DoT and UDP requirements

George Thessalonikefs george at nlnetlabs.nl
Wed Jul 24 12:26:26 UTC 2019


Hi Ray,

Havard is right about the DNS ecosystem and the use of UDP.

However, I want to clarify the unbound behaviour with regard to what you
are trying to do:

Setting `do-udp: no` will disable UDP for unbound altogether. That
means both upstream and downstream communication.
You can verify that by running the same dig commands but with the extra
`+tcp` option. This will force dig to use TCP to unbound and unbound
will answer normally.
Although you will get an answer because you forced your client to
connect via TCP, this cannot be guaranteed for other clients on your
system. That's why I don't advise having `do-udp: no`.

From your configuration you should have something like
forward-zone:
  name: "."
  forward-addr: ...
  forward-tls-upstream: yes

If you don't have any other conflicting forward-zone or stub-zone
directives then all your upstream traffic goes to the defined DNS
servers above over TLS over TCP.

The only other caveat is the use of `forward-first: yes` inside
`forward-zone`. In your case you shouldn't use it, because what it tries
to do is first get an answer from the configured DNS resolver and,
if that fails, fall back to its own resolution.

I hope this is clear enough.

Best regards,
-- George
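The checks above (no `do-udp: no`, a `forward-zone` for "." with `forward-tls-upstream: yes`, no `forward-first`, and no conflicting `stub-zone`) as an added configuration audit that is not part of the original thread; the config fragment, the placeholder upstream address and the zone names are constructed, and the parser is a minimal one written for this example, not unbound's own.

```python
import re

# Constructed sample unbound.conf modelled on the settings discussed in the reply
# (not the original poster's config; 192.0.2.x are documentation addresses).
SAMPLE_CONF = """\
server:
    do-udp: no
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853#dns.example   # placeholder upstream
    forward-tls-upstream: yes
    forward-first: yes
stub-zone:
    name: "corp.example"
"""

def parse_sections(text):
    """Minimal reader: unindented 'word:' starts a section, indented 'key: value' lines are its options;
    '#' starts a comment only after whitespace, so 'addr@853#authname' survives."""
    sections, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = {"_section": [line[:-1]]}
            sections.append(current)
        elif current is not None:
            key, _, value = line.strip().partition(":")
            current.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return sections

def last(sec, key, default):
    return sec.get(key, [default])[-1]  # a repeated option: the last one wins

def audit(text):
    """List settings that would leak plain-UDP DNS upstream or break local clients."""
    findings, sections = [], parse_sections(text)
    for s in sections:
        kind, name = s["_section"][0], last(s, "name", "?")
        if kind == "server" and last(s, "do-udp", "yes") == "no":
            findings.append("server: do-udp: no also refuses UDP from your own clients; remove it")
        elif kind == "forward-zone":
            if last(s, "forward-tls-upstream", "no") != "yes":
                findings.append(f"forward-zone {name}: forward-tls-upstream is not yes, upstream is plaintext")
            if last(s, "forward-first", "no") == "yes":
                findings.append(f"forward-zone {name}: forward-first falls back to unbound's own (UDP) resolution")
        elif kind == "stub-zone":
            findings.append(f"stub-zone {name}: answered by its stub server, not through the TLS forwarder")
    if not any(s["_section"][0] == "forward-zone" and last(s, "name", "") == "." for s in sections):
        findings.append('no forward-zone for ".": names outside forwarded zones resolve iteratively over UDP')
    return findings
```

Running `audit(SAMPLE_CONF)` reports the `do-udp`, `forward-first` and `stub-zone` lines; a config with only the `.` forward-zone over TLS comes back clean.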

On 24/07/2019 13:15, RayG via Unbound-users wrote:
> Hi,
> 
> More questions on DoT…
> 
> Having set up DoT and got it all working, I was under the impression that
> all DNS queries would now use TLS over TCP. With that in mind I set:
> 
> do-udp: no
> 
> Having changed that setting, unbound will not answer any queries at all.
> 
> Either local-data
> 
> C:\>dig -x 192.168.1.20
> ; <<>> DiG 9.14.4 <<>> -x 192.168.1.3
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> Or external
> 
> C:\>dig www.microsoft.com
> ; <<>> DiG 9.14.4 <<>> www.microsoft.com
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> With UDP enabled there are no problems.
> 
> So the question is:
> 
> Why does UDP have to be enabled?
> 
> How can I be certain that ALL forwarded queries are over TCP if UDP is
> enabled?
> 
> Regards
> 
> Ray