Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
[Solved] Unbound DNS over TLS not working
« previous
next »
Print
Pages: [
1
]
Author
Topic: [Solved] Unbound DNS over TLS not working (Read 3072 times)
dinguz
Sr. Member
Posts: 275
Karma: 13
[Solved] Unbound DNS over TLS not working
«
on:
June 19, 2021, 02:19:13 pm »
I have tried to enable DoT in unbound by setting one or more servers in the 'DNS over TLS Servers' entry on the 'miscellaneous' page, as described in several tutorials found on the www. Unfortunately, as soon as anything is in that field, unbound fails to start. I have increased the log level to give me clues, but the only thing that is logged is 'daemonize unbound dhcpd watcher.', and nothing after that.
Otherwise my setup is working perfectly, just as soon as anything is entered in the 'DNS over TLS Servers' field, unbound fails to start.
Any ideas as to what I'm doing wrong, or where to start to investigate this further? Are there any prerequisites in the configuration to be able to use DoT, as in do I need to enable/disable certain other settings for it to work?
«
Last Edit: July 03, 2021, 05:33:34 pm by dinguz
»
Logged
In theory there is no difference between theory and practice. In practice there is.
ArminF
Full Member
Posts: 205
Karma: 11
Re: Unbound DoT not working
«
Reply #1 on:
June 19, 2021, 03:14:26 pm »
Hi
i used this guide which make it work for me.
Log Level 2 will show #853 connections (DoT)
for DNSBL whitelisting i used
http://www.regexlab.com/wild2regex
to create the whitelist entries.
So you can enable blocklists and exclude pages you still want.
Did not configure anything on the WAN side related to Firewalls.
Locally i forward my pot 53 to localhost.
Logged
English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!
dinguz
Sr. Member
Posts: 275
Karma: 13
Re: Unbound DNS over TLS not working
«
Reply #2 on:
July 03, 2021, 05:30:21 pm »
If anyone stumbles upon this: it had to do with the sequence in which the configuration files are read.
When enabling DoT, the second-last part of the configuration that is loaded is the DoT config file, which is a zone declaration. This leads to anything in the Custom Options field (which makes the last part the config file) also being treated as a zone statement. The solution is to provide context in the custom options field, like this:
Code:
[Select]
server:
do-ip6: no
aggressive-nsec: yes
Logged
In theory there is no difference between theory and practice. In practice there is.
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.1 Legacy Series
»
[Solved] Unbound DNS over TLS not working