DoT with unbound-plus in 20.1.5

Started by tokade, April 24, 2020, 12:48:13 PM

Hi all,

After upgrading to 20.1.5, the unbound-plus plugin should have "Add DNS over TLS (DoT) support", as the changelog says. In the WebGUI there are new fields for private domains and DNS over TLS servers.

I have the following settings in the custom field of unbound:
server:
    private-domain: "dbl.spamhaus.org"
    private-domain: "sbl.spamhaus.org"
    private-domain: "xbl.spamhaus.org"
    private-domain: "zen.spamhaus.org"
    private-domain: "bl.spamcop.net"
    private-domain: "XXXXX"
    private-domain: "YYYYY"
    private-domain: "ZZZZ"
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853 # cloudflare
    forward-addr: 2606:4700:4700::1001@853 # cloudflare
    forward-addr: 185.49.141.37@853 # getdnsapi.net
    forward-addr: 2a04:b900:0:100::38@853 # getdnsapi.net
    forward-addr: 2a03:b0c0:0:1010::e9a:3001@853 # SecureDNS.eu
    forward-ssl-upstream: yes


How can I convert this to the new fields, and which standard unbound parameters have to be set or unset to use DoT with the plus plugin? Do I have to keep any parameter in the custom field? Is there any documentation?

Kind regards
Torsten

I guess you have to remove the custom options first and enter the private domains and forwarders after that.

It generates two config files that are included in the main config:

root@gw:/var/unbound/etc # less miscellaneous.conf
server:
private-domain: dbl.spamhaus.org
root@gw:/var/unbound/etc # less dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853



But there seems to be a bug in the validation of "DNS over TLS Servers".
I'm not able to enter more than one value at the moment.

Same here, I tried a CSV of three DoT servers but get a validation error.

I have only updated my testing machine so far, to find the correct DNS settings in this unbound-plus... Apparently there is nothing in the documentation on the plugin yet.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Thanks for your answers, so I'm going to wait before changing my configuration, since it is a production system.

There's an error in validation which only allows one server. I will push an update.

Many thanks! BTW: is there any tick box for DoT? Do I need to tick forwarding (I guess: yes)? Which other options should be passed to unbound for DoT?

I currently use these settings:

do-tcp: yes
do-ip6: no
qname-minimisation: yes
qname-minimisation-strict: yes
harden-below-nxdomain: yes

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 159.69.198.101@853
    forward-addr: 46.182.19.48@853
    forward-addr: 146.185.167.43@853
    forward-addr: 89.233.43.71@853
kind regards
chemlud
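Added example, not code from the thread or from the unbound-plus plugin: a small Python tool that does the conversion asked about in the opening post, mapping a custom-options block like the one there onto the two new GUI fields, and that lints a generated dot.conf like the one chemlud posted above (the forward-zone posted later in this thread parses the same way). The comma-separated field format and the "forward-zone must leave the custom field" rule are assumptions drawn from the posts; the checks themselves follow unbound.conf(5): forward-tls-upstream (forward-ssl-upstream is the older spelling) only encrypts, and the upstream certificate is verified only when tls-cert-bundle (or tls-system-cert) is set and the forward-addr carries a #hostname, for example 1.1.1.1@853#cloudflare-dns.com. Whether the 20.1.5 plugin field accepts that suffix is not established in the thread.

```python
"""Convert unbound custom options into unbound-plus GUI field values and
lint the dot.conf the plugin writes. Field names/CSV format are assumptions."""
import re

# Constructed sample in the shape of the OP's custom options (addresses taken
# from the thread; the trailing comments are kept on purpose for the parser).
CUSTOM_OPTIONS = """\
server:
    private-domain: "dbl.spamhaus.org"
    private-domain: "zen.spamhaus.org"
    do-not-query-localhost: no
forward-zone:
    name: "."
        forward-addr: 1.1.1.1@853 # cloudflare
        forward-addr: 2606:4700:4700::1001@853 # cloudflare
         forward-addr: 185.49.141.37@853 #getdnsapi.net
          forward-ssl-upstream: yes
"""

# Constructed copy of the dot.conf shown in the thread.
GENERATED_DOT_CONF = """\
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
"""

# A '#' after whitespace starts a comment; '1.1.1.1@853#name' keeps its auth name.
_COMMENT = re.compile(r'(^|\s)#.*$')
_KV = re.compile(r'^\s*([a-z0-9-]+):\s*(.*?)\s*$')


def parse_unbound(text):
    """Return {clause: [(key, value), ...]} in file order, quotes stripped.
    Indentation is ignored (unbound ignores it too); a key without a value
    such as 'server:' or 'forward-zone:' opens a new clause."""
    clauses, current = {}, None
    for raw in text.splitlines():
        m = _KV.match(_COMMENT.sub('', raw).rstrip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if value == '':
            current = key
            clauses.setdefault(current, [])
        elif current is not None:
            clauses[current].append((key, value))
    return clauses


def to_plugin_fields(clauses):
    """Map parsed custom options onto the plugin's two new GUI fields and
    report what must leave the custom field and what may stay there."""
    server = clauses.get('server', [])
    fz = clauses.get('forward-zone', [])
    names = [v for k, v in fz if k == 'name']
    if fz and names != ['.']:  # the plugin only writes a forward-zone for "."
        raise ValueError('only a single forward-zone for "." maps onto the DoT field: %r' % names)
    tls_on = any(k in ('forward-tls-upstream', 'forward-ssl-upstream') and v == 'yes'
                 for k, v in fz)
    return {
        'private_domains': ','.join(v for k, v in server if k == 'private-domain'),
        # only TLS forwarders belong in the DoT field; plain forwarders are not DoT
        'dot_servers': ','.join(v for k, v in fz if k == 'forward-addr' and tls_on),
        # dot.conf already supplies forward-zone ".", so the custom one must go
        'drop_from_custom': ['forward-zone'] if fz else [],
        # everything else under server: has no GUI field yet and stays custom
        'keep_in_custom': [(k, v) for k, v in server if k != 'private-domain'],
    }


def check_dot_conf(text):
    """Lint a generated dot.conf; an empty list means nothing to fix."""
    clauses = parse_unbound(text)
    server = dict(clauses.get('server', []))
    fz = clauses.get('forward-zone', [])
    findings = []
    if 'tls-cert-bundle' not in server and server.get('tls-system-cert') != 'yes':
        findings.append('no tls-cert-bundle/tls-system-cert: upstream certificates cannot be verified')
    if not any(k in ('forward-tls-upstream', 'forward-ssl-upstream') and v == 'yes' for k, v in fz):
        findings.append('forward-tls-upstream is not yes: forwarders are queried in cleartext')
    for k, v in fz:
        if k != 'forward-addr':
            continue
        addr, _, auth = v.partition('#')
        if not addr.endswith('@853'):
            findings.append('%s: not on port 853, check that this upstream really speaks TLS' % v)
        if not auth:
            findings.append('%s: no #authname, connection is encrypted but the certificate is not'
                            ' checked against a host name' % v)
    return findings


if __name__ == '__main__':
    for field, value in to_plugin_fields(parse_unbound(CUSTOM_OPTIONS)).items():
        print('%-18s %s' % (field, value))
    for finding in check_dot_conf(GENERATED_DOT_CONF):
        print('dot.conf:', finding)
```

Run it against your own custom options (replace CUSTOM_OPTIONS, or read the text from a file) before touching the GUI; then copy the generated dot.conf back into check_dot_conf and, as a final check, run `unbound-checkconf` on the box, since this script only knows the handful of options that matter for DoT.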


...will you post an update here when you're done? :-)
kind regards
chemlud

You should update your system. I did, and it looks like I got the update, but it still will not take more than one address.