DNS over TLS not working
Yuri
yvoinov at gmail.com
Fri May 4 23:01:58 UTC 2018
I can confirm this issue.
1.7.1 64-bit does not work with DoT on Win10.
Verbosity 4 log and service config attached.
I see no anomalies in the log; however, nothing resolves.
A simplified config (OpenDNS, no DNSSEC etc.) works.
--
"C++ seems like a language suitable for firing other people's legs."
*****************************
* C++20 : Bug to the future *
*****************************
-------------- next part --------------
# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
# verbosity level 0-4 of logging
verbosity: 0
# if you want to log to a file use
# logfile: "C:\unbound.log"
# on Windows, this setting makes reports go into the Application log
# found in ControlPanels - System tasks - Logs
use-syslog: yes
log-time-ascii: yes
num-threads: 4
cache-max-ttl: 14400
cache-min-ttl: 900
cache-max-negative-ttl: 60
infra-host-ttl: 60
# root-hints: "C:\Program Files\Unbound\named.root"
do-ip6: no
tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
tcp-upstream: yes
# Harden against very small EDNS buffer sizes.
harden-short-bufsize: yes
# Harden against unseemly large queries.
harden-large-queries: yes
# Harden against out of zone rrsets, to avoid spoofing attempts.
harden-glue: yes
# Harden against queries that fall under dnssec-signed nxdomain names.
# Default is no
harden-below-nxdomain: yes
# 1.5.7 feature. Yes recommended.
qname-minimisation: yes
low-rtt: 50
low-rtt-pct: 900
unwanted-reply-threshold: 10000000
do-not-query-localhost: no
prefetch: yes
prefetch-key: yes
rrset-roundrobin: yes
minimal-responses: yes
# true to disable DNSSEC lameness check in iterator.
# disable-dnssec-lame-check: no
module-config: "validator iterator"
#val-permissive-mode: no
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow_snoop
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: ::ffff:127.0.0.1 allow
#include: "C:\Program Files\Unbound\unbound_local"
include: "C:\Program Files\Unbound\unbound_ad_servers"
# Remote control config section.
remote-control:
# Enable remote control with unbound-control(8) here.
# set up the keys and certificates with unbound-control-setup.
control-enable: yes
control-use-cert: no
forward-zone:
name: "."
# forward-addr: 208.67.222.222@53
# forward-addr: 208.67.220.220@53
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-tls-upstream: yes
# OpenDNS is NOT DNSSEC enabled
server: auto-trust-anchor-file: "C:\Program Files\Unbound\root.key"
#server: dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
#
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound.zip
Type: application/x-zip-compressed
Size: 115003 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20180505/8ce7194b/attachment.bin>
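A static check for the DNS-over-TLS forwarding settings used in the config above, as an added example that is not part of the original message or of Unbound itself. The function names and finding codes are hypothetical; the check assumes TLS is enabled per zone with forward-tls-upstream and that tls-cert-bundle is the only certificate store configured, and the sample is constructed with one forwarder written with " at " in place of "@", as mail archives render it.

```python
import ipaddress
import re

ADDR = re.compile(r"^([0-9A-Fa-f:.]+)(?:@(\d+))?(?:#(\S+))?$")  # IP[@port][#auth-name]
CLAUSE = re.compile(r"(server|remote-control|forward-zone|stub-zone):\s*(.*)")

def parse(text):
    """Return [(clause, {option: [values]})] in file order."""
    sections = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()  # '#' inside IP@port#name is no comment
        m = CLAUSE.match(line)
        if m:  # clause header, optionally followed by an option on the same line
            sections.append((m.group(1), {}))
            line = m.group(2)
        if ":" in line and sections:
            key, val = (s.strip().strip('"') for s in line.split(":", 1))
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def lint(text):
    """Return sorted (finding, forward-addr) pairs for DNS-over-TLS forward zones."""
    sections = parse(text)
    server = {k: v for c, opts in sections if c == "server" for k, v in opts.items()}
    out = set()
    for zone in (opts for c, opts in sections if c == "forward-zone"):
        tls = zone.get("forward-tls-upstream") == ["yes"]
        for addr in zone.get("forward-addr", []):
            m = ADDR.match(addr)
            try:
                ipaddress.ip_address(m.group(1))
            except (AttributeError, ValueError):  # no match, or not an IP address
                out.add(("bad-syntax", addr))
                continue
            port, name = int(m.group(2) or 53), m.group(3)
            if tls and port != 853:
                out.add(("tls-port-not-853", addr))  # forward-addr defaults to port 53
            if tls and not name:
                out.add(("no-auth-name", addr))  # any certificate name is accepted
            if tls and name and not any(server.get("tls-cert-bundle", [])):
                out.add(("no-cert-bundle", addr))  # assumed: bundle is the only CA store
    return sorted(out)

# Constructed sample: two of the page's forwarders, one in the archive-mangled " at " form.
SAMPLE = r'''server: tls-cert-bundle: "C:\Squid\etc\squid\ca-bundle.crt"
forward-zone:
name: "."
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 9.9.9.9 at 853#dns.quad9.net
forward-tls-upstream: yes'''
```

Calling lint(SAMPLE) reports only the " at " line as bad-syntax; an empty list means the forwarders are syntactically valid and have a port, an authentication name and a CA bundle configured, not that the TLS handshake will succeed.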