DNS over TLS and ESNI in Unbound

Havard Eidnes he at uninett.no
Tue Nov 2 20:02:52 UTC 2021

> Unbound user since some time (associated with pi-hole) and I'm trying
> to make a proper configuration for DoT and ESNI. I have some questions:
> The howtos I found on enabling DNS over TLS all prescribe to forward
> DoT queries to public resolvers (e.g Cloudflare, Quad9); the interest
> of using Unbound is precisely to not have to use these public resolvers
> but to directly contact the authoritative servers.

Right.  There may be several reasons for this.

One could be that if the purpose is to thwart your ISP from
sniffing your DNS traffic, either on their own recursive name
server or on your access, sending the DNS queries to some remote
server entity using TLS will accomplish that goal.  It will,
though, expose your query pattern to the remote server operator.
Then you need to decide if you wish to trust the remote server

If you wish to do your own recursion, that is possible, but it's
incompatible with query-forwarding.  With "qname-minimisation"
turned on, you won't expose your entire query to the publication
name servers in the higher levels in the delegation hierarchy.

However, if your ISP is sniffing your DNS traffic (I don't think
that is very common(?)), it can still see the query pattern, even
though it's split up over several packets, and of course when the
"last-level" query is done, the entire query will be in that

> What exactly is forwarded?

That is decided by the "forward-zone" configuration in unbound's
case.  However, once it's decided that a query name matches a
forwarding spec, the entire query is forwarded to the remote
recursive server -- unbound will in that case just appear as a
client of a recursive DNS server, and will not split up the query
into several "smaller" queries.  With

name: "."

in a forward-zone section, every name will match and will be
forwarded as directed.  This is in some sense incompatible with
the goal of running your own recursive resolver.

> Is it the entire query on only a TLS key exchange?

I'm not able to parse that question and make sense of the result,
sorry.  Ask again with different words?

> Why can't we contact directly authoritative servers in DoT?

Because...  DNS publication servers have historically not been
and are still to this day typically not configured to provide DoT
service.  DNS over UDP is quite a bit more light-weight both in
terms of "number of round-trips to complete a query", and "state
consumed at the server to complete a query".  There's also the
unresolved question of how you announce in the DNS that a
publication name server provides DoT service, I don't even think
we have a mechanism for that.  You could query opportunistically,
and waste time and (network) resources trying for more than 99%
of queries, with obvious negative consequences.


- Håvard
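The two configurations contrasted in the reply above, written out as an added example (this is not from the original message or from the Unbound project; it is a constructed unbound.conf). The forward-zone with name "." matches every query and sends it, whole, over DoT to the public resolver operators named in the question; removing that section makes Unbound do its own recursion from the root hints, where qname-minimisation limits what each authoritative server sees. The resolver addresses and TLS authentication names for Quad9 and Cloudflare are the publicly documented ones; the file paths (CA bundle, root hints, trust anchor) are assumptions that vary by distribution.

```conf
# Constructed example unbound.conf: forwarding over DoT vs. own recursion.
# Paths below are assumptions; adjust them for your distribution.
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow

    # DNSSEC validation applies in both modes (trust anchor path assumed).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Only used when no forward-zone matches: Unbound walks the
    # delegation hierarchy itself, starting from the root servers
    # (root hints path assumed).
    root-hints: "/var/lib/unbound/root.hints"

    # Send only the labels each authoritative server needs to delegate,
    # so "www.example.org" is not shown in full to the root or TLD
    # servers.  Has no effect on queries that are forwarded whole.
    qname-minimisation: yes
    qname-minimisation-strict: no

    # CA bundle used to authenticate DoT upstreams (path assumed).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

# MODE A: forward everything over DNS-over-TLS to a public resolver.
# name: "." matches every query name, so Unbound becomes a plain
# client of the remote recursive server and the remote operator
# sees your entire query pattern; your ISP sees only TLS to port 853.
# Delete or comment out this whole section to switch to MODE B.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # addr@port#authname: the name after '#' is checked against the
    # upstream's certificate, so an on-path attacker cannot swap it.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

# MODE B: own recursion.  With no forward-zone matching, Unbound
# talks directly to the authoritative servers over plain UDP/TCP
# (no DoT, since they do not offer it), and qname-minimisation
# above is what limits exposure at each level of the hierarchy.
# Nothing further is needed here; the server section is sufficient.
```

Run `unbound-checkconf` on the file before reloading. Note the trade-off the reply spells out: mode A hides query contents from the ISP but hands the full pattern to the forwarder; mode B keeps queries local but the final query to the zone's own name servers still travels in the clear, and anyone on your access link can see it.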
