Unbound Making Unbound into a DoT/DoH (rather than plain dns) for clients

gspannu

Senior Member
Could anyone please assist in modifying the unbound.conf file to enable DoT/DoH for downstream clients?

I am guessing, the lines I need to add are something like the following:
Code:
interface: 127.0.0.1@853
tls-service-key: "path/to/privatekeyfile.key"
tls-service-pem: "path/to/publiccertfile.pem"
tls-port: 853
https-port: 443

Some background
  • I have unbound installed on the router (RTAX88u, v386.8) and it serves as a DNS server to local clients as well as some of my remote clients.
  • If all my clients were local (like router DHCP clients), I would have been OK with unbound receiving plain dns requests as everything is contained within the router.
  • Since I have some remote clients, I would want to enable DoT/DoH for these remote clients.
  • Some of these remote clients are connected via a VPN to the router (again, I would be OK with plain dns) but I have a few remote clients that are not coming in via VPN, and these clients just use my router as a DNS server. Hence, I need to publish a DoT server.
  • I understand that opening up the router as a DNS server to public addresses has its risks, but I plan to secure the access by only allowing these specific remote clients.

I think I need to use the above lines in my unbound.conf file.
I think I will also use other port numbers (rather than 853 and 443 defaults) as my remote clients can specify different ports.

a) Can someone provide some guidance on the tls-service-key and pem values to use?
b) What else would I need to change in the unbound.conf file or elsewhere?
c) Any other recommendations?
 
I don’t know how to setup DoT in Unbound, but I’m pretty sure that Entware’s Unbound package is compiled without DoH support, so focus on DoT.
 
I don’t know how to setup DoT in Unbound, but I’m pretty sure that Entware’s Unbound package is compiled without DoH support, so focus on DoT.
Thanks for the update.

DoT will work for me... but I am unable to get DoT working either.

Are you aware of which version of Unbound is included in the package? Or how to manually update the Unbound files (not Unbound Manager) to the latest version?
 
Go straight to the source:
Maybe make your router a WireGuard Server?
I have gone through the documentation...

What I cannot figure out is what values to use for the tls-service-key and pem.
I have tried using my LetsEncrypt cert and key (/jffs/.le/mydomain.com/fullchain.pem and /jffs/.le/mydomain.com/mydomain.com.key) but it does not seem to work.

Code:
interface: 127.0.0.1@853
tls-service-key: "???????"
tls-service-pem: "???????????"
tls-port: 853

Also, how can I check on the router whether tls://127.0.0.1:853 is working or not?
Is there any dig command to verify this?


WireGuard does not help... as my clients do not use a VPN - they only need to connect to the router for resolving their DNS via DoT.
 
WireGuard does not help... as my clients do not use a VPN - they only need to connect to the router for resolving their DNS via DoT.
Consider using WireGuard for those clients to connect to your router (DNS server) through an encrypted tunnel; it is just like DoT.
 
Have you looked into the unbound_manager advanced options? (Click on #3 for Advanced tools.) There you can find some advanced items (DoT).

You can use this tool to see in real time
 

Attachment: Screen Shot 2022-09-16 at 3.13.46 PM.png
I know that this is an old thread, but has anyone configured DoT/DoH (I know they are different) using unbound? I have unbound manager installed, so that part is easy.

I tried to get a certificate on the device but that failed. (I am sure that I did something wrong.) I have DDNS set up through Asus, but that address didn't work for Let's Encrypt (assuming I didn't really mess up).

Any hints?
 
Hello,
Sorry, I am also doing some archaeology, just as the person before me. Maybe it will help, as this post appeared in the top results and seems to be read two years after being created.
I already configured a functional DoT resolver with Unbound. Regarding this certificate generation, I used the command line
Bash:
openssl req -x509 -newkey rsa:4096 -keyout privatekeyfile.key -out publiccertfile.pem -days 1000 -noenc
I read and adapted this from this blog. I changed -nodes to -noenc, as the former was deprecated in OpenSSL 3.0. Also, you may remove the days limit if you do not want your certificate to expire.
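As an added example that is not from any poster in this thread, the following POSIX shell script ties together the three things asked for above: the self-signed key and certificate (the openssl command from the previous post, with a subjectAltName added so clients can verify the hostname), the unbound.conf server: lines the original question was guessing at, and a way to check that the TLS listener answers. One point worth noting from the earlier attempts: interface: 127.0.0.1@853 binds the loopback address only, so remote clients could never reach it; the script instead listens on all interfaces and relies on access-control to refuse everything except the listed clients, which matches the plan of only allowing specific remote clients. The hostname dns.example.com, the Entware paths under /opt/etc/unbound, port 8853 and the client addresses 203.0.113.10/32 and 198.51.100.0/24 are placeholders I have assumed, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from this thread: set up an Unbound DoT listener for a
# fixed allow-list of remote clients, and probe it. All values below are assumed.

DOT_HOST="${DOT_HOST:-dns.example.com}"     # assumed hostname clients use for SNI
DOT_PORT="${DOT_PORT:-8853}"                # non-default port, as the OP intends
KEY="${KEY:-/opt/etc/unbound/dot.key}"      # assumed Entware paths
CERT="${CERT:-/opt/etc/unbound/dot.pem}"
ALLOWED="${ALLOWED:-203.0.113.10/32 198.51.100.0/24}"  # constructed client addresses

# Self-signed certificate with a SAN. Clients trust this exact file (pinning),
# which is fine for a handful of remote clients you control and needs no DDNS
# name that Let's Encrypt can validate. -noenc needs OpenSSL 3.0; use -nodes on
# older builds.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:4096 -days 1000 -noenc \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=$DOT_HOST" \
        -addext "subjectAltName=DNS:$DOT_HOST" || return 1
    chmod 600 "$KEY"   # the private key must not be world-readable
}

# Print the unbound.conf "server:" lines for the DoT listener. Unbound serves
# TLS on any interface whose port equals tls-port. The refuse rule comes first
# so that anything not explicitly allowed is rejected before it reaches the
# resolver; allow rules for specific prefixes override it.
render_unbound_dot_conf() {
    key="$1"; cert="$2"; port="$3"; clients="$4"
    printf 'server:\n'
    printf '    interface: 0.0.0.0@%s\n' "$port"
    printf '    tls-port: %s\n' "$port"
    printf '    tls-service-key: "%s"\n' "$key"
    printf '    tls-service-pem: "%s"\n' "$cert"
    printf '    access-control: 0.0.0.0/0 refuse\n'
    for c in $clients; do
        printf '    access-control: %s allow\n' "$c"
    done
}

# Probe the listener: first confirm the TLS handshake succeeds and the served
# certificate verifies against the pinned file, then resolve a name over DoT
# with kdig (Knot DNS) if it is installed. Returns non-zero on handshake or
# verification failure.
check_dot() {
    host="$1"; port="$2"; cert="$3"
    openssl s_client -connect "$host:$port" -servername "$DOT_HOST" \
        -CAfile "$cert" -verify_return_error </dev/null >/dev/null 2>&1 || return 1
    if command -v kdig >/dev/null 2>&1; then
        kdig +tls +tls-ca="$cert" +tls-hostname="$DOT_HOST" \
            @"$host" -p "$port" example.com A
    fi
}

# Nothing runs unless an action is given, so the file can also be sourced.
case "${1:-}" in
    setup) make_selfsigned_cert && \
           render_unbound_dot_conf "$KEY" "$CERT" "$DOT_PORT" "$ALLOWED" ;;
    check) check_dot "${2:-127.0.0.1}" "$DOT_PORT" "$CERT" ;;
esac
```

Run `sh dot.sh setup` on the router to create the key pair and print the fragment to paste into unbound.conf, validate it with `unbound-checkconf`, restart Unbound, then run `sh dot.sh check 127.0.0.1` locally or `sh dot.sh check <router-address>` from one of the allowed clients. If you would rather use the Let's Encrypt files the original poster tried, point tls-service-key at the .key file and tls-service-pem at fullchain.pem; dig from BIND 9.18 or later also accepts +tls for the final query if kdig is not available.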
 