Can DNSSEC resolvers pass through all mangling CPEs?

Stephane Bortzmeyer bortzmeyer at
Mon Jan 4 14:35:37 UTC 2016

On Mon, Jan 04, 2016 at 01:50:21PM +0100,
 Rick van Rein via Unbound-users <unbound-users at> wrote 
 a message of 9 lines which said:

> What I am wondering is if the approach of recursive resolution, not
> explicitly going through the CPE, suffices to avoid mangling.  The
> CPE *could* still force control over DNS traffic on account of
> target port 53, and I am wondering if this happens.

Yes. In China, for instance, it is quite common. Also, port 53 is
sometimes blocked. In these cases, the only solution is to reach the
upstream resolver through DNS-over-TLS (Unbound supports it) or your

More information about the Unbound-users mailing list