dns over tls with unbound on openwrt

Elmar Stellnberger estellnb at gmail.com
Wed Feb 12 14:23:38 UTC 2020

What is the difference between recursive and forward DNS?

Am 12.02.20 um 01:50 schrieb Eric Luehrsen via Unbound-users:
> On 2/7/20 8:59 AM, Havard Eidnes via Unbound-users wrote:
>>> ok maybe i do not understand how unboud or even any DNS server 
>>> works. let
>>> me rephrase my questions:
>>> in default unbound config i do not define any DNS servers.
>> Right.  You can specify the hints for where to find the root name
>> servers in the DNS via the "root-hints:" unbound.conf option, but
>> unbound has a built-in default list corresponding to the list of
>> root name servers on the public Internet.
>>> in the openwrt/luci config for unbound i had to define and
>>> tls_index to google.
>>> is there any way to configure this to use unbound with the
>>> default config + dns over tls but not to define google dns servers?
>> The correct address to send that question to must be to those who
>> put the "config framework" on top of unbound for openwrt.
>> Unbound itself does not require another external recursive name
>> server, as unbound can itself act as a recursive name server.
>> Unbound's ability to do so, of course, relies on unbound not
>> being prevented to talk the DNS protocol directly to the outside
>> world via e.g. an ACL.
>> Regards,
>> - Håvard
> Please use OpenWrt forum (https://forum.openwrt.org/) or OpenWrt 
> issues manager at github (https://github.com/openwrt/packages). 
> Unbound package use of OpenWrt UCI frame work is documented on github 
> also 
> (https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md).
> Unbound can do both recursive and forward DNS. DNS-over-TLS is most 
> (only?) used for forwarding configurations, because authoritative 
> servers will not like the TCP load. DoT is a highly desirable feature. 
> Because it may be difficult for some to configure at first, Google's 
> example is provided ready to use but disabled. You can change that 
> forward zone section or replace it entirely (cloudflare, quad9, ...). 
> You can also choose to make such forwarding exclusive, or allow 
> Unbound to fall back on recursion, if forward destinations do not 
> respond.
> After you give that a read through and maybe a few tries, I will be 
> happy to help you further.
> Your Unbound for OpenWrt maintainer,
> Eric

More information about the Unbound-users mailing list