From ffbbe9e522bc7c47ea9222b13f7a582990384acb Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Mon, 22 Jul 2019 16:05:05 +0300 Subject: [PATCH] unbound: replace forwards.conf with dns-over-tls.conf Simultaneously rm puntcat, their DNS appears to be down at the moment and I didn't find their own homepage. --- etc/unbound/unbound.conf.d/dns-over-tls.conf | 39 ++++++++++++++++++++ etc/unbound/unbound.conf.d/forwards.conf | 5 +-- 2 files changed, 40 insertions(+), 4 deletions(-) create mode 100644 etc/unbound/unbound.conf.d/dns-over-tls.conf diff --git a/etc/unbound/unbound.conf.d/dns-over-tls.conf b/etc/unbound/unbound.conf.d/dns-over-tls.conf new file mode 100644 index 00000000..db6b17db --- /dev/null +++ b/etc/unbound/unbound.conf.d/dns-over-tls.conf @@ -0,0 +1,39 @@ +# cp of forwards.conf updated to DNS over TLS time with a lot took from +# https://www.ctrl.blog/entry/unbound-tls-forwarding.html + +server: + # Debian ca-certificates location + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + # ctrl.blog says this is the Fedora location + #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem + +# Forward queries to +forward-zone: + name: "." + forward-tls-upstream: yes + ## Quad9 - warning: uncommenting others simultaneously will break + ## malicious domain blocking. + forward-addr: 2620:fe::fe@853#dns.quad9.net + forward-addr: 9.9.9.9@853#dns.quad9.net + forward-addr: 2620:fe::9@853#dns.quad9.net + forward-addr: 149.112.112.112@853#dns.quad9.net + ## Google - warning: for-profit business + #forward-addr: 2001:4860:4860::8888@853#dns.google + #forward-addr: 2001:4860:4860::8844@853#dns.google + #forward-addr: 8.8.8.8@853#dns.google + #forward-addr: 8.8.4.4@853#dns.google + ## censurfridns.dk (Copenhagen?) + #forward-addr: 2001:67c:28a4::@853#anycast.censurfridns.dk + #forward-addr: 91.239.100.100@853#anycast.censurfridns.dk + ## DNS.WATCH (German) - PROBLEM: NO DOT AS OF 2019-07-22 but in hope + ## they will have it I am leaving these here. + #forward-addr: 2001:1608:10:25::1c04:b12f@853#resolver1.dns.watch + #forward-addr: 2001:1608:10:25::9249:d69b@853#resolver2.dns.watch + #forward-addr: 84.200.69.80@853#resolver1.dns.watch + #forward-addr: 84.200.70.40@853#resolver2.dns.watch + ## Cloudflare DNS - didn't exist in 2015 for forwards.conf + ## warning: for-profit business (and too big in my opinion) + #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com + #forward-addr: 1.1.1.1@853#cloudflare-dns.com + #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com + #forward-addr: 1.0.0.1@853#cloudflare-dns.com diff --git a/etc/unbound/unbound.conf.d/forwards.conf b/etc/unbound/unbound.conf.d/forwards.conf index 86d141fb..86f83b3f 100644 --- a/etc/unbound/unbound.conf.d/forwards.conf +++ b/etc/unbound/unbound.conf.d/forwards.conf @@ -1,4 +1,4 @@ -# Forward queries to +# Legacy file, use dns-over-tls.conf instead! forward-zone: name: "." # Trex DNS64/NAT64 @@ -17,6 +17,3 @@ forward-zone: forward-addr: 2001:1608:10:25::9249:d69b forward-addr: 84.200.69.80 forward-addr: 84.200.70.40 - # puntCAT - forward-addr: 2a00:1508:0:4::9 - forward-addr: 109.69.8.51