Instantly share code, notes, and snippets.

@cpswan /named.conf
Created Apr 2, 2018

Embed
What would you like to do?
Download ZIP
Unbound/BIND config for DNS over TLS to 1.1.1.1
Raw
named.conf
options {
directory "/tmp";
listen-on-v6 { none; };
forwarders {
127.0.0.1 port 2053;
};
auth-nxdomain no; # conform to RFC1035
notify yes; # notify slave server(s)
};
Raw
unbound_ext.conf
forward-zone:
name: "."
forward-addr: 1.1.1.1@853 # Cloudflare primary
forward-addr: 1.0.0.1@853 # Cloudflare secondary
forward-addr: 9.9.9.9@853 # quad9.net primary
forward-addr: 149.112.112.112@853 # quad9.net secondary
forward-ssl-upstream: yes
Raw
unbound_srv.conf
do-tcp: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
do-ip6: no
do-not-query-localhost: no #leftover from using Unbound in front of BIND
port: 2053
@da2x

This comment has been minimized.

Sign in to view
Copy link

da2x commented Jun 3, 2018

You're not verifying the certificates of the forwarders with this setup.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment