Skip to content

Instantly share code, notes, and snippets.

@cpswan
Last active October 20, 2020 17:47
Show Gist options
  • Save cpswan/6a7333df9c31e7b7972d39d958fcf126 to your computer and use it in GitHub Desktop.
Save cpswan/6a7333df9c31e7b7972d39d958fcf126 to your computer and use it in GitHub Desktop.
Unbound/BIND config for DNS over TLS to 1.1.1.1
options {
directory "/tmp";
listen-on-v6 { none; };
forwarders {
127.0.0.1 port 2053;
};
auth-nxdomain no; # conform to RFC1035
notify yes; # notify slave server(s)
};
forward-zone:
name: "."
forward-addr: 217.169.20.22@853#dns.aa.net.uk
forward-addr: 1.1.1.1@853#1dot1dot1dot1.cloudflare-dns.com
forward-addr: 1.0.0.1@853#1dot1dot1dot1.cloudflare-dns.com
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#rpz-public-resolver1.rrdns.pch.net
forward-ssl-upstream: yes
do-tcp: yes
prefetch: yes
qname-minimisation: yes
rrset-roundrobin: yes
use-caps-for-id: yes
do-ip6: no
do-not-query-localhost: no #leftover from using Unbound in front of BIND
port: 2053
@da2x
Copy link

da2x commented Jun 3, 2018

You're not verifying the certificates of the forwarders with this setup.

@aztec102
Copy link

server: do-tcp: yes prefetch: yes qname-minimisation: yes rrset-roundrobin: yes use-caps-for-id: yes do-ip6: no do-not-query-localhost: no #leftover from using Unbound in front of BIND port: 2053

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment