
[FR]Do you plan to add DOH server as upstream for unbound?

Open LittleGrocery opened this issue 3 years ago • 7 comments

Current behavior
Is there a current behavior that the feature relates to? If yes, would you wish the current behavior to change?

Now unbound can only use DoT (@853) and DNS (@53) as upstream servers.

Describe the desired feature
A clear and concise description of what the feature should be.

I want to use DoH (@443) as an upstream server.

Potential use-case
Describe how you see this feature being useful to other Unbound users.

I know in many cases DoT performance is better than DoH. However, in some network environments (like mine), DoH is faster and better.

LittleGrocery avatar Aug 14 '21 04:08 LittleGrocery

Seems the same feature request as https://github.com/NLnetLabs/unbound/issues/308?

yan12125 avatar Aug 17 '21 15:08 yan12125

Seems the same feature request as #308?

Maybe one year has passed. The developer still doesn't want to implement this feature.

LittleGrocery avatar Aug 18 '21 03:08 LittleGrocery

I guess one reason why a DoH server as upstream is not deemed urgent is that most, if not all, root/TLD servers themselves are not DoH compatible. Even if Unbound supported DoH upstream, there is no root/TLD DoH server to work with. If you are using DoH providers like Google and Cloudflare as upstream, then the use case for Unbound is less significant (instead of Unbound, you may consider setting up a DoH "forwarder" using one of the methods below):

https://github.com/kpadron/doh-forwarder/
https://www.sindastra.de/p/1332/how-to-set-up-doh-dns-over-https-forwarder
https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/

karson33 avatar Dec 27 '21 01:12 karson33

I guess one reason why a DoH server as upstream is not deemed urgent is that most, if not all, root/TLD servers themselves are not DoH compatible

Not really. It's not like nameservers support DNS-over-TLS, but that has already been implemented.

agneevX avatar Feb 23 '22 12:02 agneevX

Seems the same feature request as #308?

Looks so!

Maybe one year has passed. The developer still doesn't want to implement this feature.

In that case, opening another issue might not help; maybe just use the original issue to discuss with the maintainers? Maybe they just don't have enough bandwidth to implement it, not that they don't want to. At least, in #308, they said:

If you wanted DOH towards upstream servers, then this is a new feature. And it should wait for the already referenced DoH implementation, and also for socket reuse changes that are upcoming. It would be prudent to then first resolve bugs in that code. And then start thinking about this feature.

PeterDaveHello avatar Mar 21 '22 16:03 PeterDaveHello

I have it successfully using DoT (DNS over TLS), which is great.

# forward-tls-upstream: yes (older alias: forward-ssl-upstream) is the instruction to use DNS over TLS, in this case for all queries (name: ".")
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes

    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

    # NordVPN
    #forward-addr: 103.86.96.100@853#dns1.nordvpn.com
    #forward-addr: 103.86.99.100@853#dns2.nordvpn.com

    # Quad9
    #forward-addr: 2620:fe::fe@853#dns.quad9.net
    #forward-addr: 9.9.9.9@853#dns.quad9.net
    #forward-addr: 2620:fe::9@853#dns.quad9.net
    #forward-addr: 149.112.112.112@853#dns.quad9.net

p1r473 avatar Jun 22 '22 13:06 p1r473
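The config above gets its security from two settings working together: the `#authname` suffix on each `forward-addr` names the certificate identity Unbound should expect, and `tls-cert-bundle` gives it a CA set to validate that certificate against. The script below is an added example, not code from this thread or from the Unbound project: a small linter that parses `server:` and `forward-zone:` clauses and flags the combinations that leave a DoT forwarder encrypted but unauthenticated, or not encrypted at all. The two embedded configs are constructed samples (the first mirrors the posted config with one address deliberately left without `#authname`); the checks follow the semantics of `forward-tls-upstream`, `forward-addr` and `tls-cert-bundle` as documented in unbound.conf(5), and the comment-handling rule (a `#` starts a comment only at line start or after whitespace) is this linter's own assumption.

```python
"""Lint Unbound forward-zone configuration for encrypted-upstream hygiene.

Checks implemented (semantics as documented in unbound.conf(5)):
  * a forward-addr on @853 requires forward-tls-upstream: yes in the same zone
  * in a TLS zone every forward-addr should carry @853 and a #authname
  * a TLS zone needs tls-cert-bundle or tls-system-cert in server: so the
    upstream certificate chain can be validated
"""
import re
from typing import List, Tuple

# Constructed sample: the DoT forwarding config from the thread, with one
# address (9.9.9.9) deliberately left without #authname to produce a finding.
SAMPLE_CONFIG = """\
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853
"""

# Constructed sample of a weaker config: a TLS port used without enabling TLS,
# a TLS zone pointing at the default plain-DNS port, and no CA bundle at all.
WEAK_CONFIG = """\
server:
    verbosity: 1
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-zone:
    name: "example.test."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53
"""


def strip_comment(line: str) -> str:
    """Drop a '#' comment. A '#' only opens a comment at the start of the line or
    after whitespace, so the '#authname' suffix of a forward-addr value survives."""
    return re.split(r"(?:^|\s)#.*", line, maxsplit=1)[0].rstrip()


def parse_config(text: str) -> List[Tuple[str, List[Tuple[int, str, str]]]]:
    """Return [(clause_name, [(lineno, key, value), ...]), ...].

    A 'key:' with no value (server:, forward-zone:) opens a new clause; every
    other 'key: value' line is an attribute of the current clause."""
    clauses: List[Tuple[str, List[Tuple[int, str, str]]]] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # first ':' only, so IPv6 values stay intact
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if not value:
            current = (key, [])
            clauses.append(current)
            continue
        if current is not None:
            current[1].append((lineno, key, value.strip('"')))
    return clauses


def parse_forward_addr(value: str) -> Tuple[str, str, str]:
    """Split 'IP[@port][#authname]' into (ip, port, authname); '' means absent."""
    addr, _, authname = value.partition("#")
    ip, _, port = addr.partition("@")
    return ip, port, authname


def lint_unbound(text: str) -> List[str]:
    """Return human-readable findings for the forward-zone clauses in text."""
    findings: List[str] = []
    clauses = parse_config(text)
    server = {k: v for name, attrs in clauses if name == "server" for _, k, v in attrs}
    has_ca = bool(server.get("tls-cert-bundle")) or server.get("tls-system-cert") == "yes"
    tls_used = False
    for name, attrs in clauses:
        if name != "forward-zone":
            continue
        zone = next((v for _, k, v in attrs if k == "name"), "?")
        tls = any(k in ("forward-tls-upstream", "forward-ssl-upstream") and v == "yes"
                  for _, k, v in attrs)
        tls_used = tls_used or tls
        for lineno, k, v in attrs:
            if k != "forward-addr":
                continue
            ip, port, authname = parse_forward_addr(v)
            if port == "853" and not tls:
                findings.append(f"line {lineno}: zone {zone}: {ip}@853 but forward-tls-upstream "
                                f"is not 'yes'; plain DNS would be sent to a TLS-only port")
            if tls and port != "853":
                findings.append(f"line {lineno}: zone {zone}: TLS upstream {ip} has no @853; "
                                f"the default port is plain DNS")
            if tls and not authname:
                findings.append(f"line {lineno}: zone {zone}: {ip} has no #authname; the session "
                                f"is encrypted but the server certificate is not authenticated")
    if tls_used and not has_ca:
        findings.append("server: neither tls-cert-bundle nor tls-system-cert is set; "
                        "upstream certificates cannot be validated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_unbound(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against a real `unbound.conf` by reading the file into `lint_unbound`; the posted config yields exactly one finding (the `9.9.9.9@853` line added without `#authname`), while the weak sample shows the other three failure modes together.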

Strange as it may seem, the speed of DoH is much higher than DoT. I am currently using dnscrypt-proxy.

stm32repo avatar Jun 15 '23 06:06 stm32repo