@pyropeter
Created March 1, 2020 09:36
stubby+unbound as local caching DNS resolver with DoT upstream
$ unbound-control-setup
$ systemctl enable stubby unbound
$ systemctl start stubby unbound

Unbound dumps statistics to syslog every six hours (statistics-interval: 21600 in the unbound config below):

server stats for thread 0: 2481 queries, 2402 answers from cache, 79 recursions, 0 prefetch, 0 rejected by ip ratelimiting
server stats for thread 0: requestlist max 3 avg 0.341772 exceeded 0 jostled 0
average recursion processing time 0.075745 sec
histogram of recursion processing times
[25%]=0.03072 median[50%]=0.0646737 [75%]=0.10058
lower(secs) upper(secs) recursions
   0.000000    0.000001 3
   0.008192    0.016384 8
   0.016384    0.032768 10
   0.032768    0.065536 19
   0.065536    0.131072 36
   0.131072    0.262144 2
   0.524288    1.000000 1
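The dump above is easy to eyeball once, but the figures worth tracking over time are the cache-hit ratio (2402 of 2481 queries here, roughly 97 %) and the tail of the recursion histogram. The following script is an added example, not part of the gist: it parses exactly this log format (tolerating a syslog prefix in front of each line, since the real lines arrive via the system logger), sums the per-thread counters, and sanity-checks that the histogram accounts for every recursion. The sample text is the gist's own dump, embedded so the script runs offline.

```python
"""Parse unbound's periodic 'server stats' syslog lines and derive what is
worth watching: cache-hit ratio and slow recursions. Added example, not part
of the gist; SAMPLE is the gist's own dump, embedded so this runs offline."""
import re

SAMPLE = """\
server stats for thread 0: 2481 queries, 2402 answers from cache, 79 recursions, 0 prefetch, 0 rejected by ip ratelimiting
server stats for thread 0: requestlist max 3 avg 0.341772 exceeded 0 jostled 0
average recursion processing time 0.075745 sec
histogram of recursion processing times
[25%]=0.03072 median[50%]=0.0646737 [75%]=0.10058
lower(secs) upper(secs) recursions
   0.000000    0.000001 3
   0.008192    0.016384 8
   0.016384    0.032768 10
   0.032768    0.065536 19
   0.065536    0.131072 36
   0.131072    0.262144 2
   0.524288    1.000000 1
"""

# search() rather than match() so a syslog prefix ("unbound[123]: info: ...") is tolerated
THREAD_RE = re.compile(
    r"server stats for thread (?P<thread>\d+): (?P<queries>\d+) queries, "
    r"(?P<cached>\d+) answers from cache, (?P<recursions>\d+) recursions, "
    r"(?P<prefetch>\d+) prefetch, (?P<ratelimited>\d+) rejected by ip ratelimiting")
BUCKET_RE = re.compile(r"(\d+\.\d+)\s+(\d+\.\d+)\s+(\d+)\s*$")

def parse_unbound_stats(text):
    """Sum the per-thread counters and collect (lower, upper, count) histogram rows."""
    totals = {"queries": 0, "cached": 0, "recursions": 0, "prefetch": 0, "ratelimited": 0}
    buckets = []
    for line in text.splitlines():
        m = THREAD_RE.search(line)
        if m:
            for key in totals:
                totals[key] += int(m.group(key))
            continue
        m = BUCKET_RE.search(line)
        if m:
            buckets.append((float(m.group(1)), float(m.group(2)), int(m.group(3))))
    return totals, buckets

def cache_hit_ratio(totals):
    return totals["cached"] / totals["queries"] if totals["queries"] else 0.0

def slow_recursions(buckets, threshold_secs):
    """Recursions that took at least threshold_secs (bucket lower bound >= threshold)."""
    return sum(n for lower, _upper, n in buckets if lower >= threshold_secs)

def histogram_consistent(totals, buckets):
    """Sanity check: the histogram must account for every recursion counted."""
    return sum(n for _, _, n in buckets) == totals["recursions"]

if __name__ == "__main__":
    totals, buckets = parse_unbound_stats(SAMPLE)
    print(f"cache hit ratio {cache_hit_ratio(totals):.1%}, "
          f"{slow_recursions(buckets, 0.5)} recursion(s) over 0.5 s, "
          f"histogram consistent: {histogram_consistent(totals, buckets)}")
```

With num-threads above 1, unbound logs one "server stats for thread N" line per thread; summing them, as the parser does, gives the totals for the interval.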

Why Cloudflare? I wanted to use a large anycast service, so I looked at the following:

  • 1.1.1.1 (Cloudflare): fine
  • 8.8.8.8 (Google): Uses EDNS Client Subnet
  • 9.9.9.9 (Quad9): Either uses EDNS Client Subnet or has a domain blocklist (wtf?)

# resolv.conf: point the system resolver at the local unbound on ::1
nameserver ::1
options edns0

# stubby configuration: DNS-over-TLS stub that unbound forwards to
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS            # TLS only; never fall back to plain UDP/TCP
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED   # fail closed if the upstream cannot be authenticated
tls_query_padding_blocksize: 128    # EDNS(0) padding (RFC 7830) to multiples of 128 bytes
edns_client_subnet_private : 1      # ask the upstream not to pass on our subnet (RFC 7871)
round_robin_upstreams: 0            # stay on the first working upstream
idle_timeout: 9000                  # keep the TLS connection open 9 s between queries
listen_addresses:
  - 127.0.0.1@8053                  # loopback only; unbound is the only client
  - 0::1@8053
appdata_dir: "/var/cache/stubby"
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"   # name the upstream certificate must carry
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"

# unbound configuration: validating cache in front of stubby
server:
    trust-anchor-file: /etc/unbound/trusted-key.key   # root trust anchor; stubby's answers are DNSSEC-validated here
    do-not-query-localhost: no        # required: the forwarder below lives on ::1
    statistics-interval: 21600        # dump stats to the log every six hours
    extended-statistics: yes
remote-control:
    control-enable: yes               # for unbound-control; keys come from unbound-control-setup
forward-zone:
    name: "."
    forward-addr: ::1@8053            # stubby's listener
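To see what the stubby settings above actually put on the wire, here is a minimal DNS-over-TLS client, an added example that is neither the gist's nor stubby's or getdns's own code. It dials 1.1.1.1:853, checks the certificate against tls_auth_name (cloudflare-dns.com) rather than the IP it connected to, builds a query padded to 128-byte blocks (tls_query_padding_blocksize), and includes an ECS option with SOURCE PREFIX-LENGTH 0, the RFC 7871 section 7.1.2 way of asking the resolver not to reveal the client subnet; that this is exactly the option getdns emits for edns_client_subnet_private is an assumption, as are the UDP payload size of 1232 and setting the DO bit. The parsing and query-building functions run offline; resolve_over_tls needs network access.

```python
"""Hand-rolled DNS-over-TLS query mirroring the stubby settings above.
Added example, not code from the gist or from stubby/getdns."""
import secrets
import socket
import ssl
import struct

UPSTREAM = ("1.1.1.1", 853)        # address_data + the DoT port (RFC 7858)
AUTH_NAME = "cloudflare-dns.com"   # tls_auth_name: the name the certificate must carry
PAD_BLOCK = 128                    # tls_query_padding_blocksize
OPT_ECS, OPT_PADDING = 8, 12       # EDNS option codes (RFC 7871, RFC 7830)

def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=1, txid=None, pad_block=PAD_BLOCK):
    """RD+DO query carrying an ECS 'keep my subnet private' option, padded to pad_block."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)    # RD; 1 question, 1 OPT
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # ECS: FAMILY=1, SOURCE PREFIX-LENGTH=0, SCOPE=0, no address (RFC 7871 s7.1.2).
    # Assumed to be the form stubby's edns_client_subnet_private sends.
    ecs = struct.pack("!HHHBB", OPT_ECS, 4, 1, 0, 0)
    # 11 = OPT RR fixed part, 4 = padding option header; fill the rest of the block
    fixed = len(header) + len(question) + 11 + len(ecs) + 4
    pad_len = (-fixed) % pad_block
    rdata = ecs + struct.pack("!HH", OPT_PADDING, pad_len) + b"\x00" * pad_len
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode/version 0, DO bit set
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, len(rdata)) + rdata
    return header + question + opt

def parse_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:                             # must point backwards: no loops
                raise ValueError("bad compression pointer")
            end = off + 2 if end is None else end
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg):
    """Header flags plus A answers; AD means the upstream claims DNSSEC validation."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = parse_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = parse_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x0020),
            "tc": bool(flags & 0x0200), "answers": answers}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS connection")
        buf += chunk
    return buf

def resolve_over_tls(qname, qtype=1, upstream=UPSTREAM, auth_name=AUTH_NAME, timeout=5.0):
    """One query on a fresh DoT connection. The chain is checked against the system
    CA store and the certificate must match auth_name although we dial an IP:
    what GETDNS_AUTHENTICATION_REQUIRED plus tls_auth_name enforce in stubby."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(qname, qtype)
    with socket.create_connection(upstream, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
    resp = parse_response(reply)
    if resp["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    return resp

if __name__ == "__main__":
    print(resolve_over_tls("example.com"))   # needs network access to 1.1.1.1:853
```

The padding arithmetic is the part worth noting: the padding option is sized so the whole message, not just the payload, lands on a multiple of 128 bytes, which is what makes query sizes indistinguishable on the wire. Stubby keeps one TLS session open across queries (idle_timeout), whereas this example opens a fresh connection per call, so it pays the handshake cost every time.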