Add DNS over TLS for upstream forwarders to the DNS Resolver
GUI options to set DNS over TLS.
Currently you can do this by adding a stanza to the custom options on unbound.
server:
  ssl-upstream: yes
  do-tcp: yes
forward-zone:
  name: "."
  # Below 3 addresses are Quad9 resolvers
  forward-addr: 220.127.116.11@853
  forward-addr: 18.104.22.168@853
  forward-addr: 2620:fe::fe@853
#2 Updated by Jim Pingle 7 months ago
- Category set to DNS Resolver
- Status changed from Duplicate to Assigned
- Assignee set to Jim Pingle
- Target version set to 2.4.4
On second thought, this is different. The other ticket is for providing DNS over TLS to local clients, this is for upstream forwarders. Reopening.
See also: #8415
#5 Updated by Jim Pingle 7 months ago
- % Done changed from 100 to 0
Of note, a couple changes compared to other examples:
1. We already set do-tcp: yes, so adding it again was unnecessary.
2. ssl-upstream will cause all outgoing queries to use TLS, not just forwards, which could break Domain Overrides, so I used forward-tls-upstream instead inside the '.' zone which will only apply the TLS setting to that forwarding zone.
3. Unbound is moving the ssl keywords to tls instead, so the patch will only work as-is on 2.4.4 which has Unbound 1.7. For 2.4.3 and before, use
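Added example (not the reporter's stanza, not Jim's patch, and not pfSense project code) of the custom-options layout the comment above describes: TLS is enabled only on the "." forwarding zone via forward-tls-upstream, while a Domain Override forward-zone to an internal server stays in the clear. The tls-cert-bundle line, its path, and the corp.example / 192.0.2.53 values are assumptions; the Quad9 addresses are the ones from the ticket.

```conf
server:
  # do-tcp: yes is deliberately omitted; pfSense already sets it (see comment #5)
  # Deliberately NO ssl-upstream/tls-upstream here: in the server: section it
  # forces TLS on every outgoing query, including Domain Overrides, and would
  # break the corp.example zone below
  #
  # Assumption: tls-cert-bundle is available in this Unbound release (1.7).
  # Without a CA bundle Unbound encrypts but does not verify the upstream's
  # certificate chain. Path is a placeholder for the system CA bundle.
  tls-cert-bundle: "/path/to/ca-bundle.pem"

forward-zone:
  name: "."
  # Unbound 1.7 keyword; applies TLS to this zone only (older releases used
  # the ssl- spelling, see comment #5)
  forward-tls-upstream: yes
  forward-addr: 220.127.116.11@853
  forward-addr: 18.104.22.168@853
  forward-addr: 2620:fe::fe@853

# Example Domain Override (assumed values): plain DNS on port 53 to an
# internal resolver, unaffected by the TLS setting in the "." zone above
forward-zone:
  name: "corp.example"
  forward-addr: 192.0.2.53
```

Run unbound-checkconf against the resulting unbound.conf before reloading; it rejects an unknown keyword, which is how a tls- vs ssl- spelling mismatch for the installed Unbound version shows up.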