[Feature Request] Adding Upstream DOH

Open ebanDev opened this issue 4 years ago • 14 comments

First of all thank you for the great software that is unbound! I think it would be really great if unbound integrated DOH support natively :)

ebanDev avatar Sep 13 '20 14:09 ebanDev

In progress https://github.com/NLnetLabs/unbound/pull/255

dtouzeau avatar Sep 15 '20 17:09 dtouzeau

Yes, if you seek those features then it can solve your request. The code there is usable right now if you want it in beta.

If you wanted DOH towards upstream servers, then this is a new feature. And it should wait for the already referenced DoH implementation, and also for socket reuse changes that are upcoming. It would be prudent to then first resolve bugs in that code. And then start thinking about this feature.

wcawijngaards avatar Sep 16 '20 07:09 wcawijngaards

Okay! Thanks for your answers.

ebanDev avatar Sep 20 '20 12:09 ebanDev

Any news about this major feature?

dtouzeau avatar Jan 24 '21 11:01 dtouzeau

> also for socket reuse changes that are upcoming.

@wcawijngaards Looks like the socket reuse feature is ready in version 1.13.2? (with fixes https://github.com/NLnetLabs/unbound/pull/513 included). The only remaining issue might be that streams may not be reused on Windows (https://github.com/NLnetLabs/unbound/issues/516).

yan12125 avatar Aug 18 '21 04:08 yan12125

I have it successfully using DOT (DNS over TLS) which is great

```
#forward-ssl-upstream: yes - is the instruction to use DNS over TLS, in this case for all queries (name: “.”)
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes

    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

    # NordVPN
    #forward-addr: 103.86.96.100@853#dns1.nordvpn.com
    #forward-addr: 103.86.99.100@853#dns2.nordvpn.com

    # Quad9
    #forward-addr: 2620:fe::fe@853#dns.quad9.net
    #forward-addr: 9.9.9.9@853#dns.quad9.net
    #forward-addr: 2620:fe::9@853#dns.quad9.net
    #forward-addr: 149.112.112.112@853#dns.quad9.net
```

p1r473 avatar Jun 22 '22 13:06 p1r473
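A configuration like the DoT forward-zone above is only as strong as its details: `forward-tls-upstream: yes` without a `tls-cert-bundle` (or `tls-system-cert`) in `server:`, or a `forward-addr` without the `#authname` suffix, gives an encrypted but unauthenticated channel. The following is an added example written for this thread, not code from unbound: a small linter for the `section:` / `key: value` layout of unbound.conf that flags those cases. The sample configuration it checks is constructed (modelled on the post above, with one address deliberately missing its auth name); it only handles the subset of the unbound.conf grammar shown here.

```python
"""Lint unbound forward-zone stanzas for DNS-over-TLS hygiene.
Added example, not part of unbound; parses only the key: value / section:
layout used in unbound.conf, not the full grammar."""


def parse_sections(text):
    """Return [(section_name, [(key, value), ...])] in file order.
    Lines whose first non-blank character is '#' are comments; a '#' later
    in a forward-addr value is the TLS auth name and is kept."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and " " not in line:      # e.g. "forward-zone:"
            current = (line[:-1], [])
            sections.append(current)
            continue
        key, _, value = line.partition(":")
        if current is None:                              # options before any section header
            current = ("", [])
            sections.append(current)
        current[1].append((key.strip(), value.strip()))
    return sections


def parse_forward_addr(value):
    """Split 'IP@port#authname' into (ip, port or None, authname or None).
    rsplit on '@' keeps IPv6 colons intact."""
    authname = None
    if "#" in value:
        value, authname = value.split("#", 1)
    port = None
    if "@" in value:
        value, port = value.rsplit("@", 1)
        port = int(port)
    return value.strip(), port, (authname.strip() if authname else None)


def lint_dot(text):
    """One finding string per weakness that would leave forwarded queries
    readable or forgeable by an on-path network."""
    findings = []
    sections = parse_sections(text)
    server = {k: v for name, kvs in sections if name == "server" for k, v in kvs}
    has_bundle = "tls-cert-bundle" in server or server.get("tls-system-cert") == "yes"
    for name, kvs in sections:
        if name != "forward-zone":
            continue
        opts = dict(kvs)
        zone = opts.get("name", "?")
        # forward-ssl-upstream is the older spelling of the same option
        tls = opts.get("forward-tls-upstream", opts.get("forward-ssl-upstream", "no"))
        if tls != "yes":
            findings.append(f"{zone}: forward-tls-upstream is not yes; queries leave in cleartext")
            continue
        if not has_bundle:
            findings.append(f"{zone}: forward-tls-upstream set but server: has no "
                            "tls-cert-bundle or tls-system-cert, so upstream "
                            "certificates cannot be verified")
        for key, value in kvs:          # iterate, not dict(): several forward-addr lines per zone
            if key != "forward-addr":
                continue
            ip, port, authname = parse_forward_addr(value)
            if authname is None:
                findings.append(f"{zone}: {ip} has no #authname; the TLS certificate "
                                "is not checked against a name")
            if port != 853:
                findings.append(f"{zone}: {ip} uses {'port ' + str(port) if port else 'no explicit port'} "
                                "rather than 853")
    return findings


# Constructed sample modelled on the DoT forward-zone posted above, with one
# forward-addr deliberately missing its auth name.
SAMPLE_CONF = """\
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
"""

if __name__ == "__main__":
    for finding in lint_dot(SAMPLE_CONF):
        print(finding)
```

Run it against a real file with `lint_dot(open("/etc/unbound/unbound.conf").read())`; `unbound-checkconf` validates syntax but does not tell you that a forwarder is missing its auth name, which is what this check is for.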

> I have it successfully using DOT

Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.

endreszabo avatar Aug 03 '22 14:08 endreszabo

> I have it successfully using DOT
>
> Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.

I agree. My current workaround is using Unbound to pass DNS queries to a local cloudflared DOH proxy. Has been working great.

mister2d avatar Aug 04 '22 15:08 mister2d

> I have it successfully using DOT
>
> Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.
>
> I agree. My current workaround is using Unbound to pass DNS queries to a local cloudflared DOH proxy. Has been working great.

Can you post your config please?

p1r473 avatar Aug 04 '22 17:08 p1r473

> I have it successfully using DOT
>
> Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.
>
> I agree. My current workaround is using Unbound to pass DNS queries to a local cloudflared DOH proxy. Has been working great.
>
> Can you post your config please?

It's terribly simple. I have a separate cloudflared DoH proxy listening on 127.0.0.1:5053 with an unbound forward-zone configured to 127.0.0.1@5053.

unbound.conf

```
...
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5053
```

You could test/replicate a cloudflared proxy setup with docker-compose.

```yaml
version: "3"

services:
  cloudflared:
    restart: always
    image: cloudflare/cloudflared:2022.5.3
    command: proxy-dns
    environment:
      TUNNEL_METRICS: "0.0.0.0:9080"
      TUNNEL_DNS_ADDRESS: "0.0.0.0"
      TUNNEL_DNS_PORT: "5053"
      TUNNEL_DNS_UPSTREAM: "https://1.1.1.1/dns-query, https://1.0.0.1/dns-query"
      TUNNEL_DNS_MAX_UPSTREAM_CONNS: "10"
    ports:
      - "127.0.0.1:5053:5053"
```

mister2d avatar Aug 04 '22 22:08 mister2d
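What the cloudflared proxy in the setup above actually puts on the wire is the same DNS message unbound would send on port 53, carried as the body of an HTTPS POST (RFC 8484, content type `application/dns-message`), which is why it passes a network that blocks TCP/853 but not TCP/443. The following is an added example written for this thread, not code from unbound or cloudflared: it builds a wire-format query with the EDNS DO bit set (so RRSIGs come back for validation), frames it as the DoH POST, and parses a constructed response, reporting the rcode and AD flag. The response bytes are constructed here, not captured from a real server, and the `203.0.113.10` address is a TEST-NET placeholder. The name decoder bounds compression-pointer hops, the classic parser failure mode when handling untrusted DNS.

```python
"""DNS-over-HTTPS (RFC 8484) wire format: build a query, frame the POST,
parse a constructed response. Added example, not unbound or cloudflared code."""
import struct

OPT_TYPE = 41          # EDNS0 pseudo-RR type
DO_FLAG = 0x8000       # DNSSEC OK bit, in the OPT RR's TTL field
AD_FLAG = 0x0020       # Authenticated Data bit, in the header flags


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, want_dnssec=True):
    """Wire-format query. ID is 0 as RFC 8484 section 4.1 recommends so
    identical DoH bodies are HTTP-cacheable; DO asks for RRSIGs so the
    local resolver can validate instead of trusting the proxy."""
    flags = 0x0100                                   # RD: recursion desired
    arcount = 1 if want_dnssec else 0
    header = struct.pack("!HHHHHH", 0, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    additional = b""
    if want_dnssec:
        # OPT RR: root name, type 41, UDP payload 4096, ext-rcode/version 0, DO set, no rdata
        additional = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_FLAG, 0)
    return header + question + additional


def doh_post_request(host, path, body):
    """Frame the query as the HTTP/1.1 POST a DoH client sends inside TLS on
    TCP/443; to a port filter it is indistinguishable from other HTTPS."""
    head = (f"POST {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Accept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def read_name(data, off, max_hops=16):
    """Decode a possibly compressed name; bounded hops defeat pointer loops."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                        # caller resumes after the pointer
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(data):
    """Return id, rcode, AD bit and answer RRs from a wire-format reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                              # skip the echoed question(s)
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F,
            "ad": bool(flags & AD_FLAG), "answers": answers}


# Constructed reply (not captured from a real server): flags QR|RD|RA|AD,
# one A record for example.com in TEST-NET-3, owner name compressed to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_post_request("1.1.1.1", "/dns-query", q)[:120])
    print(parse_response(SAMPLE_RESPONSE))
```

The AD bit in a reply only means something when the channel to whoever set it is authenticated; in the unbound-plus-cloudflared layout above, unbound still runs its own validator over the RRSIGs the DO bit requests, so a proxy or an on-path box that strips signatures shows up as a SERVFAIL rather than a silently unauthenticated answer.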

Strange as it may seem, the speed of DoH is much higher than DoT.

stm32repo avatar Jun 15 '23 06:06 stm32repo

Any progress? DoH may be useful in some network cases.

kkkgo avatar Apr 23 '24 17:04 kkkgo

> I have it successfully using DOT
>
> Great, but we need DOH here. Why? The restaurant across the street MITMs (and strips DNSSEC) raw DNS traffic and does not let TCP/853 (=DOT) through. However, access to TCP/443 (=DOH) works fine.
>
> I agree. My current workaround is using Unbound to pass DNS queries to a local cloudflared DOH proxy. Has been working great.
>
> Can you post your config please?
>
> It's terribly simple. I have a separate cloudflared DoH proxy listening on 127.0.0.1:5053 with an unbound forward-zone configured to 127.0.0.1@5053.
>
> unbound.conf
>
> ```
> ...
> forward-zone:
>     name: "."
>     forward-addr: 127.0.0.1@5053
> ```
>
> You could test/replicate a cloudflared proxy setup with docker-compose.
>
> ```yaml
> version: "3"
>
> services:
>   cloudflared:
>     restart: always
>     image: cloudflare/cloudflared:2022.5.3
>     command: proxy-dns
>     environment:
>       TUNNEL_METRICS: "0.0.0.0:9080"
>       TUNNEL_DNS_ADDRESS: "0.0.0.0"
>       TUNNEL_DNS_PORT: "5053"
>       TUNNEL_DNS_UPSTREAM: "https://1.1.1.1/dns-query, https://1.0.0.1/dns-query"
>       TUNNEL_DNS_MAX_UPSTREAM_CONNS: "10"
>     ports:
>       - "127.0.0.1:5053:5053"
> ```

What does your configuration file for cloudflared.service look like?

salamdamai avatar May 05 '24 04:05 salamdamai