How DoH settings should work

Vladimir Lomov lomov.vl at
Tue May 16 08:07:52 UTC 2023


I have installed and configured unbound on some of my hosts and wanted to try
DNS-over-HTTPS provided by unbound.

I figured out how to configure unbound (`interface`, `outgoing-interface` and
`access-control`) to use it on the local host and from the local network.

To use DoH, I generated a certificate for DoH and put this in `unbound.conf`:

   tls-service-key: "/etc/cert/hosts/doh.key"
   tls-service-pem: "/etc/cert/hosts/doh.crt"
   https-port: 3053

But it didn't work, when I did

$ dig +https -p 3053 @::1

I got 'connection refused'.

I re-read the documentation carefully and found the following:

https-port: <number>

   The port number on which to provide DNS-over-HTTPS service. Only interfaces
   configured with that port number as @number get the HTTPS service.

   Default: 443

If I get it right, then besides these lines (example!):

   interface: ::1

I also need these

   interface: ::1@3053
   interface: @3053

I added the appropriate lines on three hosts and now `dig +https` works!  But
on the fourth host it works even without these lines! This puzzles me. The
hosts have different network settings, but the fourth host doesn't have a
public IPv6 address, only a ULA one.

So how should DoH be configured? If I change `https-port`, I MUST add
something like
   interface: ::1@PORT
or is the `https-port` setting enough?

WBR, Vladimir Lomov

You will not censor me through bug terrorism.
		-- James Troup
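As an added example (not part of the original message and not unbound's own code), a small Python checker that applies the manual's rule quoted above to an unbound.conf text: only `interface:` lines whose `@number` equals `https-port` get the HTTPS service, everything else serves plain DNS. The sample config, the regexes and the function names are constructed for this example.

```python
"""Report which `interface:` lines in an unbound.conf really get DoH.

Manual rule: only interfaces configured with the https-port number as
@number provide the DNS-over-HTTPS service (default https-port: 443).
"""
import re
from typing import Dict, List

# Constructed sample mirroring the post: https-port moved to 3053, one
# interface without an explicit port and one with @3053.
SAMPLE_CONF = """
server:
    interface: ::1
    interface: ::1@3053
    interface: 192.0.2.10
    port: 53
    tls-service-key: "/etc/cert/hosts/doh.key"
    tls-service-pem: "/etc/cert/hosts/doh.crt"
    https-port: 3053
"""

def _option(conf: str, name: str, default: str) -> str:
    # Options are `name: value`; '#' starts a comment. Anchored so that
    # "port:" does not match "https-port:".
    m = re.search(rf"^\s*{name}:\s*([^#\s]+)", conf, re.MULTILINE)
    return m.group(1).strip('"') if m else default

def classify_interfaces(conf: str) -> Dict[str, List[str]]:
    """Group interface lines by the service they will actually provide."""
    dns_port = int(_option(conf, "port", "53"))
    https_port = int(_option(conf, "https-port", "443"))
    result: Dict[str, List[str]] = {"doh": [], "dns": [], "other": []}
    for m in re.finditer(r"^\s*interface:\s*([^#\s]+)", conf, re.MULTILINE):
        iface = m.group(1)
        # An explicit "@port" suffix overrides the global `port:` value.
        _addr, sep, port = iface.rpartition("@")
        port_num = int(port) if sep else dns_port
        if port_num == https_port:
            result["doh"].append(iface)
        elif port_num == dns_port:
            result["dns"].append(iface)
        else:
            result["other"].append(iface)
    return result

def doh_problems(conf: str) -> List[str]:
    """Reasons why `dig +https -p <https-port>` would get no listener."""
    problems = []
    if not classify_interfaces(conf)["doh"]:
        problems.append("no interface listens on https-port "
                        + _option(conf, "https-port", "443"))
    for key in ("tls-service-key", "tls-service-pem"):
        if _option(conf, key, "") == "":
            problems.append(f"{key} is not set; HTTPS needs a certificate")
    return problems
```

Removing the `interface: ::1@3053` line from the sample reproduces the "connection refused" situation: `https-port` is set, but no interface carries that port.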
