Unbound Making Unbound into a DoT/DoH server (rather than plain DNS) for clients

gspannu

Senior Member
Could anyone please assist in modifying the unbound.conf file to enable DoT/DoH for downstream clients?

I am guessing the lines I need to add are something like the following:
Code:
interface: [email protected]
tls-service-key: "path/to/privatekeyfile.key"
tls-service-pem: "path/to/publiccertfile.pem"
tls-port: 853
https-port: 443

Some background
  • I have unbound installed on the router (RTAX88u, v386.8) and it serves as a DNS server to local clients as well as some of my remote clients.
  • If all my clients were local (like router DHCP clients), I would have been OK with unbound receiving plain DNS requests as everything is contained within the router.
  • Since I have some remote clients, I would want to enable DoT/DoH for these remote clients.
  • Some of these remote clients are connected via a VPN to the router (again, I would be OK with plain DNS) but I have a few remote clients that are not coming in via VPN, and these clients just use my router as a DNS server. Hence, I need to publish a DoT server.
  • I understand that opening up the router as a DNS server to public addresses has its risks, but I plan to secure the access by only allowing these specific remote clients.

I think I need to use the above lines in my unbound.conf file.
I think I will also use other port numbers (rather than the 853 and 443 defaults) as my remote clients can specify different ports.

a) Can someone provide some guidance on the tls-service-key and pem values to use?
b) What else would I need to change in the unbound.conf file or elsewhere?
c) Any other recommendations?
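As an added example for the questions above (not from the original post and not the unbound_manager project's own configuration), this is the server: stanza a DoT listener needs in unbound.conf, using the Let's Encrypt paths named later in the thread. The LAN prefix, the two remote client addresses and the WAN-side 0.0.0.0 bind are placeholders.

```conf
server:
    # Added example, not from the original post. The client prefixes are
    # placeholders; the key/pem paths follow the thread's Let's Encrypt layout.

    # Existing plain-DNS listeners for LAN and VPN clients stay as they are:
    interface: 127.0.0.1
    interface: 192.168.1.1

    # DoT listener. The "@port" on the interface must match tls-port;
    # only sockets whose port equals tls-port are served over TLS, any other
    # @port is plain DNS. 0.0.0.0 binds every IPv4 address, so the router
    # firewall must also accept TCP on this port from the WAN.
    interface: 0.0.0.0@853
    tls-port: 853

    # Private key and certificate chain (leaf first) presented to clients.
    # Unbound reads both as root before dropping privileges, and turning
    # TLS service on or off needs a restart, not just a reload.
    tls-service-key: "/jffs/.le/mydomain.com/mydomain.com.key"
    tls-service-pem: "/jffs/.le/mydomain.com/fullchain.pem"

    # Source-address allowlist: everything not listed is refused (rcode REFUSED).
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    # the specific remote DoT clients (placeholder addresses)
    access-control: 203.0.113.10/32 allow
    access-control: 198.51.100.25/32 allow
```

If a non-default port is wanted, change both the interface suffix and tls-port together (e.g. 0.0.0.0@8853 and tls-port: 8853). Two caveats a remote-client setup runs into: access-control filters on the client's source IP only, since DoT authenticates the server to the client and not the other way round, so a client on a dynamic IP drops out of the allowlist; and Let's Encrypt certificates renew every 60 to 90 days, so Unbound has to be restarted after each renewal or remote clients will see an expired certificate.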

dave14305

Part of the Furniture
I don’t know how to setup DoT in Unbound, but I’m pretty sure that Entware’s Unbound package is compiled without DoH support, so focus on DoT.

gspannu

Senior Member
I don’t know how to setup DoT in Unbound, but I’m pretty sure that Entware’s Unbound package is compiled without DoH support, so focus on DoT.
Thanks for the update.

DoT will work for me... but I am unable to get DoT working either.

Do you know which version of Unbound is included in the package? Or how to manually update the Unbound files (not Unbound Manager) to the latest version?

gspannu

Senior Member
Go straight to the source:
Maybe make your router a WireGuard Server?
I have gone through the documentation...

What I cannot figure out is what values to use for the tls-service-key and pem.
I have tried using my LetsEncrypt cert and key (/jffs/.le/mydomain.com/fullchain.pem and /jffs/.le/mydomain.com/mydomain.com.key) but it does not seem to work.

Code:
interface: [email protected]
tls-service-key: "???????"
tls-service-pem: "???????????"
tls-port: 853

Also, how can I check on the router whether tls://127.0.0.1:853 is working or not?
Is there any dig command to verify this?


WireGuard does not help... as my clients do not use a VPN - they only need to connect to the router for resolving their DNS via DoT.
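To answer the question above about checking whether tls://127.0.0.1:853 is actually serving DoT, here is a small probe as an added example (not code from the original posts or from Unbound). It opens one TLS connection, sends a length-prefixed DNS query as RFC 7858 requires, and decodes the reply header. The default target 127.0.0.1:853 and the query name are assumptions; pass the certificate's hostname as the third argument to also verify the Let's Encrypt chain the way a real DoT client would.

```python
"""Probe a DNS-over-TLS listener (RFC 7858): one TLS connection, one query.

Added example for this thread, not code from the original posts or from
Unbound. Defaults (127.0.0.1:853, the query name) are assumptions.
"""
import socket
import ssl
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname, qtype=1, txid=0x1234):
    """Encode a single-question DNS query (RD=1) in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def frame(msg):
    """TCP/TLS framing: two-byte big-endian length prefix before the message."""
    return struct.pack(">H", len(msg)) + msg


def parse_response(msg):
    """Decode the 12-byte DNS header; enough to tell whether the server answered."""
    if len(msg) < 12:
        raise ValueError("short DNS message: %d bytes" % len(msg))
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, str(rcode)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def recv_exact(sock, n):
    """Read exactly n bytes; TLS record boundaries do not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def dot_query(host, port=853, qname="example.com.", qtype=1,
              server_hostname=None, timeout=5.0):
    """Send one query over TLS; return (header dict, TLS version, verified?).

    With server_hostname set (the name on the certificate), the chain and
    hostname are verified like a real DoT client would. Without it, e.g. when
    probing 127.0.0.1, verification is disabled: the result then only proves
    that Unbound terminates TLS and answers DNS on that port.
    """
    ctx = ssl.create_default_context()
    verified = server_hostname is not None
    if not verified:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    txid = 0x1234
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            tls.sendall(frame(build_query(qname, qtype, txid)))
            (length,) = struct.unpack(">H", recv_exact(tls, 2))
            reply = parse_response(recv_exact(tls, length))
            if reply["txid"] != txid or not reply["is_response"]:
                raise ValueError("reply does not match our query")
            return reply, tls.version(), verified


if __name__ == "__main__":
    # usage: dot_probe.py [host] [qname] [certificate-hostname]
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com."
    sni = sys.argv[3] if len(sys.argv) > 3 else None
    hdr, version, verified = dot_query(host, qname=name, server_hostname=sni)
    print("%s %s verified=%s rcode=%s answers=%d" % (
        host, version, verified, hdr["rcode_name"], hdr["ancount"]))
```

Run it once against 127.0.0.1 (unverified, to confirm the listener is up) and once against the WAN address with the certificate's hostname as the third argument, from outside the LAN, to confirm the chain and the firewall. A reply of REFUSED from a source that is not in access-control is the allowlist working as intended, not a TLS failure. If you prefer standard tools, `kdig +tls @127.0.0.1 example.com` (knot-dnsutils) or `dig +tls` from BIND 9.18 or newer do the same query, and `openssl s_client -connect 127.0.0.1:853` shows the handshake and the chain Unbound presents; plain `dig` without TLS support cannot test port 853.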

heysoundude

Part of the Furniture
WireGuard does not help... as my clients do not use a VPN - they only need to connect to the router for resolving their DNS via DoT.
Consider: using WireGuard for those clients to connect to your router (DNS server) through an encrypted tunnel is just like DoT.

New2This

Senior Member
Have you looked into the unbound_manager advanced menu (click on #3 for Advanced tools)? There you can find some advanced items (DoT).

You can use this tool to see in real time

Attachment: Screen Shot 2022-09-16 at 3.13.46 PM.png
