NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

[Feature Request] Adding Upstream DOH #308

Open ebanDev opened 3 years ago

ebanDev commented 3 years ago

First of all thank you for the great software that is unbound! I think it would be really great if unbound integrated DOH support natively :)

dtouzeau commented 3 years ago

In progress https://github.com/NLnetLabs/unbound/pull/255

wcawijngaards commented 3 years ago

Yes, if you seek those features then it can solve your request. The code there is usable right now if you want it in beta.

If you wanted DOH towards upstream servers, then this is a new feature. And it should wait for the already referenced DoH implementation, and also for socket reuse changes that are upcoming. It would be prudent to then first resolve bugs in that code. And then start thinking about this feature.

ebanDev commented 3 years ago

Okay! Thanks for your answers

dtouzeau commented 3 years ago

Any news about this major feature?

yan12125 commented 2 years ago

> also for socket reuse changes that are upcoming.

@wcawijngaards Looks like the socket reuse feature is ready in version 1.13.2? (with fixes https://github.com/NLnetLabs/unbound/pull/513 included). The only remaining issue might be that streams may not be reused on Windows (https://github.com/NLnetLabs/unbound/issues/516).

p1r473 commented 2 years ago

I have it successfully using DOT (DNS over TLS) which is great

# forward-ssl-upstream: yes - is the instruction to use DNS over TLS, in this case for all queries (name: ".")
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes

    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

    # NordVPN
    #forward-addr: 103.86.96.100@853#dns1.nordvpn.com
    #forward-addr: 103.86.99.100@853#dns2.nordvpn.com

    # Quad9
    #forward-addr: 2620:fe::fe@853#dns.quad9.net
    #forward-addr: 9.9.9.9@853#dns.quad9.net
    #forward-addr: 2620:fe::9@853#dns.quad9.net
    #forward-addr: 149.112.112.112@853#dns.quad9.net
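
The `forward-addr` lines above use unbound's `IP[@port][#authname]` syntax, and the `#authname` part is what makes `forward-tls-upstream: yes` worth anything: with `tls-cert-bundle` set, unbound checks the upstream's TLS certificate against that name, and without it the connection is encrypted but the server is not authenticated. The following is an added example, not code from this thread, unbound or any commenter, that parses a `forward-zone` block in this shape and flags forwarders that are cleartext, have no CA bundle to verify against, or lack an auth name. The sample config and its weak `9.9.9.9@853` entry are constructed for the demonstration.

```python
import re

# Constructed sample: the forward-zone shape from this thread, plus one deliberately
# weak entry (no "#authname") so the checker has something to flag.
SAMPLE_CONF = """
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853
"""

# forward-addr syntax: IP[@port][#authname]; IPv6 literals contain ':' so we do not split on it.
ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


def parse_forward_addr(value):
    """Split 'IP[@port][#authname]' into (ip, port, authname); port defaults to 53."""
    m = ADDR_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed forward-addr: {value!r}")
    return m.group("ip"), int(m.group("port") or 53), m.group("auth")


def parse_conf(text):
    """Return (server_options, forward_zones) from unbound.conf text.

    Only the server: and forward-zone: clauses are understood; a line whose first
    non-blank character is '#' is a comment, so commented-out upstreams are ignored.
    """
    server, zones, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "server:":
            current = server
            continue
        if line == "forward-zone:":
            current = {"forward-addr": []}
            zones.append(current)
            continue
        if current is None:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "forward-addr":
            current["forward-addr"].append(val)
        else:
            current[key] = val
    return server, zones


def audit(text):
    """Return human-readable findings; an empty list means every forwarder is
    encrypted and its certificate can be checked against a name and a CA store."""
    server, zones = parse_conf(text)
    findings = []
    for z in zones:
        zone = z.get("name", "?")
        if z.get("forward-tls-upstream", "no") != "yes":
            findings.append(f"zone {zone}: forward-tls-upstream is not yes; queries leave in cleartext")
            continue
        if "tls-cert-bundle" not in server and server.get("tls-system-cert") != "yes":
            findings.append(f"zone {zone}: no tls-cert-bundle or tls-system-cert, so there is no CA to verify against")
        for addr in z["forward-addr"]:
            ip, port, auth = parse_forward_addr(addr)
            if auth is None:
                findings.append(f"zone {zone}: {ip}@{port} has no #authname; the server certificate name is not checked")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN", finding)
```

Run against the sample it reports only the `9.9.9.9@853` entry. A zone without `forward-tls-upstream: yes` is reported as cleartext; that is the correct reading of the config, even when the forwarder is a loopback proxy that encrypts on its own behalf, because the hop unbound itself makes is still plain DNS.
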

endreszabo commented 1 year ago

> I have it successfully using DOT

Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.

mister2d commented 1 year ago

> > I have it successfully using DOT
>
> Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.

I agree. My current workaround is using Unbound to pass DNS queries to a local cloudflared DOH proxy. Has been working great.

p1r473 commented 1 year ago

> > > I have it successfully using DOT
> >
> > Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.
>
> I agree. My current workaround is using Unbound to pass DNS queries to a local cloudflared DOH proxy. Has been working great.

Can you post your config please?

mister2d commented 1 year ago

> > > > I have it successfully using DOT
> > >
> > > Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.
> >
> > I agree. My current workaround is using Unbound to pass DNS queries to a local cloudflared DOH proxy. Has been working great.
>
> Can you post your config please?

It's terribly simple. I have a separate cloudflared DoH proxy listening on 127.0.0.1:5053 with an unbound forward-zone configured to 127.0.0.1@5053.

unbound.conf

...
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5053

You could test/replicate a cloudflared proxy setup with docker-compose.

version: "3"

services:
  cloudflared:
    restart: always
    image: cloudflare/cloudflared:2022.5.3
    command: proxy-dns
    environment:
      TUNNEL_METRICS: "0.0.0.0:9080"
      TUNNEL_DNS_ADDRESS: "0.0.0.0"
      TUNNEL_DNS_PORT: "5053"
      TUNNEL_DNS_UPSTREAM: "https://1.1.1.1/dns-query, https://1.0.0.1/dns-query"
      TUNNEL_DNS_MAX_UPSTREAM_CONNS: "10"
    ports:
      - "127.0.0.1:5053:5053"
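
In this setup cloudflared accepts plain DNS on 127.0.0.1:5053 and re-sends each query to https://1.1.1.1/dns-query over HTTPS, which is why it passes a filter that only blocks TCP/853. The following is an added example, not code from this thread, cloudflared or unbound, showing what that translation carries: the wire-format DNS query, its RFC 8484 GET and POST framings (the POST is the raw HTTP/1.1 request that travels inside the TLS session on 443), and parsing of the `application/dns-message` reply. The query name `example.test` and the response bytes are constructed for the example; nothing touches the network.

```python
import base64
import ipaddress
import struct

A, AAAA = 1, 28


def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=A, txid=0):
    """Header (RD set, one question) followed by the question section.
    DoH clients usually send ID 0 so identical queries look identical to HTTP caches."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url, wire):
    """RFC 8484 GET form: the message goes base64url-encoded, unpadded, in the dns= parameter."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def doh_post_request(host, path, wire):
    """RFC 8484 POST form as raw HTTP/1.1 bytes; this is what sits inside the TLS session on 443."""
    head = (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
        "Accept: application/dns-message\r\nContent-Type: application/dns-message\r\n"
        f"Content-Length: {len(wire)}\r\n\r\n"
    )
    return head.encode("ascii") + wire


def decode_name(msg, off):
    """Read a name at off, following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # two-byte pointer into an earlier part of the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Return (rcode, answers) where answers are (name, type, ttl, rdata) tuples."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == A and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(rdata))
        elif rtype == AAAA and rdlen == 16:
            rdata = str(ipaddress.IPv6Address(rdata))
        else:
            rdata = rdata.hex()
        answers.append((name, rtype, ttl, rdata))
    return flags & 0x000F, answers


# Constructed sample response for "example.test. A" (documentation address 192.0.2.10);
# the answer name is a compression pointer (0xc00c) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.test") + struct.pack("!HH", A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    q = build_query("example.test")
    print(doh_get_url("https://1.1.1.1/dns-query", q))
    print(doh_post_request("1.1.1.1", "/dns-query", q)[:120])
    print(parse_response(SAMPLE_RESPONSE))
```

Two things the framing makes visible for whoever operates this chain: on the wire between cloudflared and 1.1.1.1 there is only a TLS session on 443 with an HTTP request inside, so a middlebox that blocks 853 has nothing DNS-specific to match on; and the hop from unbound to 127.0.0.1:5053 is ordinary cleartext DNS, so the proxy, not unbound, is the component that has to verify the upstream's certificate.
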

stm32repo commented 1 year ago

Strange as it may seem, but the speed of DoH is much higher than DoT

kkkgo commented 3 months ago

Any progress? DoH may be useful in some network cases.

salamdamai commented 2 months ago

> > > > > I have it successfully using DOT
> > > >
> > > > Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.
> > >
> > > I agree. My current workaround is using Unbound to pass DNS queries to a local cloudflared DOH proxy. Has been working great.
> >
> > Can you post your config please?
>
> It's terribly simple. I have a separate cloudflared DoH proxy listening on 127.0.0.1:5053 with an unbound forward-zone configured to 127.0.0.1@5053.
>
> unbound.conf
>
> ...
> forward-zone:
>     name: "."
>     forward-addr: 127.0.0.1@5053
>
> You could test/replicate a cloudflared proxy setup with docker-compose.
>
> version: "3"
>
> services:
>   cloudflared:
>     restart: always
>     image: cloudflare/cloudflared:2022.5.3
>     command: proxy-dns
>     environment:
>       TUNNEL_METRICS: "0.0.0.0:9080"
>       TUNNEL_DNS_ADDRESS: "0.0.0.0"
>       TUNNEL_DNS_PORT: "5053"
>       TUNNEL_DNS_UPSTREAM: "https://1.1.1.1/dns-query, https://1.0.0.1/dns-query"
>       TUNNEL_DNS_MAX_UPSTREAM_CONNS: "10"
>     ports:
>       - "127.0.0.1:5053:5053"

What does your configuration file for cloudflared.service look like?