missing config, for local nameservers #32
Comments
A workaround for this is to run Unbound as a local caching forwarder listening on port 53, configured with stub zones as you need and then forwarding all other zones to Stubby on a different port. An Unbound config file something like the following:
Combined with an updated stubby.yml that uses:
Should work. A more detailed description on this kind of setup will be on dnsprivacy.org soon....
For a more complete example, my configuration is:

unbound.conf:

```
server:
    use-syslog: yes
    username: "unbound"
    directory: "/etc/unbound"
    trust-anchor-file: trusted-key.key
    root-hints: "/etc/unbound/root.hints"
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
    forward-addr: ::1@8053
```

stubby.yml:

```yaml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 256
edns_client_subnet_private : 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 145.100.185.15
    tls_port: 443
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  - address_data: 145.100.185.16
    tls_port: 443
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  - address_data: 2001:610:1:40ba:145:100:185:15
    tls_port: 443
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  - address_data: 2001:610:1:40ba:145:100:185:16
    tls_port: 443
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  - address_data: 80.67.188.188
    tls_port: 443
    #tls_auth_name: "ns0.ldn-fai.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
  - address_data: 2001:913::8
    tls_port: 443
    #tls_auth_name: "ns0.ldn-fai.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
  - address_data: 89.234.186.112
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 2a00:5884:8209::2
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.neutopia.org"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
  - address_data: 199.58.81.218
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
  - address_data: 2001:470:1c:76d::53
    tls_port: 443
    tls_auth_name: "dns.cmrg.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
```

I'm only using port 443 servers since port 853 is quite often blocked, while 443 is almost never (at least I have never encountered a case where 443 was blocked but not 853).
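The configuration above forwards everything to Stubby but does not yet show the stub zones that the workaround relies on for the local names the original request lists. The fragment below is an added example, not configuration from the thread or from the Stubby project; it is meant to be appended to the `unbound.conf` above. It assumes the router answers DNS on 192.168.0.1 and the internal authoritative name server on 192.168.0.2 (both placeholder addresses). It goes slightly beyond the thread in two ways a practitioner will hit in practice: the router entries use `forward-zone` rather than `stub-zone` because a home router is itself a forwarder that expects recursive queries, and the RFC 1918 reverse zone must be released from Unbound's built-in blocking local zone and excluded from DNSSEC validation, or the lookups fail before ever reaching the local server.

```conf
server:
    # These zones are unsigned, so a validating Unbound would SERVFAIL
    # them; mark them insecure so answers from the local servers are accepted.
    domain-insecure: "fritz.box"
    domain-insecure: "speedport.ip"
    domain-insecure: "mydom.local"
    domain-insecure: "0.0.168.192.in-addr.arpa"

    # Unbound ships a built-in static local zone for 168.192.in-addr.arpa
    # that answers NXDOMAIN before any stub/forward lookup; disable it so
    # the reverse zone below is actually consulted.
    local-zone: "168.192.in-addr.arpa." nodefault

    # Only needed if private-address: (rebinding protection) is configured;
    # it permits private addresses in answers for these names.
    private-domain: "fritz.box"
    private-domain: "speedport.ip"
    private-domain: "mydom.local"

# Router-hosted names: the router is a forwarder, so send recursive queries.
# A more specific forward-zone takes precedence over the "." forward-zone.
forward-zone:
    name: "fritz.box"
    forward-addr: 192.168.0.1    # placeholder router address

forward-zone:
    name: "speedport.ip"
    forward-addr: 192.168.0.1    # placeholder router address

# Authoritative internal server: stub-zone sends non-recursive queries.
stub-zone:
    name: "mydom.local"
    stub-addr: 192.168.0.2       # placeholder internal name server

stub-zone:
    name: "0.0.168.192.in-addr.arpa"
    stub-addr: 192.168.0.2       # placeholder internal name server
```

Validate the merged file with `unbound-checkconf` before restarting, then confirm the split with `dig @127.0.0.1 host.fritz.box` (answered by the router) and `dig @127.0.0.1 example.com` (answered via Stubby over TLS). Keep the `domain-insecure` list to exactly the internal zones: every name listed there is exempt from DNSSEC validation, so an overly broad entry silently weakens the protection the Stubby setup was built to provide.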
Thanks for this - I've used this example on the website
Hi, I miss an option to forward requests for specified domains to a local nameserver.
e.g. *.fritz.box or speedport.ip to my router, or mydom.local to my local domain name server, and also 0.0.168.192.in-addr.arpa and so on...