DNS over TLS with unbound on OpenWrt

Havard Eidnes he at uninett.no
Fri Feb 7 10:10:16 UTC 2020


> Dear unbound users,
>
> I have now set up unbound to use TLS encryption on my OpenWrt router.
> The setup is documented here:
>
> https://openwrt.org/docs/guide-user/services/dns/dot_unbound
>
> like this:
>
> config zone
> 	option enabled '1'
> 	option zone_type 'forward_zone'
> 	option tls_upstream '1'
> 	option tls_index 'dns.google'
> 	list zone_name '.'
> 	list server '8.8.8.8'
> 	list server '8.8.4.4'
> 	list server '2001:4860:4860::8888'
> 	list server '2001:4860:4860::8844'
>
>
> Unfortunately they use only Google DNS servers. AFAIK unbound uses
> root DNS servers by default.

Concept confusion alert!

By default unbound does not do query forwarding, and instead does its
own recursive query resolution, caching results, nesting its way down
the name hierarchy, and speaking directly to the publishing name
servers for each domain in the naming hierarchy in order to resolve a
given query.

Query forwarding relies on *other* recursive resolvers to perform
this function.

However, please do note that the root name servers do not provide
recursive resolution to *ANYONE*!  They are publishing name servers,
not recursive resolvers!

> My question is: 1. Are the root DNS servers able to do DNS over TLS?

Not that it matters, given the above, but I would think "no"; the root
name servers typically require the efficiency provided by the reduced
number of packets and the statelessness provided by the UDP-based DNS
service.

> 2. Where do I get a list of the root DNS servers to be able to add
> them to this config so that I am not dependent on Google only?

This question does not make sense, given the above.  You cannot
configure unbound to do "query forwarding" to the root name servers
and expect to get a useful result.

Best regards,

- Håvard
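
The two configurations that actually follow from the reply above, written as a raw unbound.conf fragment rather than the OpenWrt UCI form. This is an added example, not code from the original post, from the OpenWrt documentation or from the unbound project; the file paths, and the Cloudflare and Quad9 addresses used alongside the Google ones from the post, are assumptions chosen for illustration.

```conf
# Added example, not from the original thread. Two ways to avoid
# depending on a single forwarder, given that the root name servers
# never perform recursion and so can never be forwarded to.
server:
    # Required so that the "#name" after each forward-addr below is
    # actually checked against the upstream's TLS certificate.
    # The path is OpenWrt's ca-bundle location and is an assumption.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # DNSSEC validation works in both modes below; when forwarding it is
    # what lets unbound detect a forwarder that tampers with answers.
    # The path is an assumption.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Option A (unbound's default): have NO forward-zone for "." at all.
    # unbound then starts from the root hints compiled into it, follows
    # referrals down the hierarchy and talks to each zone's authoritative
    # servers itself, so no third-party resolver is involved. Those
    # queries are plain DNS over UDP/TCP, not DoT. A local copy of the
    # hints is optional; the path is an assumption.
    # root-hints: "/etc/unbound/root.hints"

# Option B: forward everything over DoT, but to several independent
# recursive resolvers instead of one provider. The "#name" after the
# port is the TLS authentication name unbound verifies for that specific
# address, so providers with different certificates can share one zone.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 2001:4860:4860::8888@853#dns.google
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net

# What does NOT belong in the list above: the root name servers. They
# are authoritative (publishing) servers; a query sent to them comes
# back as a referral to the TLD servers rather than a final answer, and
# as the reply above notes they are not expected to offer DoT either.
```

Use one option or the other, not both: a forward-zone for "." overrides unbound's own recursion for every name, so with Option B the root hints are never consulted. Option A is the setting unbound ships with, which is why the original question conflated the two.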


More information about the Unbound-users mailing list