
Cannot override tcp-upstream and tls-upstream with forward-tcp-upstream and forward-tls-upstream

Open MegaManSec opened this issue 1 year ago • 1 comment

Hello,

I am not sure if this is a bug or intentional, but thought I would report it here anyways.

I currently use unbound with an upstream DoT server. I use forward-tls-upstream to ensure that all of the upstream requests implicitly use TLS (in case of bugs like https://github.com/NLnetLabs/unbound/issues/676).

However, I would also like to use forward-tls-upstream to implicitly set some domains to be resolved via an upstream server over normal DNS over UDP. As such, I have the following configuration:

server:
    tcp-upstream: yes
    tls-upstream: yes
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

forward-zone:
    name: .
    forward-addr: 194.242.2.3@853#adblock.dns.mullvad.net

forward-zone:
    name: "wlan.schiphol.nl"
    forward-addr: 192.168.127.97
    forward-tls-upstream: no
    forward-tcp-upstream: no

My expectation is that when wlan.schiphol.nl is resolved, the 192.168.127.97 server is used via standard DNS over UDP, without encryption. Unfortunately it seems that neither forward-tls-upstream nor forward-tcp-upstream (either together or separately) take preference over the server: setting.

Unbound Version 1.21.0 on FreeBSD 13.

MegaManSec avatar Aug 25 '24 00:08 MegaManSec

The forward-tls-upstream and forward-tcp-upstream only take precedence over the server: setting when they enable the setting. For disabling it it does not override the server setting.

If it is needed to have separate options for tls and tcp for particular forward-zone and stub-zone entries, do not use the global server settings but instead configure all of the forward-zone and stub-zone entries individually with the forward-tls-upstream, forward-tcp-upstream, stub-tls-upstream and stub-tcp-upstream options. That leaves the tcp-upstream and tls-upstream settings at the default no, in the server: section. In the individual stub-zone and forward-zone sections it can then be configured in detail.

wcawijngaards avatar Aug 26 '24 13:08 wcawijngaards
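The configuration the maintainer describes, written out as an added example (not the maintainer's or the reporter's own config): the global tcp-upstream and tls-upstream are left at their default of no, TLS is enabled only on the forward-zone that should use it, and the plain-UDP zone needs no override at all. The addresses, zone name and certificate bundle path are the ones from the report above; the comments assume the precedence rule stated in the reply (a per-zone option overrides the server: section only when it turns the setting on).

```conf
server:
    # Deliberately NOT set here: tcp-upstream / tls-upstream.
    # A global "yes" cannot be undone by a per-zone "no", so the
    # global must stay at its default (no) for per-zone control to work.
    # The CA bundle is still a server: option and is required so that the
    # TLS forwarder's certificate can be verified against the #authname.
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

# Default route for everything: DNS over TLS to the DoT resolver.
# "yes" on a per-zone option takes precedence over the server: default.
forward-zone:
    name: .
    forward-addr: 194.242.2.3@853#adblock.dns.mullvad.net
    forward-tls-upstream: yes

# Captive-portal / local zone: plain DNS over UDP to the local resolver.
# Nothing to override: the server: defaults (no TLS, no forced TCP) apply.
forward-zone:
    name: "wlan.schiphol.nl"
    forward-addr: 192.168.127.97
```

After editing, `unbound-checkconf` validates the syntax and option names; to confirm the intended behaviour rather than the intended syntax, capture outbound traffic while resolving a name in each zone and check that queries for the root forward go to port 853 while queries for wlan.schiphol.nl go to port 53 in the clear. Note that with this layout any additional forward-zone that should be encrypted must set forward-tls-upstream: yes itself, since there is no longer a global default doing that for it.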

Understood, thanks. It would be nice to add that information to the documentation.

MegaManSec avatar Oct 08 '24 13:10 MegaManSec

The commit adds an explanation for the behaviour to the documentation. Maybe this is more understandable.

wcawijngaards avatar Oct 08 '24 13:10 wcawijngaards