From c81c1dd7d08f4ace8a97db14a8da7e2bbe1c0026 Mon Sep 17 00:00:00 2001 From: Aminda Suomalainen Date: Thu, 9 May 2024 20:02:23 +0300 Subject: [PATCH] unbound: restore dot-dns0-quad9.conf with IPv4 for DNS0 & IPv6 for Quad9 ECS This partially reverts commit 422ab0de4eedfe378d1866bfb58a2b4dac774b83 --- .../unbound.conf.d/dot-dns0-quad9.conf | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 etc/unbound/unbound.conf.d/dot-dns0-quad9.conf diff --git a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf new file mode 100644 index 00000000..5f5de52f --- /dev/null +++ b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf @@ -0,0 +1,34 @@ +# This is a merging of dot-dns0.conf & dot-quad9.conf with weight on DNS0 +# IPv4 and when using IPv6, Quad9 Secure with ECS. IPv6 private ECS is +# horribly inaccurate and I have minor leaning towards having ECS enabled. +# Private ECS is a compromise between privacy and local destinations. +# +# Both are filtering DNS servers, so this brings risk of something being +# blocked by only one of them. However both are non-profits and have servers +# in Finland. + +server: + # Debian ca-certificates location + #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # Fedora + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + # Use system certificates no matter where they are + tls-system-cert: yes + # Quad9 says pointless performance impact on forwarders. + # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization + qname-minimisation: no + # Private ECS is more accurate with IPv4 than IPv6. + prefer-ip4: yes + prefer-ip6: no + +forward-zone: + name: "." + forward-tls-upstream: yes +## DNS0.eu IPv4 Default + forward-addr: 193.110.81.0@853#dns0.eu + forward-addr: 185.253.5.0@853#dns0.eu +## Quad9 IPv6 Secure + ECS + forward-addr: 2620:fe::fe:11@853#dns11.quad9.net + forward-addr: 2620:fe::11@853#dns11.quad9.net + +# vim: filetype=unbound.conf