Feature #8388
Status: closed
Subject: Add DNS over TLS for upstream forwarders to the DNS Resolver
% Done: 100%
Description
GUI options to set DNS over TLS.
Currently you can do this by adding a stanza to the custom options on unbound.
    server:
        ssl-upstream: yes
        do-tcp: yes

    forward-zone:
        name: "."
        # Below 3 addresses are Quad9 resolvers
        forward-addr: 9.9.9.9@853
        forward-addr: 149.112.112.112@853
        forward-addr: 2620:fe::fe@853
Updated by Jim Pingle over 6 years ago
- Category set to DNS Resolver
- Status changed from Duplicate to Assigned
- Assignee set to Jim Pingle
- Target version set to 2.4.4
On second thought, this is different. The other ticket is for providing DNS over TLS to local clients, this is for upstream forwarders. Reopening.
See also: #8415
Updated by Jim Pingle over 6 years ago
- Subject changed from DNS over TLS to Add DNS over TLS for upstream forwarders to the DNS Resolver
Updated by Jim Pingle over 6 years ago
- Status changed from Assigned to Feedback
- % Done changed from 0 to 100
Applied in changeset cd73821986dd854afbff4b1f63c7fa2bc88ed9a2.
Updated by Jim Pingle over 6 years ago
- % Done changed from 100 to 0
Of note, a couple of changes compared to other examples:
1. We already set do-tcp: yes, so adding it again was unnecessary.
2. Using ssl-upstream will cause all outgoing queries to use TLS, not just forwards, which could break Domain Overrides, so I used forward-tls-upstream instead inside the '.' zone which will only apply the TLS setting to that forwarding zone.
3. Unbound is moving the ssl keywords to tls instead, so the patch will only work as-is on 2.4.4 which has Unbound 1.7. For 2.4.3 and before, use forward-ssl-upstream.
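The following is an added example, not pfSense's generated unbound.conf and not the patch from the changeset above. It puts the two ways of enabling DNS over TLS for forwarders side by side: the global ssl-upstream from the ticket description (left commented out) and the zone-scoped forward-tls-upstream that the comment above prefers, together with a forward-zone standing in for a pfSense Domain Override so the interaction is visible. The Quad9 addresses and port 853 are from the ticket; the "corp.example" zone and the 10.0.0.53 internal resolver are assumed for illustration.

```conf
# Added example (not pfSense's own config or the ticket's patch).
# Assumed values: corp.example / 10.0.0.53 stand in for a pfSense
# Domain Override pointing at an internal plain-DNS server.

server:
    do-tcp: yes                  # pfSense already emits this; TLS needs TCP
    # ssl-upstream: yes          # WEAK FORM from the description: applies to
    #                            # every outgoing query, so the override zone
    #                            # below would also be sent as TLS to
    #                            # 10.0.0.53 on port 53 and fail.

# Preferred form: TLS is scoped to the "." forward zone only.
forward-zone:
    name: "."
    forward-tls-upstream: yes    # Unbound 1.7+ (pfSense 2.4.4); on 2.4.3 and
                                 # earlier use forward-ssl-upstream instead
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
    forward-addr: 2620:fe::fe@853

# Domain Override equivalent: keeps plain DNS on port 53 and is unaffected,
# because the TLS flag lives inside the "." zone rather than in server:.
forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53
```

Two practical checks when testing this: run unbound-checkconf against the result before restarting the service, and confirm with a packet capture that queries for corp.example still leave on port 53 while everything else leaves on port 853. Note also that neither form shown here validates the upstream server's certificate; this is opportunistic encryption against a passive observer only. Unbound releases that support tls-cert-bundle and an authentication name on forward-addr can be configured to verify the Quad9 certificate, but those options are outside the scope of this ticket and are not part of the example above.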