shell-things/etc/unbound/unbound.conf.d/dns-over-tls.conf

# NOTE! Requires Unbound 1.7.3 or newer! Debian 9 has 1.6.0
# cp of forwards.conf updated to DNS over TLS time with  a lot took from
# https://www.ctrl.blog/entry/unbound-tls-forwarding.html

server:
  # Debian ca-certificates location
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  # ctrl.blog says this is the Fedora location
  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

# Forward queries to
forward-zone:
    name: "."
    forward-tls-upstream: yes

    ## DNS-over-TLS on port 443, no filtering

    # https://appliedprivacy.net/services/dns/ - Vienna, Austria
    forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net

    # https://dnswarden.com/ - Germany
    forward-addr: 2a01:4f8:1c1c:5e77::1@443#uncensored-dot.dnswarden.com
    forward-addr: 2a01:4f8:1c1c:75b4::1@443#uncensored-dot.dnswarden.com
    forward-addr: 116.203.35.255@443#uncensored-dot.dnswarden.com
    forward-addr: 116.203.70.156@443#uncensored-dot.dnswarden.com

    ## DNS-over-TLS on port 853, no filtering

    # uncensoreddns.org / censurfridns.dk - Anycast (Copenhagen?)
    forward-addr: 2001:67c:28a4::@853#anycast.censurfridns.dk
    forward-addr: 91.239.100.100@853#anycast.censurfridns.dk

    # Cloudflare DNS - anycast
    # warning: for-profit business (and too big in my opinion), USA based
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

    # https://securedns.eu/ - The Netherlands
    forward-addr: 2a03:b0c0:0:1010::e9a:3001@853#dot.securedns.eu
    forward-addr: 146.185.167.43:853@853#dot.securedns.eu

    ## Malicious domain filtering

    # Quad9 - warning: uncommenting others simultaneously will break
    # malicious domain blocking. - Anycast, USA based
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

    # AdBlocking DNS

    # AdGuard DNS - warning: for-profit business which task is to lie (to
    # block ads) - anycast (Cyprus based)
    #forward-addr: 176.103.130.130@853#dns.adguard.com
    #forward-addr: 176.103.130.131@853#dns.adguard.com

    # BlahDNS.com - uncommented due to 443, so even with blocked queries
    # something might work on a restricted network
    # TODO

    # dnswarden.com - Germany
    # note: short blacklist
    forward-addr: 2a01:4f8:1c1c:5e77::1@443#adblock-dot.dnswarden.com
    forward-addr: 2a01:4f8:1c1c:75b4::1@443#adblock-dot.dnswarden.com
    forward-addr: 116.203.35.255@443#adblock-dot.dnswarden.com
    forward-addr: 116.203.70.156@443#adblock-dot.dnswarden.com

    # https://securedns.eu/ - The Netherlands
    forward-addr: 2a03:b0c0:0:1010::e9a:3001@853#ads-dot.securedns.eu
    forward-addr: 146.185.167.43:853@853#ads-dot.securedns.eu

    ## Hopefully in the future

    # DNS.WATCH (German) - PROBLEM: NO DOT AS OF 2019-07-22 but in hope
    # they will have it I am leaving these here.
    #forward-addr: 2001:1608:10:25::1c04:b12f@853#resolver1.dns.watch
    #forward-addr: 2001:1608:10:25::9249:d69b@853#resolver2.dns.watch
    #forward-addr: 84.200.69.80@853#resolver1.dns.watch
    #forward-addr: 84.200.70.40@853#resolver2.dns.watch
unbound/dns-over-tls: note version requirement 1.7.3 Debian 9 has 1.6.0 with which I am stuck for now. Debian 10 has 1.9.0 2019-07-22 15:52:07 +02:00			`# NOTE! Requires Unbound 1.7.3 or newer! Debian 9 has 1.6.0`
unbound: replace forwards.conf with dns-over-tls.conf Simultaneously rm puntcat, their DNS appears to be down at the moment and I didn't find their own homepage. 2019-07-22 15:05:05 +02:00			`# cp of forwards.conf updated to DNS over TLS time with a lot took from`
			`# https://www.ctrl.blog/entry/unbound-tls-forwarding.html`

			`server:`
			`# Debian ca-certificates location`
			`tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt`
			`# ctrl.blog says this is the Fedora location`
			`#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`

			`# Forward queries to`
			`forward-zone:`
			`name: "."`
			`forward-tls-upstream: yes`
unbound dot: move things around 2019-08-16 23:26:36 +02:00
unbound dot: alphabetical order Ref: #15 2019-08-16 23:52:41 +02:00			`## DNS-over-TLS on port 443, no filtering`
unbound dot: move things around 2019-08-16 23:26:36 +02:00
unbound/dns-over-tls.conf: add server locations Ref: #15 2019-08-17 11:34:03 +02:00			`# https://appliedprivacy.net/services/dns/ - Vienna, Austria`
unbound/dns-over-tls: add two port 443 resolvers 2019-08-16 23:10:32 +02:00			`forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net`
unbound dot: move things around 2019-08-16 23:26:36 +02:00
unbound/dns-over-tls.conf: add server locations Ref: #15 2019-08-17 11:34:03 +02:00			`# https://dnswarden.com/ - Germany`
unbound/dns-over-tls: add two port 443 resolvers 2019-08-16 23:10:32 +02:00			`forward-addr: 2a01:4f8:1c1c:5e77::1@443#uncensored-dot.dnswarden.com`
			`forward-addr: 2a01:4f8:1c1c:75b4::1@443#uncensored-dot.dnswarden.com`
			`forward-addr: 116.203.35.255@443#uncensored-dot.dnswarden.com`
			`forward-addr: 116.203.70.156@443#uncensored-dot.dnswarden.com`
unbound dot: move things around 2019-08-16 23:26:36 +02:00
unbound dot: alphabetical order Ref: #15 2019-08-16 23:52:41 +02:00			`## DNS-over-TLS on port 853, no filtering`
unbound dot: move things around 2019-08-16 23:26:36 +02:00
unbound/dns-over-tls.conf: add server locations Ref: #15 2019-08-17 11:34:03 +02:00			`# uncensoreddns.org / censurfridns.dk - Anycast (Copenhagen?)`
unbound dot: move things around 2019-08-16 23:26:36 +02:00			`forward-addr: 2001:67c:28a4::@853#anycast.censurfridns.dk`
			`forward-addr: 91.239.100.100@853#anycast.censurfridns.dk`

