DoT and UDP requirements

rgsub1 at
Wed Jul 24 13:47:49 UTC 2019

I wish I was more up to speed on how all this worked. I am getting there...
So apologies for the apparent ignorance.

I have unbound running on a PC. It has the local network defined as
private-domain: - local-zone:, local-data, local-data-ptr: localhost: etc.

All other queries are forwarded to servers that support DoT.

  name: "."
  forward-tls-upstream: yes
  # Quad9
  forward-addr: 2620:fe::fe at
  forward-addr: at
  forward-addr: 2620:fe::9 at
  #forward-addr: at
  # Cloudflare DNS
  forward-addr: 2606:4700:4700::1111 at
  forward-addr: at
  forward-addr: 2606:4700:4700::1001 at
  forward-addr: at

There are no other DNS servers that rely on this one for any services
whatsoever; it's 100% standalone.

All queries to the internet go via the forward server which supports DoT so
that should be doing the donkeywork to the wider internet and returning the
results. Unbound, going by the log file, does many queries to that server (all
using TLS authenticated over TCP) to gather all the information it requires
to either return the queried name as insecure or, if it has been signed, to
check that the signature can be validated.

If DNSSEC fails you get a SERVFAIL and no useful data returned (e.g. no IP
address in the A or AAAA record).

If it's not been signed you get the data whatever; it's then up to you if you
think where you are sent is valid (e.g. when using a browser).

So at this point I can't see where UDP would be used? As far as I can see
there are no queries that go to other servers on the internet that are NOT
those defined in the forward list.

What am I missing?


-----Original Message-----
From: Havard Eidnes <he at> 
Sent: 24 July 2019 12:49
To: rgsub1 at
Cc: unbound-users at
Subject: Re: DoT and UDP requirements

> Having setup DoT and got it all working, I was under the impression 
> that all DNS queries would now use TLS over TCP.

Where?  Between your client and your unbound recursor (where you have
control and can enable DNS-over-TLS-over-TCP), or outwards from your unbound
recursor to the rest of the net?  For the latter to work, each and every
publishing name server out there would have to have deployed
DNS-over-TLS-over-TCP.  To put it mildly, "we're not there yet", and I'm
doubtful we ever will be.

Even if you dropped "TLS", and only wanted to do TCP, I think that would
also work poorly, since still too many publishing name servers either don't
do DNS-over-TCP or there are firewalls on the path which prohibit it from


- Håvard
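
A configuration check along the lines of this thread, added here as an example and not taken from the posts above or from the Unbound project: it parses a forward-zone clause and flags upstreams that are not on the DoT port 853 or lack the #authname that makes Unbound verify the forwarder's certificate. The sample config is constructed; as Havard points out, such a check says nothing about traffic to servers other than the listed forwarders.

```python
import re

# Constructed sample of an unbound.conf forward-zone (not the poster's config):
# one upstream is fully specified, two are weakened in ways worth catching.
SAMPLE_CONF = """
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853
    forward-addr: 1.1.1.1
"""

# host, optional @port, optional #authname (Unbound's forward-addr syntax)
ADDR_RE = re.compile(r"^(?P<host>[^@#]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def parse_forward_zones(text):
    """Return one {name, tls, addrs} dict per forward-zone clause in the config text."""
    zones, zone = [], None
    for raw in text.splitlines():
        # A '#' glued to a token is an auth name, not a comment; only strip
        # comments that start the line or follow whitespace.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line == "forward-zone:":
            zone = {"name": None, "tls": False, "addrs": []}
            zones.append(zone)
            continue
        if line.endswith(":"):  # start of another clause (server:, etc.)
            zone = None
            continue
        if zone is None:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "name":
            zone["name"] = val
        elif key == "forward-tls-upstream":
            zone["tls"] = val.lower() in ("yes", "true")
        elif key == "forward-addr":
            zone["addrs"].append(val)
    return zones


def audit_forward_zone(zone):
    """Return findings as strings; an empty list means every upstream is DoT with a verified name."""
    findings = []
    if not zone["tls"]:
        findings.append(f"zone {zone['name']}: forward-tls-upstream is off, queries go in the clear")
    for addr in zone["addrs"]:
        m = ADDR_RE.match(addr)
        if not m:
            findings.append(f"{addr}: unparseable forward-addr")
            continue
        port = m.group("port") or "53"
        if port != "853":
            findings.append(f"{addr}: port {port} is not the DoT port 853")
        if not m.group("auth"):
            findings.append(f"{addr}: no #authname, so the upstream certificate name is not checked")
    return findings


if __name__ == "__main__":
    for z in parse_forward_zones(SAMPLE_CONF):
        print("\n".join(audit_forward_zone(z)) or f"zone {z['name']}: ok")
```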
