dns over tls with unbound on openwrt

Eric Luehrsen ericluehrsen at gmail.com
Wed Feb 12 00:50:24 UTC 2020


On 2/7/20 8:59 AM, Havard Eidnes via Unbound-users wrote:
>> ok, maybe I do not understand how unbound or even any DNS server works. let
>> me rephrase my questions:
>>
>> in default unbound config i do not define any DNS servers.
> 
> Right.  You can specify the hints for where to find the root name
> servers in the DNS via the "root-hints:" unbound.conf option, but
> unbound has a built-in default list corresponding to the list of
> root name servers on the public Internet.
> 
>> in the openwrt/luci config for unbound i had to define 8.8.8.8 and
>> tls_index to google.
>> is there any way to configure this to use unbound with the
>> default config + dns over tls but not to define google dns servers?
> 
> The correct address to send that question to must be to those who
> put the "config framework" on top of unbound for openwrt.
> 
> Unbound itself does not require another external recursive name
> server, as unbound can itself act as a recursive name server.
> Unbound's ability to do so, of course, relies on unbound not
> being prevented to talk the DNS protocol directly to the outside
> world via e.g. an ACL.
> 
> Regards,
> 
> - Håvard

Please use the OpenWrt forum (https://forum.openwrt.org/) or the OpenWrt issue 
tracker on GitHub (https://github.com/openwrt/packages). The Unbound package's 
use of the OpenWrt UCI framework is also documented on GitHub 
(https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md).

Unbound can do both recursive and forward DNS. DNS-over-TLS is mostly 
(only?) used for forwarding configurations, because authoritative 
servers will not like the TCP load. DoT is a highly desirable feature. 
Because it may be difficult for some to configure at first, Google's 
example is provided ready to use but disabled. You can change that 
forward-zone section or replace it entirely (Cloudflare, Quad9, ...). 
You can also choose to make such forwarding exclusive, or allow Unbound 
to fall back on recursion if the forward destinations do not respond.

After you give that a read through and maybe a few tries, I will be 
happy to help you further.

Your Unbound for OpenWrt maintainer,
Eric
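The two forwarding modes Eric describes, written as a plain unbound.conf fragment (an added example, not from the original thread and not the OpenWrt package's UCI file; the Quad9 address, port and authentication name are assumptions chosen for illustration, and the CA bundle path is the usual Debian/OpenWrt location, which you should verify on your system):

```conf
# Added example: DNS-over-TLS forwarding in native unbound.conf syntax.
# Not the OpenWrt UCI format; translate the equivalent options there.

server:
    # CA bundle used to verify the upstream's certificate. Without this
    # Unbound still encrypts, but cannot authenticate the server name
    # given after '#' below, so a MITM on port 853 would go unnoticed.
    # Path is an assumption: check where your system keeps its CA bundle.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# Forward everything ('.') over TLS to the chosen resolver.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IPv4 address @ TLS port # name to authenticate the certificate against.
    # Quad9 is used here purely as an example; Cloudflare or others work the same.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Exclusive forwarding: 'no' means Unbound never falls back to plain
    # recursion, so a failing DoT upstream yields SERVFAIL rather than a
    # silent downgrade to cleartext recursion. Set 'yes' to allow the
    # fallback-to-recursion behaviour described in the message above.
    forward-first: no
```

Check the result with `unbound-checkconf` before restarting, then query through the resolver with `dig @127.0.0.1 example.com` and confirm with a packet capture that outbound DNS traffic goes to TCP port 853 of the forwarder rather than UDP/53 of arbitrary authoritative servers. If you do enable `forward-first: yes`, remember that a downgrade to unencrypted recursion is then exactly what happens when the DoT upstream is blocked or unreachable.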

