Unbound DNS Upstream TLS option

Started by SecAficionado, December 08, 2020, 10:11:48 PM

Hello,

As stated in the unbound.conf page (https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/), there is an option to turn on upstream TLS. I always assumed that by entering data into Unbound DNS/Miscellaneous/DNS over TLS Servers, this option would be turned on, but I spent some time examining the config files and I don't see an entry to enable it.
server:
   tls-upstream: yes

I believe the statement above would be needed to actually turn the feature on, in addition to the path to the certificates and the servers/ports. The latter two options are added in /usr/local/unbound/miscelaneous.conf, but I don't think the traffic is actually encrypted unless the tls-upstream option is used.

Can someone a) verify that my understanding is correct, and if so, b) direct me to the proper way to file this as a bug in the interface?

Thanks!
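The question in the post above is whether listing upstreams as `host@853` is enough, or whether Unbound also needs `tls-upstream: yes` (or the per-zone `forward-tls-upstream: yes`) before the forwarded traffic is actually encrypted. The following script is an added example, not code from this thread, from OPNsense or from Unbound: it reads a generated unbound.conf and reports whether forwarding will use TLS at all, and whether a CA bundle is configured so the upstream certificate can be verified. The two sample configs it writes are constructed for the demo; the file names under the temporary directory and the function name `dot_status` are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, OPNsense or Unbound).
# Unbound only encrypts forwarded queries when the server section has
# "tls-upstream: yes" or the forward-zone has "forward-tls-upstream: yes".
# An "@853" port on the forward-addr alone changes nothing but the port.

# dot_status <unbound.conf>
# Prints one of: plaintext | tls-unverified | tls
# Returns 0 only for "tls" (TLS on and a CA set configured).
dot_status() {
    # Drop comments: a '#' at line start or after whitespace. The '#' inside
    # "1.1.1.1@853#cloudflare-dns.com" is a TLS auth name, not a comment.
    conf=$(sed -E -e 's/(^|[[:space:]])#.*$//' -e 's/^[[:space:]]+//' "$1")

    if ! printf '%s\n' "$conf" | grep -Eq '^(forward-)?tls-upstream:[[:space:]]*yes'; then
        echo plaintext
        return 1
    fi

    # TLS is switched on. Without tls-cert-bundle (or tls-system-cert) Unbound
    # has no CA set to verify the upstream certificate against, so the auth
    # name after '#' in forward-addr is not actually checked.
    if printf '%s\n' "$conf" | grep -Eq '^tls-cert-bundle:|^tls-system-cert:[[:space:]]*yes'; then
        echo tls
        return 0
    fi
    echo tls-unverified
    return 1
}

# Constructed sample 1: servers on 853 and a CA bundle, but no TLS switch.
# Unbound would send plaintext DNS to port 853 (which the resolver will not
# answer), so nothing is encrypted and resolution fails.
tmp=$(mktemp -d)
cat > "$tmp/no-tls-flag.conf" <<'EOF'
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF

# Constructed sample 2: same upstreams with the per-zone TLS switch set.
cat > "$tmp/with-tls-flag.conf" <<'EOF'
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF

for f in "$tmp/no-tls-flag.conf" "$tmp/with-tls-flag.conf"; do
    printf '%s -> ' "$f"
    dot_status "$f" || :   # a non-zero status is the finding, not a script error
done
rm -rf "$tmp"
```

Reading the config only tells you what Unbound was asked to do. To confirm what it actually sends, watch the WAN side while resolving something uncached, for example `tcpdump -ni <wan> 'port 53 or port 853'`: with DNS over TLS working, outbound queries only appear on 853, and `unbound-checkconf` should accept the file without complaining about the TLS options.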

It works for me, can you check if your DNS is encrypted first?


https://www.cloudflare.com/en-gb/ssl/encrypted-sni/

Check your browser. What does it say (Secure DNS)?


Running OPNsense through Proxmox
4 x Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz (1 Socket)
24 GB RAM

Works for me, Services > Unbound DNS > Misc > DNS over TLS servers, put them in as 1.1.1.1@853 and 1.0.0.1@853

I also had to uncheck the box in Service > Unbound DNS > General (DNS Query forwarding).