Unbound/BIND config for DNS over TLS to 1.1.1.1
// BIND named.conf: listen locally and hand every query to Unbound on 127.0.0.1:2053
options {
    directory "/tmp";
    listen-on-v6 { none; };
    forwarders {
        127.0.0.1 port 2053;
    };
    auth-nxdomain no;    # conform to RFC1035
    notify yes;          # notify slave server(s)
};
# Unbound: forward the root zone over TLS (port 853) to Cloudflare and Quad9
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853           # Cloudflare primary
    forward-addr: 1.0.0.1@853           # Cloudflare secondary
    forward-addr: 9.9.9.9@853           # quad9.net primary
    forward-addr: 149.112.112.112@853   # quad9.net secondary
    forward-ssl-upstream: yes

# The remaining options are server-level settings and must sit under a server: clause
server:
    do-tcp: yes
    prefetch: yes
    qname-minimisation: yes
    rrset-roundrobin: yes
    use-caps-for-id: yes
    do-ip6: no
    do-not-query-localhost: no   # leftover from using Unbound in front of BIND
    port: 2053
da2x commented Jun 3, 2018

You're not verifying the certificates of the forwarders with this setup.
