<div dir="ltr">Andreas:<div><br></div><div>Thanks for your response.</div><div>Need to explain about the 127.0.0.1.</div><div>I am running this on a Raspberry Pi along with Pi-hole. Pi-hole answers the initial inquiry and forwards to Unbound if it doesn't have the info.</div><div>From what I had read, I thought that I could configure Unbound to talk DoH to upstream DNS.</div><div>Looks like it isn't an option at this point.</div><div><br></div><div>Ron</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Feb 22, 2021 at 1:44 PM A. Schulze via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl">unbound-users@lists.nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 22.02.21 at 17:36, Ronald Nutter via Unbound-users wrote:<br>
> #configuring unbound to use DoH<br>
> server:<br>
> interface: 127.0.0.1@443<br>
> tls-service-key: "key.pem"<br>
> tls-service-pem: "cert.pem"<br>
No, unbound doesn't magically "use" DoH with this configuration.<br>
This sets up a DoH **server**. As you selected 127.0.0.1, it will be reachable only from DoH clients running on localhost.<br>
It's not what you want ...<br>
<br>
<br>
> # Adapted from TLS/DoT instructions, so not sure about this<br>
> forward-zone:<br>
> name: "."<br>
> forward-tls-upstream: yes<br>
Note the "-tls-": it enables unbound to act as a DoT client.<br>
<br>
> # Cloudflare DNS<br>
> forward-addr: 2606:4700:4700::1111@443#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a><br>
> forward-addr: 1.1.1.1@443#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a><br>
> forward-addr: 2606:4700:4700::1001@443#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a><br>
> forward-addr: 1.0.0.1@443#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a><br>
You've configured unbound to talk TLS with a DoH server.<br>
<br>
> <br>
> Is this correct ?<br>
no<br>
<br>
> Would appreciate any pointers in helping get this to work<br>
I'm not aware that unbound (up to 13.1) can act as a DoH client.<br>
<br>
Stay with DoT to CF for now.<br>
<br>
Andreas<br>
<br>
<br>
</blockquote></div>
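<div>Added example, not part of the thread above and not unbound's or Pi-hole's own documentation: an unbound.conf fragment for the setup Andreas recommends, unbound as a DoT <b>client</b> forwarding to Cloudflare, with Pi-hole as the only client in front of it. The original config pointed at port 443 (DoH); DoT uses port 853. The listening port 5335, the access-control lines and the CA bundle path are assumptions chosen for illustration; check them against your system. The tls-cert-bundle line is the part a practitioner should not skip: the name after '#' is only authenticated against a CA bundle, and without one the upstream connection is encrypted but the server identity is not checked.</div>

```conf
# Added example (not from the thread): unbound as a DoT client behind Pi-hole.
# ASSUMPTIONS: port 5335, the access-control lines and the CA bundle path are
# illustrative values, not taken from the thread.
server:
    # Plain DNS listener for Pi-hole on localhost only. No tls-service-key /
    # tls-service-pem here, so unbound offers no DoT/DoH *server* of its own.
    interface: 127.0.0.1@5335
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # CA bundle used to authenticate the upstream TLS certificate against
    # the name given after '#' below. (ASSUMED path; Debian-style location.)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Forward everything over TLS (DoT, port 853), not DoH on 443.
    forward-tls-upstream: yes
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

<div>Validate with <code>unbound-checkconf</code> before restarting, then query the listener directly (for example <code>dig @127.0.0.1 -p 5335 example.com</code>) before pointing Pi-hole's upstream at 127.0.0.1#5335. If the bundle path is wrong, unbound logs certificate verification failures and the forward-zone stops resolving, which is the intended fail-closed behaviour.</div>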