Unbound: Add support for DNS over TLS to internal clients
Add support for DNS over TLS to internal clients.
A description of the feature can be found here.
Unbound has supported it for a while. I don't see much value in enabling this for internal clients, so I am making this mostly to document what would need to be done to add support for clients.
Add a checkbox to the Advanced settings:
Label: DNS over TLS
Description: Provide DNS over TLS port 853 to internal clients. Uses webConfigurator Cert.
If checked, add the following to unbound's config under the server section:
ssl-service-key: "<path to key used in webConfigurator>"
ssl-service-pem: "<path to cert used in webConfigurator>"
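The server-section lines the request above describes, written out as an added example that is not part of the ticket or of the configuration pfSense generates. The LAN addresses, the hostname and the two PEM paths are assumptions; the rest is standard Unbound syntax:

```conf
# Added example, not from the ticket or from pfSense. Assumed values:
# 192.0.2.1 / 2001:db8::1 are the LAN addresses, and the chosen certificate
# and key have already been written to the two paths below.
server:
    # Plain DNS stays on 53 (pfSense already emits those interface lines);
    # these add a separate, TLS-only listener on 853.
    interface: 192.0.2.1@853
    interface: 2001:db8::1@853
    # Every query arriving on this port is treated as TLS. ssl-port must
    # match the @port above, otherwise Unbound expects cleartext there.
    ssl-port: 853
    ssl-service-key: "/var/unbound/dot.key"
    ssl-service-pem: "/var/unbound/dot.pem"
    # DoT is TCP only. The default of 10 simultaneous incoming TCP
    # connections is quickly exhausted once a few phones keep connections open.
    incoming-num-tcp: 50
    # TLS does not replace the access list; clients outside these nets are
    # still refused.
    access-control: 192.0.2.0/24 allow
    access-control: 2001:db8::/64 allow
```

On Unbound 1.7.0 and later the same options are also spelled tls-port, tls-service-key and tls-service-pem; the ssl- forms above remain accepted. Run unbound-checkconf before restarting, then confirm the listener presents the certificate with `openssl s_client -connect 192.0.2.1:853 -servername fw.example.com` (hostname assumed). Two caveats that do not show up in the config: the firewall must pass TCP 853 on the interfaces you bound, and a client doing strict validation (Android's Private DNS with a hostname set) checks the certificate's subject/SAN against that hostname and expects a chain it trusts, so a self-signed webConfigurator certificate will only work in opportunistic mode.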
#2 Updated by Mathew Keith over 3 years ago
I did some more research on this. A simple checkbox that adds the following lines to the config should do the trick:
#EDIT - needed to accept tcp 853
As far as a use case goes I can only imagine this being useful over an open Wi-Fi AP. Android has added the option to enable DNS over TLS to AOSP here:
This should mean that a connected android device will utilize the service if available at some point down the line. The rest of DNS over TLS implementation will happen in the unbound development.
#3 Updated by Mathew Keith over 3 years ago
Edit: I was able to get this to work. Info posted below.
#4 Updated by Mathew Keith over 3 years ago
I'd like to request that this FR be closed. When I created it I did so because I didn't think it was possible to do through the Custom Options due to the certificate. Since this is stored on the drive and has a static path this really should be done through the Custom Options for the foreseeable future. Particularly while implementation is still being worked on.
If I find a way to get it working I'll post the custom options to the forum for anyone who wants to try it.
#5 Updated by Jim Pingle over 3 years ago
Also it would need significantly more logic here than you've shown thus far. For instance, you can't always assume that the GUI is set to HTTPS, it would need a dedicated ca/certificate selection. Plus, you would have to have additional binding options. You could assume the same binding options as the main unbound service, but you can't always bind it to any/all unless that's what the user chose to do.
No harm in keeping it open without a target though, so it can remain as-is.
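The extra logic described in the comment above, as an added example in the language pfSense's unbound.inc is written in; it is not pfSense code. It takes a certificate the user selected explicitly (rather than assuming the webConfigurator's, which only exists when the GUI runs HTTPS), refuses to bind to all addresses unless that was the user's choice, and returns the server-section lines. The certificate-store layout (base64 PEM in 'crt' and 'prv'), the /var/unbound directory and the dot.pem/dot.key file names are assumptions:

```php
<?php
// Added example, not code from the ticket or from pfSense. Assumptions:
// the selected certificate arrives as ['crt' => base64 PEM, 'prv' => base64 PEM],
// the bind addresses were already resolved from the user's interface choice,
// and the PEM files may live under /var/unbound.

/** Install PEM material with mode 0600 through a temp file so nothing ever reads a partial key. */
function write_tls_file(string $path, string $pem): string
{
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $pem) === false || !chmod($tmp, 0600) || !rename($tmp, $path)) {
        throw new RuntimeException("cannot install $path");
    }
    return $path;
}

/**
 * @param array    $cert      ['crt' => base64 PEM cert, 'prv' => base64 PEM key] (assumed store layout)
 * @param string[] $bindAddrs addresses resolved from the interface selection
 * @param bool     $bindAll   true only when the user explicitly chose "all interfaces"
 */
function unbound_dot_fragment(array $cert, array $bindAddrs, bool $bindAll = false,
                              string $dir = '/var/unbound', int $port = 853): string
{
    if (empty($cert['crt']) || empty($cert['prv'])) {
        throw new InvalidArgumentException('selected certificate has no private key; cannot serve TLS');
    }
    $pem = base64_decode($cert['crt'], true);
    $key = base64_decode($cert['prv'], true);
    if ($pem === false || $key === false
        || openssl_x509_read($pem) === false
        || openssl_pkey_get_private($key) === false) {
        throw new InvalidArgumentException('certificate or key is not valid PEM');
    }
    // A key that does not belong to the certificate makes Unbound refuse to start;
    // catch it here rather than in the restart log.
    if (!openssl_x509_check_private_key($pem, $key)) {
        throw new InvalidArgumentException('private key does not match certificate');
    }

    $lines = [];
    foreach ($bindAddrs as $addr) {
        if (filter_var($addr, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException("not an IP address: $addr");
        }
        // Never widen exposure silently: wildcard binds only if the user picked them.
        if (!$bindAll && in_array($addr, ['0.0.0.0', '::'], true)) {
            throw new InvalidArgumentException("refusing to expose the TLS listener on all addresses ($addr)");
        }
        $lines[] = "interface: {$addr}@{$port}";
    }
    if ($lines === []) {
        throw new InvalidArgumentException('no bind address selected');
    }

    $certPath = write_tls_file("$dir/dot.pem", $pem);
    $keyPath  = write_tls_file("$dir/dot.key", $key);
    $lines[] = "ssl-port: $port";          // spelled tls-port on Unbound >= 1.7.0; ssl-port still accepted
    $lines[] = "ssl-service-pem: \"$certPath\"";
    $lines[] = "ssl-service-key: \"$keyPath\"";
    return implode("\n", $lines) . "\n";
}
```

The returned string is meant to be appended to the server section when the checkbox is set, after the interface lines pfSense already writes; running unbound-checkconf on the result before restarting catches the remaining mistakes (an @port that does not match ssl-port, a path Unbound cannot read) without taking the resolver down.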
#6 Updated by Mathew Keith over 3 years ago
I was able to get this to work using the following:
#this prevents port 853 tcp from working. Not sure why? Turning off
As you noted, that cert is only present if HTTPS is enabled. I could add the above to the web config and unbound.inc file to be used, and work with the interface selection, but the cert drop-down selector (and writing to disk) is beyond my ability.