Unbound never listens to TCP/853 despite being explicitly told to do so
Daniel Ryšlink
daniel.ryslink at quantcom.cz
Tue Jan 7 23:16:58 UTC 2025
Hello,
I have run into immense trouble getting DNS-over-TLS working: although I have
everything set up, the process never listens on 853/TCP, never logs any
failures or problems, and just ignores the whole TLS portion of the
configuration. Below is my unbound.conf file. All the key and cert files
mentioned are directly in the /usr/local/etc/unbound folder, owned by and
readable by the 'unbound' user the server runs as.
Any ideas are welcome, thanks in advance.
--
Daniel Ryšlink
System Administrator
-----------------------------------------------
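# unbound.conf as posted to the list. Option values are unchanged from the
# posted file except for the interface lines, where the mail archive rendered
# the '@' port separator as ' at '; the address@port syntax is restored here,
# since the config parser does not accept the mangled form.
server:
    # DNS-over-TLS service port and the key/certificate pair presented to
    # clients. NOTE(review): the relative file names are presumably resolved
    # against directory/chroot (/usr/local/etc/unbound) — confirm on the host.
    tls-port: 853
    # CA bundle used to authenticate TLS connections Unbound makes to
    # outside peers (upstream DoT, auth-zone URLs); not needed to serve DoT.
    tls-cert-bundle: "ca-root-nss.crt"
    tls-service-key: "privkey.pem"
    tls-service-pem: "fullchain.pem"

    # Logging detail and statistics reporting.
    verbosity: 3
    statistics-interval: 600
    statistics-cumulative: no
    extended-statistics: yes
    num-threads: 4

    # Listening sockets, one line per address@port. The two @853 entries are
    # what should produce the DoT listeners next to the plain port 53 ones.
    # Binding 0.0.0.0 / :: exposes the resolver on every address, so client
    # access depends entirely on the ACL include files further down.
    interface: 0.0.0.0@53
    interface: ::00@53
    interface: 0.0.0.0@853
    interface: ::00@853
    # NOTE(review): interface-automatic changes how the listening sockets are
    # opened; whether the explicit @853 lines above are still honoured with it
    # set is the first thing to confirm (retry with it set to no, or, on
    # versions that have it, list 853 in interface-automatic-ports).
    interface-automatic: yes
    port: 53

    # Socket and buffer tuning.
    outgoing-range: 8192
    outgoing-num-tcp: 20
    incoming-num-tcp: 20
    so-reuseport: yes
    edns-buffer-size: 1480
    max-udp-size: 4096
    msg-buffer-size: 65552

    # Cache sizing and TTL bounds. cache-min-ttl keeps records for at least
    # 600 s even when the authoritative TTL is shorter, so changes upstream
    # can take up to ten minutes to be seen by clients.
    msg-cache-size: 1000m
    msg-cache-slabs: 8
    num-queries-per-thread: 4096
    jostle-timeout: 200
    delay-close: 10
    rrset-cache-size: 16G
    rrset-cache-slabs: 8
    cache-min-ttl: 600
    cache-max-ttl: 86400
    cache-max-negative-ttl: 3600
    infra-host-ttl: 900
    infra-cache-min-rtt: 50
    infra-cache-slabs: 8

    # Transports. DoT runs over TCP, so do-tcp must stay yes for the 853
    # listeners to be of any use.
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes

    # Client access control lives in these included files (not shown in the
    # post); presumably access-control entries — they are what restricts who
    # may query the all-addresses listeners above.
    include: "/usr/local/etc/unbound/acl_our_networks"
    include: "/usr/local/etc/unbound/acl_exceptions"

    # Privilege separation: chroot into the config directory and drop to the
    # unbound user.
    chroot: "/usr/local/etc/unbound"
    username: "unbound"
    directory: "/usr/local/etc/unbound"

    # Logging. NOTE(review): use-syslog: yes is expected to take precedence
    # over logfile, so startup errors (e.g. a key/cert that failed to load)
    # would land in syslog rather than /var/log/unbound.log — check there.
    logfile: "/var/log/unbound.log"
    use-syslog: yes
    log-time-ascii: yes
    log-queries: no
    log-replies: no
    log-local-actions: yes
    log-servfail: yes
    pidfile: "/var/run/unbound/unbound.pid"
    root-hints: "root.hints"

    # Server identity answered to CHAOS-class id.server/version.server
    # queries. Not hidden, but the identity is blank and the version string
    # is generic, so little is disclosed.
    hide-identity: no
    hide-version: no
    identity: ""
    version: "Unbound"

    # Hardening against malformed, oversized and spoofed data.
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    harden-algo-downgrade: no
    prefetch: yes

    # DNSSEC: auto-maintained root trust anchor, and one zone for which
    # validation is deliberately switched off.
    auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
    domain-insecure: "cesta."
    key-cache-size: 40m
    key-cache-slabs: 8
    neg-cache-size: 10m

    # Per-zone query rate limiting (queries per second), with a lower limit
    # for names below ultra.brightmail.com.
    ratelimit: 4000
    ratelimit-below-domain: ultra.brightmail.com. 100

# Python module section left empty: no python-script configured.
python:

# Remote control, reachable only on the loopback addresses.
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-interface: ::1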