Redirect dns http/s to unbound

Started by FredFresh, February 21, 2025, 08:03:41 PM

Hi,

I would like to redirect any dns query going from a client to an external dns service (both http and https) to the internal unbound DNS, how should I proceed?

I tried to redirect everything to the IP/port actually used by Unbound, but (correctly) the https queries aren't managed.

Before you ask, I have devices like PV inverter or wifi switches that have a dns already defined within the firmware and I can't change it. But I want full control over the dns server used because they have weak security.

Any help?

February 21, 2025, 08:36:25 PM #1 Last Edit: February 21, 2025, 08:40:41 PM by newsense
This is easier to do in Adguardhome, unbound can't help much with DoH.

Also, your devices with fixed DNS most likely can be manipulated, and even though they have DoH by default they must have a fallback to regular DNS.

My recommendation is this:

Install AdguardHome, whether directly on the FW or somewhere else.

Redirect regular TCP/UDP53 from any (v)lan to the port AGH is listening on.

From AGH, use the list that blocks DoH/DoT traffic.

Leave Unbound unchanged running on the FW. You'll be doing a redirect for all DNS traffic to AGH anyway, however in case you lose AGH sometime in the future, until you restore the service the FW would still be operational with unbound.


P.S. Use your chosen DoH,DoT,DoQ servers as upstream for AGH
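The port-53 redirect step above, written out in FreeBSD pf syntax as an added illustration (this is not the poster's configuration, and the interface name, network and AGH port are assumed values, not from the thread):

```pf
# Added example: redirect plain DNS from a (v)lan to the AdGuard Home listener.
# Assumed values (adjust to your setup):
#   igb1            LAN / IoT VLAN interface
#   192.168.10.0/24 that VLAN's network
#   192.168.10.1    firewall address on that VLAN
#   5353            port AGH listens on (Unbound keeps 53 as the thread suggests)
lan_if   = "igb1"
lan_net  = "192.168.10.0/24"
fw_ip    = "192.168.10.1"
agh_port = "5353"

# Any TCP or UDP port-53 query from the VLAN, including ones a device sends to a
# hard-coded public resolver, is rewritten to the AGH listener on the firewall.
rdr pass on $lan_if inet proto { tcp udp } from $lan_net to any port 53 -> $fw_ip port $agh_port
```

If AGH is ever down, disabling this one rule lets queries aimed at the firewall reach Unbound on port 53 again, which is the fallback the post describes; DoH on port 443 is not caught by a port-53 redirect, hence the DoH/DoT blocklist in AGH.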

Thank you for the reply. I already have a working unbound DNS and created the rules to block the access to external DNS addresses (aside from a few I accept).
My question is IF there is a way to redirect dns queries, born as DOH requests, to the internal unbound DNS port 53 (that should instead accept only HTTP requests).

To summarize: the unbound dns port 53 can accept internal queries both in HTTP and HTTPS format?

Thanks

Quote from: FredFresh on March 01, 2025, 06:16:39 PM
To summarize: the unbound dns port 53 can accept internal queries both in HTTP and HTTPS format?

No.

DNS-over-HTTPS in Unbound