DOT
LuMiWa
lumiwa at dismail.de
Thu Apr 4 21:49:09 UTC 2024
Hi!
I am using DNS over TLS caching DNS, port 853, on Unbound 1.19.3. It
works, but it doesn't work with Quad9.
My unbound.conf:
# DNS Over TLS, Simple ENCRYPTED recursive caching DNS, TCP port 853
## FreeBSD 14 unbound config
#
server:
    port: 53
    directory: "/usr/local/etc/unbound"
    username: unbound
    chroot: "/usr/local/etc/unbound"
    module-config: "validator iterator"
    access-control: 127.0.0.1/8 allow
    # access-control: 192.168.0.0/16 allow
    # access-control: fddd::/48 allow
    # unblock-lan-zones: yes
    # insecure-lan-zones: yes
    aggressive-nsec: yes
    cache-max-ttl: 14400
    cache-min-ttl: 1200
    # root-hints: /usr/local/etc/unbound/root.hints
    # auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    include: /usr/local/etc/unbound/voidZones
    logfile: /usr/local/etc/unbound/unbound.log
    verbosity: 1
    log-queries: yes
    log-time-ascii: yes
    val-log-level: 2
    use-syslog: no
    do-ip4: yes
    do-ip6: yes
    do-tcp: yes
    do-udp: yes
    hide-identity: yes
    hide-version: yes
    qname-minimisation: no
    # minimal-responses: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    # disable-dnssec-lame-check: yes
    interface: 127.0.0.1
    interface: ::0
    pidfile: /var/run/unbound.pid
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    so-reuseport: yes
    val-clean-additional: yes
    unwanted-reply-threshold: 10000
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"
    use-caps-for-id: yes
    # Unbound from pkg built with libevent; increase threads and slabs to the
    # number of real cpu cores to reduce lock contention. Increase cache size to
    # store more records and allow each thread to serve an increased number of
    # concurrent client requests.
    num-threads: 4
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8
    msg-cache-size: 128M
    rrset-cache-size: 256M
    outgoing-range: 950
    num-queries-per-thread: 512

# forward-addr format must be ip "@" port number "#" followed by the valid public hostname
# in order for unbound to use the tls-cert-bundle to validate the dns server certificate.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: no
    forward-addr: 116.203.32.217@853#fdns1.dismail.de
    forward-addr: 159.69.114.157@853#fdns2.dismail.de
    # forward-addr: 9.9.9.9@853#dns.quad9.net
    # forward-addr: 149.112.112.112@853#dns.quad9.net
and in resolv.conf I have:
nameserver 127.0.0.1
options edns0
DNSSEC=no
No errors.
Thank you.
LuMiWa
--
"If you can't explain it to a six year old, you don't understand it
yourself." — Albert Einstein
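Added example (not code from the post or from the Unbound project): a small diagnostic that does two things a practitioner would want when one DoT upstream fails. First, it parses the forward-addr lines of a forward-zone and flags any entry without the "#authname" suffix, since Unbound only verifies the upstream certificate against tls-cert-bundle when that name is present. Second, it repeats outside Unbound what Unbound does for such an entry: TLS to ip:853 with SNI set to the auth name, chain and hostname verification against the CA bundle, then one DNS query with the two-byte length framing of RFC 7858. The embedded config is a constructed sample based on the post's forward-zone with the Quad9 lines uncommented and one entry deliberately missing its auth name; the script name dot_check.py, the CA bundle path and the query name are assumptions.

```python
"""Added diagnostic, not code from the post or from the Unbound project.
Audits forward-addr entries for the "#authname" Unbound needs to verify the
upstream certificate, and can repeat Unbound's DoT handshake plus one query
itself so a failing upstream (here, Quad9) can be tested outside Unbound."""
import re
import socket
import ssl
import struct
import sys

# Constructed sample based on the post's forward-zone; the Quad9 lines are
# uncommented and the last entry is deliberately written without "#authname".
SAMPLE_CONF = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: no
    forward-addr: 116.203.32.217@853#fdns1.dismail.de
    forward-addr: 159.69.114.157@853#fdns2.dismail.de
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853
"""

FORWARD_ADDR_RE = re.compile(r"^\s*forward-addr:\s*(\S+)", re.M)


def parse_forward_addrs(conf_text):
    """Return [(ip, port, authname)] for every forward-addr line.
    Unbound syntax is ip[@port][#authname]; port defaults to 53 and
    authname is None when the suffix is missing."""
    entries = []
    for raw in FORWARD_ADDR_RE.findall(conf_text):
        authname = None
        if "#" in raw:
            raw, authname = raw.split("#", 1)
        port = 53
        if "@" in raw:
            raw, port_text = raw.split("@", 1)
            port = int(port_text)
        entries.append((raw, port, authname))
    return entries


def audit_forward_addrs(entries):
    """Flag entries Unbound would talk TLS to without verifying the server
    certificate (no authname), or that use a port other than the DoT port 853."""
    problems = []
    for ip, port, authname in entries:
        if authname is None:
            problems.append(f"{ip}@{port}: no #authname, certificate is not verified")
        elif port != 853:
            problems.append(f"{ip}@{port}#{authname}: not the standard DoT port")
    return problems


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: one question, class IN, RD set, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response_header(resp):
    """Return (txid, rcode, answer_count) from a DNS message header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x000F, an


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream early")
        buf += chunk
    return buf


def query_over_tls(ip, port, authname, cafile, qname="example.com.", timeout=5.0):
    """Repeat what Unbound does for forward-tls-upstream with #authname: TLS to
    ip:port with SNI=authname, chain verified against cafile and the leaf against
    authname, then one DNS query with RFC 7858 two-byte length framing.
    Raises ssl.SSLCertVerificationError when the certificate does not match."""
    ctx = ssl.create_default_context(cafile=cafile)   # check_hostname stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(qname)
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=authname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            resp = recv_exact(tls, length)
    return parse_response_header(resp)


if __name__ == "__main__":
    # Offline part: audit the constructed sample config.
    entries = parse_forward_addrs(SAMPLE_CONF)
    for line in audit_forward_addrs(entries) or ["all forward-addr entries carry an authname"]:
        print(line)
    # Online part (optional): "python3 dot_check.py /usr/local/share/certs/ca-root-nss.crt"
    # tries each upstream with the same bundle Unbound's tls-cert-bundle points at.
    if len(sys.argv) == 2:
        for ip, port, authname in entries:
            if authname is None:
                continue
            try:
                _txid, rcode, answers = query_over_tls(ip, port, authname, sys.argv[1])
                print(f"{ip}@{port}#{authname}: rcode={rcode} answers={answers}")
            except (ssl.SSLError, OSError) as exc:
                print(f"{ip}@{port}#{authname}: FAILED: {exc}")
```

A certificate verification failure from query_over_tls (an ssl.SSLCertVerificationError naming the bundle or the hostname) points at the CA bundle or the auth name; a plain timeout or connection refusal points at the network path to port 853 and is unrelated to the Unbound configuration.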