Project

General

Profile

Actions

Feature #8388

closed

Add DNS over TLS for upstream forwarders to the DNS Resolver

Added by Joe Gassner over 6 years ago. Updated over 6 years ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
DNS Resolver
Target version:
Start date:
04/04/2018
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Plus Target Version:
Release Notes:

Description

GUI options to set DNS over TLS.

Currently you can do this by adding a stanza to the custom options on unbound.

server:
ssl-upstream: yes
do-tcp: yes
forward-zone:
    name: "." 
    # Below 3 addresses are Quad9 resolvers
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
    forward-addr: 2620:fe::fe@853

Subtasks 1 (0 open1 closed)

Feature #8431: Add DNS over TLS checkbox for Domain Override entriesResolvedJim Pingle04/04/2018

Actions
Actions #1

Updated by Jim Pingle over 6 years ago

  • Status changed from New to Duplicate

Duplicate of #8030

Actions #2

Updated by Jim Pingle over 6 years ago

  • Category set to DNS Resolver
  • Status changed from Duplicate to Assigned
  • Assignee set to Jim Pingle
  • Target version set to 2.4.4

On second thought, this is different. The other ticket is for providing DNS over TLS to local clients, this is for upstream forwarders. Reopening.

See also: #8415

Actions #3

Updated by Jim Pingle over 6 years ago

  • Subject changed from DNS over TLS to Add DNS over TLS for upstream forwarders to the DNS Resolver
Actions #4

Updated by Jim Pingle over 6 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Jim Pingle over 6 years ago

  • % Done changed from 100 to 0

Of note, a couple changes compared to other examples:

1. We already set do-tcp: yes, so adding it again was unnecessary
2. Using ssl-upstream will cause all outgoing queries to use TLS, not just forwards, which could break Domain Overrides, so I used forward-tls-upstream instead inside the '.' zone which will only apply the TLS setting to that forwarding zone.
3. Unbound is moving the ssl keywords to tls instead, so the patch will only work as-is on 2.4.4 which has Unbound 1.7. For 2.4.3 and before, use forward-ssl-upstream

Actions #6

Updated by Jim Pingle over 6 years ago

  • Status changed from Feedback to Resolved

Works.

Actions

Also available in: Atom PDF