TLS certificate question about Unbound 1.9.2

rollingonchrome rollingonchrome at gmail.com
Tue Apr 2 16:36:10 UTC 2019


Thank you, Yuri.

The certificate bundle does exist in the assumed path.

Any other suggestions would be appreciated. Below is my config file. Also,
here is the error from the log file:

Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword 'tls-cert-bundle'
Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray ':'
Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'
Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: unknown keyword '/etc/ssl/certs/ca-certificates.crt'
Apr  2 09:25:13 raspberrypi_pi-hole unbound[6522]: /etc/unbound/unbound.conf.d/pi-hole.conf:96: error: stray '"'

Apologies for partially posting this message twice. I wasn't sure exactly
how to edit the subject to properly thread my reply.

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

# New configuration items
qname-minimisation: yes
# fallback-enabled: yes

# DNS over TLS: https://www.reddit.com/r/pihole/comments/969vhh/any_downside_to_using_unbound_with_dns_over_tls/

access-control: 10.0.0.0/8 allow
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/16 allow
hide-identity: yes
hide-version: yes
minimal-responses: yes
rrset-roundrobin: yes
ssl-upstream: yes
forward-zone:
  name: "."
  # Quad9
  # forward-addr: 2620:fe::fe@853#dns.quad9.net
  forward-addr: 9.9.9.9@853#dns.quad9.net
  # forward-addr: 2620:fe::9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
  # Cloudflare DNS
  # forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
  forward-addr: 1.1.1.1@853#cloudflare-dns.com
  # forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
  forward-addr: 1.0.0.1@853#cloudflare-dns.com
  # Google Public DNS
  # forward-addr: 2001:4860:4860::8888@853#dns.google
  # forward-addr: 8.8.8.8@853#dns.google
  # forward-addr: 2001:4860:4860::8844@853#dns.google
  # forward-addr: 8.8.4.4@853#dns.google
  # Cleanbrowsing Security Filter
  # forward-addr: 2a0d:2a00:1::2@853#security-filter-dns.cleanbrowsing.org
  forward-addr: 185.228.168.9@853#security-filter-dns.cleanbrowsing.org
  # forward-addr: 2a0d:2a00:2::2@853#security-filter-dns.cleanbrowsing.org
  forward-addr: 185.228.169.9@853#security-filter-dns.cleanbrowsing.org
  # Tenta DNS
  # ICANN
  forward-addr: 99.192.182.200@853#iana.tenta.io
  forward-addr: 99.192.182.201@853#iana.tenta.io
  # OpenNIC
  forward-addr: 99.192.182.100@853#opennic.tenta.io
  forward-addr: 99.192.182.101@853#opennic.tenta.io
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
# tls-cert-bundle feature not available until Unbound 1.7.1
# Actually secure DNS over TLS in Unbound: https://www.ctrl.blog/entry/unbound-tls-forwarding
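Added example, not the poster's config or any Unbound tooling: a small Python checker for the DNS-over-TLS forwarding points this thread touches, namely that TLS to upstream is enabled, that tls-cert-bundle (or tls-system-cert) sits in the server: clause so certificates are actually verified, and that every forward-addr carries the @853#authname form. The embedded config excerpt is constructed for the demonstration; it mimics the posted layout, including a tls-cert-bundle line placed after forward-zone:.

```python
import re

# Constructed excerpt modelled on the posted config (not the poster's file).
SAMPLE_CONF = """\
server:
    verbosity: 0
    ssl-upstream: yes
forward-zone:
  name: "."
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 1.1.1.1@853
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
"""

CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "view", "remote-control"}
# forward-addr value: host, optional @port, optional #authname (TLS SNI / cert name)
FWD_RE = re.compile(r"^(?P<host>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def parse_clauses(text):
    """Return (clause, key, value, lineno) tuples. Indentation is ignored, as
    Unbound ignores it: a clause runs until the next clause keyword appears."""
    items, clause = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):        # blank or whole-line comment
            continue
        if line.endswith(":") and line[:-1] in CLAUSES:
            clause = line[:-1]
            continue
        key, _, value = line.partition(":")           # split at first colon only (IPv6 safe)
        items.append((clause, key.strip(), value.strip().strip('"'), lineno))
    return items


def check_dot_forwarding(text):
    """Return a list of human-readable findings; empty means the DoT setup is consistent."""
    items = parse_clauses(text)
    server = {k: v for c, k, v, _ in items if c == "server"}
    tls_on = server.get("ssl-upstream") == "yes" or server.get("tls-upstream") == "yes"
    findings = []
    if not tls_on:
        findings.append("server: neither ssl-upstream nor tls-upstream is yes; forwarding is plaintext")
    if "tls-cert-bundle" not in server and "tls-system-cert" not in server:
        findings.append("server: no tls-cert-bundle/tls-system-cert; upstream certificates are not verified")
    for clause, key, value, lineno in items:
        if key == "tls-cert-bundle" and clause != "server":
            findings.append(f"line {lineno}: tls-cert-bundle is a server: option but appears under {clause}:")
        if clause == "forward-zone" and key == "forward-addr":
            m = FWD_RE.match(value)
            if m is None:
                findings.append(f"line {lineno}: cannot parse forward-addr {value!r}")
            elif tls_on and (m.group("port") != "853" or not m.group("auth")):
                findings.append(f"line {lineno}: {m.group('host')} should be written host@853#authname")
    return findings
```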