DNS over TLS with unbound

According to my connection information I’m not using DNS over TLS. If you need more information I can upload the unbound.log.

server:
    # If no logfile is specified, syslog is used
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 5

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: yes

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    qname-minimisation: yes
    rrset-roundrobin: yes

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes

Is it my cert file or something? Because kdig is working fine.

$ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58240
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 397 B

;; QUESTION SECTION:
;; example.com.                 IN      A

;; ANSWER SECTION:
example.com.            76925   IN      A       93.184.216.34

;; Received 468 B
;; Time 2020-05-24 02:02:52 CEST
;; From 1.1.1.1@853(TCP) in 10.1 ms

Can you try dig @127.0.0.1 -p 5335 is-dot.cloudflareresolve.com ?

I have installed cloudflared now, but haven’t uninstalled unbound yet. I will give this a try!

Here is the reply:

$ dig @127.0.0.1 -p 5335 is-dot.cloudflareresolve.com

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> @127.0.0.1 -p 5335 is-dot.cloudflareresolve.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25527
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;is-dot.cloudflareresolve.com.  IN      A

;; AUTHORITY SECTION:
cloudflareresolve.com.  0       IN      SOA     cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0

;; Query time: 346 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue May 26 19:58:38 CEST 2020
;; MSG SIZE  rcvd: 108

It does seem like it's not using TLS. I'm not sure why; try checking the unbound logs or increasing verbosity.

I set the verbosity to the highest level (5).

Here is the log from dig @127.0.0.1 -p 5335 is-dot.cloudflareresolve.com

https://i.zkitzo.one/unbound.log

It's not being loaded: either your unbound needs to be upgraded or it's not loading the config.
You should see something like this on startup:

info: DelegationPoint<.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS
debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)
debug:   [cloudflare-dns.com] ip4 1.0.0.1 port 853 (len 16)
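One way to turn the startup check above into something scriptable, as an added example that is not part of the thread: scan an unbound debug log for the forward-zone delegation-point lines and confirm every forwarder is on port 853 with the expected TLS auth name. The regex and the sample log excerpts are constructed for this example, not taken from the thread's log files.

```python
import re
from typing import Dict, List, Tuple

# Matches the per-address lines unbound logs (at high verbosity) for a loaded
# forward-zone delegation point, e.g.
#   debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)
FORWARDER_RE = re.compile(
    r"\[(?P<authname>[^\]]*)\]\s+ip(?P<family>[46])\s+(?P<addr>\S+)\s+port\s+(?P<port>\d+)"
)

def parse_forwarders(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict (authname, family, addr, port) per forwarder address logged."""
    return [m.groupdict() for m in map(FORWARDER_RE.search, log_lines) if m]

def check_dot_forwarding(log_lines: List[str], expected_authname: str) -> Tuple[bool, List[str]]:
    """Check that every forwarder unbound loaded speaks DoT (port 853) and is
    pinned to the expected TLS auth name. Returns (ok, problems)."""
    forwarders = parse_forwarders(log_lines)
    problems: List[str] = []
    if not forwarders:
        # Nothing logged at all: the forward-zone was never read (wrong file,
        # old unbound, or the daemon was not restarted after editing).
        return False, ["no forwarder addresses logged: forward-zone not loaded"]
    for fw in forwarders:
        if fw["port"] != "853":
            problems.append(f"{fw['addr']} uses port {fw['port']}: plaintext DNS, not DoT")
        if fw["authname"] != expected_authname:
            # Without a matching #authname unbound does not verify the upstream
            # certificate against the intended hostname.
            problems.append(f"{fw['addr']} auth name {fw['authname']!r}, expected {expected_authname!r}")
    return not problems, problems

# Constructed sample log excerpts (not from the thread's log files).
LOG_GOOD = [
    "info: DelegationPoint<.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS",
    "debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 853 (len 16)",
    "debug:   [cloudflare-dns.com] ip4 1.0.0.1 port 853 (len 16)",
]
LOG_BAD = [
    "debug:   [cloudflare-dns.com] ip4 1.1.1.1 port 53 (len 16)",   # forgot @853
    "debug:   [] ip4 1.0.0.1 port 853 (len 16)",                     # forgot #authname
]

if __name__ == "__main__":
    for name, log in (("good", LOG_GOOD), ("bad", LOG_BAD)):
        ok, problems = check_dot_forwarding(log, "cloudflare-dns.com")
        print(name, "OK" if ok else "PROBLEMS", problems)
```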

I think it must be the unbound version then… I changed the port in the config to 5336 to check whether it's loaded and did another dig, but I don't see the debug lines.

Unbound Version 1.9.0

$ sudo unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
$ sudo unbound-checkconf /etc/unbound/unbound.conf.d/pi-hole.conf
unbound-checkconf: no errors in /etc/unbound/unbound.conf.d/pi-hole.conf
$ dig @127.0.0.1 -p 5335 is-dot.cloudflareresolve.com

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> @127.0.0.1 -p 5335 is-dot.cloudflareresolve.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25227
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;is-dot.cloudflareresolve.com.  IN      A

;; Query time: 624 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue May 26 21:35:54 CEST 2020
;; MSG SIZE  rcvd: 57

New log: https://i.zkitzo.one/unbound.log

That's good, that means it's working. Unbound does DNSSEC revalidation, and this special test record is synthesized by the resolver, which doesn't have signing capability, so it's not going to pass the revalidator.

You can dig with +cd to disable revalidation.
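The reasoning above (SERVFAIL without +cd, a CNAME answer with +cd, a validated NODATA when the forward-zone is not loaded at all) can be checked mechanically over dig's text output. This is an added example, not from the thread; the parser and the sample dig excerpts are constructed for it and mirror the shapes seen in this thread.

```python
import re
from typing import Dict

# Pull status and header flags out of dig's text output (constructed parser
# for the ";; ->>HEADER<<-" and ";; flags:" lines dig prints).
STATUS_RE = re.compile(r"->>HEADER<<-.*status:\s*(?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags:\s*(?P<flags>[a-z ]*);", re.MULTILINE)

def parse_dig(output: str) -> Dict[str, object]:
    s = STATUS_RE.search(output)
    f = FLAGS_RE.search(output)
    return {
        "status": s.group("status") if s else None,
        "flags": set(f.group("flags").split()) if f else set(),
        "has_cname": " CNAME " in output,   # the test name answers with a CNAME
    }

def interpret_is_dot(no_cd_output: str, cd_output: str) -> str:
    """Classify a pair of dig runs against is-dot.cloudflareresolve.com:
    one plain, one with +cd (checking disabled)."""
    plain, cd = parse_dig(no_cd_output), parse_dig(cd_output)
    if cd["status"] == "NOERROR" and cd["has_cname"]:
        # The synthesized answer only exists on the DoT upstream, so a CNAME
        # with validation off proves the forward-zone is in use. SERVFAIL
        # without +cd is the validator rejecting the unsigned record.
        # NOERROR without +cd would mean unbound is not validating at all.
        return "DOT_FORWARDING_OK" if plain["status"] == "SERVFAIL" else "FORWARDING_OK_NO_VALIDATION"
    if plain["status"] == "NOERROR" and "ad" in plain["flags"] and not plain["has_cname"]:
        # Validated NODATA straight from the authoritative zone: unbound is
        # iterating from the root hints and the forward-zone was never loaded.
        return "FORWARD_ZONE_NOT_LOADED"
    return "NOT_RESOLVING"

# Constructed dig excerpts modelled on the three shapes seen in this thread.
DIG_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25227
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_CD = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49936
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
is-dot.cloudflareresolve.com. 0 IN      CNAME   target.cloudflareresolve.com.cdn.cloudflare.net.
"""
DIG_NODATA = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25527
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
cloudflareresolve.com.  0       IN      SOA     cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0
"""

if __name__ == "__main__":
    print(interpret_is_dot(DIG_SERVFAIL, DIG_CD))      # DOT_FORWARDING_OK
    print(interpret_is_dot(DIG_NODATA, DIG_NODATA))    # FORWARD_ZONE_NOT_LOADED
```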

$ dig +cd @127.0.0.1 -p 5335 is-dot.cloudflareresolve.com

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> +cd @127.0.0.1 -p 5335 is-dot.cloudflareresolve.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49936
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;is-dot.cloudflareresolve.com.  IN      A

;; ANSWER SECTION:
is-dot.cloudflareresolve.com. 0 IN      CNAME   target.cloudflareresolve.com.cdn.cloudflare.net.
target.cloudflareresolve.com.cdn.cloudflare.net. 300 IN A 104.16.224.45
target.cloudflareresolve.com.cdn.cloudflare.net. 300 IN A 104.16.225.45

;; Query time: 681 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue May 26 22:48:34 CEST 2020
;; MSG SIZE  rcvd: 150

Again new log: https://i.zkitzo.one/unbound.log

That looks good!

Okay, I'm gonna test the unbound server in Pi-Hole; if it doesn't work, there is something wrong with Pi-Hole, I guess…

Again not working: https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IkFNUyIsImlzV2FycCI6Ik5vIiwiaXNwTmFtZSI6IkNsb3VkZmxhcmUiLCJpc3BBc24iOiIxMzMzNSJ9

$ dig +cd @127.0.0.1 -p 53 is-dot.cloudflareresolve.com

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Raspbian <<>> +cd @127.0.0.1 -p 53 is-dot.cloudflareresolve.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17822
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;is-dot.cloudflareresolve.com.  IN      A

;; ANSWER SECTION:
is-dot.cloudflareresolve.com. 0 IN      CNAME   target.cloudflareresolve.com.cdn.cloudflare.net.
target.cloudflareresolve.com.cdn.cloudflare.net. 300 IN A 104.16.225.45
target.cloudflareresolve.com.cdn.cloudflare.net. 300 IN A 104.16.224.45

;; Query time: 585 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue May 26 23:14:38 CEST 2020
;; MSG SIZE  rcvd: 150

I have a new log again: https://i.zkitzo.one/unbound.log

1MB of real traffic.

The https://1.1.1.1/help tester is not going to show you correct results when you’re proxying through Unbound because of the DNSSEC revalidation issue.

So it’s working though? :smiley:

Yes, if this resolves then you’re using DoT:

Thank you so much for your time and effort!