exposing unbound over dns-over-https (doh)

Stuart Henderson stu at spacehopper.org
Sat Jan 18 20:49:07 UTC 2020


On 2020/01/18 08:42, Martin Monperrus via Unbound-users wrote:
> Hi all,
> 
> What's the recommended way to expose an unbound instance with the dns-over-https (doh) protocol?
> 
> Thanks!
> 
> --Martin

Front-ending with dnsdist works great. Here's a basic config:

--snip----
addACL('0.0.0.0/0')
addACL('::/0')

newServer({address="127.0.0.1", name="unbound-upstream"})

addDOHLocal("192.0.2.1:53", "/etc/ssl/fullchain.pem", "/etc/ssl/private/server.key", "/", {doTCP=true, reusePort=true})
addDOHLocal("[2001:db8::1]:53", "/etc/ssl/fullchain.pem", "/etc/ssl/private/server.key", "/", {doTCP=true, reusePort=true})

pc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool(""):setCache(pc)
--snip----

More info at https://dnsdist.org/guides/dns-over-https.html
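One way to check the listener once it is up, added here and not part of the post or of dnsdist's own tooling: build an RFC 8484 GET query for a name, then decode the application/dns-message reply. The listener URL is assumed to match the addDOHLocal() line in the config above; the sample reply is constructed, not captured from a server.

```python
import base64
import ipaddress
import struct
import urllib.request
from urllib.parse import urlencode

def build_query(name: str, qtype: int = 1) -> bytes:
    # Wire-format query with ID 0 and RD set, as RFC 8484 suggests for cache-friendly GET requests.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def doh_get_url(base_url: str, name: str, qtype: int = 1) -> str:
    # RFC 8484 GET form: the query travels in ?dns= as base64url with the '=' padding stripped.
    dns = base64.urlsafe_b64encode(build_query(name, qtype)).rstrip(b"=").decode("ascii")
    return base_url + "?" + urlencode({"dns": dns})

def _skip_name(wire: bytes, off: int) -> int:
    # Advance past a domain name; a compression pointer (top two bits set) is two bytes and ends it.
    while wire[off] != 0:
        if wire[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + wire[off]
    return off + 1

def parse_response(wire: bytes) -> dict:
    # Pull RCODE and any A/AAAA answers out of an application/dns-message reply.
    ident, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", wire, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(wire, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(wire, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
        rdata = wire[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if (rtype, rdlen) in ((1, 4), (28, 16)):
            answers.append(str(ipaddress.ip_address(rdata)))
    return {"id": ident, "rcode": flags & 0xF, "answers": answers}

def resolve(name: str, base_url: str = "https://192.0.2.1:53/") -> dict:
    # Assumption: base_url is the addDOHLocal() listener and path from the config above; needs network access.
    req = urllib.request.Request(doh_get_url(base_url, name), headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_response(resp.read())

# Constructed sample reply (not captured from a server): NOERROR, one A record, owner name compressed.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

With the ACL above set to 0.0.0.0/0 and ::/0, anyone who can reach the listener can run this same check, so pair it with a look at who is actually able to reach that address.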
