Open MegaManSec opened 3 weeks ago
The forward-tls-upstream and forward-tcp-upstream only take precedence over the server: setting when they enable the setting. For disabling it, it does not override the server setting.
If it is needed to have separate options for tls and tcp for particular forward-zone and stub-zone entries, do not use the global server settings but instead configure all of the forward-zone and stub-zone entries individually with the forward-tls-upstream, forward-tcp-upstream, stub-tls-upstream and stub-tcp-upstream options. That leaves the tcp-upstream and tls-upstream settings at the default no, in the server: section. In the individual stub-zone and forward-zone sections it can then be configured in detail.
Hello,
I am not sure if this is a bug or intentional, but thought I would report it here anyways.
I currently use unbound with an upstream DoT server. I use `forward-tls-upstream` to ensure that all of the upstream requests implicitly use TLS (in case of bugs like https://github.com/NLnetLabs/unbound/issues/676). However, I would also like to use forward-tls-upstream to implicitly set some domains to be resolved via an upstream server over normal DNS over UDP. As such, I have the following configuration:
My expectation is that when `wlan.schiphol.nl` is resolved, the `192.168.127.97` server is used via standard DNS over UDP, without encryption. Unfortunately it seems that neither `forward-tls-upstream` nor `forward-tcp-upstream` (either together or separately) take preference over the `server:` setting.

Unbound Version 1.21.0 on FreeBSD 13.
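As an added example (not code from the issue or from Unbound itself), here is a small Python lint that encodes the rule the maintainer states above: a per-zone `forward-tls-upstream: no` / `forward-tcp-upstream: no` (or the `stub-*` equivalents) cannot override `server: tls-upstream: yes` / `tcp-upstream: yes`, so the only layout that gives per-zone control is the one recommended in the reply, with the server defaults left at `no`. The parser handles only the subset of unbound.conf syntax needed here; the two embedded configurations are constructed for illustration (the `198.51.100.53@853` DoT resolver is a placeholder address), and the check is my own, not Unbound's configuration parser.

```python
"""Lint an unbound.conf for per-zone tls/tcp 'no' settings that a global 'yes' silently wins over."""
import re

# Clause header such as "server:" or "forward-zone:" (no value on the line).
SECTION_RE = re.compile(r"^\s*([a-z-]+):\s*$")
# Option line such as "forward-addr: 192.0.2.1" or 'name: "example.test"'.
OPTION_RE = re.compile(r"^\s*([a-z-]+):\s*(\S.*?)\s*$")


def parse_unbound_conf(text):
    """Minimal parser: returns (server_options, [(zone_kind, zone_options), ...]).

    Option values are kept as lists because options like forward-addr may repeat.
    Clauses other than server:, forward-zone: and stub-zone: are skipped.
    """
    server = {}
    zones = []
    current = None  # dict being filled, or None while in an ignored clause
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            kind = m.group(1)
            if kind == "server":
                current = server
            elif kind in ("forward-zone", "stub-zone"):
                current = {}
                zones.append((kind, current))
            else:
                current = None
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2).strip('"')
            current.setdefault(key, []).append(value)
    return server, zones


def is_yes(opts, key):
    """Last occurrence wins; unset means the documented default of no."""
    return opts.get(key, ["no"])[-1].lower() == "yes"


def find_ineffective_overrides(server, zones):
    """Report per-zone 'no' values that cannot disable a global 'yes'."""
    warnings = []
    for kind, zone in zones:
        name = zone.get("name", ["?"])[0]
        prefix = "forward" if kind == "forward-zone" else "stub"
        for proto in ("tls", "tcp"):
            global_key = f"{proto}-upstream"
            zone_key = f"{prefix}-{proto}-upstream"
            if is_yes(server, global_key) and zone_key in zone and not is_yes(zone, zone_key):
                warnings.append(
                    f"{kind} {name}: {zone_key}: no is ignored because server: {global_key}: yes"
                )
    return warnings


def lint(text):
    return find_ineffective_overrides(*parse_unbound_conf(text))


# Constructed config matching the report: the zone-level "no" is expected to
# fall back to plain UDP for one zone, but the global "yes" still applies.
BROKEN_CONF = """\
server:
    tls-upstream: yes                 # every upstream query over TLS

forward-zone:
    name: "."
    forward-addr: 198.51.100.53@853   # placeholder DoT resolver

forward-zone:
    name: "wlan.schiphol.nl"
    forward-addr: 192.168.127.97
    forward-tls-upstream: no          # intended: plain UDP for this zone only
"""

# Constructed config following the maintainer's advice: server defaults stay
# at no, and TLS is enabled per forward-zone instead.
FIXED_CONF = """\
server:
    # tls-upstream and tcp-upstream left at their default of no

forward-zone:
    name: "."
    forward-addr: 198.51.100.53@853   # placeholder DoT resolver
    forward-tls-upstream: yes

forward-zone:
    name: "wlan.schiphol.nl"
    forward-addr: 192.168.127.97
    forward-tls-upstream: no
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint(conf) or "ok")
```

Running the script prints one warning for the first configuration and `ok` for the second; the same rule applies to `stub-zone` entries with `stub-tls-upstream` and `stub-tcp-upstream`, and `lint()` checks those too. Unbound's own `unbound-checkconf` validates syntax but does not flag this precedence pitfall, which is why a separate check is useful.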