DNS over TLS not working

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri May 4 06:30:25 UTC 2018


Hi Raymond,

On 03/05/18 22:43, Raymond Bannan via Unbound-users wrote:
> I've spent several hours trying various permutations of the following
> config, but no matter what I do I can't get unbound to forward a DNS
> request over TLS:

This config looks correct.  It should be connecting with TLS.  Unless
you have other options in unbound.conf that negate the lines you pasted
here.  Perhaps enable verbosity: 4 and logfile: "C:\unbound.log" and
log-time-ascii: yes and then you have a logfile in plain text with
details about what unbound is doing.

Best regards, Wouter

> 
> server:
>     tls-cert-bundle: "C:\Program Files\Unbound\cabundle.crt"
> forward-zone:
>     name: "."
>     forward-ssl-upstream: yes
>     forward-addr: 1.1.1.1@853#cloudflare-dns.com
> 
> I'm on windows 10, unbound v1.7.1.  I've been using nslookup to test:
> 
> C:\Users\Me>nslookup - 127.0.0.1
> Default Server:  localhost
> Address:  127.0.0.1
> 
>> google.com
> Server:  localhost
> Address:  127.0.0.1
> 
> *** localhost can't find google.com: Server failed
>>
> 
> Following this request in wireshark, unbound is accurately requesting
> DNS to the cloudflare server on tcp port 853, but is attempting to do
> this without negotiating a TLS connection, which cloudflare
> appropriately rejects.
> 
> Anyone have any ideas?
> 
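As an added example (not code from this thread or from the Unbound project), the following script parses an unbound.conf fragment like the one quoted above and reports the settings that would leave upstream forwarding unencrypted or unauthenticated: a missing `tls-cert-bundle`, a forward-zone without `forward-ssl-upstream: yes`, a `forward-addr` that is not on port 853, or one without the `#authname` suffix that ties the certificate to a hostname. The two sample configurations are constructed here (the first is the thread's config with the archive's "1.1.1.1 at 853" restored to `1.1.1.1@853`); treating `forward-tls-upstream` as an alias of `forward-ssl-upstream` and stripping `#` comments only at line start or after whitespace are assumptions of this script, not statements about Unbound's parser.

```python
import re

# Constructed sample inputs: the configuration quoted in the thread, and a
# variant that talks to port 853 without asking for TLS or verifying a name.
GOOD_CONF = """\
server:
    tls-cert-bundle: "C:\\Program Files\\Unbound\\cabundle.crt"
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""

BAD_CONF = """\
server:
    verbosity: 1
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853
"""

# Assumption: a '#' starts a comment only at line start or after whitespace,
# so the '#authname' suffix inside a forward-addr value is left alone.
COMMENT_RE = re.compile(r"(^|\s)#.*$")
# host[@port][#authname]
ADDR_RE = re.compile(r"^(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def parse_unbound_conf(text):
    """Return a list of (clause, attributes) pairs in file order.

    Clause headers ('server:', 'forward-zone:') sit at column 0; indented
    'key: value' lines belong to the most recent clause.  Values are kept in
    lists because keys such as forward-addr may repeat within a clause.
    """
    clauses = []
    current = None
    for raw in text.splitlines():
        line = COMMENT_RE.sub("", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = (line[:-1], {})
            clauses.append(current)
            continue
        if current is None:
            raise ValueError("attribute before any clause: %r" % raw)
        key, _, value = line.strip().partition(":")   # split at the first ':' only
        current[1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return clauses


def lint_dot_forwarding(text):
    """Report settings that leave upstream queries unencrypted or unauthenticated."""
    findings = []
    clauses = parse_unbound_conf(text)
    server = {}
    for name, attrs in clauses:
        if name == "server":
            server.update(attrs)
    if "tls-cert-bundle" not in server:
        findings.append("server: no tls-cert-bundle, upstream certificates cannot be validated")
    for name, attrs in clauses:
        if name != "forward-zone":
            continue
        zone = attrs.get("name", ["?"])[0]
        # forward-ssl-upstream is the spelling used in the thread (unbound 1.7.1);
        # forward-tls-upstream is accepted here as an assumed newer alias.
        tls = attrs.get("forward-tls-upstream", attrs.get("forward-ssl-upstream", ["no"]))[0]
        if tls.lower() != "yes":
            findings.append(f"forward-zone {zone}: forward-ssl-upstream is not 'yes', queries go out in the clear")
        for addr in attrs.get("forward-addr", []):
            m = ADDR_RE.match(addr)
            if not m:
                findings.append(f"forward-zone {zone}: cannot parse forward-addr {addr!r}")
                continue
            if m.group("port") != "853":
                findings.append(f"forward-zone {zone}: {addr} does not use port 853")
            if not m.group("auth"):
                findings.append(f"forward-zone {zone}: {addr} has no '#authname', certificate name is not verified")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, lint_dot_forwarding(conf) or "no findings")
```

Run on the quoted configuration the checker reports nothing, which matches Wouter's reading that the config itself is fine and the remaining work is reading the verbose log; run on the second sample it names each of the three weaknesses.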

