From 34b4ffb8aca4cb8585a07007dc76ec84cb5f9761 Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Fri, 4 Aug 2023 12:45:03 +0300 Subject: [PATCH] unbound/dns-over-tls.conf: cut to 443 and private ECS capable non-filtering servers --- etc/unbound/unbound.conf.d/dns-over-tls.conf | 58 +++++--------------- 1 file changed, 15 insertions(+), 43 deletions(-) diff --git a/etc/unbound/unbound.conf.d/dns-over-tls.conf b/etc/unbound/unbound.conf.d/dns-over-tls.conf index 9f429d47..14b2a0c5 100644 --- a/etc/unbound/unbound.conf.d/dns-over-tls.conf +++ b/etc/unbound/unbound.conf.d/dns-over-tls.conf @@ -1,57 +1,29 @@ -# NOTE! Requires Unbound 1.7.3 or newer! -# Based on https://www.ctrl.blog/entry/unbound-tls-forwarding.html -# -# NOTE! You might also be interested in cache.conf, ipv6.conf and -# threads.conf -# You should already have qname-minimisation.conf and -# root-auto-trust-anchor-file.conf at least on Debian. - server: # Debian ca-certificates location tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt # Fedora location #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -# Hopefully a reasonable set of non-filtering servers including those -# listening on 443, preferably Anycast, but not necessarily. -# -# This list is mainly selfdogdfed on servers (so not being in Finland -# is not a concern and local devices are using Mullvad (Adblock for own, nonfiltering -# for shared family (need discount ads), Adguard filtered for 2006 print server) -# (Also I cannot rename this file due to it being linked around)) +# This list is for my travel laptop to have at least one DoT443 server +# which seems to be applied-privacy.net. They advice having multiple DoT servers +# for redundancy and as they don't filter, it's best I use other non-filtering ones. forward-zone: name: "." forward-tls-upstream: yes - # Quad9 - Anycast, Switzerland based - # Non filtering "insecure" servers without DNSSEC, but that is done - # by Unbound locally anyway. - forward-addr: 2620:fe::fe:10@853#dns10.quad9.net - forward-addr: 9.9.9.10@853#dns10.quad9.net - forward-addr: 2620:fe::10@853#dns10.quad9.net - forward-addr: 149.112.112.10@853#dns10.quad9.net - - # Cloudflare DNS - anycast - forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com - forward-addr: 1.1.1.1@853#cloudflare-dns.com - forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com - forward-addr: 1.0.0.1@853#cloudflare-dns.com - - ## DNS-over-TLS on port 443, no filtering. Mainly useful for traveling - ## laptops? # https://appliedprivacy.net/services/dns/ - Vienna, Austria - #forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net - #forward-addr: 146.255.56.98@443#dot1.applied-privacy.net + forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net + forward-addr: 146.255.56.98@443#dot1.applied-privacy.net - # Adguard DNS Unfiltered Anycast - forward-addr: 2a10:50c0::1:ff@853#dns-unfiltered.adguard.com - forward-addr: 2a10:50c0::2:ff@853#dns-unfiltered.adguard.com - forward-addr: 94.140.14.140@853#dns-unfiltered.adguard.com - forward-addr: 94.140.14.141@853#dns-unfiltered.adguard.com + # https://www.dns0.eu/open https://www.dns0.eu/network - French based. Private ECS + forward-addr: 193.110.81.254@853#open.dns0.eu + forward-addr: 185.253.5.254@853#open.dns0.eu + forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu + forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu - # NextDNS - anycast - forward-addr: 45.90.28.0@853#dns1.nextdns.io - forward-addr: 2a07:a8c0::@853#dns1.nextdns.io - forward-addr: 45.90.30.0@853#dns2.nextdns.io - forward-addr: 2a07:a8c1::@853#dns2.nextdns.io + # Adguard DNS Unfiltered Anycast. Malta based. Private ECS. + forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com + forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com + forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com + forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com