[RESOLVED] DNS over TLS doesn't work

Started by Massimo1993, August 03, 2020, 01:19:17 PM

August 03, 2020, 01:19:17 PM Last Edit: August 03, 2020, 02:55:01 PM by Massimo1993
I've tried the new DNS over TLS function in Miscellaneous, but with 1.1.1.1@853 and 1.0.0.1@853 it doesn't work: there are no requests on port 853, and everything on port 53 is in the clear.

Then I've tried this custom config, which should work, but it's still the same thing: no DNS over TLS and nothing on 853.
server:
  minimal-responses: yes
  qname-minimisation: yes
  rrset-roundrobin: yes
  use-caps-for-id: yes
  tls-cert-bundle: /etc/ssl/cert.pem

forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-ssl-upstream: yes

Here are my settings: https://postimg.cc/gallery/fM2mBRh. I've also disabled the DNS rewrite in the general config.

Can you disable the custom settings, enable DoT via the view, and post the content of /var/unbound/unbound.conf?

Quote from: mimugmail on August 03, 2020, 01:23:11 PM
Can you disable the custom settings, enable DoT via the view, and post the content of /var/unbound/unbound.conf?
I've removed the custom settings, saved, added 1.1.1.1@853 and 1.0.0.1@853 to the DNS over TLS form in Miscellaneous, saved, and restarted unbound.

Here is the unbound.conf
https://pastebin.com/Gqt8vitF

Apparently https://cloudflare-dns.com/help/ isn't accurate. I've tried spoofing on UDP port 53 and TCP port 853, and indeed it works.
Strangely, any online test like this or Tenta tells me it isn't covered by TLS; I can't understand why.

I thought you were not seeing packets on port 853 on WAN??

Quote from: mimugmail on August 03, 2020, 02:39:58 PM
I thought you were not seeing packets on port 853 on WAN??
Sorry, I did check UDP on 853 at first, that's why I didn't see anything, because the normal queries were on UDP on port 53.

Hi,
I am also having issues getting this to work.
Commenting out all forwarders in the Custom options pane, and then putting an IP address as such
in the DNS over TLS field on the Miscellaneous page,
9.9.9.9
or
9.9.9.9@853
and saving, makes no change to /var/unbound/unbound.conf, and resolving does not work.
Q1: Which is the correct format, 9.9.9.9 or 9.9.9.9@853?
Q2: Why is there no change to the /var/unbound/unbound.conf file? Are the entries held elsewhere?
Q3: Am I doing something stupid?

Thanks


Hi,
Thanks for that.
I tried it earlier today; not working.
I did:
enter the IP address @853 on the Miscellaneous page,
saved,
commented out all other server entries in the custom options,
saved,
restarted unbound.
Does it need a reboot?

Can you do a packet capture on port 853 on WAN? As previously said, the online check doesn't work.
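Alongside the WAN packet capture suggested above, a practitioner can rule the upstream in or out by speaking DNS over TLS to it directly, without unbound in the path. The script below is an added example written for this thread; it is not OPNsense or unbound code. It assumes the ip@port notation used in the thread (port defaulting to 853 when omitted), the CA bundle /etc/ssl/cert.pem from the posted tls-cert-bundle line, an upstream whose certificate carries its IP address as a SAN (as 1.1.1.1 does), and outbound TCP 853 from the host running it. The framing follows RFC 7858 (a two-byte length prefix in front of each DNS message over the TLS stream).

```python
"""Independent DNS-over-TLS check against an upstream such as 1.1.1.1@853.

Added example for this thread, not OPNsense or unbound code. Assumptions:
'ip@port' notation (port defaults to 853), CA bundle at /etc/ssl/cert.pem,
upstream certificate with the IP as a SAN, outbound TCP 853 allowed.
"""
import socket
import ssl
import struct

DEFAULT_DOT_PORT = 853


def parse_upstream(spec, default_port=DEFAULT_DOT_PORT):
    """Split 'ip@port' into (ip, port); a bare ip gets the default DoT port (assumption)."""
    host, sep, port = spec.partition("@")
    return host, (int(port) if sep else default_port)


def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal RFC 1035 query (recursion desired) for `name`, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_answer_ips(msg, txid=0x1234):
    """Return IPv4 addresses from the answer section of a DNS response message."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or (flags & 0x8000) == 0:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("upstream returned RCODE %d" % (flags & 0x000F))

    def skip_name(p):
        # Walk labels; a compression pointer (top two bits set) ends the name in 2 bytes.
        while True:
            ln = msg[p]
            if ln == 0:
                return p + 1
            if ln & 0xC0 == 0xC0:
                return p + 2
            p += 1 + ln

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4          # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:      # A record
            ips.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return ips


def recv_exact(sock, n):
    """Read exactly n bytes from a TLS socket or fail; partial reads are normal over TLS."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection early")
        buf += chunk
    return buf


def dot_query(upstream, name, cafile="/etc/ssl/cert.pem", timeout=5):
    """Send one query over TLS on the DoT port and return the answer's IPv4 addresses.

    Certificate verification is on (CA bundle + IP SAN match), so a failure here
    is either a blocked/wrong port or an upstream presenting an unexpected cert.
    """
    host, port = parse_upstream(upstream)
    ctx = ssl.create_default_context(cafile=cafile)
    query = build_query(name)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (rlen,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_answer_ips(recv_exact(tls, rlen))


# Constructed sample response (txid 0x1234, NOERROR, one A record) for offline parsing.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header
    b"\x07example\x03com\x00\x00\x01\x00\x01"              # question
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"  # answer
)

if __name__ == "__main__":
    # Example invocation with the thread's upstream; needs network access.
    print(dot_query("1.1.1.1@853", "example.com"))
```

If this returns addresses while a capture on WAN still shows nothing on TCP 853, the upstream and the path are fine and the problem is in what unbound was configured to do; if it fails with a TLS or connection error, the upstream or the port is the problem regardless of the unbound config.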

Pre-change (using servers in unbound.conf): traffic detected, sites resolved.
Post-change: unbound.conf servers commented out.
A working DNS added, checked in dot.conf:
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 217.169.20.22@853
No traffic observed, no resolving.

And what was the content of unbound.conf previously?

Contents of unbound.conf; this works:

server:
  tls-cert-bundle: /etc/ssl/cert.pem

forward-zone:
  name: "."
  forward-tls-upstream: yes
  #AandA
  forward-addr: 217.169.20.22@853

Hm, I don't see any difference :o Can you post the full content of unbound.conf with the custom settings removed, and restart the daemon a couple of times?

Maybe one of the apply buttons needs some more pushes.

OK, but it will be a few hours until I can get some downtime.
Can you confirm you want all of the custom entries removed, i.e. empty, and then the server ip@port added on the Miscellaneous page?
Then do a few restarts of unbound and optionally a reboot, then post the complete unbound.conf.