unbound + doh + curl + firefox (was: Unbound 1.12.0rc1 pre-release)

A. Schulze sca at andreasschulze.de
Mon Oct 5 16:54:07 UTC 2020

reply on-list again...

Am 05.10.20 um 09:34 schrieb Alexander Moentjens:
> Could you please elaborate on how DoH in Unbound is working with Firefox for you?


		interface: at 443
        	interface: ::@443
        	https-port: 443
        	tls-service-pem: "/path/to/cert+intermediate.pem"
        	tls-service-key: "/path/to/key.pem"

use a recent version of curl, for now 7.64.0
curl -I -v --doh-url https://your.unbound.example/dns-query https://nlnetlabs.nl

use a recent version of Firefox, for now 81.0.1

settings -> proxy
 -> enable "DNS over HTTPS"
 -> custom
 -> https://your.unbound.example/dns-query

use "https://your.unbound.example:port/dns-query" if running DoH not on 443

close firefox
start firefox

access some random websites

 -> check that "trr" is shown as yes
 -> see "false" for your.unbound.example

Now, Firefox will use DoH if available or Do53. Whatever works. You will not notice any fallback to Do53.
But disabling Do53 at all is possible:
- https://wiki.mozilla.org/Trusted_Recursive_Resolver
- https://support.mozilla.org/de/kb/firefox-dns-%C3%BCber-https

 network.trr.mode = 3

as no "classical" resolver should be used, you've to provide some glue:
the address of your.unbound.example...

 network.trr.bootstrapAddress = IPv4 or IPv6 of your.unbound.example

close firefox
start firefox

access some other random websites

check about:networking#dns again
notice no entry for your.unbound.example
notice no traffic on Do53


More information about the Unbound-users mailing list