3

I have configured Unbound to use DNS over TLS using the following configuration. How can I configure Unbound to validate the upstream certificate against a hostname?

forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853
        forward-addr: 2606:4700:4700::1111@853
        forward-addr: 2606:4700:4700::1001@853
        forward-tls-upstream: yes

3 Answers

4

The bug report for adding support for validating the upstream DNS server's certificate was resolved on April 19, 2018.

Adapting the example from comment 9:

server:
        tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"
forward-zone:
        name: "."
        forward-addr: 1.1.1.1#cloudflare-dns.com
        forward-addr: 1.0.0.1#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1001#cloudflare-dns.com
        forward-tls-upstream: yes

There's also an explanation of how it works - the hashtag name allows for the tls authentication name to be set for stub-zones and with unbound-control forward control commands. There should be no spaces around the '@' and '#'.

1
  • Credit to @jwh, but apparently I'm not able to edit their answer to include an example. Commented May 2, 2018 at 3:34
2

Unfortunately, you cannot. There is an unresolved bug for this:

unbound using TLS in a forwarding configuration does not verify the server's certificate

So with Unbound's DNS over TLS your requests can be intercepted.

1

The bug for "unbound using TLS in a forwarding configuration does not verify the server's certificate" was resolved on 19 Apr 2018:

TLS authentication for forwarders.

The syntax is forward-addr: [@port][#tls-authentication-name] And the ca bundle can be set with: tls-cert-bundle: "ca-bundle.pem" (or the ca-bundle.crt file).

Example:

server:
        tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 1.1.1.1@853#cloudflare-dns.com

The hashtag name trick makes it so that the tls authentication name can also be set for e.g. stub-zones and with unbound-control forward control commands. It was also easier in the code. There should be no spaces around the '@' and '#'.

The port number is [...] 853 when you specify a tls authname. (And still 53 for others).

Ref: comment 9.

1
  • As is, its a bit of a link only answer. It would be useful to integrate some of the information from the appropriate email into your post.
    – Journeyman Geek
    Commented May 2, 2018 at 3:26
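As an added example (not part of the question or of any of the answers above), the following Python script applies the forward-addr syntax both answers describe, ip[@port][#tls-authentication-name], to audit an unbound.conf: it reports any forwarder that negotiates TLS without a '#name' to verify the certificate against, and any named forwarder for which no tls-cert-bundle exists to verify it with. The default-port rule (853 when an auth name is given, otherwise 53) is the one quoted from the mailing list above. The parser, the audit function and the sample configuration are all constructed for this example; the sample deliberately mixes one unauthenticated forwarder from the original question with authenticated ones so the check has something to flag.

```python
"""Audit Unbound forward-zones for DNS-over-TLS certificate validation.

Added example, not Unbound's own code.  Parses the minimal subset of
unbound.conf needed here (server: tls-cert-bundle, forward-zone: name /
forward-addr / forward-tls-upstream) and flags forwarders whose upstream
certificate would not be verified.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the 1.1.1.1 entry keeps the original question's form
# (TLS, but no '#auth-name'), the others use the fixed syntax.
SAMPLE_CONF = """\
server:
        tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"
forward-zone:
        name: "."
        forward-addr: 1.1.1.1@853
        forward-addr: 1.0.0.1@853#cloudflare-dns.com
        forward-addr: 2606:4700:4700::1111#cloudflare-dns.com
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-tls-upstream: yes
"""

# ip[@port][#tls-authentication-name], no spaces around '@' or '#'.
FORWARD_ADDR = re.compile(
    r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<name>\S+))?$"
)


@dataclass
class Forwarder:
    ip: str
    port: int
    auth_name: Optional[str]
    authenticated: bool  # TLS upstream AND a name to verify the cert against


def parse_forward_addr(value: str, tls_upstream: bool) -> Forwarder:
    """Split one forward-addr value; apply Unbound's default-port rule."""
    m = FORWARD_ADDR.match(value.strip())
    if not m:
        raise ValueError(f"malformed forward-addr: {value!r}")
    name = m.group("name")
    if m.group("port"):
        port = int(m.group("port"))
    else:
        port = 853 if name else 53  # 853 only when a TLS auth name is given
    return Forwarder(m.group("ip"), port, name, bool(tls_upstream and name))


def parse_unbound_conf(text: str):
    """Return (tls_cert_bundle or None, list of forward-zone dicts)."""
    bundle = None
    zones = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "forward-zone:":
            current = {"name": None, "addrs": [], "tls": False}
            zones.append(current)
            continue
        if line.endswith(":") and " " not in line:  # another clause, e.g. server:
            current = None
            continue
        key, _, value = line.partition(":")  # first ':' only, IPv6 values keep theirs
        key, value = key.strip(), value.strip()
        if key == "tls-cert-bundle":
            bundle = value.strip('"')
        elif current is not None:
            if key == "name":
                current["name"] = value.strip('"')
            elif key == "forward-addr":
                current["addrs"].append(value)
            elif key == "forward-tls-upstream":
                current["tls"] = value.lower() in ("yes", "true")
    return bundle, zones


def audit(text: str) -> list:
    """Return findings (strings); an empty list means every forwarder is verified."""
    bundle, zones = parse_unbound_conf(text)
    findings = []
    for zone in zones:
        for raw in zone["addrs"]:
            fwd = parse_forward_addr(raw, zone["tls"])
            where = f"zone {zone['name']}: {fwd.ip} port {fwd.port}"
            if not zone["tls"]:
                findings.append(f"{where} uses plain DNS (forward-tls-upstream is not yes)")
            elif fwd.auth_name is None:
                findings.append(f"{where} uses TLS but has no #auth-name, so the certificate is not verified")
            elif bundle is None:
                findings.append(f"{where} names {fwd.auth_name} but no tls-cert-bundle is set, so there is no trust anchor")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["all forwarders verify the upstream certificate"]:
        print(finding)
```

Run against a real file by replacing SAMPLE_CONF with the contents of /etc/unbound/unbound.conf; the checks mirror what the two answers say is needed, a name after '#' for each forwarder and a CA bundle for Unbound to verify it against.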
