bhanupratapys / dnswarden

Adblocking dns, Uncensored dns server and Adult-filter dns. Supports Dns-over-QUIC , Dns-over-HTTPS and Dns-over-TLS with DNSSEC enabled and no logging.
https://dnswarden.com/
MIT License
140 stars 4 forks

[QUESTION] how do I set up `unbound` DNS-over-TLS #40

Open Veraellyunjie opened 3 weeks ago

Veraellyunjie commented 3 weeks ago

Here is a howto on setting up unbound on OpenBSD: https://www.jwillikers.com/dns-over-tls-with-unbound

unbound.conf excerpt:

# Use an upstream DNS-over-TLS forwarder and do not fall back to cleartext
# if that fails.
forward-zone:
    name: "."
    forward-tls-upstream: yes       # use DNS-over-TLS forwarder
    forward-first: no           # do NOT send direct
#   # the hostname after "#" is not a comment, it is used for TLS checks:
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

forward-addr: consists of 3 parts:


https://blahdns.com/ config data:

DNS-over-TLS

IP address: 78.46.244.143 2a01:4f8:c17:ec67::1

tls_auth_name: dot-de.blahdns.com

port: 853, 443 (Strict SNI, without SNI will drop)


All 3 parts present, I can understand it and apply in unbound.conf


https://dnswarden.com/ config data: adblock.dns.dnswarden.com or uncensored.dns.dnswarden.com or adultfilter.dns.dnswarden.com


1 part present, 2 parts missing, I can't understand it and can't apply in unbound.conf


What unbound.conf forward-addr: line should look like for dnswarden? Thank you

bhanupratapys commented 2 weeks ago

Hello, I think this should work.

forward-addr: 149.248.217.117@853#adblock.dns.dnswarden.com
forward-addr: 2a09:8280:1:0:0:0:1:da1b@853#adblock.dns.dnswarden.com

You can also play around with the custom filter, where you can choose your own blocklists. You can copy the domain name identifier from that page and replace it in the above unbound config after #

forward-addr: 149.248.217.117@853#n000000080000g0000000g.dns.dnswarden.com

Veraellyunjie commented 1 week ago

Thank you, @bhanupratapys


I asked another DNS resolution provider a similar question: https://github.com/m0zgen/openbld.net/issues/2

Here is their reply, adapted to dnswarden:

Check with nslookup or dig commands:

> nslookup -port=53 adblock.dns.dnswarden.com 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
adblock.dns.dnswarden.com       canonical name = dns.dnswarden.com.
Name:   dns.dnswarden.com
Address: 149.248.217.117

Check the service is working on port 853:

> telnet 149.248.217.117 853
Trying 149.248.217.117...
Connected to 149.248.217.117.
Escape character is '^]'.
Connection closed by foreign host.

Use 149.248.217.117@853#adblock.dns.dnswarden.com in config

Veraellyunjie commented 1 week ago

It doesn't work: forward-addr: 149.248.217.117@853#adblock.dns.dnswarden.com is what I put into my unbound.conf, then ran rcctl reload unbound, then tried pinging/opening some websites and ran the DNS test at https://dnsleaktest.com/

With other DNS resolution services, it works. With dnswarden, ping: no address associated with name, browser: ERR_NAME_NOT_RESOLVED

same with uncensored.dns.dnswarden.com
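
Added example, not part of the thread or the dnswarden project: a small Python check of the `forward-addr` syntax discussed above (IP address, `@port`, `#` TLS auth name), run over a constructed config. The function names and the cert bundle path are assumptions; the findings follow the option descriptions in unbound.conf(5).

```python
import ipaddress
# Constructed sample config (addresses/names from the thread, bundle path assumed).
SAMPLE = """\
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: yes
    forward-addr: 149.248.217.117@853#adblock.dns.dnswarden.com
    forward-addr: 149.248.217.117@853
"""

def parse_forward_addr(value):
    """Split '<ip>[@port][#tls-auth-name]' into (ip, port, auth_name)."""
    addr_port, _, auth_name = value.partition("#")
    addr, _, port = addr_port.partition("@")
    ip = ipaddress.ip_address(addr)  # ValueError if a hostname was given
    port = int(port) if port else None
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ip, port, auth_name or None

def lint_dot_forwarding(conf_text):
    """Return findings for the DNS-over-TLS forwarding settings."""
    opts, findings = {}, []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        key, sep, value = raw.strip().partition(":")
        if not sep or key.startswith("#"):
            continue
        if key.strip() != "forward-addr":
            opts[key.strip()] = value.split("#")[0].strip().strip('"')
            continue
        # Here '#' introduces the TLS auth name, so cut only at whitespace.
        token = (value.split() or [""])[0]
        try:
            auth = parse_forward_addr(token)[2]
        except ValueError as exc:
            findings.append(f"line {lineno}: bad forward-addr ({exc})")
            continue
        if auth is None:
            findings.append(f"line {lineno}: no #auth-name, certificate name not checked")
    if opts.get("forward-tls-upstream") != "yes":
        findings.append("forward-tls-upstream is not yes: upstream queries are cleartext")
    if opts.get("forward-first") == "yes":
        findings.append("forward-first is yes: falls back to direct resolution")
    if not opts.get("tls-cert-bundle"):
        findings.append("tls-cert-bundle unset: no CA bundle to verify the upstream")
    return findings
```

Calling `lint_dot_forwarding(SAMPLE)` reports the second `forward-addr` (no auth name) and the `forward-first: yes` fallback.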