exposing unbound over dns-over-https (doh)
Stuart Henderson
stu at spacehopper.org
Sat Jan 18 20:49:07 UTC 2020
On 2020/01/18 08:42, Martin Monperrus via Unbound-users wrote:
> Hi all,
>
> What's the recommended way to expose an unbound instance with the dns-over-https (doh) protocol?
>
> Thanks!
>
> --Martin
Front-ending with dnsdist works great. Here's a basic config:
--snip----
addACL('0.0.0.0/0')
addACL('::/0')
newServer({address="127.0.0.1", name="unbound-upstream"})
addDOHLocal("192.0.2.1:53", "/etc/ssl/fullchain.pem", "/etc/ssl/private/server.key", "/", {doTCP=true, reusePort=true})
addDOHLocal("[2001:db8::1]:53", "/etc/ssl/fullchain.pem", "/etc/ssl/private/server.key", "/", {doTCP=true, reusePort=true})
pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
--snip----
More info at https://dnsdist.org/guides/dns-over-https.html
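To check a dnsdist DoH listener like the one above from the client side, here is an added example (not from the post, dnsdist or Unbound) that builds the RFC 8484 GET form of a DNS query and parses the wire-format answer; the hostname doh.example.net and the sample response are constructed placeholders.

```python
"""RFC 8484 DNS-over-HTTPS message helpers (added example)."""
import base64
import struct


def build_query(qname: str, qtype: int = 1) -> bytes:
    """DNS wire-format query: ID 0 (RFC 8484 4.1 suggests it for cacheability), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: the query goes in ?dns= as base64url with padding removed."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def decode_dns_param(param: str) -> bytes:
    """Inverse of the ?dns= encoding: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Return the ID, RCODE and A-record addresses of an application/dns-message body."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "answers": answers}


# Constructed sample answer (not a capture): QR/RD/RA set, NOERROR, one A record for the question.
_Q = build_query("example.com")
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + _Q[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7]))

if __name__ == "__main__":
    print(doh_get_url("https://doh.example.net/", _Q))
    print(parse_response(SAMPLE_RESPONSE))
```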