Unbound/BIND config for DNS over TLS to 1.1.1.1
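options {
    # Working directory for named (journal, dump and statistics files).
    # NOTE(review): /tmp is world-writable; a dedicated directory owned by
    # the named user is the usual choice — path kept as on the page.
    directory "/tmp";

    listen-on-v6 { none; };

    # Hand every query to the local Unbound instance, which is expected to
    # listen on 127.0.0.1:2053 (matches the Unbound "port: 2053" setting).
    forwarders {
        127.0.0.1 port 2053;
    };

    # BIND's default is "forward first": if the forwarder is down or times
    # out, named falls back to its own plaintext recursion and the DoT path
    # is silently bypassed. "forward only" keeps all traffic on the forwarder.
    forward only;

    auth-nxdomain no; # conform to RFC1035

    # Only relevant if this server also carries authoritative zones; for a
    # forwarding-only resolver it has no effect.
    notify yes; # notify slave server(s)
};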
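server:
    # These are server-level options; Unbound expects them under "server:",
    # not inside a "forward-zone:" clause (where the parser does not accept them).
    port: 2053
    do-tcp: yes
    do-ip6: no
    prefetch: yes
    qname-minimisation: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes
    # Only needed while a localhost address is a forward target; with the
    # public forwarders below it can be dropped (default is "yes").
    do-not-query-localhost: no #leftover from using Unbound in front of BIND
    # CA bundle used to validate the upstream TLS certificates. Without it
    # (or tls-system-cert) the session is encrypted but the peer is not
    # authenticated, so an on-path attacker with any certificate is accepted.
    tls-cert-bundle: "<PATH-TO-CA-BUNDLE>"   # placeholder: point at the system CA bundle

forward-zone:
    name: "."
    # "@853#<hostname>" pins the name the upstream certificate must carry;
    # the check is only performed when tls-cert-bundle/tls-system-cert is set.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com # Cloudflare primary
    forward-addr: 1.0.0.1@853#cloudflare-dns.com # Cloudflare secondary
    forward-addr: 9.9.9.9@853#dns.quad9.net # quad9.net primary
    forward-addr: 149.112.112.112@853#dns.quad9.net # quad9.net secondary
    # Newer Unbound releases spell this option forward-tls-upstream; the
    # older name is still accepted.
    forward-ssl-upstream: yes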
da2x commented Jun 3, 2018
You're not verifying the certificates of the forwarders with this setup.