Open ThomasCr opened 6 years ago
A workaround for this is to run Unbound as a local caching forwarder listening on port 53, configured with stub zones as you need and then forwarding all other zones to Stubby on a different port.
An Unbound config file something like the following:

```
interface: 127.0.0.1
do-not-query-localhost: no

stub-zone:
    name: "example.com"
    stub-addr: 192.0.2.68

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
```
Combined with an updated stubby.yml that uses:

```yaml
listen_addresses:
  - 127.0.0.1@8053
```
Should work. A more detailed description on this kind of setup will be on dnsprivacy.org soon....
For a more complete example, my configuration is:

unbound.conf:

```
server:
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    trust-anchor-file: trusted-key.key
    root-hints: "/etc/unbound/root.hints"
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
    forward-addr: ::1@8053
```
stubby.yml:

```yaml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 145.100.185.15
    tls_port: 443
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  - address_data: 145.100.185.16
    tls_port: 443
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  - address_data: 2001:610:1:40ba:145:100:185:15
    tls_port: 443
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  - address_data: 2001:610:1:40ba:145:100:185:16
    tls_port: 443
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  - address_data: 80.67.188.188
    tls_port: 443
    #tls_auth_name: "ns0.ldn-fai.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
  - address_data: 2001:913::8
    tls_port: 443
    #tls_auth_name: "ns0.ldn-fai.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
  - address_data: 89.234.186.112
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 2a00:5884:8209::2
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
  - address_data: 2001:470:1c:76d::53
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
```
I'm only using port 443 servers since port 853 is quite often blocked, while 443 is almost never (at least I have never encountered a case where 443 was blocked but not 853).
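As an added check, not code from this thread or from Stubby: a small Python script that reads the `upstream_recursive_servers` block in the shape posted above and flags entries that rely on a pinset alone (the ldn-fai.net entries whose `tls_auth_name` is commented out), pins that are not 32-byte SHA-256 digests, and one address listed under two different `tls_auth_name` values (199.58.81.218 appears above as both dns.neutopia.org and dns.cmrg.net). The sample is a constructed three-entry subset of that file with the `tls_port` lines left out.

```python
import base64

# Constructed sample (three entries reduced from the stubby.yml above): one upstream
# with its tls_auth_name commented out, and one address listed under two names.
SAMPLE_YML = """\
upstream_recursive_servers:
  - address_data: 80.67.188.188
    #tls_auth_name: "ns0.ldn-fai.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
  - address_data: 199.58.81.218
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 199.58.81.218
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
"""

def parse_upstreams(text):
    # Line-based reader for the upstream block; a '#tls_auth_name' line never matches.
    upstreams = []
    for line in (l.strip() for l in text.splitlines()):
        key, _, val = line.partition(":")
        if key == "- address_data":
            upstreams.append({"address": val.strip(), "pins": []})
        elif upstreams and key == "tls_auth_name":
            upstreams[-1]["auth_name"] = val.strip().strip('"')
        elif upstreams and key == "value":  # digest inside tls_pubkey_pinset
            upstreams[-1]["pins"].append(val.strip())
    return upstreams

def audit_upstreams(upstreams):
    # With GETDNS_AUTHENTICATION_REQUIRED a pin-only upstream stops resolving on key rotation.
    findings, names = [], {}
    for u in upstreams:
        addr, name = u["address"], u.get("auth_name")
        if name is None:
            findings.append(f"{addr}: {'pin-only' if u['pins'] else 'no'} authentication configured")
        for pin in u["pins"]:
            if len(base64.b64decode(pin)) != 32:
                findings.append(f"{addr}: pin {pin} is not a base64 SHA-256 digest")
        if names.setdefault(addr, name) != name:
            findings.append(f"{addr}: listed with two auth names, {names[addr]} and {name}")
    return findings
```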
Thanks for this - I've used this example on the website https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients
Hi, I miss an option to forward requests for specified domains to a local nameserver, e.g. *.fritz.box or speedport.ip to my router, or mydom.local to my local domain name server, and also 0.0.168.192.in-addr.arpa and so on...