Inc., CN=s2.wpc.edgecastcdn.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:51:68:FF:90:AF:02:07:75:3C:CC:D9:65:64:62:A2:12:B8:59:72:3B
X509v3 Subject Key Identifier:
14:BB:9C:34:3C:67:7A:C5:CE:23:24:9B:86:D6:98:4A:82:C0:56:51
X509v3 Subject Alternative Name:
DNS:s2.wpc.edgecastcdn.net, DNS:data.iana.org, DNS:videos.grovo.com, DNS:portal.netoptimize.telekom.net
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl3.digicert.com/sha2-ha-server-g4.crl
Full Name:
URI:http://crl4.digicert.com/sha2-ha-server-g4.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114412.1.1
CPS: https://www.digicert.com/CPS
Authority Information Access:
OCSP - URI:http://ocsp.digicert.com
CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
X509v3 Basic Constraints: critical
CA:FALSE
Signature Algorithm: sha256WithRSAEncryption
SSL_write: GET /root-anchors/root-anchors.p7s HTTP/1.1
SSL_write: Host: data.iana.org
SSL_write: User-Agent: unbound-anchor/1.5.2
SSL_write:
header: 'HTTP/1.1 200 OK'
header: 'Accept-Ranges: bytes'
header: 'Cache-Control: max-age=604800'
header: 'Content-Type: text/plain; charset=UTF-8'
header: 'Date: Sat, 09 May 2015 02:43:43 GMT'
header: 'Etag: "64191-1389-512c93b68be80"'
header: 'Expires: Sat, 16 May 2015 02:43:43 GMT'
header: 'Last-Modified: Fri, 03 Apr 2015 03:06:18 GMT'
header: 'Server: ECAcc (dfw/56D0)'
header: 'X-Cache: HIT'
header: 'Content-Length: 5001'
at 0/5001
at 4095/5001
read 5001 data
fetched root-anchors/root-anchors.p7s (5001 bytes)
parsed the PKCS7 signature
setup the X509_STORE
signer 0: Subject: /O=ICANN/CN=dnssec@iana.org/emailAddress=dnssec@iana.org
commonName: dnssec@iana.org
emailAddress: dnssec@iana.org
keyUsage: Digital Signature, Key Encipherment
the PKCS7 signature verified
xml tag start 'TrustAnchor'
id='AD42165F-3B1A-4778-8F42-D34A1D41FD93'
source='http://data.iana.org/root-anchors/root-anchors.xml'
TrustAnchor charhandle: '
'
xml tag start 'Zone'
Zone charhandle: '.'
xml tag end 'Zone'
xml tag start 'KeyDigest'
id='Kjqmt7v'
validFrom='2010-07-15T00:00:00+00:00'
use KeyDigest charhandle: '
'
xml tag start 'KeyTag'
use KeyTag charhandle: '19036'
xml tag end 'KeyTag'
xml tag start 'Algorithm'
use Algorithm charhandle: '8'
xml tag end 'Algorithm'
xml tag start 'DigestType'
use DigestType charhandle: '2'
xml tag end 'DigestType'
xml tag start 'Digest'
use Digest charhandle: '49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5'
xml tag end 'Digest'
xml tag end 'KeyDigest'
xml tag end 'TrustAnchor'
XML was parsed successfully, 1 keys
got DS bio 139: '; created by unbound-anchor on Fri May 8 21:43:43 2015
. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
'
success: the anchor has been updated using the cert
This will create /var/unbound/db/root.key. You should probably run unbound-anchor once a week or in /etc/rc.local on every reboot. It's your choice.
Next, modify /var/unbound/etc/unbound.conf and uncomment the following line:
auto-trust-anchor-file: "/db/root.key"
We may as well also grab the latest root.hints file from Internic... You can configure this to pull once a month in root's crontab for good measure.
# ftp -o /var/unbound/db/root.hints "ftp://ftp.internic.net/domain/named.cache"
Place this in your /var/unbound/etc/unbound.conf:
root-hints: "/db/root.hints"
Finally, restart unbound:
# /etc/rc.d/unbound -f restart
To test, dig a few domains. I start with a root and go from there. You're looking for the 'ad' flag as follows:
# dig . SOA +dnssec
; <<>> DiG 9.4.2-P2 <<>> . SOA +dnssec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14023
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015050801 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20150518170000 20150508160000 48613 . VJxXmFUi8HIwg+G8neEQFJ2r9h6ceIuWS7kSLN3ON/St7+id6bYh2QKt M4FQ6JM/1ZrebeMrXps8lM0wVsMtKkqvJkJfazYAFyo75EZ2GSAr/yXW sS12scSLp1mSb6sIva5KtKmvVL71bjoZfusJCPmAmoxtKceoyNOQWwTX ZDA=
;; AUTHORITY SECTION:
. 518400 IN NS d.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20150518170000 20150508160000 48613 . X5CTpGRiUiNCzYHHYA/UcKDLmk9Cm8Kx2PXiIbDFTb9yGeiu3uRUkwoX rlyJ2zNuokGgec58AnJFiXOOlKcfZ11dgXeKbY2IR7JYocAP4CqXhNjh KaYiuxhtdnjYEzYhyUV4j6i35N9HURMsSgX2ipuItaq7l2I8fywcG6Xg sXo=
;; Query time: 2223 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 8 21:47:28 2015
;; MSG SIZE rcvd: 612
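Checking for the 'ad' flag by eye, or with a loose grep, is easy to get wrong because other parts of the output also contain those letters. The following is an added example, not part of the original post: it reads dig output, takes the status from the header and the flags from the flags line only, and reports whether the answer was validated. The function names and the samples without 'ad' are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): decide from dig's header
# whether the resolver validated the answer.

# Constructed samples, modelled on the dig output in the post.
sample_validated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14023
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
EOF
}
sample_insecure() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
EOF
}
sample_servfail() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}

# Read dig output on stdin and print one word:
#   validated  answer (or denial) returned with the 'ad' flag set
#   insecure   answer returned without 'ad' (unsigned zone, or no validation)
#   servfail   what a validating resolver returns for bogus data, but also
#              for upstream failures, so check the unbound log
#   unknown    no usable header found
classify_dig() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # Only the words between "flags:" and the first ";" are flags;
            # "ADDITIONAL" and the EDNS "flags: do" line must not count.
            line = $0
            sub(/^;; flags:[ ]*/, "", line)
            sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END {
            answered = (status == "NOERROR" || status == "NXDOMAIN")
            if (status == "SERVFAIL") print "servfail"
            else if (answered && ad) print "validated"
            else if (answered) print "insecure"
            else print "unknown"
        }'
}

# Query the local unbound the way the post does and classify the reply.
check_validation() {   # check_validation NAME
    dig @127.0.0.1 "$1" SOA +dnssec | classify_dig
}

# Offline demonstration on the constructed samples.
for s in sample_validated sample_insecure sample_servfail; do
    printf '%s: %s\n' "$s" "$($s | classify_dig)"
done
```

The 'ad' flag is only meaningful here because the query goes over loopback to a resolver you configured to validate.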
Ad blocking: Yes, I'll add this soon as well. I've seen so many inept ways to do it that I'd rather take a little more time to make a few scripts I personally use take on a more readable shape.
Where most fail is in pointing ad servers' DNS records to localhost (do I really need to explain why that doesn't work on a firewall?), forcing downloads of software or modules /not/ included in the base operating system, or enabling unprotected, unvetted network services to serve the single-pixel file, i.e. some socket-based perl/php/python/etc. script that runs as root from the base system. I'll avoid all that; you should as well.
not one step in this guide works
groupadd -g 688 _dnscrypt-proxy
# useradd -g _dnscrypt-proxy -s /sbin/nologin -u 688 -d /var/empty -c "dnscrypt-proxy user" -L daemon _dnscrypt-proxy
errors out
attempting to compile from source also errors out
why does every article of this nature have to be like this, it is infuriating
/usr/local/sbin/dnscrypt-proxy doesn't exist even if the pkg is installed from the openbsd package repositories