How DoH settings should work

George (Yorgos) Thessalonikefs george at nlnetlabs.nl
Tue May 16 10:25:50 UTC 2023


Hi Vladimir,

'https-port:' makes sure that DoH is used for listening sockets using 
that specific port.

In order to use the port you need to explicitly define it with 'interface:'.

The port in 'interface:' is optional and will default to 53, or the 
value of 'port:' if that is changed.

For example, if you set 'https-port: 53', and don't define a port in 
'interface:', Unbound will only listen for DoH.

In your case with the following configuration:
     interface: ::1
     interface: 127.0.0.1
     interface: ::1@3053
     interface: 127.0.0.1@3053
     https-port: 3053

Unbound will listen for plain DNS on port 53 and for DoH on port 3053 on 
127.0.0.1 and ::1.

Best regards,
-- Yorgos

On 16/05/2023 10:07, Vladimir Lomov via Unbound-users wrote:
> Hello.
> 
> I have installed and configured unbound on some of my hosts and wanted 
> to try
> DNS-over-HTTPS provided by unbound.
> 
> I figured out how to configure unbound (`interface`, 
> `outgoing-interface` and
> `access-control`) to use it on the local host and from the local network.
> 
> To use DoH, I generated a certificate for DoH and put this in 
> `unbound.conf`:
> 
> ```
>    tls-service-key: "/etc/cert/hosts/doh.key"
>    tls-service-pem: "/etc/cert/hosts/doh.crt"
>    https-port: 3053
> ```
> 
> But it didn't work, when I did
> 
> ```
> $ dig +https -p 3053 @::1 google.com
> ```
> 
> I got 'connection refused'.
> 
> I re-read the documentation carefully and found the following:
> 
> ```
> https-port: <number>
> 
>    The port number on which to provide DNS-over-HTTPS service. Only 
> interfaces
>    configured with that port number as @number get the HTTPS service.
> 
>    Default: 443
> ```
> 
> If I get it right, then besides these lines (example!):
> 
> ```
>    interface: ::1
>    interface: 127.0.0.1
> ```
> 
> I also need these
> 
> ```
>    interface: ::1@3053
>    interface: 127.0.0.1@3053
> ```
> 
> I added the appropriate lines on three hosts and now `dig +https` 
> works!  But
> on the fourth host it works even without these lines! This puzzles me. The
> hosts have different network settings, but the fourth host doesn't have a
> public IPv6 address, only a ULA one.
> 
> So how should DoH be configured? If I change `https-port`, I MUST add
> something like
> ```
>    interface: ::1@PORT
> ```
> or is the `https-port` setting enough?
> 
> ---
> WBR, Vladimir Lomov
> 

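The rule Yorgos describes (a socket gets DoH only when its port equals `https-port:`; an `interface:` without `@port` falls back to `port:`, default 53) can be checked before restarting Unbound. The script below is an added example written for this thread, not Unbound's own code: it parses an `unbound.conf` fragment, lists every listening socket with the service it will provide, and reports the two situations that produce "connection refused" on a `dig +https` test: `https-port` set but no interface bound to that port (Vladimir's first attempt), or DoH sockets defined without the `tls-service-key`/`tls-service-pem` pair the thread's configuration uses. Both sample configurations are constructed to mirror the thread; the parser is a flat, single-clause reader and does not cover every `unbound.conf` construct.

```python
"""Classify the listening sockets an unbound.conf fragment defines.

Added example, not Unbound code. It models the rule from the thread:
  - 'interface: ADDR'    listens on 'port:' (default 53)
  - 'interface: ADDR@N'  listens on N
  - a socket serves DoH only when its port equals 'https-port:' (default 443)
  - every other socket serves plain DNS
"""
import re

DEFAULT_PORT = 53
DEFAULT_HTTPS_PORT = 443

# Constructed sample: the working layout from the thread.
WORKING_CONF = """
server:
    interface: ::1
    interface: 127.0.0.1
    interface: ::1@3053
    interface: 127.0.0.1@3053
    https-port: 3053
    tls-service-key: "/etc/cert/hosts/doh.key"
    tls-service-pem: "/etc/cert/hosts/doh.crt"
"""

# Constructed sample: https-port set, but no interface uses that port.
BROKEN_CONF = """
server:
    interface: ::1
    interface: 127.0.0.1
    https-port: 3053
    tls-service-key: "/etc/cert/hosts/doh.key"
    tls-service-pem: "/etc/cert/hosts/doh.crt"
"""

CLAUSE_HEADER = re.compile(r"[a-z][\w-]*:")  # e.g. 'server:'


def parse_conf(text):
    """Return (interfaces, options): raw 'interface:' values in order, and a
    dict of the other keys (last value wins). '#' comments and clause headers
    are skipped; surrounding double quotes on values are removed."""
    interfaces, options = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or CLAUSE_HEADER.fullmatch(line):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if key == "interface":
            interfaces.append(value)
        else:
            options[key] = value
    return interfaces, options


def split_interface(value, default_port):
    """Split 'ADDR@PORT' into (addr, port). IPv6 literals contain ':', so only
    Unbound's '@' separator is used; without it the default port applies."""
    addr, sep, port = value.rpartition("@")
    return (addr, int(port)) if sep else (value, default_port)


def listening_sockets(text):
    """List (addr, port, service) for each socket the fragment opens, where
    service is 'DoH' when the port matches https-port and 'DNS' otherwise."""
    interfaces, options = parse_conf(text)
    base_port = int(options.get("port", DEFAULT_PORT))
    https_port = int(options.get("https-port", DEFAULT_HTTPS_PORT))
    sockets = []
    for value in interfaces:
        addr, port = split_interface(value, base_port)
        sockets.append((addr, port, "DoH" if port == https_port else "DNS"))
    return sockets


def check_doh(text):
    """Findings that explain a refused DoH connection: no interface bound to
    https-port, or DoH sockets without the TLS key/certificate pair."""
    _, options = parse_conf(text)
    https_port = int(options.get("https-port", DEFAULT_HTTPS_PORT))
    doh = [s for s in listening_sockets(text) if s[2] == "DoH"]
    findings = []
    if not doh:
        findings.append(f"https-port is {https_port} but no interface listens "
                        f"on @{https_port}; DoH is not served")
    elif not (options.get("tls-service-key") and options.get("tls-service-pem")):
        findings.append("DoH sockets defined but tls-service-key/pem are missing")
    return findings


if __name__ == "__main__":
    for name, conf in (("working", WORKING_CONF), ("broken", BROKEN_CONF)):
        print(name, listening_sockets(conf), check_doh(conf) or "OK")
```

Running the script prints four sockets for the working fragment (two plain DNS on 53, two DoH on 3053) and, for the broken one, only the two port-53 sockets plus the finding that nothing listens on `@3053`. It also reproduces Yorgos's caveat: with `https-port: 53` and no `@port` on the interfaces, every socket is classified as DoH and no plain DNS is served.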
