DoT and UDP requirements

rgsub1 at btinternet.com
Thu Jul 25 15:00:29 UTC 2019


Hi George,

OK I understand. 

The use of UDP by Windows clients to "talk" to Unbound was not something I
had considered. 

Thanks for clearing it up for me.

Ray

-----Original Message-----
From: George Thessalonikefs <george at nlnetlabs.nl> 
Sent: 24 July 2019 13:26
To: unbound-users at nlnetlabs.nl
Subject: Re: DoT and UDP requirements

Hi Ray,

Havard is right about the DNS ecosystem and the use of UDP.

However I want to clarify the unbound behavior in regards to what you are
trying to do:

Setting `do-udp: no` will disable UDP for unbound all together. That means
both upstream and downstream communication.
You can verify that by running the same dig commands but with the extra
`+tcp` option. This will force dig to use TCP to unbound and unbound will
answer normally.
Although you will get an answer because you forced your client to connect
via TCP, this cannot be guaranteed by other clients on your system. That's
why I don't advise on having `do-udp: no`.

From your configuration you should have something like
forward-zone:
  name: "."
  forward-addr: ...
  forward-tls-upstream: yes

If you don't have any other conflicting forward-zone or stub-zone directives
then all your upstream traffic goes to the defined DNS servers above over
TLS over TCP.

The only other caveat is the use of `forward-first: yes` inside
`forward-zone`. In your case you shouldn't use it because what it tries to
do is first try to get an answer from the configured DNS resolver and if
that fails it falls back to its own resolution.

I hope this is clear enough.

Best regards,
-- George

On 24/07/2019 13:15, RayG via Unbound-users wrote:
> Hi,
> 
> More questions on DoT
> 
> Having set up DoT and got it all working, I was under the impression
> that all DNS queries would now use TLS over TCP. With that in mind I set:
> 
> do-udp: no
> 
> Having changed that setting, unbound will not answer any queries at all.
> 
> Either local-data
> 
> C:\>dig -x 192.168.1.20
> 
> ; <<>> DiG 9.14.4 <<>> -x 192.168.1.3
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> Or external
> 
> C:\>dig www.microsoft.com
> 
> ; <<>> DiG 9.14.4 <<>> www.microsoft.com
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> 
> With UDP enabled there are no problems.
> 
> So the question is:
> 
> Why does UDP have to be enabled?
> 
> How can I be certain that ALL forwarded queries are over TCP if UDP is
> enabled?
> 
> Regards
> 
> Ray
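The settings George walks through above (do-udp, forward-tls-upstream, forward-first, and a conflicting forward-zone) can be checked mechanically before reloading Unbound. What follows is an added example, not code from this thread or from the Unbound project: a small POSIX shell linter that reads an unbound.conf on stdin and prints one line per setting that would break or weaken a DoT-only forwarder setup. The two sample configs are constructed for the example; 192.0.2.53@853#dot.example and 192.168.1.1 are placeholder upstreams, not real resolvers. The port and certificate checks rely on Unbound's documented behaviour: forward-addr talks to port 53 unless @port is appended, and without tls-cert-bundle, tls-system-cert or tls-win-cert the forwarder's certificate is not verified.

```shell
#!/bin/sh
# Added example (not from the thread or the Unbound project): lint the
# DoT-related settings of an unbound.conf read on stdin. Prints one line
# per finding; exit status 0 = clean, 1 = at least one finding.
# Assumptions: Unbound defaults as documented (forward-addr port 53 unless
# @port is given; no upstream cert verification without a CA bundle option).
lint_dot_conf() {
    awk '
    # Emit the findings for the forward-zone block that just ended.
    function flush() {
        if (section != "forward-zone:") return
        if (tls || gtls) any_tls = 1
        if (!(tls || gtls)) { n++; print "forward-zone " zname ": no forward-tls-upstream: yes, upstream queries to this zone go out in the clear" }
        if (first)          { n++; print "forward-zone " zname ": forward-first: yes falls back to plain iterative resolution when the forwarder fails" }
        if ((tls || gtls) && noport) { n++; print "forward-zone " zname ": forward-addr without @853 uses the default port 53, not the DoT port" }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blank lines
    /^[ \t]*[a-z-]+:[ \t]*$/ {                         # a bare "section:" line
        flush(); section = $1; zname = "?"; tls = 0; first = 0; noport = 0; next
    }
    section == "server:" && /^[ \t]*do-udp:[ \t]*no/                                   { udp_off = 1 }
    section == "server:" && /^[ \t]*tls-upstream:[ \t]*yes/                            { gtls = 1 }
    section == "server:" && /^[ \t]*(tls-cert-bundle|tls-system-cert|tls-win-cert):/   { bundle = 1 }
    section == "forward-zone:" && /^[ \t]*name:/                                       { zname = $2 }
    section == "forward-zone:" && /^[ \t]*forward-tls-upstream:[ \t]*yes/              { tls = 1 }
    section == "forward-zone:" && /^[ \t]*forward-first:[ \t]*yes/                     { first = 1 }
    section == "forward-zone:" && /^[ \t]*forward-addr:/ && $2 !~ /@/                  { noport = 1 }
    END {
        flush()
        if (udp_off) { n++; print "server: do-udp: no also disables UDP on the listening side, so ordinary stub clients time out" }
        if (any_tls && !bundle) { n++; print "server: TLS upstream configured but no tls-cert-bundle/tls-system-cert/tls-win-cert, so forwarder certificates are not verified" }
        exit (n > 0)
    }'
}

# Constructed config modelled on the thread: UDP switched off, a TLS
# forwarder without an explicit port or CA bundle, forward-first enabled,
# and a second LAN forward-zone with no TLS at all.
weak_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    do-udp: no
forward-zone:
    name: "."
    forward-addr: 192.0.2.53
    forward-tls-upstream: yes
    forward-first: yes
forward-zone:
    name: "lan.example"
    forward-addr: 192.168.1.1
EOF
}

# Constructed config with the corrections: UDP left at its default for
# clients, a single catch-all zone forwarding over TLS on 853 with an
# authentication name, a CA bundle to verify it, and no forward-first.
good_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
    do-udp: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-addr: 192.0.2.53@853#dot.example
    forward-tls-upstream: yes
EOF
}

# Demonstration: lint both constructed configs.
for conf in weak_conf good_conf; do
    echo "== $conf =="
    if $conf | lint_dot_conf; then echo "clean"; else echo "findings listed above, exit 1"; fi
done
```

On a live box the same function runs as `lint_dot_conf < /etc/unbound/unbound.conf` (assumed path). The runtime check George suggests still applies once do-udp is back at its default: `dig @127.0.0.1 +tcp example.com` and `dig @127.0.0.1 +notcp example.com` should both answer, while the upstream side can be confirmed with a packet capture showing only port 853 traffic leaving the host.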

More information about the Unbound-users mailing list