anudeepND / pihole-unbound

Guide to setup Unbound recursive DNS resolver with Pi-Hole. With additional configs for speed and security!! 🚀🔒

DNS over TLS support? #13

Open pimvh opened 3 years ago

pimvh commented 3 years ago

Hi anuDeepND,

I've used your Unbound configuration as a base to couple with my Pihole, and I've noticed that Unbound currently also supports DNS over TLS and DNS over HTTPS.

It is arguably more secure and privacy friendly than querying the root domain servers (which is unencrypted UDP traffic), depending on which upstream DNS you configure. Still, somebody could figure out which website you are visiting based on reverse IP lookups etc., but encrypted DNS allows for less tampering.

Configuring this is quite simple, as you can add the following to the bottom of your configuration:

    server:
        # CA bundle used to validate the upstream's TLS certificate
        tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # on Pihole, other systems might have different spots

    forward-zone:
        name: "."
        forward-addr: #########@853 # replace with the DNS of your choice
        forward-addr: ##########@853 # replace with the DNS of your choice
        forward-tls-upstream: yes

Some examples of encrypted DNS resolvers can be found here.

Is this something you'd like to include?
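The snippet above is easy to get subtly wrong: `tls-cert-bundle` is a `server:` option (appending it after a `forward-zone:` block is a parse error), the bundle path must be absolute, and a `forward-addr` without a `#hostname` suffix makes Unbound encrypt the connection but not authenticate the upstream certificate. The following linter, an added example that is not part of the pihole-unbound project or this issue, parses an `unbound.conf` fragment and reports those defects, plus a reminder that a `forward-zone` for `"."` means Unbound no longer recurses from the root servers. The `192.0.2.x` addresses and `dot.example.net` are constructed placeholders, not real resolvers.

```python
"""Lint an Unbound forward-zone config for DNS-over-TLS defects.

Added example, not project code. Checks: the CA bundle lives under 'server:'
and is an absolute path; each forward-addr uses @853 when forward-tls-upstream
is 'yes'; each address carries a '#hostname' authentication name, without which
Unbound encrypts but does not verify the upstream certificate.
"""
import re
from typing import Dict, List, Tuple

Section = Tuple[str, Dict[str, List[str]]]

# Constructed sample shaped like the snippet in the issue: the bundle line sits
# above any section, the path has no leading slash, and no address carries an
# authentication name. 192.0.2.x are documentation addresses, not resolvers.
WEAK_CONFIG = """
tls-cert-bundle: "etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-addr: 192.0.2.1@853
    forward-addr: 192.0.2.2@853
    forward-tls-upstream: yes
"""

# Constructed hardened variant; dot.example.net is a placeholder hostname.
HARDENED_CONFIG = """
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-addr: 192.0.2.1@853#dot.example.net
    forward-addr: 192.0.2.2@853#dot.example.net
    forward-tls-upstream: yes
"""


def parse_sections(text: str) -> List[Section]:
    """Split unbound.conf text into (section, {option: [values]}) pairs.

    A '#' starts a comment only at line start or after whitespace, so the
    '@853#hostname' suffix of forward-addr survives. Options that appear
    before any 'server:'/'forward-zone:' header land in a '(top level)' bucket.
    """
    top: Section = ("(top level)", {})
    sections: List[Section] = [top]
    current = top
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if re.fullmatch(r"[a-z-]+:", line):          # e.g. 'server:' / 'forward-zone:'
            current = (line[:-1], {})
            sections.append(current)
            continue
        key, _, value = line.partition(":")          # first ':' ends the option name
        current[1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return [s for s in sections if s[1]]             # drop an unused top-level bucket


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    sections = parse_sections(text)
    server: Dict[str, List[str]] = {}
    for name, opts in sections:
        if name == "server":
            server = opts
        elif name == "(top level)":
            findings.append("options outside any section: " + ", ".join(opts))

    bundle = server.get("tls-cert-bundle", [])
    if not bundle and server.get("tls-system-cert", ["no"])[0] != "yes":
        findings.append("server: has no tls-cert-bundle or tls-system-cert, "
                        "so no CA is available to validate upstream certificates")
    elif bundle and not bundle[0].startswith("/"):
        findings.append(f"tls-cert-bundle is a relative path: {bundle[0]}")

    for name, opts in sections:
        if name != "forward-zone":
            continue
        zone = opts.get("name", ["?"])[0]
        tls = opts.get("forward-tls-upstream", ["no"])[0]
        if zone == ".":
            findings.append("forward-zone '.' sends every query upstream; "
                            "Unbound no longer recurses from the root servers")
        for addr in opts.get("forward-addr", []):
            hostport, _, auth = addr.partition("#")
            port = hostport.rpartition("@")[2] if "@" in hostport else "53"
            if tls == "yes" and port != "853":
                findings.append(f"{addr}: TLS upstream on port {port}, expected @853")
            if tls != "yes" and port == "853":
                findings.append(f"{addr}: port 853 but forward-tls-upstream is not yes")
            if tls == "yes" and not auth:
                findings.append(f"{addr}: no '#hostname' authentication name, "
                                "so the upstream certificate is not verified")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against your real file with `lint(open("/etc/unbound/unbound.conf.d/pi-hole.conf").read())`; the hardened sample still yields one finding, the note that forwarding `"."` disables recursion, because that is a design choice rather than a defect, but it is exactly the trade-off raised later in this thread.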

anudeepND commented 3 years ago

@pimvh Sorry for the late reply. Thanks for the info, it can be included in the config; I will test this setup on my end. If everything is working fine, I will include it.

mooleshacat commented 2 years ago

Works for me too. I just wish I could get Unbound to resolve the domains recursively, that was the whole point of installing Unbound in the first place. Otherwise you can just put the forward IP into the PiHole DNS page and call it a day. No point in doing all that work for effectively the same results.

Where this does help is when you want to set up a secondary DNS to your PiHole, because you don't need a full PiHole install, only an Unbound resolver set up on port 53. Then you use the above config to connect it to your PiHole and it will use the PiHole as the forwarder.