
[QUESTION] how do I set up unbound DNS-over-TLS #40

Open
Veraellyunjie opened this issue Aug 23, 2024 · 3 comments

Comments

@Veraellyunjie

Here is a howto on setting up unbound on OpenBSD
https://www.jwillikers.com/dns-over-tls-with-unbound
unbound.conf excerpt:

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
forward-zone:
	name: "."
	forward-tls-upstream: yes		# use DNS-over-TLS forwarder
	forward-first: no			# do NOT send direct
#	# the hostname after "#" is not a comment, it is used for TLS checks:
	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
	forward-addr: 1.1.1.1@853#cloudflare-dns.com
	forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
	forward-addr: 1.0.0.1@853#cloudflare-dns.com

forward-addr: consists of 3 parts:

  • IPv4/IPv6
  • @ delimiter
  • port, usually 853
  • # delimiter
  • address name

https://blahdns.com/ config data:

DNS-over-TLS

IP address:
78.46.244.143
2a01:4f8:c17:ec67::1

tls_auth_name:
dot-de.blahdns.com

port: 853, 443 (Strict SNI, without SNI will drop)


All 3 parts present, I can understand it and apply it in unbound.conf


https://dnswarden.com/ config data:
adblock.dns.dnswarden.com or uncensored.dns.dnswarden.com or adultfilter.dns.dnswarden.com


1 part present, 2 parts missing, I can't understand it and can't apply it in unbound.conf


What should the unbound.conf forward-addr: line look like for dnswarden? Thank you

@bhanupratapys
Owner

Hello, I think this should work.

forward-addr: 149.248.217.117@853#adblock.dns.dnswarden.com
forward-addr: 2a09:8280:1:0:0:0:1:da1b@853#adblock.dns.dnswarden.com

You can also play around with the custom filter, where you can choose your own blocklists. You can copy the domain name identifier from that page and replace it in the above unbound config after #

forward-addr: 149.248.217.117@853#n000000080000g0000000g.dns.dnswarden.com

@Veraellyunjie
Author

Veraellyunjie commented Sep 2, 2024

Thank you, @bhanupratapys


I asked another DNS resolution provider a similar question
m0zgen/openbld.net#2
Here is their reply, adapted to dnswarden:

Check with nslookup or dig commands:

> nslookup -port=53 adblock.dns.dnswarden.com 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
adblock.dns.dnswarden.com       canonical name = dns.dnswarden.com.
Name:   dns.dnswarden.com
Address: 149.248.217.117

Check the service is working on port 853:

> telnet 149.248.217.117 853
Trying 149.248.217.117...
Connected to 149.248.217.117.
Escape character is '^]'.
Connection closed by foreign host.

Use 149.248.217.117@853#adblock.dns.dnswarden.com in config
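The nslookup and telnet checks above only show that the name resolves and that port 853 accepts a TCP connection; they say nothing about the TLS layer, which is the part the name after `#` controls (unbound uses it as the SNI and as the certificate name it verifies against the CA bundle configured with `tls-cert-bundle`). The script below is an added example, not code from this issue or from dnswarden or unbound: it splits a `forward-addr:` line into the three parts described in the opening post, then opens a TLS connection to the upstream with that auth name, sends one A query framed with the 2-byte length prefix that DNS over TLS uses, and decodes the answer. It uses only the Python standard library; the query name `example.com`, the transaction id, and the `192.0.2.1` answer used in the offline check are constructed values, and `probe_dot_upstream` needs network access.

```python
"""Parse an unbound forward-addr line and probe the DNS-over-TLS upstream it names."""
import re
import socket
import ssl
import struct

# forward-addr: <ip>[@port][#auth-name]  (port defaults to 53, name is optional)
FORWARD_ADDR_RE = re.compile(
    r"^\s*forward-addr:\s*(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<name>\S+))?\s*$"
)


def parse_forward_addr(line):
    """Return (ip, port, auth_name) for one forward-addr line; auth_name is None if absent."""
    m = FORWARD_ADDR_RE.match(line)
    if not m:
        raise ValueError(f"not a forward-addr line: {line!r}")
    return m.group("ip"), int(m.group("port") or 53), m.group("name")


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query (RD flag set, one question) for qname; qtype 1 = A."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def _skip_name(msg, pos):
    """Advance past a (possibly compressed) domain name starting at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_answer_addresses(msg, txid=0x1234):
    """Return the IPv4 strings from the answer section; raise on a non-zero RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x0F
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode} (3 = NXDOMAIN, 2 = SERVFAIL)")
    pos = 12
    for _ in range(qd):  # skip question entries: name + qtype + qclass
        pos = _skip_name(msg, pos) + 4
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full message arrived")
        buf += chunk
    return buf


def probe_dot_upstream(line, qname="example.com", timeout=5.0):
    """Connect to the upstream in a forward-addr line, verify its certificate against the
    name after '#', send one A query over TLS (2-byte length prefix) and return the addresses."""
    ip, port, auth_name = parse_forward_addr(line)
    if auth_name is None:
        raise ValueError("no auth name after '#': the upstream could not be authenticated")
    ctx = ssl.create_default_context()  # chain + hostname verification against system CAs
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        # server_hostname sets the SNI and the name the certificate must match
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            query = build_query(qname)
            tls.sendall(struct.pack(">H", len(query)) + query)
            (rlen,) = struct.unpack(">H", _recv_exact(tls, 2))
            return parse_answer_addresses(_recv_exact(tls, rlen))


if __name__ == "__main__":
    # Example run against the line from this thread; a certificate that does not match the
    # auth name raises ssl.SSLCertVerificationError, an NXDOMAIN answer raises ValueError.
    print(probe_dot_upstream("forward-addr: 149.248.217.117@853#adblock.dns.dnswarden.com"))
```

A certificate mismatch surfaces here as an `SSLCertVerificationError` and a resolver that answers NXDOMAIN for ordinary names surfaces as a `ValueError` carrying the RCODE, which separates a TLS authentication problem from a resolution problem; the telnet check cannot tell the two apart.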

@Veraellyunjie
Author

It doesn't work:
forward-addr: 149.248.217.117@853#adblock.dns.dnswarden.com
is what I put into my unbound.conf, then I run rcctl reload unbound,
then try pinging/opening some websites and run a DNS test at https://dnsleaktest.com/

With other DNS resolution services, it works.
With dnswarden, ping: no address associated with name, browser: ERR_NAME_NOT_RESOLVED

Same with uncensored.dns.dnswarden.com
