
Feature #8388

Add DNS over TLS for upstream forwarders to the DNS Resolver

Added by Joe Gassner 7 months ago. Updated 6 months ago.

Status: Resolved
Priority: Low
Assignee:
Category: DNS Resolver
Target version:
Start date: 04/04/2018
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)

Description

GUI options to set DNS over TLS.

Currently you can do this by adding a stanza to the custom options on unbound.

server:
    ssl-upstream: yes
    do-tcp: yes
forward-zone:
    name: "."
    # Below 3 addresses are Quad9 resolvers
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
    forward-addr: 2620:fe::fe@853

Subtasks

Feature #8431: Add DNS over TLS checkbox for Domain Override entries (Resolved, Jim Pingle)

Associated revisions

Revision cd738219
Added by Jim Pingle 7 months ago

Add GUI option for DNS over TLS. Implements #8388

History

#1 Updated by Jim Pingle 7 months ago

  • Status changed from New to Duplicate

Duplicate of #8030

#2 Updated by Jim Pingle 7 months ago

  • Category set to DNS Resolver
  • Status changed from Duplicate to Assigned
  • Assignee set to Jim Pingle
  • Target version set to 2.4.4

On second thought, this is different. The other ticket is for providing DNS over TLS to local clients, this is for upstream forwarders. Reopening.

See also: #8415

#3 Updated by Jim Pingle 7 months ago

  • Subject changed from DNS over TLS to Add DNS over TLS for upstream forwarders to the DNS Resolver

#4 Updated by Jim Pingle 7 months ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

#5 Updated by Jim Pingle 7 months ago

  • % Done changed from 100 to 0

Of note, a couple of changes compared to other examples:

1. We already set do-tcp: yes, so adding it again was unnecessary.
2. Using ssl-upstream will cause all outgoing queries to use TLS, not just forwards, which could break Domain Overrides, so I used forward-tls-upstream instead inside the '.' zone, which will only apply the TLS setting to that forwarding zone.
3. Unbound is moving the ssl keywords to tls instead, so the patch will only work as-is on 2.4.4, which has Unbound 1.7. For 2.4.3 and before, use forward-ssl-upstream.
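The following Python script is an added example and is not pfSense code, Unbound code, or anything attached to this ticket. It renders the forwarding stanza the way comment #5 recommends (TLS only inside the "." forward-zone, no duplicate do-tcp, the ssl or tls keyword chosen by Unbound version) and includes a small check that flags a global ssl-upstream/tls-upstream line in a custom-options block, the setting that would force TLS on Domain Override queries too. The Quad9 addresses come from the description; the corp.example override, the 10.0.0.53 server and the version strings are constructed for the demonstration.

```python
# Added example (not pfSense or Unbound project code): build the DNS over TLS
# forwarding stanza the way comment #5 recommends, and check a block of custom
# options for the global ssl-upstream setting that would force TLS on every
# outgoing query, including Domain Overrides.
from typing import Dict, List, Tuple

Addr = Tuple[str, int]  # (IP address, port)

# Quad9 resolvers from the ticket description (853 is the DNS over TLS port).
QUAD9: List[Addr] = [("9.9.9.9", 853), ("149.112.112.112", 853), ("2620:fe::fe", 853)]

# Constructed Domain Override: an internal zone answered by a plain-DNS server.
# Hypothetical values; pfSense keeps real overrides in its own config.
OVERRIDES: Dict[str, List[Addr]] = {"corp.example": [("10.0.0.53", 53)]}

# Server-clause options that switch TLS on for *all* upstream queries.
# tls-upstream is the Unbound 1.7 spelling, ssl-upstream the older alias.
GLOBAL_TLS_OPTIONS = ("ssl-upstream", "tls-upstream")


def tls_keyword(unbound_version: str) -> str:
    """Pick the per-zone TLS keyword for the given Unbound version.

    Unbound 1.7 renamed forward-ssl-upstream to forward-tls-upstream; older
    releases (pfSense 2.4.3 and earlier, per the ticket) need the ssl name.
    """
    major, minor = (int(part) for part in unbound_version.split(".")[:2])
    if (major, minor) >= (1, 7):
        return "forward-tls-upstream"
    return "forward-ssl-upstream"


def forward_zone(name: str, addrs: List[Addr], tls: bool, unbound_version: str) -> str:
    """Render one forward-zone clause; TLS is enabled only when requested."""
    lines = ["forward-zone:", f'    name: "{name}"']
    if tls:
        lines.append(f"    {tls_keyword(unbound_version)}: yes")
    lines.extend(f"    forward-addr: {addr}@{port}" for addr, port in addrs)
    return "\n".join(lines) + "\n"


def build_config(forwarders: List[Addr], overrides: Dict[str, List[Addr]],
                 unbound_version: str) -> str:
    """Root zone '.' forwards over TLS; override zones stay plain DNS.

    do-tcp is deliberately not emitted: the ticket notes pfSense already sets it.
    """
    config = forward_zone(".", forwarders, True, unbound_version)
    for domain, addrs in overrides.items():
        config += forward_zone(domain, addrs, False, unbound_version)
    return config


def find_global_tls(custom_options: str) -> List[str]:
    """Return option lines that turn TLS on for every outgoing query.

    Such a line in the server clause also applies to Domain Overrides whose
    servers do not speak DNS over TLS, which is the breakage comment #5 warns
    about. Per-zone forward-tls-upstream lines are not flagged.
    """
    hits = []
    for raw in custom_options.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        key, _, value = line.partition(":")
        if key.strip() in GLOBAL_TLS_OPTIONS and value.strip() == "yes":
            hits.append(line)
    return hits


if __name__ == "__main__":
    for version in ("1.7.0", "1.6.8"):
        print(f"# Unbound {version}")
        print(build_config(QUAD9, OVERRIDES, version))
    # Stanza from the ticket description: global ssl-upstream plus a second do-tcp.
    risky = "server:\nssl-upstream: yes\ndo-tcp: yes\n"
    print("global TLS options found:", find_global_tls(risky))
```

Running the script prints the stanza twice, once with forward-tls-upstream for Unbound 1.7 and once with forward-ssl-upstream for the older release, followed by the override zone without any TLS keyword; the check on the description's stanza reports the ssl-upstream line. The version gate is the point of item 3 in the comment, and keeping the override zone free of the TLS keyword is the point of item 2.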

#6 Updated by Jim Pingle 6 months ago

  • Status changed from Feedback to Resolved

Works.