unbound/dns-over-tls.conf: add server locations Ref: #15 2019-08-17 11:34:03 +02:00			`# Cloudflare DNS - anycast`
			`# warning: for-profit business (and too big in my opinion), USA based`
unbound dot: move things around 2019-08-16 23:26:36 +02:00			`forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com`
			`forward-addr: 1.1.1.1@853#cloudflare-dns.com`
			`forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com`
			`forward-addr: 1.0.0.1@853#cloudflare-dns.com`

unbound/dns-over-tls.conf: add server locations Ref: #15 2019-08-17 11:34:03 +02:00			`# https://securedns.eu/ - The Netherlands`
unbound/dot: add securedns (both), dnswarden (adblock) 2019-08-17 12:23:28 +02:00			`forward-addr: 2a03:b0c0:0:1010::e9a:3001@853#dot.securedns.eu`
			`forward-addr: 146.185.167.43:853@853#dot.securedns.eu`
unbound dot: alphabetical order Ref: #15 2019-08-16 23:52:41 +02:00
			`## Malicious domain filtering`

			`# Quad9 - warning: uncommenting others simultaneously will break`
unbound/dns-over-tls.conf: add server locations Ref: #15 2019-08-17 11:34:03 +02:00			`# malicious domain blocking. - Anycast, USA based`
unbound dot: alphabetical order Ref: #15 2019-08-16 23:52:41 +02:00			`forward-addr: 2620:fe::fe@853#dns.quad9.net`
			`forward-addr: 9.9.9.9@853#dns.quad9.net`
			`forward-addr: 2620:fe::9@853#dns.quad9.net`
			`forward-addr: 149.112.112.112@853#dns.quad9.net`

unbound dot: move things around 2019-08-16 23:26:36 +02:00			`# AdBlocking DNS`

			`# AdGuard DNS - warning: for-profit business which task is to lie (to`
unbound/dns-over-tls.conf: add server locations Ref: #15 2019-08-17 11:34:03 +02:00			`# block ads) - anycast (Cyprus based)`
unbound dot: move things around 2019-08-16 23:26:36 +02:00			`#forward-addr: 176.103.130.130@853#dns.adguard.com`
			`#forward-addr: 176.103.130.131@853#dns.adguard.com`

unbound/dns-over-tls.conf: add server locations Ref: #15 2019-08-17 11:34:03 +02:00			`# BlahDNS.com - uncommented due to 443, so even with blocked queries`
			`# something might work on a restricted network`
unbound dot: alphabetical order Ref: #15 2019-08-16 23:52:41 +02:00			`# TODO`

unbound/dns-over-tls.conf: add server locations Ref: #15 2019-08-17 11:34:03 +02:00			`# dnswarden.com - Germany`
unbound/dot: add securedns (both), dnswarden (adblock) 2019-08-17 12:23:28 +02:00			`# note: short blacklist`
			`forward-addr: 2a01:4f8:1c1c:5e77::1@443#adblock-dot.dnswarden.com`
			`forward-addr: 2a01:4f8:1c1c:75b4::1@443#adblock-dot.dnswarden.com`
			`forward-addr: 116.203.35.255@443#adblock-dot.dnswarden.com`
			`forward-addr: 116.203.70.156@443#adblock-dot.dnswarden.com`
unbound dot: alphabetical order Ref: #15 2019-08-16 23:52:41 +02:00
unbound/dot: add securedns (both), dnswarden (adblock) 2019-08-17 12:23:28 +02:00			`# https://securedns.eu/ - The Netherlands`
			`forward-addr: 2a03:b0c0:0:1010::e9a:3001@853#ads-dot.securedns.eu`
			`forward-addr: 146.185.167.43:853@853#ads-dot.securedns.eu`
unbound dot: alphabetical order Ref: #15 2019-08-16 23:52:41 +02:00
unbound dot: move things around 2019-08-16 23:26:36 +02:00			`## Hopefully in the future`

			`# DNS.WATCH (German) - PROBLEM: NO DOT AS OF 2019-07-22 but in hope`
			`# they will have it I am leaving these here.`
unbound: replace forwards.conf with dns-over-tls.conf Simultaneously rm puntcat, their DNS appears to be down at the moment and I didn't find their own homepage. 2019-07-22 15:05:05 +02:00			`#forward-addr: 2001:1608:10:25::1c04:b12f@853#resolver1.dns.watch`
			`#forward-addr: 2001:1608:10:25::9249:d69b@853#resolver2.dns.watch`
			`#forward-addr: 84.200.69.80@853#resolver1.dns.watch`
			`#forward-addr: 84.200.70.40@853#resolver2.dns.watch`