dns over tls with unbound on openwrt

Erik Dobák erik.dobak at gmail.com
Fri Feb 7 13:07:06 UTC 2020 

On Fri, 7 Feb 2020 at 11:10, Havard Eidnes <he at uninett.no> wrote:

> > Dear unbound users,
> >
> > i did now setup unbound to use tls encryption on my openwrt router.
> > the setup is documented here:
> >
> > https://openwrt.org/docs/guide-user/services/dns/dot_unbound
> >
> > like this:
> >
> > config zone
> >       option enabled '1'
> >       option zone_type 'forward_zone'
> >       option tls_upstream '1'
> >       option tls_index 'dns.google'
> >       list zone_name '.'
> >       list server '8.8.8.8'
> >       list server '8.8.4.4'
> >       list server '2001:4860:4860::8888'
> >       list server '2001:4860:4860::8844'
> >
> >
> > unfortunately they use only google dns servers. afaik unbound uses
> > root dns servers per default.
>
> Concept confusion alert!
>
> By default unbound does not do query forwarding, and instead does its
> own recursive query resolution, caching results, nesting its way down
> the name hierarchy, and speaking directly to the publishing name
> servers for each domain in the naming hierarchy in order to resolve a
> given query.
>
> Query forwarding relies on *other* recursive resolvers to perform
> this function.
>
> However, please do note that the root name servers do not provide
> recursive resolution to *ANYONE*!  They are publishing name servers,
> not recursive resolvers!
>
> > my question is 1. are the root dns servers able to do dns over tls?
>
> Not that it matters, given the above, but I would think "no"; the root
> name servers typically require the efficiency provided by the reduced
> number of packets and the statelessness provided by the UDP-based DNS
> service.
>
> > 2.  where do i get a list of the root dns servers to be able to add
> > them to this config so that i am not dependant on google only.
>
> This question does not make sense, given the above.  You cannot
> configure unbound to do "query forwarding" to the root name servers
> and expect to get a useful result.
>
> Best regards,
>
> - Håvard
>

ok maybe i do not understand how unboud or even any DNS server works. let
me rephrase my questions:

in default unbound config i do not define any DNS servers.
in the openwrt/luci config for unbound i had to define 8.8.8.8 and
tls_index to google.
is there any way to configure this to use unbound with the default config +
dns over tls but not to define google dns servers?

Yours sincerely

E
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200207/386f3e3a/attachment.htm>

More information about the Unbound-users mailing list