# NOTE! Requires Unbound 1.7.3 or newer! Debian 9 has 1.6.0 # cp of forwards.conf updated to DNS over TLS time with a lot took from # https://www.ctrl.blog/entry/unbound-tls-forwarding.html server: # Debian ca-certificates location tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt # ctrl.blog says this is the Fedora location #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem # Forward queries to forward-zone: name: "." forward-tls-upstream: yes ## DNS-over-TLS on port 443, no filtering # https://appliedprivacy.net/services/dns/ - Vienna, Austria forward-addr: 37.252.185.232@443#dot1.appliedprivacy.net # https://dnswarden.com/ - Germany forward-addr: 2a01:4f8:1c1c:5e77::1@443#uncensored-dot.dnswarden.com forward-addr: 2a01:4f8:1c1c:75b4::1@443#uncensored-dot.dnswarden.com forward-addr: 116.203.35.255@443#uncensored-dot.dnswarden.com forward-addr: 116.203.70.156@443#uncensored-dot.dnswarden.com ## DNS-over-TLS on port 853, no filtering # Lelux.fi Luxembourg forward-addr: 2605:6400:30:f891::1@853#resolver2.lelux.fi forward-addr: 104.244.79.229@853#resolver2.lelux.fi # Snopyta.org, Finland forward-addr: 2a01:4f9:2a:1919::9301@853#fi.dot.dns.snopyta.org forward-addr: 95.216.24.230@853#fi.dot.dns.snopyta.org # uncensoreddns.org / censurfridns.dk - Anycast (Copenhagen?) forward-addr: 2001:67c:28a4::@853#anycast.censurfridns.dk forward-addr: 91.239.100.100@853#anycast.censurfridns.dk # Cloudflare DNS - anycast # warning: for-profit business (and too big in my opinion), USA based # my conscience demands me to comment it due to their thread to # decentralization #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com #forward-addr: 1.1.1.1@853#cloudflare-dns.com #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com #forward-addr: 1.0.0.1@853#cloudflare-dns.com # https://securedns.eu/ - The Netherlands forward-addr: 2a03:b0c0:0:1010::e9a:3001@853#dot.securedns.eu forward-addr: 146.185.167.43@853#dot.securedns.eu ## Malicious domain filtering # Quad9 - warning: uncommenting others simultaneously will break # malicious domain blocking. - Anycast, USA based forward-addr: 2620:fe::fe@853#dns.quad9.net forward-addr: 9.9.9.9@853#dns.quad9.net forward-addr: 2620:fe::9@853#dns.quad9.net forward-addr: 149.112.112.112@853#dns.quad9.net # AdBlocking DNS # AdGuard DNS - warning: for-profit business which task is to lie (to # block ads) - anycast (Cyprus based) #forward-addr: 176.103.130.130@853#dns.adguard.com #forward-addr: 176.103.130.131@853#dns.adguard.com # BlahDNS.com - uncommented due to 443, so even with blocked queries # something might work on a restricted network # Germany forward-addr: 2a01:4f8:1c1c:6b4b::1@443#dot-de.blahdns.com forward-addr: 159.69.198.101@443#dot-de.blahdns.com # Switzerland forward-addr: 2a0a:e5c0:2:2:0:c8ff:fe68:bf48@443#dot-ch.blahdns.com # Japan forward-addr: 2001:19f0:7001:1ded:5400:01ff:fe90:945b@443#dot-jp.blahdns.com forward-addr: 108.61.201.119@443#dot-jp.blahdns.com # dnswarden.com - Germany # note: short blacklist #forward-addr: 2a01:4f8:1c1c:5e77::1@443#adblock-dot.dnswarden.com #forward-addr: 2a01:4f8:1c1c:75b4::1@443#adblock-dot.dnswarden.com #forward-addr: 116.203.35.255@443#adblock-dot.dnswarden.com #forward-addr: 116.203.70.156@443#adblock-dot.dnswarden.com # https://securedns.eu/ - The Netherlands #forward-addr: 2a03:b0c0:0:1010::e9a:3001@853#ads-dot.securedns.eu #forward-addr: 146.185.167.43@853#ads-dot.securedns.eu ## Hopefully in the future # DNS.WATCH (German) - PROBLEM: NO DOT AS OF 2019-07-22 but in hope # they will have it I am leaving these here. #forward-addr: 2001:1608:10:25::1c04:b12f@853#resolver1.dns.watch #forward-addr: 2001:1608:10:25::9249:d69b@853#resolver2.dns.watch #forward-addr: 84.200.69.80@853#resolver1.dns.watch #forward-addr: 84.200.70.40@853#resolver2.dns.watch