How DoH settings should work
Vladimir Lomov
lomov.vl at bkoty.ru
Tue May 16 08:07:52 UTC 2023
Hello.
I have installed and configured unbound on some of my hosts and wanted to try
DNS-over-HTTPS provided by unbound.
I figured out how to configure unbound (`interface`, `outgoing-interface` and
`access-control`) to use it on the local host and from the local network.
To use DoH, I generated a certificate for DoH and put this in `unbound.conf`:
```
tls-service-key: "/etc/cert/hosts/doh.key"
tls-service-pem: "/etc/cert/hosts/doh.crt"
https-port: 3053
```
But it didn't work, when I did
```
$ dig +https -p 3053 @::1 google.com
```
I got 'connection refused'.
I re-read the documentation carefully and found the following:
```
https-port: <number>
The port number on which to provide DNS-over-HTTPS service. Only interfaces
configured with that port number as @number get the HTTPS service.
Default: 443
```
If get it right, then besides these lines (example!):
```
interface: ::1
interface: 127.0.0.1
```
I also need these
```
interface: ::1 at 3053
interface: 127.0.0.1 at 3053
```
I added the appropriate lines on three hosts and now `dig +https` works! But
on the fourth host it works even without these lines! This puzzles me. The
hosts have different network settings, but the fourth host doesn't have a
public IPv6 address, only a ULA one.
So how should DoH be configured? If I change `https-port`, I MUST add
something like
```
interface: ::1 at PORT
```
or is the `https-port` setting enough?
---
WBR, Vladimir Lomov
--
You will not censor me through bug terrorism.
-- James Troup
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20230516/4e15457e/attachment.bin>
More information about the Unbound-users
mailing list