exposing unbound over dns-over-https (doh)

Stuart Henderson stu at spacehopper.org
Sat Jan 18 20:49:07 UTC 2020

On 2020/01/18 08:42, Martin Monperrus via Unbound-users wrote:
> Hi all,
> What's the recommended way to expose an unbound instance with the dns-over-https (doh) protocol?
> Thanks!
> --Martin

Front-ending with dnsdist works great. Here's a basic config:

-- dnsdist configuration (Lua). Upstream unbound instance, as host:port.
newServer({address="", name="unbound-upstream"})

-- DoH listeners: listen address, certificate chain, private key, URL path(s),
-- and options. doTCP=true also accepts plain TCP on the socket; reusePort
-- lets several dnsdist processes or threads bind the same address.
addDOHLocal("", "/etc/ssl/fullchain.pem", "/etc/ssl/private/server.key", "/", {doTCP=true, reusePort=true})
addDOHLocal("[2001:db8::1]:53", "/etc/ssl/fullchain.pem", "/etc/ssl/private/server.key", "/", {doTCP=true, reusePort=true})

-- Packet cache: 10000 entries, TTL bounds and a short TTL for SERVFAIL/stale answers.
pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
-- A cache only takes effect once it is attached to a pool; attach it to the default pool.
getPool(""):setCache(pc)

More info at https://dnsdist.org/guides/dns-over-https.html
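An added example, not part of the thread or of dnsdist: a minimal RFC 8484 DoH GET client in Python that can be pointed at a dnsdist front end like the one above (URL path "/") to confirm it answers with application/dns-message. The hostname doh.example.net is a placeholder.

```python
"""Minimal RFC 8484 DoH GET check for a dnsdist front end (added example)."""
import base64
import struct
import urllib.request


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build a DNS query in wire format. txid=0 is the RFC 8484 recommendation
    for GET requests, so identical questions produce identical (cacheable) URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url(query)> with '=' padding removed."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={enc}"


def parse_response(msg: bytes) -> dict:
    """Return the header fields of a DNS response: id, QR bit, RCODE, section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def check_doh(base_url: str, name: str) -> dict:
    """Send one DoH GET (network access) and return the parsed response header.
    Raises if the endpoint does not answer with application/dns-message."""
    req = urllib.request.Request(doh_get_url(base_url, build_query(name)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.startswith("application/dns-message"):
            raise ValueError(f"unexpected Content-Type: {ctype!r}")
        return parse_response(resp.read())


if __name__ == "__main__":
    # Placeholder endpoint; replace with the dnsdist DoH listener's URL.
    print(check_doh("https://doh.example.net/", "example.com"))
```

A result with qr set and rcode 0 shows the dnsdist listener terminated TLS, decoded the GET form and forwarded to unbound; rcode 2 (SERVFAIL) usually points at the upstream.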
